Skip to content

AxioRank/agent-security-gateway

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

AGS-1: The Agent Security Gateway Specification

An Agent Security Gateway sits between an AI agent and everything it touches: MCP servers, APIs, databases, and other agents. Before any agent action reaches a destination, the gateway governs it. AGS-1 specifies what "governs" means, so the model is something any party can recognize, require, and verify, not a single vendor's feature.

            AI Agent
               |
               v
      +-------------------+
      |  Agent Security   |
      |     Gateway       |
      +-------------------+
               |
        +------+------+
        v      v      v
       MCP    APIs   Databases

The five gates

A conforming gateway intercepts every in-scope agent action and applies these gates before the action reaches its destination.

Gate Name Requirement (summary)
AGS-1.1 Identity A short-lived, attributable identity with the full delegation chain. No ambient or shared credentials.
AGS-1.2 Policy An explicit policy that defaults to deny. The decision is allow, deny, or hold.
AGS-1.3 Inspection Content scored for secrets, sensitive data, destructive operations, and injection, 0 to 100, on the hot path.
AGS-1.4 Audit A tamper-evident, append-only log that should be independently verifiable, even against the operator.
AGS-1.5 Proof An offline-verifiable proof an action was governed, checkable against a pinned key with no trust in the operator.

Conformance

  • AGS-1 Core: satisfies gates AGS-1.1 through AGS-1.4 for every in-scope action.
  • AGS-1 Provable: additionally satisfies AGS-1.5, and the audit log is independently verifiable.

Coverage is part of the claim. State the scope of actions you intercept, for example "AGS-1 Provable for outbound MCP and HTTP tool calls". A bare "AGS-1 Provable" with no scope is not a conformance statement.

Declare it

Publish a machine-readable descriptor at /.well-known/agent-security-gateway so a counterparty can discover and check the claim. AxioRank serves the reference example at axiorank.com/.well-known/agent-security-gateway. The full convention, a gate-by-gate implementation map, and the badge are in the conformance guide.

Badge

[![AGS-1 Provable](https://axiorank.com/api/badge/ags-1)](https://axiorank.com/spec)

The badge is neutral. Any implementation that meets the spec for its stated scope can show it.

Status

AGS-1 is a living draft, maintained by AxioRank (Crawlog LLC). AxioRank implements AGS-1 Provable; the specification is meant to outlive any single implementation. Feedback and implementations are welcome: open an issue or a pull request.

License

The spec text and this repository are MIT licensed. See LICENSE. Implement it freely.

About

Open spec for the Agent Security Gateway (AGS-1): the five gates every agent action passes through (identity, policy, inspection, audit, proof), plus the reference proof artifact. Verifiable offline.

Topics

Resources

License

Contributing

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors