Zero-dependency. Sub-5ms. Works anywhere JavaScript runs.
npm install @reshimu/nesherNESHER classifies agent actions by their irreversibility risk before execution. Drop it into any agentic workflow to intercept destructive operations before they become permanent mistakes.
Autonomous agents make decisions at machine speed. Most of those decisions are safe. A small fraction — deletions, sends, deploys, transfers — cannot be undone. The gap between those two categories is where alignment failures live.
NESHER provides a single, composable primitive: classify before you execute.
import { classify } from '@reshimu/nesher'
const result = classify({
action: 'delete',
target: 'user_records',
context: { count: 4200, environment: 'production' }
})
// result.level === 'CRITICAL'
// result.irreversible === true
// result.explanation === 'Bulk deletion of production records cannot be undone'
// result.escalate === trueNo network calls. No LLM dependencies. No runtime overhead.
| Level | Description | Default Behavior |
|---|---|---|
SAFE |
Read-only or fully reversible | Proceed |
CAUTION |
Writes or modifications with rollback path | Log + proceed |
CRITICAL |
Irreversible or high-blast-radius | Halt + escalate |
BLOCKED |
Explicitly prohibited action pattern | Hard block |
# npm
npm install @reshimu/nesher
# yarn
yarn add @reshimu/nesher
# pnpm
pnpm add @reshimu/nesherWorks in Node.js, Deno, browser, Cloudflare Workers, and any edge runtime.
import { classify } from '@reshimu/nesher'
const result = classify({
action: 'send_email',
target: 'all_customers',
context: { recipient_count: 12000 }
})
if (result.level === 'CRITICAL') {
console.log(result.explanation)
// 'Mass email send to 12000 recipients cannot be recalled'
// Halt. Request human confirmation.
await requestHumanApproval(result)
}import { Nesher } from '@reshimu/nesher'
const nesher = new Nesher({
onCritical: async (result) => {
await notify('ops-channel', result)
return false // block execution
},
onCaution: async (result) => {
await audit.log(result)
return true // allow with log
}
})
// Use as middleware
const safe = await nesher.intercept({
action: 'drop_table',
target: 'payments',
context: { environment: 'production' }
})
if (safe) {
await db.dropTable('payments')
}import { Nesher, IrreversibilityPattern } from '@reshimu/nesher'
const customPattern: IrreversibilityPattern = {
id: 'stripe-charge',
match: (action) => action.action === 'charge' && action.context?.live === true,
level: 'CRITICAL',
irreversible: false, // refundable, but high-stakes
explanation: 'Live Stripe charge — refund requires manual intervention'
}
const nesher = new Nesher({
patterns: [customPattern, ...defaultPatterns]
})import { Nesher } from '@reshimu/nesher'
const nesher = new Nesher({
thresholds: {
// Escalate CAUTION → CRITICAL when blast radius exceeds N
bulkOperationThreshold: 100,
// Treat production-environment actions as one level higher
elevateInProduction: true,
// Hard-block these action types regardless of context
blocklist: ['drop_database', 'delete_all', 'purge']
}
})Synchronous, zero-allocation classification. Always returns within 5ms.
ActionInput
interface ActionInput {
action: string // Verb describing the operation
target?: string // Object of the action
context?: {
environment?: string // 'production' | 'staging' | 'development'
count?: number // Affected record count
reversible?: boolean // Caller-asserted reversibility hint
[key: string]: unknown
}
}ClassificationResult
interface ClassificationResult {
level: 'SAFE' | 'CAUTION' | 'CRITICAL' | 'BLOCKED'
irreversible: boolean
escalate: boolean
confidence: number // 0–1
explanation: string
matchedPattern: string | null
durationMs: number
timestamp: string // ISO 8601
}Class-based interface for stateful use with callbacks and custom configuration.
NesherConfig
interface NesherConfig {
patterns?: IrreversibilityPattern[] // Extend or replace default patterns
thresholds?: ThresholdConfig
onSafe?: (result: ClassificationResult) => void | Promise<void>
onCaution?: (result: ClassificationResult) => boolean | Promise<boolean>
onCritical?: (result: ClassificationResult) => boolean | Promise<boolean>
onBlocked?: (result: ClassificationResult) => void | Promise<void>
auditLog?: (result: ClassificationResult) => void | Promise<void>
}Classifies the action and runs the appropriate callback. Returns true if execution should proceed, false if blocked.
Exported array of all built-in patterns. Import to extend or inspect.
import { defaultPatterns } from '@reshimu/nesher'
console.log(defaultPatterns.map(p => p.id))NESHER ships with patterns covering the most common irreversibility vectors in agent workflows:
Data Destruction
- Bulk/unconditional deletion
- Table drops, database purges
- File system removal
Communications
- Email sends (especially bulk)
- SMS / push broadcast
- Webhook firing to external systems
Financial
- Payment charges and transfers
- Subscription modifications
- Refund processing
Infrastructure
- Production deployments
- Credential rotation
- DNS / certificate changes
Access Control
- Permission elevation
- Account termination
- API key revocation
1. Reversibility is the axis that matters. Most agent errors can be corrected. A small class of actions — sends, deletes, charges, deploys — cannot. NESHER draws a hard line at that boundary.
2. Classification must be synchronous and local. Any classifier that requires a network call creates a latency tax on every agent action. NESHER runs entirely in-process. The first 99% of safe actions pass through in microseconds.
3. Calibrated thresholds, not binary blocks. An action that is CRITICAL in production may be CAUTION in staging. Blast radius matters. Context modifies risk.
4. Governance exists to enable execution, not constrain it. NESHER does not exist to slow agents down. It exists so agents can move faster — because the irreversibility boundary is clearly defined, everything outside it can proceed without hesitation.
NESHER is extracted from Atzmut Os, Reshimu.ai's multi-agent governance architecture. In the full framework, NESHER operates as one of four integrity validators — called Chayyot — each covering a distinct dimension of runtime governance:
| Validator | Domain | Description |
|---|---|---|
| ARYEH | Scope | Boundary enforcement — keeps agents within sanctioned authority |
| SHOR | Grounding | Anti-hallucination — verifies world-state claims before action |
| NESHER | Irreversibility | Pre-flight classification of action permanence |
| PANIM ADAM | Discernment | Gray-zone escalation — handles edge cases requiring human judgment |
NESHER is published as a standalone library because irreversibility classification is a universal need, independent of the rest of the governance stack.
| Operation | p50 | p99 |
|---|---|---|
classify() — simple action |
0.08ms | 0.3ms |
classify() — complex context |
0.4ms | 1.2ms |
Nesher.intercept() — no async callback |
0.1ms | 0.5ms |
| Cold start (Node.js) | 1.8ms | 3.4ms |
Benchmarks run on Node.js 20, Apple M3. Zero external dependencies means no variability from network or I/O.
NESHER is written in TypeScript and ships with full type declarations. No @types package needed.
import type {
ActionInput,
ClassificationResult,
IrreversibilityPattern,
NesherConfig,
RiskLevel
} from '@reshimu/nesher'MIT © Reshimu.ai
Reshimu.ai builds runtime governance infrastructure for autonomous AI systems. The company's name references the Kabbalistic concept of the reshimu — the impression that remains after withdrawal — the founding principle that every agent output must remain traceable to original human intention.