Thanks for taking a look.
A big part of the motivation here was the idea that governance should sit in the execution path, not outside of it.
In this prototype, agents don’t execute actions directly against files, APIs, or shells. They have to go through an authorization step first, receive a capability token, and then execute through a controlled airlock.
The current prototype includes mission budgets, single-use tokens, controlled execution, runtime activity visibility, and termination with a tomb registry on violation.
I’m especially interested in feedback on whether this infrastructure-style approach makes sense for agent systems, or whether people think this problem should be handled some other way.
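
The flow described in the comment above (authorize, receive a single-use capability token, execute through the airlock, terminate and record on violation) as an added Python example; it is not the prototype's own code. The `Governor` class, its method names, the HMAC token format and the action-count budget are all assumptions, and agent identity is assumed to be authenticated before these calls.

```python
import hashlib
import hmac
import secrets


class Violation(Exception):
    """Raised when an agent breaks policy and is terminated."""


class Governor:
    """Hypothetical authorization step plus airlock sharing one key and state."""

    def __init__(self, budgets):
        self._key = secrets.token_bytes(32)  # signing key never leaves the governor
        self.budgets = dict(budgets)         # agent -> actions left in the mission
        self.pending = {}                    # nonce -> (agent, action, target)
        self.tombs = {}                      # terminated agent -> reason
        self.activity = []                   # runtime activity log

    def _mac(self, nonce, agent, action, target):
        msg = "\x00".join((nonce, agent, action, target)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def _kill(self, agent, reason):
        self.tombs[agent] = reason
        self.activity.append((agent, "TERMINATED", reason))
        raise Violation(f"{agent}: {reason}")

    def authorize(self, agent, action, target):
        if agent in self.tombs:
            raise Violation(f"{agent}: already terminated")
        if self.budgets.get(agent, 0) <= 0:
            self._kill(agent, "mission budget exhausted")
        self.budgets[agent] -= 1
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (agent, action, target)
        return f"{nonce}.{self._mac(nonce, agent, action, target)}"

    def execute(self, token, agent, action, target, handler):
        if agent in self.tombs:
            raise Violation(f"{agent}: already terminated")
        nonce, _, tag = token.partition(".")
        expected = self._mac(nonce, agent, action, target).encode()
        good = hmac.compare_digest(tag.encode(), expected)
        # pop() consumes the nonce, so a replayed token finds nothing pending
        if not good or self.pending.pop(nonce, None) != (agent, action, target):
            self._kill(agent, "invalid, replayed, or mismatched token")
        self.activity.append((agent, action, target))
        return handler(target)  # the only path that touches the resource
```

The token is bound to one agent, action and target, so presenting it for a different action fails the MAC check, and presenting it twice fails the pending-nonce lookup.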