lelu

Introduction

Learn how to configure Lelu in your project.


Lelu is a policy engine for AI-driven systems. It combines Rego-based authorization, confidence-aware decisioning, human approval queues, and auditable enforcement so teams can ship AI agents without giving up control.

No signup required. Generate an anonymous API key and get 500 requests per day — instant access, privacy first.

Features

Lelu includes the core building blocks needed to govern AI actions in production, with simple defaults for development and stronger controls for enterprise workloads.

Framework Agnostic
Works with any AI framework or model provider. Integrate with OpenAI, Anthropic, LangChain, or custom agents without changing your architecture.
Confidence-Aware Policies
Author policies that branch on the model's self-reported confidence score, not just binary allow/deny. Low-confidence actions route to human review automatically.
Human-in-the-Loop
Automatically queue risky or uncertain operations for human review. The agent pauses and waits for an approval or denial before continuing.
Prompt Injection Defense
Detect and block adversarial instructions embedded in user input or tool responses before they can manipulate agent behavior.
Observability & Tracing
OpenTelemetry integration with AI agent semantic conventions. Every authorization decision is a traced span with full context.
Multi-Agent Coordination
Parent agents delegate to sub-agents with scoped, time-limited permissions. Enforces least-privilege across swarms.

Why Lelu?

Traditional authorization systems — RBAC, ABAC — are binary: a user either has permission or they don't. But AI agents operate on probabilities. When an agent tries to execute a financial trade, delete a database record, or send an email on someone's behalf, you don't just want to know if it has permission — you want to know how confident it is.

Lelu is the authorization layer purpose-built for this. It sits between your AI agent and the world, evaluating every proposed action against your policies and the agent's own certainty before letting it proceed.

How Lelu Works

1. Confidence-Aware Policies

Write authorization rules in Rego that branch on the AI's self-reported certainty. A high-confidence action is allowed; a borderline one routes to a human, so the outcome is not limited to a binary allow/deny.

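    # Trades at or above the 0.90 confidence threshold proceed automatically.
    allow {
        input.action == "trade"
        input.confidence >= 0.90
    }

    # Trades below the threshold are queued for human review.
    require_approval {
        input.action == "trade"
        input.confidence < 0.90
    }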

2. Human-in-the-Loop

When an action fails the confidence threshold, Lelu enqueues it for human review. The agent pauses and polls until an operator approves or denies. This gives teams fine-grained control without blocking the happy path.

3. Immutable Audit Trail

Every authorization decision — the action requested, the policy matched, the confidence score, the human reviewer if any — is recorded as an immutable event. Export to your SIEM or query via the Audit API.

Architecture

Lelu runs as a sidecar or standalone service. Your agents make a single POST /v1/agent/authorize call before every tool invocation. The engine evaluates your Rego policies in under 50 ms and returns allow, deny, or require_approval.

AI Agent → POST /v1/agent/authorize → Lelu Engine, which returns one of:
allow: conf ≥ 90%
review: conf < 90%
deny: blocked
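
The decision flow above, seen from the agent's side, as an added example (not Lelu's SDK and not code from this page): a gate that runs a tool only on an explicit allow and fails closed on deny, an unreachable engine, an unanswered review, or an unrecognized response. The names `stub_engine`, `guarded_call` and `poll_review` and the request shape are assumptions; the stub applies the page's 0.90 threshold and additionally rejects confidence values that are missing or outside 0 to 1, since the score is self-reported.

```python
import math

THRESHOLD = 0.90  # same cut-off as the Rego rules on this page


def stub_engine(req):
    """Constructed stand-in for the engine (assumption, not Lelu's code).
    Input that matches neither Rego rule is undefined there, so it is denied."""
    conf = req.get("confidence")
    if isinstance(conf, bool) or not isinstance(conf, (int, float)):
        return "deny"  # missing or non-numeric self-reported score
    if math.isnan(conf) or not 0.0 <= conf <= 1.0:
        return "deny"  # added range check: reject scores outside 0..1
    if req.get("action") != "trade":
        return "deny"  # no rule covers this action
    return "allow" if conf >= THRESHOLD else "require_approval"


def guarded_call(authorize, poll_review, tool, action, confidence, max_polls=3):
    """Run tool() only on an explicit allow; every other outcome fails closed."""
    try:
        decision = authorize({"action": action, "confidence": confidence})
    except Exception:
        return ("blocked", "engine unreachable")
    if decision == "allow":
        return ("executed", tool())
    if decision == "require_approval":
        # A real agent would sleep between polls; omitted to keep this offline.
        for _ in range(max_polls):
            verdict = poll_review()  # hypothetical: "pending", "approved", "denied"
            if verdict == "approved":
                return ("executed", tool())
            if verdict == "denied":
                return ("blocked", "reviewer denied")
        return ("blocked", "review timed out")
    return ("blocked", f"decision {decision!r}")
```
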

Model Context Protocol

Lelu ships a first-party MCP server so you can use it with any AI client that supports the Model Context Protocol. Use the CLI to add it in one command, or configure manually.

The Lelu MCP is powered by fastmcp. The official MCP package is lelu-mcp on npm.

CLI options

Use the Lelu CLI to add the MCP server to your preferred client:

npx lelu-mcp add --cursor

Manual configuration

Alternatively, point any MCP-compatible client at the Lelu SSE endpoint directly:

claude mcp add --transport http lelu http://localhost:3003/sse

Next steps