What changed
Two capability shifts converged: (1) OpenAI released gpt-oss-safeguard, a permissively licensed self-hostable safety classifier (FACT, ollama.com source), removing per-call moderation-API cost as a barrier; (2) ChatGPT now runs multi-hour, multi-app autonomous tasks returning finished deliverables (FACT, openai.com source), meaning agents increasingly act unsupervised across real systems.
Why now
Long-running deliverable-agents move the oversight problem from 'niche AI-safety concern' to 'operational necessity' β an HN user explicitly asks for frameworks/tools to regain control over agents (FACT, HN source). The building blocks (open safety classifier, tool-call interception patterns like MCP proxies) only became solo-assemblable in the last few months (INFERENCE).
Converging signals
Self-hosted commercial-use safety classification (gpt-oss-safeguard) + mainstream multi-hour autonomous agents (ChatGPT ambitious-work release) + expressed practitioner pain about loss of control with no satisfying incumbent (HN complaint).
Customer pain
Teams delegating real work to agents cannot see, gate, or reconstruct what the agent did; one concrete complaint captured (HN #48846739). Breadth and payment-intent of this pain are UNPROVEN β demand_evidence array is empty.
Who pays
HYPOTHESIS: small-to-mid dev teams and solo operators running agents against production systems (email, CRMs, repos, payments), and secondarily teams needing audit evidence for SOC2/client contracts. No hiring/spend or forced-buyer evidence was provided, so willingness-to-pay is asserted, not shown.
Solved today
Ad-hoc: platform-native permission prompts (Claude Code permission modes, ChatGPT confirmations), framework-level callbacks (LangChain/LangSmith), observability SaaS (Langfuse), human-in-the-loop APIs (HumanLayer), or simply not delegating risky actions (INFERENCE from market knowledge, not from provided sources).
Why current solutions are bad
Each agent platform has its own partial, non-portable guardrails; nothing vendor-neutral sits at the tool boundary with policy classification + approval + replay in one self-hostable unit. Audit logs from vendors are not designed as compliance evidence (HYPOTHESIS).
Proposed product
Self-hostable MCP/HTTP proxy: agents' tool calls pass through it; gpt-oss-safeguard classifies each action against user-written policy; irreversible/high-risk actions block pending Slack/web approval; everything is recorded to a tamper-evident, replayable audit log exportable as compliance evidence. Open-core: proxy free, paid tier for team approvals, retention, and audit exports.
MVP version
MCP-compatible proxy + YAML policy file + gpt-oss-safeguard via Ollama + Slack approval webhook + append-only SQLite/Postgres audit log with a replay viewer. 4-6 weeks solo with AI-assisted development.
30-day build
Build proxy + classifier + approval flow; dogfood on own Claude Code/agent workloads; publish repo and a 'watch an agent get caught trying something irreversible' demo video; post to HN/r/LocalLLaMA (note: Reddit ingestion here is blocked, but posting is manual).
60-day build
Interview the users the open-source release attracts; identify which segment asks for audit exports vs approval routing; ship hosted/team tier with pricing; land 3-5 design partners at founder pricing.
90-day revenue plan
Convert design partners to $49-$199/mo team plans; target $500-2k MRR by day 120-180. This is a ramp play, acceptable per founder's capital position, but ONLY if 30-60d demand interviews confirm payment intent β otherwise stop.
Distribution path
Open-source launch (HN, GitHub, MCP ecosystem lists) + demo-driven content; matches founder's demonstrated-value-not-relationship-sales style. No paid acquisition needed.
Pricing hypothesis
Free self-hosted core; $49/mo solo-team hosted; $199/mo team tier (approval routing, retention, audit export). Per-seat or per-agent later.
Technical difficulty
Moderate. Proxying MCP/tool calls, running a local classifier, and building an approval UI are all within a strong solo AI-assisted builder's range. Hard part is policy ergonomics, not plumbing.
Legal / regulatory risk
Low. Self-hosted, no regulated data handled by the vendor. gpt-oss-safeguard license is permissive per the source (FACT for licensing claim as reported; verify exact license text before shipping).
Platform dependency
Medium: rides the MCP/agent-tooling ecosystem; if OpenAI/Anthropic ship robust native approval+audit (both are visibly moving this direction), the standalone wedge shrinks to multi-vendor/compliance use cases.
Founder fit
Moderate (5-6/10). Fits his AI-workflow, systems-thinking, micro-SaaS, fast-prototyping profile and his demonstrated-value sales motion. But it is NOT his proven government-mandate/forced-buyer shape (lesson, conf 0.80, applied): no regulation compels anyone to buy this today, and the buyer is developers β a crowded, taste-driven market where he has less credibility than in ops/compliance niches.
Breakout potential
If agent-action auditability becomes a compliance requirement (e.g., insurers, SOC2 auditors, or the EU AI Act asking for agent action logs), the audit-log side becomes a forced-buyer product β that would flip this to a 9. Today that is a HYPOTHESIS with no citation in the provided evidence.
Final recommendation
HOLD / VALIDATE-FIRST. Do not build the general gateway now. The convergence is real and the founder could build it, but with an empty demand_evidence array and a crowded, platform-threatened field, the sellability case rests entirely on hypothesis. Spend β€2 weeks on demand validation targeting the sharpest wedge β compliance-grade, exportable audit logs of agent actions (closest analog to his proven 'someone must produce records for an authority' edge). If β₯5 teams say they'd pay for agent-action audit evidence, build the audit-log wedge, not the full proxy. Revisit automatically if a mandate-shaped signal (AI Act enforcement, SOC2 guidance, insurer requirement) appears.
Next action
Run 10-15 validation conversations (HN thread respondents, MCP/agent Discord/Slack communities, 2-3 fractional-CISO contacts): ask specifically 'what would you pay for an exportable audit trail of every action your agents took?' and log verbatim answers as demand_evidence for re-scoring.