One decorator. Your agent asks permission before it touches production.
An AI agent deleted our production Snowflake tables. We built @statis.gate so it can't happen again — to us or anyone else. Four lines of Python. Every destructive action gated, receipted, and graduated to policy.
It was a Thursday. Our data engineering on-call agent had full write access to our production Snowflake warehouse — the same access a senior engineer would have. It hallucinated a cleanup query. It ran DROP TABLE. The tables were gone.
We recovered. But the pattern didn’t go away. The same week, our Sales and CSM teams were running production agent tools with the same level of access and no governance layer. Every one of those agents was one bad prompt away from the same incident.
We looked at how other engineering teams were handling this. The answers were: a hand-rolled Slack webhook that breaks in week three, a framework-native interrupt that doesn’t produce an audit trail, or nothing at all. None of them scale. None of them compose across frameworks. None of them give you a cryptographic receipt you can show an auditor.
So we built the thing we wanted.
Four lines

pip install statis-ai

from statis import gate

@gate("warehouse.execute_sql")
def execute_sql(query: str) -> dict:
    # runs against your actual warehouse
    return snowflake_client.execute(query)

That’s the whole install. From this point forward, every call to execute_sql goes through Statis before it executes.
What happens on the first call
1. The agent proposes — execute_sql("DROP TABLE customers") fires. The decorator catches it before it reaches Snowflake.
2. A signed approval URL is generated — The terminal prints a single-use link. The function blocks. No Slack bot required — the link is the UI.
3. A human reviews and decides — The approval page shows the exact query. "DROP TABLE customers" — one look and you click Deny. The function raises ActionDeniedError. The table survives.
4. A receipt is written — Whether you approve or deny, a tamper-evident receipt is written immediately — SHA-256 hash-chained, tenant-scoped, from action one.
The part that stops the paging
The first approval is manual. The second is manual. The third time your agent runs the same SELECT count(*) query with the same argument shape, Statis notices. It auto-drafts a policy rule and shows it to you on the approval page:

# Auto-drafted after 3 identical approvals
rule_id: graduated_warehouse.execute_sql_a3f1b9_v1
action_type: warehouse.execute_sql
decision: APPROVED
conditions:
  canonical_args_hash: a3f1b9c2d4e5...

Save it. The fourth call with that query shape auto-approves. No human in the loop. You didn’t write a policy — you approved an action three times and the policy wrote itself.
Destructive actions keep escalating. Routine, approved patterns graduate to auto-approve. The humans stay in the loop for exactly the decisions that need them.
What ships with it
1. Sync + async — mode='auto' inspects your function. async def gets an awaitable. sync def blocks up to timeout_s.
2. Fail-closed by default — API unreachable → decorator raises. on_error='fail_open' available for non-destructive reads.
3. STATIS_DISABLED=1 — Env var pass-through. Remove Statis from any environment in one line, no code changes.
4. Hash-chained receipts from action one — Every decision writes a SHA-256 receipt. The chain starts the moment you install the decorator.
5. statis.advanced — If you were using propose()/execute() directly, it still works. Nothing broke.
Who this is for
If you’re giving an AI agent write access to a production system — a database, a CRM, a payment processor, a deployment pipeline — and you don’t have a governance layer, this is for you.
Python-native stacks running LangGraph, CrewAI, or direct Anthropic/OpenAI agents. Post-seed to Series A. Someone on your team is either post-incident or quietly nervous about the one that hasn’t happened yet.
We built it after our own incident. We’ve run 104+ of our own governed actions through it with zero incidents. We think you should have it too.

pip install statis-ai
export STATIS_API_KEY=st_...

@gate("warehouse.execute_sql")
def execute_sql(query: str) -> dict:
    ...

Running agents in production? Want to talk about how you handle governance today, or did something like this already happen to you? Reach us at founders@statis.dev.