OxDeAI — Control What AI Agents Can Execute

why this exists

Prompts and monitors are not enforcement.

Agents can call APIs, provision infrastructure, move money. You need a boundary that holds before any side effect occurs.

Prompt guardrails

Shape behavior. Don't enforce execution.

Guardrails influence what an agent is likely to do. They are probabilistic. They can be bypassed, jailbroken, or drift with model versions. They do not prevent execution.

Monitoring / logging

Tells you what happened. After the fact.

Observability is essential. It is not a control plane. By the time you see the log, the API was called, the transaction was sent, the resource was provisioned.

OxDeAI

Fail-closed boundary. Before side effects.

Every action requires a valid, signed, policy-bound authorization artifact before execution is permitted. No authorization → no execution. Deterministic. Verifiable. Portable across runtimes.

demo

The boundary holds in every case.

Four outcomes. No path to execution without a valid authorization artifact.

ALLOW Policy passes. Signed artifact issued. Execution proceeds.

DENY Policy blocks. No artifact issued. No execution. No side effect.

REPLAY auth_id already consumed. Execution blocked. Fail-closed.

BYPASS Direct upstream call without authorization → 403 rejected.

non-bypassable-demo · oxdeai

OxDeAI non-bypassable terminal demo: direct call returns 403, gateway path enforces ALLOW, DENY, and REPLAY

No valid authorization → no execution path.

$ export UPSTREAM_EXECUTOR_TOKEN=demo-internal-token

$ node examples/non-bypassable-demo/protected-upstream.mjs

$ node examples/non-bypassable-demo/pep-gateway.mjs

$ node examples/non-bypassable-demo/agent.mjs

View demo source →

how it works

Decision and execution are separated.

The Policy Decision Point (PDP) decides. The Policy Enforcement Point (PEP) enforces. The Verifier checks trust. Execution is impossible without authorization.

Agent proposes action

Agent produces a proposed action:
name, args, estimated cost,
agent ID, target, metadata.

PEP normalizes → PDP evaluates

Guard normalizes to Intent.
(intent, state, policy) →
deterministic evaluation.

03a

ALLOW

Signed AuthorizationV1 artifact issued.
Verifier checks trustedKeySets.
auth_id consumed (replay-safe).

03b

DENY

Blocked before execution.
No side effect occurs.
No artifact issued.

A valid signature is not trust. trustedKeySets must be configured explicitly by the verifier. In strict mode, missing key sets → TRUSTED_KEYSETS_REQUIRED. A valid signature from an unknown issuer still fails closed.

technical guarantees

What the implementation actually guarantees.

Properties derived directly from the protocol spec and conformance tests.

✓

Deterministic decisions

Same (intent, state, policy) inputs produce identical outputs across runtimes, restarts, and replicas. Policy-critical logic has no ambient randomness or shared mutable state.

✓

Replay protection

Authorization IDs are single-use via a pluggable ReplayStore. Nonce window tracking per agent. Durable backends (Redis, Postgres) drop in without changing the guard API. TOCTOU tests are part of the conformance suite.

✓

Explicit trust model

trustedKeySets must be configured by the verifier. In strict mode, missing key sets → TRUSTED_KEYSETS_REQUIRED. A valid signature from an unknown issuer still fails closed.

✓

Local, portable verification

Authorization artifacts are self-contained. Verification requires no network calls, no central authority, no runtime dependency on the issuer. Any conformant implementation can verify any artifact.

✓

Signed audit trail

Hash-chained audit log built into the engine. Decisions are serialized to a verification envelope (VerificationEnvelopeV1 draft) with state snapshots and event sequences.

✓

Cross-language conformance

Frozen conformance vectors validated by Go and Python harnesses. CI enforces that all adapters (LangGraph, CrewAI, AutoGen, OpenAI, OpenClaw) produce identical results from identical inputs.

integration

The guard wraps every action.

One function intercepts all proposed actions. Execution only proceeds if the policy allows it.

