Agent actions.
Authorized
first.

Axtary gives every high-impact tool call a scoped ActionPass before an agent reaches GitHub, Slack, MCP, or production APIs.

See how it worksView packages
Hot path

Agents should not inherit the blast radius of your API keys.

The first wedge is coding-agent work across GitHub, Slack, Linear, docs, and MCP tools. Axtary runs beside the agent, checks the exact action payload, and only releases authority when policy allows it.

Normalize
Convert github.pull_requests.create into a typed action with actor, intent, resource, and payload hash.
Evaluate
Run fail-closed rules against branch, changed files, blocked paths, and production-impact flags.
Issue
Mint a signed pass scoped to repo:company/web-app, base_branch: main, and expires_in: 10m.
Record
Append the decision, policy version, payload hash, and pass ID to the local JSONL ledger.
ActionPass artifact

Not another agent framework. A permission artifact for the hot path.

ActionPass is portable enough for SDKs and proxies, strict enough for security review, and exact enough for human approvals that show the payload, not an agent-written summary.

github.pull_requests.create with base branch, max files, blocked path, and test constraints
slack.chat.postMessage with channel allowlists and external-recipient step-up
linear.issue.update with project, assignee, status, and field-level constraints
mcp.tool.call bound to server identity, schema version, and definition hash
docs.search/query with workspace, document class, and row/result limits
paid API calls with reservation IDs, spend caps, and commit/rollback status
Normalized action
{
  "action_pass_id": "ap_01JAXTARY",
  "agent_id": "agent:codex-prod",
  "human_owner": "user:asrar@company.com",
  "intent": "Open a PR for AXT-418",
  "tool": "github.pull_requests.create",
  "resource": "repo:company/web-app",
  "constraints": {
    "base_branch": "main",
    "max_files_changed": 12,
    "blocked_paths": ["infra/prod/**", ".env*"],
    "requires_tests": true
  },
  "expires_in": "10m",
  "payload_hash": "sha256:7f32...",
  "policy": "cedar+rego:pass",
  "ledger_hash": "sha256:b9a1..."
}
Cedar-compatible policy
permit (
  principal == Agent::"codex-prod",
  action == Action::"github.pull_requests.create",
  resource == Repo::"company/web-app"
) when {
  context.intent.task_id == "AXT-418" &&
  context.payload.max_files_changed <= 12 &&
  !context.payload.touches_production
};
Package-first product

The product lives in the runtime. The web app coordinates it.

Install Axtary where agents already run. The SDKs and local proxy enforce action-level policy before tools execute, while the hosted app keeps approvals, policies, and audit exports in one place.

@axtary/actionpass
pass schema, signing, verification
Signs subject, intent, capability, payload hash, constraints, TTL, and policy version into a portable pass.
@axtary/policy
native rules, Cedar input, OPA input
Maps a normalized action into Cedar principal/action/resource/context and OPA input without changing app code.
axtary
local proxy and CLI
Runs `axtary proxy --config axtary.yml`, keeps secrets outside model context, and writes a local JSONL ledger.
@axtary/adapter-github
first protected tool surface
Protects PR creation, branch writes, blocked paths, required tests, file counts, and production-impact diffs.
@axtary/mcp
MCP wrapper
Binds every MCP tool call to server identity, schema version, tool definition hash, and approved payload shape.
app.axtary.com
thin hosted control plane
Hosts policy registry, approval inbox, audit exports, docs, and customer onboarding without owning execution.
Control plane

Every approval should carry the exact action it authorizes.

Axtary turns agent requests into reviewable, signed records: who owns the task, what tool is being called, what payload is allowed, which policy matched, and when the permission expires.

Runtime enforcement
SDKs and adapters sit between agents and tools, checking the normalized action before credentials or APIs are reached.
  • ActionPass schema
  • Local policy evaluator
  • Cedar/OPA input adapters
  • JSONL action ledger
  • GitHub adapter
  • MCP wrapper
Operational visibility
Teams get policy sync, approval inboxes, audit exports, and a ledger of issued passes without giving agents standing keys.
JIT TTLs
Passes
Policy
Ledger