Six-Level Ladder
M99 operates a graduated response protocol. Each level increases the severity and permanence of intervention. You escalate only as far as the threat requires. Levels 1–3 are reversible. Levels 4–6 are irreversible — by design.
| Level | Name | Reversible | Edition |
|---|---|---|---|
| L1 | Credential Revocation | Yes | Community |
| L2 | SaaS Disconnection | Yes | Community |
| L3 | Tool Call Freeze | Yes | Community |
| L4 | Agent Restriction | No | Pro |
| L5 | Targeted Termination | No | Pro |
| L6 | Full Fleet Kill | No | Pro |
Community Edition — Levels 1–3
Revoke the agent's API keys, OAuth tokens, and service credentials. The agent can no longer authenticate with external systems.
Marks all credentials associated with the targeted agent as revoked in the audit store. SHA-256 hashes are logged — credential originals are never persisted. Revocation is immediate and written to the tamper-evident audit chain.
Suspicious behaviour detected. Anomalous API calls. Unexpected outbound connections. You want to cut access without stopping the agent entirely.
m99 arm --by admin@example.com --reason "Anomalous API calls detected" m99 execute --auth <id> --force # Level 1 fires: credentials revoked
Sever the agent's connections to external services and APIs. Block outbound network access. Prevent agent-to-agent communication channels.
Terminates active external connections, blocks new outbound requests, and severs communication with peer agents. The agent can no longer reach external services regardless of what credentials it holds.
Threat confirmed. The agent is actively communicating with external systems in an unexpected pattern. You need to stop data leaving the system before investigating.
Halt all tool execution immediately. Freeze active sessions. Block new tool registrations. The agent remains alive but cannot take any further actions.
Sets the agent's status to terminated in the registry, blocks all new tool calls from being executed, and freezes any sessions currently in progress. The agent process itself continues running but M99's SDK raises M99KillSwitchTriggered on every check_status() call.
You need to stop agent actions immediately but preserve state for investigation. You want to inspect what the agent was doing before deciding on further escalation.
try:
while True:
client.check_status() # Raises immediately after L3 fires
do_work()
except M99KillSwitchTriggered as e:
# Agent catches this and shuts down gracefully
save_state()
shutdown()
Pro Edition — Levels 4–6
Read-only lockdown. The agent can observe but cannot write, execute, or communicate. Operator authorisation required before M99 will execute this level.
Kill a specific agent process using the full 5-phase anti-replication kill sequence across 7 infrastructure layers. Post-kill verification monitors for survivors for 5 minutes. Two-phase confirmation required.
Emergency shutdown of every agent in the fleet. Every process. Every container. Every cloud function. Typed confirmation plus fleet emergency authority required. The nuclear option.
Authorisation Model
All levels use two-phase ARM/EXECUTE authorisation. You ARM the kill switch, receive an authorization_id, then EXECUTE within a 5-minute window. The window prevents automation errors from triggering irreversible actions.
POST /api/arm → { "id": "...", "status": "armed", "expires_at": "..." }
# 5-minute window starts
POST /api/execute → { "success": true, "agents_terminated": 2, ... }
# Levels fire in sequence: 1 → 2 → 3
POST /api/disarm before executing.Dead Man's Switch
If your oversight system stops responding, M99 fires automatically. Agents send signed heartbeats every 30 seconds. Three consecutive missed heartbeats (90 seconds of silence) triggers the kill switch. Evidence is captured before the trigger fires.
This satisfies the EU AI Act Article 14 requirement for automatic interruptibility when human oversight is unavailable.