execution authorization protocol

Control what your AI agents do before they do it.

Deterministic execution authorization for AI agents.

No authorization → no execution.

▶ Run the demo View GitHub Read the protocol →
30-second explanation

Agent proposes. Policy decides. Execution follows—or doesn't.

The decision and the execution are separate. That separation is the guarantee.

01
Agent proposes action
Agent produces an intent:
action type, target, amount,
agent ID, nonce, metadata hash.
02
PolicyEngine evaluates
(intent, state, policy)
→ deterministic evaluation.
Same inputs → same output, always.
03a
ALLOW
Signed authorization artifact
issued and bound to intent + state.
Verifier checks trustedKeySets.
03b
DENY
Blocked before execution.
No side effect occurs.
No artifact issued.
architecture

Decision and execution are separated.

The PolicyEngine (PDP) decides. The Guard (PEP) enforces. The Verifier checks trust. Execution is impossible without authorization.

Agent Runtime
proposes action (name, args, context)
proposed action
Guard — Policy Enforcement Point
intercepts, normalizes to Intent, calls PolicyEngine
(intent, state, policy)
PolicyEngine — Policy Decision Point
evaluates deterministically → ALLOW | DENY
ALLOW
Authorization Artifact
signed · bound to intent + state · short TTL
Verifier
trustedKeySets · strict mode
verified
Executor / Tool
executes — side effect occurs here
DENY
BLOCKED
no artifact · no execution
A valid signature is not trust. Trust is explicitly configured by the verifier via trustedKeySets. In strict mode, missing trust configuration fails closed.
why this exists

Prompts and monitors are not enforcement.

Agents can call APIs, provision infrastructure, move money. You need a boundary that holds before any side effect occurs.

Prompt guardrails
Shape behavior. Don't enforce execution.
Guardrails influence what an agent is likely to do. They are probabilistic. They can be bypassed, jailbroken, or drift with model versions. They do not prevent execution.
Monitoring / logging
Tells you what happened. After the fact.
Observability is essential. It is not a control plane. By the time you see the log, the API was called, the transaction was sent, the resource was provisioned.
OxDeAI
Fail-closed boundary. Before side effects.
Every action requires a valid, signed, policy-bound authorization artifact before execution is permitted. No authorization → no execution. Deterministic. Verifiable. Portable across runtimes.
technical properties

What the implementation actually guarantees.

Properties derived directly from the protocol spec and conformance tests.

Deterministic decisions
Same (intent, state, policy) inputs produce identical outputs across runtimes, restarts, and replicas. Policy-critical logic has no ambient randomness or shared mutable state.
Replay protection
Nonce window tracking per agent. Authorization IDs are single-use. The same intent evaluated twice with changed state → DENY on the second call. TOCTOU tests are part of the conformance suite.
Explicit trust model
trustedKeySets must be configured by the verifier. In strict mode, missing key sets → TRUSTED_KEYSETS_REQUIRED. A valid signature from an unknown issuer still fails closed.
Local, portable verification
Authorization artifacts are self-contained. Verification requires no network calls, no central authority, no runtime dependency on the issuer. Any conformant implementation can verify any artifact.
Signed audit trail
Hash-chained audit log built into the engine. Decisions are serialized to a verifiable envelope (verifyEnvelope) with state snapshots and event sequences.
Cross-language conformance
Frozen conformance vectors validated by Go and Python harnesses. CI enforces that all adapters (LangGraph, CrewAI, AutoGen, OpenAI, OpenClaw) produce identical results from identical inputs.
demo

Execution boundary in action.

An agent proposes the same action twice. Executed exactly once. Replay is blocked at the boundary before any side effect.

execution-boundary-demo — oxdeai
OxDeAI terminal demo: agent proposes action twice, executed once, replay blocked
ALLOW → authorization artifact issued → execution proceeds.  |  ALLOW → second call succeeds on first evaluation.  |  DENY → replay attempt blocked before execution.
verifyEnvelope() → ok — audit trail verified offline after the run.
$ git clone https://github.com/AngeYobo/oxdeai.git
$ cd oxdeai && pnpm install && pnpm build
$ pnpm -C examples/execution-boundary-demo start
View example →
integration

The guard wraps every action.

One function intercepts all proposed actions. Execution only proceeds if the policy allows it.