              
              
              
            
TypeScript

            import { PolicyEngine } from "@oxdeai/core";
import { OxDeAIGuard, OxDeAIDenyError } from "@oxdeai/guard";

// 1. Initialize the Policy Decision Point (PDP)
const engine = new PolicyEngine({
  policy_version:             "v1.0.0",
  engine_secret:              process.env.OXDEAI_ENGINE_SECRET,
  authorization_ttl_seconds:  60,
  authorization_signing_alg:  "Ed25519",
  authorization_signing_kid:  "k1",
});

// 2. Create the Policy Enforcement Point (PEP)
const guard = OxDeAIGuard({
  engine,
  getState:      () => getAgentState(),
  setState:      (s) => setAgentState(s),
  trustedKeySets: [myKeySet],   // trust is explicit, never implicit
  onDecision:    (record) => auditLog(record),
});

// 3. Every action goes through the guard
try {
  await guard(
    {
      name:    "charge_wallet",
      args:    { amount: 100, currency: "usd" },
      context: { agent_id: "agent-001" },
    },
    async () => chargeWallet(100)   // only runs if ALLOW
  );
} catch (err) {
  if (err instanceof OxDeAIDenyError) {
    // DENY — execution did not occur
  }
}
          

            import { verifyAuthorization, createVerifier } from "@oxdeai/core";

// Inline: strict mode requires trustedKeySets
const result = verifyAuthorization(artifact, {
  mode:             "strict",
  trustedKeySets:   [myKeySet],
  expectedPolicyId: "policy-production-v1",
});
// A valid signature from an unknown issuer → still fails closed
// Missing trustedKeySets in strict mode → TRUSTED_KEYSETS_REQUIRED

// Bound verifier: pre-configure trust once, reuse everywhere
const verifier = createVerifier({
  trustedKeySets: [myKeySet],     // required, non-empty
  expectedIssuer: "oxdeai-pdp",
});

// Verify envelope produced by the engine after a run
const envelopeResult = verifyEnvelope(envelopeBytes, {
  mode:             "strict",
  trustedKeySets:   [myKeySet],
  expectedPolicyId: "policy-production-v1",
});

if (envelopeResult.status === "ok") {
  // audit trail is intact and cryptographically verified
}
          

            import { createDelegation } from "@oxdeai/core";
import { OxDeAIGuard } from "@oxdeai/guard";

// Parent agent narrows authority to a child agent
const delegation = createDelegation(parentAuth, {
  delegatee: "child-agent-002",
  scope: {
    tools:      ["provision_gpu"],
    max_amount: 300n,     // strictly narrowed from parent
  },
  expiry:     parentAuth.expiry,   // cannot exceed parent
  kid:        "key-001",
  privateKey: signingKey,
});

// Child guard verifies chain + scope before execution
await guard(
  action,
  async () => provisionGpu(),
  {
    delegation: { delegation, parentAuth },
    // Replay prevention via pluggable ReplayStore
    // (default: in-memory; swap for Redis/Postgres)
  }
);
// delegation_id consumed atomically — replay → OxDeAIAuthorizationError
          

npm install @oxdeai/guard @oxdeai/core Read the docs →

adapters

Works with the frameworks you already use.

All adapters delegate to @oxdeai/guard. Identical inputs produce identical authorization decisions across all of them.

LangGraph

@oxdeai/langgraph

Node execution gating in LangGraph agent graphs.

available

CrewAI

@oxdeai/crewai

Task-level authorization for CrewAI crews.

available

AutoGen

@oxdeai/autogen

Function call management for Microsoft AutoGen.

available

OpenAI Agents

@oxdeai/openai-agents

Tool-call interception for OpenAI Agents SDK.

available

OpenClaw

@oxdeai/openclaw

Guard integration for OpenClaw agent runtimes.

available

Cross-adapter conformance validated in CI: same intent + state + policy → same decision across all adapters.

Control what AI agents can execute.

Prompts and monitors are not enforcement.

The boundary holds in every case.

Decision and execution are separated.

What the implementation actually guarantees.

The guard wraps every action.

Works with the frameworks you already use.

Production-safe agents start here.