flux7-supervisor — L1 Evaluation Agent
The problem
Your AI agents make hundreds of tool calls per session. flux7-mesh enforces policy on every call — but some actions land in a grey zone. The policy says human_approval, and a human stares at a terminal prompt:
Allow filesystem.write_file to /home/user/project/src/main.py? [y/n]
For the 47th time today. Same agent, same directory, same pattern. The human approves mechanically, attention already elsewhere.
Meanwhile, an agent sends an email to an external address. Same human_approval policy. The human, deep in approval fatigue, hits y without reading.
The problem isn't the policy. The problem is that routine and risky look the same to a queue.
What flux7-supervisor is
A standalone agent that sits between policy (L0) and human (L2). It evaluates pending approvals using rules and an LLM, auto-resolving the routine ones so humans only see what actually needs judgment.
flux7-mesh (L0) sup7 (L1) Human (L2)
policy: human_approval ──► rules + LLM evaluate ──► only ambiguous cases
│ │
├─ approve (routine) ├─ approve/deny
├─ deny (dangerous) │
└─ escalate (unsure) ───────┘
Install and run :
It polls flux7-mesh for pending approvals, evaluates each one, and resolves. Decisions are logged to JSONL and stored in flux7-memory as queryable facts.
Three-level approval flow
| Level | Component | Speed | Judgment | Example |
|---|---|---|---|---|
| L0 | flux7-mesh policy | instant | none — static rules | allow reads, deny deletes |
| L1 | flux7-supervisor | seconds | bounded — rules + LLM | project writes → approve, unknown tool → escalate |
| L2 | Human (terminal or UI) | minutes | full | external email, ambiguous intent |
The supervisor reduces L2 load by handling the predictable cases. Over time, as decisions accumulate in flux7-memory, patterns emerge and the supervisor gets more confident.
Pluggable LLM providers
The evaluation brain is configurable. Choose based on your constraints :
| Provider | Transport | Latency | Cost | Context |
|---|---|---|---|---|
| Ollama | HTTP to local model | ~1s | free | tool name + params only |
| Anthropic | Claude Messages API | ~2s | per-token | tool name + params only |
| Claude Code | MCP callback | async | per-session | full codebase + conversation |
The Claude Code provider is the most interesting : instead of calling an API, the supervisor queues the evaluation and exposes it as an MCP tool. Claude Code — already connected to flux7-mesh — sees the pending evaluation, reviews it with full codebase context, and submits its verdict. The supervisor acts on it.
How it works
sup7
┌────────────┐
flux7-mesh │ poll loop │ flux7-memory
GET /approvals ◄─────│ │──────► store decision
?status=pending │ rules │ (decisions as facts)
│ ↓ │
POST /approvals/ │ LLM eval │
{id}/approve ◄────│ ↓ │
{id}/deny ◄────│ resolve │
└────────────┘
- Poll —
GET /approvals?status=pendingvia mesh7 SDK, deduplicated across tool scopes - Fetch context —
GET /approvals/{id}returns params, recent traces, active grants, injection risk - Evaluate rules — YAML conditions, first-match-wins, with confidence scores
- LLM fallback — if no rule matches and an LLM provider is configured, delegate evaluation
- Confidence gate — if LLM confidence is below threshold, escalate to human
- Resolve —
POST /approvals/{id}/approveor/denywith reasoning and confidence - Log — JSONL file + flux7-memory store (tagged
supervisor,decision)
Current state (May 2026)
- v0.1.0 — 3 providers, rule engine, MCP server for Claude Code callback, 49 tests
- SDKs — consumes
mesh7(AgentMesh) andmem7(Mem7) Python SDKs - Extracted from flux7-console backend, now standalone
Apache 2.0 licensed. github.com/KTCrisis/flux7-supervisor