Playground

The Axtary playground is a credential-free browser sandbox for trying the core content-authorization paths before installing the CLI: payload-bound denies, exact approvals, runtime-hook decisions, and ledger evidence without a live provider credential.

Open it at /playground. The play.axtary.com subdomain also redirects to the same hosted playground.

Run your own command

The playground has a Run your own command box: type a shell command an agent might run — cat .env, cp .env /tmp/exfil, cat config.ts > infra/prod/out.ts, rm -rf secrets/ — and Axtary evaluates it through the same runtime-hook path as axtary hook claude-code. You get the real decision (allow / deny / step-up / no opinion), the exact reason code, and the payload and ledger hashes for every file op the command performs. A copy like cp .env /tmp/exfil is denied by its source read, not just its destination — the same enforcement the installed hook applies. Nothing is executed and no credentials are used: this is the real policy decision, not a provider side-effect.

The UI is console-first: pick a scenario, run a command, inspect the decision trail, then open the bounded payload/API evidence panels only when you need the raw artifacts.

What it runs

Each scenario is backed by the same TypeScript packages used by the SDK, proxy, policy engine, runtime hooks, and ledger helpers. The page shows the real decision, reason codes, action hash, payload hash, and generated ledger hash for the scenario run.

Current scenarios:

  • an approved payload changes before execution and is blocked by the real approval-artifact validator with the precise approval_payload_hash_mismatch reason, showing the approved and executed payload hashes side by side — the same first-class equivalence pair that ledger execution records carry and that axtary prove-equivalence / verify-export independently verify. This scenario links to the ActionPass spec and verifier because the proof is the core artifact, not a UI-only animation;
  • a Slack message to a non-allowlisted channel is denied;
  • an external-recipient message steps up, then proceeds only after an exact payload-bound approval artifact is validated;
  • a Postgres SELECT-only/RLS replay shows a scoped SELECT and a write denied before execution, with the provider backstop labeled as replay evidence;
  • an MCP tool keeps the same name but changes its definition hash and is denied;
  • a runtime hook sees a shell read even when the prompt tells the model to ignore Axtary.

Truth boundary

The playground does not connect to GitHub, Slack, Postgres, or an MCP upstream. It is intentionally credential-free. Provider-bound scenarios are labeled as deterministic replay when they use previously proven provider constraints instead of making a live provider call from the browser.

The public CLI commands shown beside the scenarios now install from the published @axtary/*@0.3.0 npm packages. The browser sandbox still remains a decision surface, not a provider-credential executor.

Use it from the terminal

The playground API is plain JSON, so every scenario and the free-form runner are also reachable with curl:

# All scenarios (the same data the page renders)
curl -s https://axtary.com/api/playground | jq '.scenarios[].id'

# Evaluate your own command through the real runtime-hook policy path
curl -s -X POST https://axtary.com/api/playground \
  -H 'content-type: application/json' \
  -d '{"command":"cp .env /tmp/exfil"}'

Each scenario page has a curl tab with the exact command, and scenario views are shareable links (/playground?s=<scenario-id>).

For live local enforcement, use the CLI quickstart and the runtime hook or MCP wrapper guide.