Bind the
action,
not just
the agent.
Content authorization for security-sensitive coding and agent-ops teams. Axtary binds each approval to the exact diff, message, query, or tool payload before the connector executes.
When an agent is wrong, confused, or compromised, authority stays tied to the approved side effect and the attempt is recorded.
Tokens authorize channels. Axtary authorizes content.
The first wedge is security-sensitive coding and agent-ops work: code changes, infra paths, data access, Slack updates, tickets, docs, and MCP tools. Axtary runs beside the agent so provider credentials stay local. Routine actions clear deterministic policy in milliseconds; high-blast-radius actions wait for a human, and that approval binds to the exact payload.
Swap the payload. The pass still fails.
A human approves the exact payload, and the approval artifact binds to its hash. When a compromised agent mutates the message after review — holding a still-valid ActionPass for the original payload — adapter-side verification fails on the mismatch and execution is blocked before the provider is called. Both hashes land in the ledger.
The signed pass travels with the exact side effect, and the ledger keeps the proof.
reproduce locally: axtary run workflow github-pr-review --real --tamper
The approval is bound to the payload, not the agent's summary.
ActionPass is strict enough for security review and portable enough for SDKs, proxies, and MCP wrappers. A human approval signs the normalized action and payload hash, so the pass cannot drift after review. It is content authorization for the thing the agent is about to do, not a broad permission to use a tool.
{
"action_pass_id": "ap_01JAXTARY",
"agent_id": "agent:codex-prod",
"human_owner": "user:reviewer@company.com",
"intent": "Open a PR for AXT-418",
"tool": "github.pull_requests.create",
"resource": "repo:company/web-app",
"constraints": {
"base_branch": "main",
"max_files_changed": 12,
"blocked_paths": ["infra/prod/**", ".env*"],
"requires_tests": true
},
"expires_in": "10m",
"payload_hash": "sha256:7f32...",
"policy": "cedar+rego:pass",
"ledger_hash": "sha256:b9a1..."
}permit (
principal == Agent::"codex-prod",
action == Action::"github.pull_requests.create",
resource == Repo::"company/web-app"
) when {
context.intent.task_id == "AXT-418" &&
context.payload.max_files_changed <= 12 &&
!context.payload.touches_production
};Connectors and runtimes
Govern any MCP server plus native connectors where teams already work, inside the agents you already run — every call runs through the same policy, ActionPass, and ledger.
Enforcement runs beside the agent. The cloud keeps teams in sync.
Install Axtary where agents already run. The SDKs and local proxy enforce action-level policy before tools execute, while the hosted app keeps approvals, policies, and audit exports in one place.
The ActionPass draft and verifier are public artifacts:read the spec and verifier guide.
npm i -g @axtary/cli && axtary init && axtary demo
- proxy · SDKs
- policy · ledger
- credential broker
- approval inboxes
- policy registry
- audit exports
Enforcement and secrets stay on your machine. The hosted plane coordinates teams — it never sits in the action's data path.
policy:
github:
pullRequests:
requiredBaseBranch: main
maxFilesChanged: 12
denyPathPrefixes: [.env, secrets/]
stepUpPathPrefixes: [infra/prod/, billing/]
requiresTests: true
slack:
messages:
allowedChannels: ["#axtary-dev"]Apache-2.0 · v0.3.0 on npm