Agent actions. Authorized first.

Axtary gives every high-impact tool call a scoped ActionPass before an agent reaches GitHub, Slack, MCP, or production APIs.

Hot path

Agents should not inherit the blast radius of your API keys.

The first wedge is coding-agent work across GitHub, Slack, Linear, docs, and MCP tools. Axtary runs beside the agent, checks the exact action payload, and only releases authority when policy allows it.

Normalize: Convert github.pull_requests.create into a typed action with actor, intent, resource, and payload hash.
Evaluate: Run fail-closed rules against branch, changed files, blocked paths, and production-impact flags.
Issue: Mint a signed pass scoped to repo:company/web-app, base_branch: main, and expires_in: 10m.
Record: Append the decision, policy version, payload hash, and pass ID to the local JSONL ledger.

ActionPass artifact

Not another agent framework. A permission artifact for the hot path.

ActionPass is portable enough for SDKs and proxies, strict enough for security review, and exact enough for human approvals that show the payload, not an agent-written summary.

github.pull_requests.create with base branch, max files, blocked path, and test constraints
slack.chat.postMessage with channel allowlists and external-recipient step-up
linear.issue.update with project, assignee, status, and field-level constraints
mcp.tool.call bound to server identity, schema version, and definition hash
docs.search/query with workspace, document class, and row/result limits
paid API calls with reservation IDs, spend caps, and commit/rollback status

Normalized action

```json
{
  "action_pass_id": "ap_01JAXTARY",
  "agent_id": "agent:codex-prod",
  "human_owner": "user:asrar@company.com",
  "intent": "Open a PR for AXT-418",
  "tool": "github.pull_requests.create",
  "resource": "repo:company/web-app",
  "constraints": {
    "base_branch": "main",
    "max_files_changed": 12,
    "blocked_paths": ["infra/prod/**", ".env*"],
    "requires_tests": true
  },
  "expires_in": "10m",
  "payload_hash": "sha256:7f32...",
  "policy": "cedar+rego:pass",
  "ledger_hash": "sha256:b9a1..."
}
```

Cedar-compatible policy

```cedar
permit (
  principal == Agent::"codex-prod",
  action == Action::"github.pull_requests.create",
  resource == Repo::"company/web-app"
) when {
  context.intent.task_id == "AXT-418" &&
  context.payload.max_files_changed <= 12 &&
  !context.payload.touches_production
};
```
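
An added example, not Axtary's code: the Evaluate and Issue steps applied to the constraints from the normalized action above, with the pass bound to the exact payload hash and re-checked at the enforcement point. The payload field names (`base`, `files`, `tests_passed`), the glob semantics, and the HMAC key standing in for the real signing scheme are assumptions.

```python
import fnmatch, hashlib, hmac, json, posixpath

DEMO_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the real signing scheme
CONSTRAINTS = {"base_branch": "main", "max_files_changed": 12,  # values from the page's JSON
               "blocked_paths": ["infra/prod/**", ".env*"], "requires_tests": True}

def payload_hash(payload):
    # Canonical JSON so the same action always hashes to the same value.
    blob = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def _mac(body):
    return hmac.new(DEMO_KEY, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def evaluate(payload, c=CONSTRAINTS):
    """Return denial reasons; an empty list means allow. Malformed input denies."""
    try:
        reasons = []
        if payload["base"] != c["base_branch"]:
            reasons.append("base_branch")
        if len(payload["files"]) > c["max_files_changed"]:
            reasons.append("max_files_changed")
        for raw in payload["files"]:
            path = posixpath.normpath(raw)  # collapse ./ and ../ before matching
            if any(fnmatch.fnmatchcase(path, g) or fnmatch.fnmatchcase(posixpath.basename(path), g)
                   for g in c["blocked_paths"]):
                reasons.append("blocked_path:" + path)
        if c["requires_tests"] and payload["tests_passed"] is not True:
            reasons.append("requires_tests")
        return reasons
    except (KeyError, TypeError) as exc:
        return ["malformed:" + type(exc).__name__]  # fail closed on missing or odd fields

def issue(payload, now, ttl=600):
    """Mint a pass bound to this exact payload, or return None plus the reasons."""
    reasons = evaluate(payload)
    if reasons:
        return None, reasons
    body = {"tool": "github.pull_requests.create", "resource": "repo:company/web-app",
            "payload_hash": payload_hash(payload), "exp": now + ttl}
    return {**body, "sig": _mac(body)}, []

def verify(action_pass, payload, now):
    """Enforcement point: signature, expiry and payload binding must all hold."""
    try:
        body = {k: v for k, v in action_pass.items() if k != "sig"}
        return (hmac.compare_digest(_mac(body), action_pass["sig"])
                and now < body["exp"] and body["payload_hash"] == payload_hash(payload))
    except (KeyError, TypeError, AttributeError):
        return False
```

A pass minted for one payload does not verify for a payload that later gains a file, which is the property that lets an approver trust the payload they were shown.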
Package-first product

The product lives in the runtime. The web app coordinates it.

Install Axtary where agents already run. The SDKs and local proxy enforce action-level policy before tools execute, while the hosted app keeps approvals, policies, and audit exports in one place.

@axtary/actionpass
pass schema, signing, verification
Signs subject, intent, capability, payload hash, constraints, TTL, and policy version into a portable pass.

@axtary/policy
native rules, Cedar input, OPA input
Maps a normalized action into Cedar principal/action/resource/context and OPA input without changing app code.

axtary
local proxy and CLI
Runs `axtary proxy --config axtary.yml`, keeps secrets outside model context, and writes a local JSONL ledger.

@axtary/adapter-github
first protected tool surface
Protects PR creation, branch writes, blocked paths, required tests, file counts, and production-impact diffs.

@axtary/mcp
MCP wrapper
Binds every MCP tool call to server identity, schema version, tool definition hash, and approved payload shape.

Axtary Cloud
approvals and audit
Coordinates policy registry, approval inboxes, audit exports, docs, and customer onboarding.