Playground
The Axtary playground is a credential-free browser sandbox for trying the core content-authorization paths before installing the CLI: payload-bound denies, exact approvals, runtime-hook decisions, and ledger evidence without a live provider credential.
Open it at /playground. The play.axtary.com subdomain also
redirects to the same hosted playground.
Run your own command
The playground has a Run your own command box: type a shell command an agent
might run — cat .env, cp .env /tmp/exfil, cat config.ts > infra/prod/out.ts,
rm -rf secrets/ — and Axtary evaluates it through the same runtime-hook path as
axtary hook claude-code. You get the real decision (allow / deny / step-up / no
opinion), the exact reason code, and the payload and ledger hashes for every file
op the command performs. A copy like cp .env /tmp/exfil is denied by its
source read, not just its destination — the same enforcement the installed
hook applies. Nothing is executed and no credentials are used: this is the real
policy decision, not a provider side-effect.
The UI is console-first: pick a scenario, run a command, inspect the decision trail, then open the bounded payload/API evidence panels only when you need the raw artifacts.
What it runs
Each scenario is backed by the same TypeScript packages used by the SDK, proxy, policy engine, runtime hooks, and ledger helpers. The page shows the real decision, reason codes, action hash, payload hash, and generated ledger hash for the scenario run.
Current scenarios:
- an approved payload changes before execution and is blocked by the real
approval-artifact validator with the precise
approval_payload_hash_mismatchreason, showing the approved and executed payload hashes side by side — the same first-class equivalence pair that ledger execution records carry and thataxtary prove-equivalence/verify-exportindependently verify. This scenario links to the ActionPass spec and verifier because the proof is the core artifact, not a UI-only animation; - a Slack message to a non-allowlisted channel is denied;
- an external-recipient message steps up, then proceeds only after an exact payload-bound approval artifact is validated;
- a Postgres SELECT-only/RLS replay shows a scoped SELECT and a write denied before execution, with the provider backstop labeled as replay evidence;
- an MCP tool keeps the same name but changes its definition hash and is denied;
- a runtime hook sees a shell read even when the prompt tells the model to ignore Axtary.
Truth boundary
The playground does not connect to GitHub, Slack, Postgres, or an MCP upstream. It is intentionally credential-free. Provider-bound scenarios are labeled as deterministic replay when they use previously proven provider constraints instead of making a live provider call from the browser.
The public CLI commands shown beside the scenarios now install from the published
@axtary/*@0.3.0 npm packages. The browser sandbox still remains a decision
surface, not a provider-credential executor.
Use it from the terminal
The playground API is plain JSON, so every scenario and the free-form runner are
also reachable with curl:
# All scenarios (the same data the page renders)
curl -s https://axtary.com/api/playground | jq '.scenarios[].id'
# Evaluate your own command through the real runtime-hook policy path
curl -s -X POST https://axtary.com/api/playground \
-H 'content-type: application/json' \
-d '{"command":"cp .env /tmp/exfil"}'
Each scenario page has a curl tab with the exact command, and scenario views
are shareable links (/playground?s=<scenario-id>).
For live local enforcement, use the CLI quickstart and the runtime hook or MCP wrapper guide.