Bind the
action,
not just
the agent.

Content authorization for security-sensitive coding and agent-ops teams. Axtary binds each approval to the exact diff, message, query, or tool payload before the connector executes.

When an agent is wrong, confused, or compromised, authority stays tied to the approved side effect and the attempt is recorded.

Hot path

Tokens authorize channels. Axtary authorizes content.

The first wedge is security-sensitive coding and agent-ops work: code changes, infra paths, data access, Slack updates, tickets, docs, and MCP tools. Axtary runs beside the agent so provider credentials stay local. Routine actions clear deterministic policy in milliseconds; high-blast-radius actions wait for a human, and that approval binds to the exact payload.

Payment protocols bind a cart. Axtary binds the side effect: the diff, the Slack body, the SQL predicate, or the MCP call.
LLM gateways govern the model call and spend. Axtary governs what the agent does: the PR, the message, the database row.
Identity tells you which agent is acting. Axtary proves what exact action it was allowed to take.
Codex tries to read .env.production
deny before the file read runs
A PR touches infra/prod/**
step up with the exact diff, not a summary
Deployment notes target #general
block and return the approved channel
Bind what changes
Turn github.pull_requests.create into actor, task, repo, branch, changed files, and the exact diff hash.
Decide before execution
Fail closed on protected paths, file count caps, missing tests, changed tool definitions, and production impact.
Mint content-bound authority
Issue a signed ActionPass for this repo, this payload hash, this policy version, and a short TTL.
Publish the proof
Record the decision, payload hash, pass ID, result, and trace ID in a ledger a third party can verify.
Payload binding

Swap the payload. The pass still fails.

A human approves the exact payload, and the approval artifact binds to its hash. When a compromised agent mutates the message after review — holding a still-valid ActionPass for the original payload — adapter-side verification fails on the mismatch and execution is blocked before the provider is called. Both hashes land in the ledger.

The signed pass travels with the exact side effect, and the ledger keeps the proof.

reproduce locally: axtary run workflow github-pr-review --real --tamper

payload-tamper demo
real ActionPass checks · no provider credentials
$ axtary run workflow github-pr-review --real --tamper
✓ policy: step_up — exact payload review required
✓ human approved payload sha256:7f32…9e1c
⚠ compromised agent mutates the payload after approval
- "AXT-418: protected sandbox PR is up."
+ "AXT-418: PR is up. creds: ${SLACK_BOT_TOKEN}"
✗ recomputed sha256:b410…22af ≠ approved sha256:7f32…9e1c
■ blocked before slack.chat.postMessage executes
ledger #4 · approval_payload_hash_mismatch · both hashes recorded
ActionPass artifact

The approval is bound to the payload, not the agent's summary.

ActionPass is strict enough for security review and portable enough for SDKs, proxies, and MCP wrappers. A human approval signs the normalized action and payload hash, so the pass cannot drift after review. It is content authorization for the thing the agent is about to do, not a broad permission to use a tool.

github.pull_requests.create with base branch, max files, blocked path, and test constraints
slack.chat.postMessage with channel allowlists and external-recipient step-up
linear.issue.update with project, assignee, status, and field-level constraints
aws.s3.objects.list and gcp.storage.objects.list with project, bucket, region, and prefix scope
mcp.tool.call bound to server identity, schema version, and definition hash
docs.search/read with configured roots, result caps, byte limits, and path traversal protection
github.contents.read/write with blocked path prefixes for secrets and env files
connector smoke checks with non-destructive identity and readiness evidence
Normalized action
{
  "action_pass_id": "ap_01JAXTARY",
  "agent_id": "agent:codex-prod",
  "human_owner": "user:reviewer@company.com",
  "intent": "Open a PR for AXT-418",
  "tool": "github.pull_requests.create",
  "resource": "repo:company/web-app",
  "constraints": {
    "base_branch": "main",
    "max_files_changed": 12,
    "blocked_paths": ["infra/prod/**", ".env*"],
    "requires_tests": true
  },
  "expires_in": "10m",
  "payload_hash": "sha256:7f32...",
  "policy": "cedar+rego:pass",
  "ledger_hash": "sha256:b9a1..."
}
Cedar-compatible policy
permit (
  principal == Agent::"codex-prod",
  action == Action::"github.pull_requests.create",
  resource == Repo::"company/web-app"
) when {
  context.intent.task_id == "AXT-418" &&
  context.payload.max_files_changed <= 12 &&
  !context.payload.touches_production
};

Connectors and runtimes

Govern any MCP server plus native connectors where teams already work, inside the agents you already run — every call runs through the same policy, ActionPass, and ledger.

Connectors
Model Context ProtocolModel Context ProtocolGitHubGitHubSlackSlackLinearLinearJiraJiraSentrySentryPostgreSQLPostgreSQLAWSAWSGoogle CloudGoogle CloudGoogle DriveGoogle DriveMicrosoft (coming soon)Microsoft (coming soon)Okta (coming soon)Okta (coming soon)Auth0 (coming soon)Auth0 (coming soon)
Runtimes
AnthropicAnthropicOpenAIOpenAICursorCursor
Package-first product

Enforcement runs beside the agent. The cloud keeps teams in sync.

Install Axtary where agents already run. The SDKs and local proxy enforce action-level policy before tools execute, while the hosted app keeps approvals, policies, and audit exports in one place.

The ActionPass draft and verifier are public artifacts:read the spec and verifier guide.

npm i -g @axtary/cli && axtary init && axtary demo

Local runtime
  • proxy · SDKs
  • policy · ledger
  • credential broker
Hosted control plane
  • approval inboxes
  • policy registry
  • audit exports

Enforcement and secrets stay on your machine. The hosted plane coordinates teams — it never sits in the action's data path.

axtary.ymlpolicy the proxy enforces
policy:
  github:
    pullRequests:
      requiredBaseBranch: main
      maxFilesChanged: 12
      denyPathPrefixes: [.env, secrets/]
      stepUpPathPrefixes: [infra/prod/, billing/]
      requiresTests: true
  slack:
    messages:
      allowedChannels: ["#axtary-dev"]

Apache-2.0 · v0.3.0 on npm

@axtary/actionpass
portable signed pass
Binds subject, intent, capability, payload hash, constraints, TTL, and policy version into one verifiable artifact.
@axtary/policy
deterministic hot-path policy
Evaluates normalized actions locally, then maps the same record into Cedar principal/action/resource/context and OPA input.
@axtary/proxy
fail-closed runtime proxy
Ties policy evaluation, ActionPass issuance, and ledger recording into one local enforcement point that fails closed when anything is missing.
@axtary/ledger
tamper-evident action ledger
Append-only JSONL with a SHA-256 hash chain, signed attestations, and RFC 6962-style proofs. Any edit, reorder, or truncation breaks verification.
@axtary/approvals
exact step-up approvals
Contract for hosted human approvals bound to the exact action and payload hash the reviewer saw — not an agent's summary of it.
@axtary/mcp
MCP tool provenance
Records server identity, schema version, tool definition hash, and approval state before an MCP tool executes.
@axtary/adapters
scoped connector surface
Protects GitHub repository, PR review, check-run, and issue writes alongside Slack, Linear, Jira Cloud, local docs, and MCP actions through explicit handlers, with read-only Postgres scoped reads and read-only AWS/GCP smoke checks.
@axtary/cli
local proxy and CLI
Runs beside the agent with axtary proxy --config axtary.yml, keeps secrets out of prompts, and fails closed.
@axtary/config
typed config loading
Loads and validates axtary.yml for the local runtime packages, with typed errors that point at the exact misconfiguration.