TypeScript
import { PolicyEngine } from "@oxdeai/core";
import { OxDeAIGuard, OxDeAIDenyError } from "@oxdeai/guard";

// 1. Initialize the policy engine
const engine = new PolicyEngine({
  policy_version: "v1.0.0",
  engine_secret:  process.env.OXDEAI_ENGINE_SECRET,
  authorization_ttl_seconds: 60,
  policyId:       "policy-production-v1",
});

// 2. Create a guard — the Policy Enforcement Point
const guard = OxDeAIGuard({
  engine,
  getState: () => getAgentState(),
  setState: (s) => setAgentState(s),
  trustedKeySets: [myKeySet],   // trust is explicit, not implicit
  onDecision: (record) => auditLog(record),
});

// 3. Every action goes through the guard
try {
  await guard(
    {
      name:    "charge_wallet",
      args:    { amount: 100, currency: "usd" },
      context: { agent_id: "agent-001" },
    },
    async () => chargeWallet(100)   // only runs if ALLOW
  );
} catch (err) {
  if (err instanceof OxDeAIDenyError) {
    // DENY — execution did not occur
  }
}
import { verifyAuthorization, createVerifier } from "@oxdeai/core";

// Inline: strict mode requires trustedKeySets
const result = verifyAuthorization(artifact, {
  mode:           "strict",
  trustedKeySets: [myKeySet],
  expectedPolicyId: "policy-production-v1",
});
// A valid signature from an unknown issuer → still fails closed
// Missing trustedKeySets in strict mode → TRUSTED_KEYSETS_REQUIRED

// Bound verifier: pre-configure trust once, reuse everywhere
const verifier = createVerifier({
  trustedKeySets: [myKeySet],     // required, non-empty
  expectedIssuer: "oxdeai-pdp",
});

// Verify envelope produced by the engine after a run
const envelopeResult = verifyEnvelope(envelopeBytes, {
  mode:             "strict",
  trustedKeySets:   [myKeySet],
  expectedPolicyId: "policy-production-v1",
});

if (envelopeResult.status === "ok") {
  // audit trail is intact and cryptographically verified
}
import { createDelegation, verifyDelegationChain } from "@oxdeai/core";

// Parent agent delegates narrowed authority to a child agent
const delegation = createDelegation(parentAuth, {
  delegatee: "child-agent-002",
  scope: {
    tools:      ["provision_gpu"],
    max_amount: 300n,     // strictly narrowed from parent
  },
  expiry:     parentAuth.expiry,   // cannot exceed parent
  kid:        "key-001",
  privateKey: signingKey,
});

// Child verifies full chain before execution
const chainResult = verifyDelegationChain(delegation, parentAuth, {
  now:                          Math.floor(Date.now() / 1000),
  trustedKeySets:              [myKeySet],
  requireSignatureVerification: true,
  consumedDelegationIds:        usedIds,  // replay prevention
});

if (chainResult.ok) {
  // execute within delegated scope
}
npm install @oxdeai/guard @oxdeai/core Read the docs →
trust model

A valid signature is not trust.

OxDeAI enforces the execution boundary. Who is trusted is defined outside the protocol, by the verifier.

Concept Controlled by Notes
Issuer Any system Policy engine, delegation service, or any custom authority can sign artifacts.
Trusted keys The verifier — trustedKeySets Explicitly configured by the relying party. Not inferred from the artifact itself.
Signature validity Cryptographic Proves the artifact was not tampered with. Does not confer trust to the issuer.
Execution gate OxDeAI Enforced after trust is established. Fail-closed by design in strict mode.
Strict mode without keys Fails closed TRUSTED_KEYSETS_REQUIRED — no implicit trust, ever.
Correct — explicit trust
verifyAuthorization(auth, { mode: "strict", trustedKeySets: [myKeySet], }); // ok only if signature is valid // AND issuer is in trustedKeySets
Wrong — no trust configured
verifyAuthorization(auth, { mode: "strict", // missing trustedKeySets }); // → invalid (TRUSTED_KEYSETS_REQUIRED)
adapters

Works with the frameworks you already use.

All adapters delegate to @oxdeai/guard. Identical inputs produce identical authorization decisions across all of them.

LangGraph
@oxdeai/langgraph
Node execution gating in LangGraph agent graphs.
available
CrewAI
@oxdeai/crewai
Task-level authorization for CrewAI crews.
available
AutoGen
@oxdeai/autogen
Function call management for Microsoft AutoGen.
available
OpenAI Agents
@oxdeai/openai-agents
Tool-call interception for OpenAI Agents SDK.
available
OpenClaw
@oxdeai/openclaw
Guard integration for OpenClaw agent runtimes.
available

Cross-adapter conformance validated in CI: same intent + state + policy → same decision across all adapters.