Full walkthrough
How Mandate Works
Every AI tool call routes through a governance control plane. Here's the complete execution flow from request to receipt.
Four steps. No exceptions.
Agent requests a tool call
The LangChain adapter intercepts the invocation before it reaches the external tool. A signed ExecutionRequest is assembled — agent ID, tool name, risk level, parameter hash, session ID.
The adapter itself is untrusted. It relays only — no policy decisions happen here.
Gateway evaluates against policy
The Execution Gateway forwards to the Policy Engine (OPA + Rego). Every registered policy is evaluated in under 5ms. The result is one of three outcomes: APPROVED, DENIED, or REQUIRE_APPROVAL.
The Gateway is the only route to external tools. No bypass path exists architecturally.
Decision is enforced
APPROVED actions execute. DENIED actions are blocked immediately. REQUIRE_APPROVAL actions pause execution and surface a context-rich card to a human operator with a countdown timer (default: 10 min, then auto-denied).
Failure mode: if the Control Plane is unreachable, execution fails closed — not open.
Receipt is generated and sealed
Every terminal state — approved, denied, timed out, terminated — produces a signed receipt containing execution_id, agent_id, tool, decision, policy_ref, and decided_by. Stored to Walrus: content-addressed, append-only.
Receipts are verifiable externally without Mandate infrastructure. No receipt can be deleted.
Timeout behavior
Default timeout: 10 minutes. If a human operator does not respond within the configured window, the request is automatically rejected (default-deny). The agent framework receives a governed exception.
No operator action can extend the timeout without explicit operator instruction — the Approval Engine must never auto-approve or self-extend.
Performance targets (MVP)
See the gate hold.
The console shows every decision live — approved, denied, held for a human, sealed to a receipt.