Your AI agent can move money, delete production data, send email, and sign contracts. Agent Guard puts EMILIA Gate before the configured tool or executor, then requires the evidence your policy names. It protects only the paths actually mediated by that integration.
Run the rail now: FAST=1 node examples/mcp/payment-server.mjs · no account needed
No proxy to deploy. No data path to reroute. You call the gate at the decision point; EMILIA answers allow, require signoff, or deny — decided by a policy engine with 26 machine-checked theorems behind it.
The HTTP call below is live with your API key (signup is free). The wrapper below it ships today on npm and PyPI. Exact signatures in the docs.
# Ask EMILIA whether this exact action may proceed — before it runs.
curl -s https://www.emiliaprotocol.ai/api/trust/gate \
-H 'authorization: Bearer ep_live_…' \
-H 'content-type: application/json' \
-d '{
"entity_id": "agent_invoice_bot",
"action": "payment.release",
"context": { "amount": 50000, "destination": "acct_9f12" }
}'
# → { "decision": "allow" | "deny", "reasons": [ … ] }
# Signoff-grade decisions (allow_with_signoff) come from the
# /api/v1 precheck adapters — the full ceremony is on /finguard.import { withGuard } from '@emilia-protocol/langchain';
// Wrap anything irreversible. One wrapper.
const guarded = withGuard(wireMoney, {
action: 'payment.release',
context: (input) => ({ amount: input.amount, destination: input.to }),
// Resolve once a named human approves — otherwise signoff throws:
onSignoff: async (decision) => waitForApproval(decision.raw),
});
// Give `guarded` to your agent instead of `wireMoney`.
await guarded.invoke({ amount: 50000, to: 'acct_9f12' });
// → throws "EMILIA requires human signoff" until a human approves.
// Python: pip install langchain-emilia → guard_tools([…]) does the same.import { requireEmiliaReceipt } from '@emilia-protocol/require-receipt';
// Refuse the irreversible action unless a valid, action-bound receipt
// from a trusted issuer rides with the request.
app.post('/release-payment', requireEmiliaReceipt({
trustedKeys: [process.env.EMILIA_ISSUER_PUBKEY],
action: 'payment.release',
statusCode: 428,
manifestUrl: '/.well-known/agent-actions.json',
maxAgeSec: 900,
}), handler);
// No receipt? The caller gets 428 Receipt Required with a
// challenge; a well-behaved agent obtains one and retries. Verified
// offline — no EMILIA backend. Run: FAST=1 node examples/mcp/payment-server.mjsThe flip side of the gate: make your own endpoint require proof. An irreversible call with no valid receipt gets a 428 describing exactly what to bring — a well-behaved agent obtains one and retries, and you verify it offline. The agent self-serves authorization, no human in the support loop.
Add Receipt Required to an MCP server →Your agent is about to do something it can’t take back. One withGuard() wrapper routes the exact action — actor, intent, parameters — to EMILIA before it touches the real world.
The configured policy returns allow, require signoff, or deny. Allow means the stated policy was satisfied; it is not a claim that the action is wise, safe, or lawful.
Every protected decision emits signed authorization evidence bound to the action hash. A relying party can verify it offline with @emilia-protocol/verify under explicitly pinned trust inputs.
Agent Guard is framework-agnostic middleware, not a lock-in. It sits at the action boundary, wherever that is in your loop — and it doesn’t care whose model your agent runs on.
An invoice-paying agent attempts a payment to a new account. Blocked. A named human signs off. Wire proceeds with a receipt.
A coding agent runs a destructive migration on the production database. The action is gated before it executes.
An agent changes the bank account on a benefits case. Blocked pending an accountable caseworker signoff — due process, proven.
An agent attempts to export a table of personal records to an external destination. The high-risk write is intercepted.
The Protocol, verifier, vectors, SDK, and MCP packages are open. Add EMILIA Gate when you need managed policy, approval routing, enforcement operations, and continuous evidence.