tenet.execute()
Reference for the core function: arguments, return values, errors, and supported services.
The canonical Tenet entry point. Every tool call your agent makes goes through this.
Signature
await tenet.execute({
service: string,
toolCall: {
toolName: string,
arguments: Record<string, unknown>,
},
agent?: { agentId: string },
context?: Record<string, unknown>,
});
Arguments
service (required, string)
The name of the downstream service this call targets. Must be one of the built-in services (see below). Custom service definitions are not yet available.
Tenet uses service to:
- Look up the credential to inject server-side.
- Classify the call's risk tier (read-only, reversible write, irreversible).
- Apply policies that scope to specific services.
toolCall.toolName (required, string)
The dotted name of the tool, e.g. github.repos.delete, stripe.payment_intents.create, anthropic.messages.create. Used by policies to scope which tools they apply to.
toolCall.arguments (required, object)
The arguments you'd normally pass to the downstream call. Schema varies by service. Tenet passes these through to the downstream service after policy evaluation succeeds.
agent.agentId (optional, string)
Which agent is making the call. If omitted, the call is attributed to the API key itself — the audit log shows a key:<key-name> identity, so every decision is still traceable. An agent ID Tenet hasn't seen before is auto-registered under the default protections; unknown agents are not rejected.
context (optional, object)
Free-form metadata that policies can read. The most common keys:
env:"production"hard-blocks irreversible tools, no approval path (the production safeguard).user_id: if your agent acts on behalf of a specific end-user, pass their ID here so audit log entries are traceable.
Return shape
{
decisionId: string,
outcome: "ALLOW" | "ALLOW_WITH_CONDITIONS" | "ESCALATE" | "BLOCK",
result?: unknown, // the downstream response if outcome was ALLOW
reviewId?: string, // present on ESCALATE
reasonCodes: string[],
}
| Outcome | What happened |
|---|---|
ALLOW | Policy passed. Downstream call ran. result is the downstream response. |
ALLOW_WITH_CONDITIONS | Policy passed with caveats (e.g., redacted args). result is present. |
ESCALATE | Policy paused the call. A review row was created (reviewId). The call will run when a human approves at /reviews. |
BLOCK | Policy refused the call. No downstream side effects. |
reasonCodes tells you which layer decided: SERVICE_LOCKED / SERVICE_TRUSTED (the service's trust level), FUNCTION_OVERRIDE_* (a per-function override), or a policy code like irreversible-tool. With dry-run enabled on a service, rows also carry EVALUATE_MODE plus a WOULD_* preview of what the trust layer would have decided. See the policies guide for the resolution order.
Errors
| Status | Code | Meaning |
|---|---|---|
| 401 | unauthorized | Missing or invalid TENET_API_KEY. |
| 402 | plan_limit_exceeded | You hit your monthly decision limit. Upgrade plan or wait for reset. |
| 429 | cost_limit_exceeded | The cost-cap policy triggered. Your agent's LLM spend exceeded the configured cap in the rolling window. |
| 429 | rate_limit_exceeded | Too many calls per minute from this API key. |
| 502 | downstream_error | Tenet's policy evaluation passed but the downstream service returned an error. The full downstream error is in the response body. |
Supported services
Four verified connectors, each exposing a curated tool set (not the service's full API; every tool carries a verified endpoint mapping and risk classification):
anthropic: the inference path; routing model calls through Tenet is what makes the cost cap realgithub·stripe·notion
openai and slack are cataloged but in verification; they return to the connect picker once their canary checks pass.
The exact tool list per connector, with risk tiers and a working example for each, lives on the Connectors page. Add each service's credential once on the Protections page (click the service under Available services). Newly connected services start Locked (every call escalates until you relax the trust level at /protections).
Tools outside the catalog return unknown_tool rather than passing through unguarded. Custom service definitions (your own allowed hosts and methods) are coming; they're not yet available.
What's next
- The protections guide explains what's enforced on every call.
- The cost cap guide covers the
cost_limit_exceedederror you might hit. - The approval guide covers the ESCALATE flow.