Governance control plane

Every agent action passes through one gate.
Nothing else exists.

Mandate intercepts every tool call an AI agent makes, evaluates it against policy before execution, and produces a signed, independently verifiable receipt. Unauthorized actions cannot execute — not because of convention, but because no other path exists.

How it works

Four steps. No exceptions.

01

Agent requests a tool call

The LangChain adapter intercepts the invocation before it reaches the external tool. A signed ExecutionRequest is assembled — agent ID, tool name, risk level, parameter hash, session ID.

02

Gateway evaluates against policy

The Execution Gateway forwards to the Policy Engine (OPA + Rego). Every registered policy is evaluated in under 5ms. The result is one of three outcomes: APPROVED, DENIED, or REQUIRE_APPROVAL.

03

Decision is enforced

APPROVED actions execute. DENIED actions are blocked immediately. REQUIRE_APPROVAL actions pause execution and surface a context-rich card to a human operator with a countdown timer (default: 10 min, then auto-denied).

04

Receipt is generated and sealed

Every terminal state — approved, denied, timed out, terminated — produces a signed receipt containing execution_id, agent_id, tool, decision, policy_ref, and decided_by. Stored to Walrus: content-addressed, append-only.

Trust boundary

Nothing above the gateway is trusted.Nothing below it is trusted either.

The LLM, the agent framework, and the SDK adapter are all treated as untrusted — they can hallucinate, contain bugs, or be manipulated. Trust starts at the gateway.

security perimeter
Threat model

Nothing above the gateway is trusted.

The security perimeter begins at the Execution Gateway. Everything above it — the LLM, the agent framework, the SDK adapter — is treated as potentially compromised.

LLM
May hallucinate tool calls or parameters
UNTRUSTED
Agent Framework (LangChain)
May be buggy, may pass malformed invocations
UNTRUSTED
Mandate SDK / Adapter
Intercepts but does not evaluate — relays only
UNTRUSTED
━━ SECURITY PERIMETER ━━
Execution Gateway
Authenticated entry point, enforces no-bypass rule
TRUSTED
Control Plane (Policy, Identity, Approvals)
Sole authority for governance decisions
TRUSTED
Receipt Engine → Walrus
Content-addressed, append-only audit store
TRUSTED FOR IMMUTABILITY
Verifiable receipts

Every decision is sealed.

Every terminal state — approved, denied, timed out, terminated — produces a signed receipt stored on Walrus. Externally verifiable. Immutable. No receipt can be deleted or modified after creation.

RECEIPT
APPROVED
receipt_id
rcpt_7f3a2b9c1d4e
execution_id
exec_000042
agent_id
agent_002
tool_id
send_email
tool_input_hash
sha256:a3f7e2b9c1d4e5f6a3f7e2b9c1d4e5f6
decision
APPROVED
policy_ref
require-approval-high-risk
decided_by
operator_a8f2
timestamp
2026-07-15T08:44:21Z
execution_result
success
walrus_cid
bafybeic3euh7zvtpkzq6kqxkzqzqzqzqzqzqzqz
Stored on Walrus — content-addressed, append-only

This receipt is externally verifiable without Mandate infrastructure.

Policy outcomes

One taxonomy. Three outcomes. No exceptions.

LOWAuto-approvedsearch_web, read_public_doc
MEDIUMAuto-approvedread_document, query_database
HIGHHeld for human approvalsend_email, write_file, call_api
CRITICALAuto-denied without explicit granttransfer_funds, delete_record, deploy_code

See the gate hold.

The console shows every decision live — approved, denied, held for a human, sealed to a receipt.