Show HN: Zero Trust Boundary for Agents
Attestor is an open-source zero-trust execution boundary for AI agents. It performs policy checks, approval validation, and evidence review before agent execution, returning decisions such as admit, narrow, review, or block, enforced through a customer-owned gate. Suitable for payments, data access, infrastructure changes, and more.
Notifications You must be signed in to change notification settings
Fork 1
Star 6
BranchesTags
Open more actions menu
Folders and files
NameName
Last commit message
Last commit date
Latest commit
History
1,900 Commits
1,900 Commits
.github
.github
.well-known
.well-known
docs
docs
examples
examples
fixtures
fixtures
ops
ops
scripts
scripts
specs
specs
src
src
tests
tests
vendor/schematron/2026-CMS-QRDA-III
vendor/schematron/2026-CMS-QRDA-III
.gitattributes
.gitattributes
.gitignore
.gitignore
CONTRIBUTING.md
CONTRIBUTING.md
Dockerfile
Dockerfile
LICENSE
LICENSE
README.md
README.md
SECURITY.md
SECURITY.md
docker-compose.dr.yml
docker-compose.dr.yml
docker-compose.ha.yml
docker-compose.ha.yml
docker-compose.observability.yml
docker-compose.observability.yml
docker-compose.yml
docker-compose.yml
package-lock.json
package-lock.json
package.json
package.json
tsconfig.json
tsconfig.json
Repository files navigation
AI systems are moving from chat into tools that can touch payments, data, access, customer messages, infrastructure, and programmable money.
That is no longer a prompt-quality problem. Teams need a stop point before execution, and a record after review: who asked, what was checked, why it held or blocked, and what may run next.
Context anchors: EU AI Act, NIST AI Risk Management Framework, and DORA. These are not compliance claims.
What It Does
Attestor translates AI intent into a structured consequence, then reduces it to a decision, gate status, and proof references.
It checks policy, approval, evidence, allowed scope, freshness, replay, tenant, and token, then returns one bounded decision with reasons: admit, narrow, review, or block.
For requestable approvals, it checks that the approved task still matches the current policy and material scope context before execution.
The real service should run only through the customer-owned gate.
System metadata can show where risky actions are forming. Existing APIs, tools, jobs, telemetry, events, and gateway logs can become review material for action discovery, rule drafts, admission decisions, customer gates, and proof.
View the full consequence path map
AI agent -> proposes an operation Attestor -> admit / narrow / review / block + reasons and proof references Customer-owned gate -> calls the real service only when allowed
Without a customer-side gate, the decision is evidence, not enforcement. With that downstream point, it becomes the stop point.
Run Attestor in shadow pilot mode
Observe mode shows what actions agents would try, why they may be risky, and which policy, approval, and evidence are present. You see the risk before a real service runs.
Run Attestor in shadow pilot mode
The Same Pattern Across Operations
The same gate can sit before these operation classes:
Operation class Examples
Money Movement refunds, payouts, supplier payments, credits, adjustments
Data Movement customer exports, warehouse queries, report releases
Authority Change grants, revocations, unlocks, approvals, delegations
External Communication customer-facing, legal, billing, support, public messages
Operational Execution deploys, secret rotations, infrastructure changes, incidents
Programmable Money wallet calls, Safe transactions, account-abstraction flows, settlement intents
Current State
Package version: 0.3.0-evaluation Release tag: v0.3.0-evaluation Release stage: evaluation baseline Release type: repository baseline / multi-path local review
This baseline is for local review and integration planning. Live customer deployment and external security audit are separate proof steps.
Data Posture
Attestor is a control point, not a data lake. It needs structured request context and proof references, not raw customer data. Customer systems keep the model, agent, workflow, wallet, database, service call, and system of record.
Security and data handling
Start Here
Start light. Go deeper only when you need the detail. If you are new, follow this order: local run, shadow pilot, then customer gate.
Try Attestor first - run the smallest local refund path and see the decision trail.
Run Attestor in shadow pilot mode - observe one real action path before enforcing anything.
How to integrate Attestor - find the real side effect and place the customer-owned gate.
Repository navigator - find deeper docs for hosted, pricing, support, proof, or maintainer work.
Use boundaries: License and use and Security Policy.
About
Zero Trust Execution Boundary.
attestorportal.com
Topics
typescript
openapi
provenance
authorization
audit-log
access-control
risk-management
human-in-the-loop
policy-engine
ai-agents
runtime-security
policy-as-code
ai-governance
llm-security
agent-security
replay-protection
Resources
Readme
License
View license
Contributing
Contributing
Security policy
Security policy
Uh oh!
There was an error while loading. Please reload this page.
Activity
Stars
6 stars
Watchers
0 watching
Forks
1 fork
Report repository
Releases
5 tags
Packages 0
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
Contributors
Uh oh!
There was an error while loading. Please reload this page.
Languages
TypeScript 98.9%
JavaScript 1.1%