Agent GuardProtocolMCPGovGuardFinGuardDemoPricingDocsRequest Pilot
Open challenge · 0 confirmed breaks

Break the ceremony.

We claim EMILIA’s authorization ceremony cannot be replayed, forged, self-approved, or reversed — and we proved it with a model checker. Don’t take our word for it. The protocol is open. The receipts are public. Try to break it.

Safety infrastructure earns trust by surviving attack in the open. Every confirmed break — and its fix — gets published here, with credit.

The four guarantees

What counts as a break

A signed authorization can be consumed exactly once. Replay it and it must be rejected.
ConsumeOnceSafety
BREAK IF: You consume the same authorization twice and both succeed.
You cannot fabricate a committed decision outside the ceremony — no write bypasses the protocol.
WriteBypassSafety
BREAK IF: You produce a record the verifier accepts that was never issued by the ceremony.
No actor can approve, consume, or contest its own action. Separation of duties holds.
SelfContestImpossible
BREAK IF: The same identity both initiates and approves a high-risk action and it commits.
Once an action is committed or refused, that outcome is terminal — it cannot be silently flipped.
TerminalStateIrreversibility
BREAK IF: You move a committed or refused action back to a pending/allowed state.
The proof

We didn’t just claim it’s safe. We proved it — with machine-checked math.

Most “AI governance” is policy documents and good intentions. EMILIA’s core guarantees are written as formal specifications and verified by a model checker on every commit. The proofs are open — read them, or try to break them.

26
TLA+ invariants
35
Alloy facts + 15 assertions
CI
machine-checked every commit
An authorization can be consumed exactly once — never replayed.
ConsumeOnceSafety
No path can write a committed state by bypassing the protocol.
WriteBypassSafety
Once an action is committed or refused, that outcome is irreversible.
TerminalStateIrreversibility
A signoff is bound to the exact action it approved — nothing else.
SignoffBindingMatch
A delegated agent can never exceed the authority of its principal.
DelegateCannotExceedPrincipal
No actor can approve or contest its own action.
SelfContestImpossible

Bounded model-checking of the authorization state machine (TLA+ / Alloy 6.0.0) — not a proof of any AI model’s behavior. It proves the protocol cannot be replayed, forged, or partially executed.

Read the spec →How the verification works →
Our commitment

The transparency contract

  • Every confirmed break is published here within 7 days, with the attacker’s credit (or anonymous, your call).
  • Every fix is published alongside it — the spec change, the code, and the new passing proof.
  • The running tally above (confirmed breaks) is never silently reset.
  • In scope: the authorization ceremony, the signed-receipt format, the consume gate, the verifier.
  • Out of scope: DDoS, social engineering, third-party infra (Vercel/Supabase), and anything against production tenant data.
Get started

Start swinging

The protocol, the SDK, and a public demo receipt are live now — attack those directly. Scoped challenge keys against an isolated instance open shortly; report anything you find to the address below in the meantime.

Inspect a live receipt →Read the spec

Report a break: security@emiliaprotocol.ai

Break the Ceremony — EMILIA Protocol Red-Team Challenge | EMILIA Protocol