Platform / Runtime Prevention

Runtime Prevention

Pillar 4 of 5 — the one no tracer offers. Policies stop, redirect, or downgrade a run while it's happening, not after.

Every alerting tool — including Dunetrace's own structural detection — tells you about a failure after the run that produced it has already finished. That's still faster than a user complaint, but it's still after. Runtime prevention is different: policies evaluate mid-run, after every tool call and LLM response, and can act before a bad run ever completes.

No tracer can do this. Langfuse, LangSmith, and Braintrust all observe a run — they have no code path running inside your agent's process while it executes. Dunetrace's SDK does, because instrumentation is how it captures events in the first place.

What a policy can do

ActionEffect
stopHalts the run immediately, with a clear exit reason your code can catch
switch_modelDowngrades to a cheaper model mid-run when a cost condition is crossed
inject_promptAppends a corrective instruction the agent reads on its next step — e.g. "stop repeating tool calls, answer directly"
logRecords the condition without interrupting, for conditions you want visibility on but not enforcement of yet

Example

dt.add_policy(
    name="cap tool calls",
    condition={"trigger": "tool_call_count", "operator": "gt", "value": 5},
    action={"type": "stop"},
)
dt.add_policy(
    name="loop fix",
    condition={"trigger": "signal", "operator": "eq", "value": "TOOL_LOOP"},
    action={"type": "inject_prompt", "params": {
        "prompt": "Stop repeating tool calls. Summarise what you know and answer directly."
    }},
)

Why this can only ever see structural signals

Policies run synchronously, in your agent's own process, checking conditions like tool-call count, accumulated cost, and structural detector signals — all computable in real time with zero LLM calls. Semantic evaluation (pillar 3) runs entirely after a run completes, in a separate background worker. There is no code path by which an in-process policy check could see a semantic finding, because none exist yet at the moment the check runs — by the time semantic evaluation judges a run, there's nothing left to prevent.

This isn't a limitation to work around — it's the reason runtime prevention can be fast and cheap enough to run on every single event: it never waits on an LLM call.

Defined once, applied everywhere

Policies can be added directly in code, or created and edited in the dashboard and fetched automatically by every instrumented agent (60-second cache). Every policy is signed at write time, so a tampered or replayed policy is rejected before it ever reaches an agent process.