Agent action gateway
AutonomyNeedsAccountability.
MandateSeal checks agent actions against explicit rules before execution and records the result as a signed receipt your team can verify later.
10
policy rules
3
decision states
Ed25519
signed receipts
POLICY CHECKlive preflight
APPROVEDPOST /api/check42ms
agentAtlas-01
actionpaid_api_call
toolweb_search
targetapi.openai.com
cost$0.02
matched ruleallowed_tools
reasontool allowed, cost under limit
receipt rct_4d593e95eabbe1e06b8c
policyHash 8b7d4f91a22c90e5c31a0f6e42bd98a2
receiptHash 42f9c71bd0a35e7c1e8ad9910e67f3ab
mandate mnd_prod_01stored
01
Request
agent_atlas_01 wants to call web_search
02
Decision
tool allowed, cost below max action limit
03
Receipt
rct_4d59... sealed and stored
// 01
Policy checks before actions
Set tool, domain, action, and cost limits for each agent. Requests are checked before the agent is allowed to continue.
// 02
Receipts for every decision
Each check creates a signed receipt with the agent, mandate, action, reason, policy hash, and receipt hash.
// 03
A log your team can inspect
Search approvals, blocked attempts, spend, and receipt history when you need to answer what an agent tried to do.
THE FLOW
APPROVE BEFORE. PROVE AFTER.
agent wants to act
-> POST /api/check (Bearer <agent_api_key>)
<- MandateSeal returns APPROVED | BLOCKED | NEEDS_APPROVAL
-> if APPROVED, agent runs the action
<- MandateSeal emits a signed receipt
-> anyone can call /api/verify to confirm it later