EMILIA GATE · THE CONSEQUENCE FIREWALL

The firewall for machine action.

Antivirus scanned files. Firewalls filtered packets. EMILIA Gate verifies actions before machines change the world. It sits at the actuator boundary and refuses any consequential action unless it carries a valid, non-replayed authorization receipt — proof a named human approved that exact action.

Not authentication, not permissions, not anomaly detection. A policy-enforcement point that requires portable proof of human authorization before the world is mutated. Deny by default. Fail closed.

How it works Where it runs Request pilot

THE INVARIANT

If an agent cannot produce a valid receipt, it cannot change money, code, permissions, data, infrastructure, energy, or physical state.

The gate is deployed by the resource owner — the bank, the cloud API, the database, the robot controller, the grid. An agent that wants to act must bring a receipt the gate verifies. There is no central authority to trust; verification is offline.

WHAT IT GATES

Consequences, not prompts.

finance.wire_transfer

Move money

Wire release, beneficiary or bank-detail change

devops.deploy

Change production

Deploy, migration, secret rotation, permission grant

data.export

Move or delete data

Bulk export, destructive query, record deletion

grid.curtailment

Change energy posture

Curtailment / dispatch posture change (GRACE)

physical.actuation

Actuate the physical world

Robot motion, tool use, vehicle maneuver

agent.tool_call

Any irreversible agent tool

Dangerous MCP / framework tool call

THE LOOP

Request → challenge → sign → verify → execute → proof.

1

Request

An agent or system requests a consequential action at the actuator boundary.

2

Challenge

If the action is guarded and no valid receipt is present, the gate returns 428 Receipt Required and tells the agent exactly what to bring.

3

Authorize

A named human — or a quorum, for hard cuts — signs the exact action on a device-bound authenticator.

4

Verify

Offline, fail-closed: authority (pinned key), action-binding, assurance tier, freshness, one-time consumption — no trust in the operator.

5

Execute

Only a passing check reaches the actuator. Deny by default; absence of a receipt is the anomaly, not the default.

6

Execution receipt

On execution the gate emits proof bound to the exact authorization decision — the artifact an auditor, regulator, or incident review replays.

Assurance tiers set the floor per action: software — A valid receipt — a software-held key. class_a — A device-bound human signoff (WebAuthn / passkey). quorum — m-of-n distinct humans — the cryptographic two-person rule.

WHERE IT RUNS

One gate, every actuator boundary.

MCP

Shipped

Agent tools

Wrap MCP servers; a dangerous tool call without a receipt returns 428.

API

Shipped

HTTP middleware

Express / Connect / Next / Go — protect POST / PUT / PATCH / DELETE.

FRAMEWORKS

Shipped

Agent runtimes

OpenAI, LangChain, CrewAI, AutoGen — guard tool calls in one wrap().

CLOUD

Roadmap

Infra & platforms

GitHub, AWS/IAM, Kubernetes, Terraform, Supabase, Stripe.

ROBOTS

Reference

Actuator sidecar

A local daemon before motion/tool commands. Pre-authorize a bounded envelope; verify each act offline.

ATTESTED

Roadmap

Attested gate

Prove the gate is actually installed and running via device/workload attestation. Crucial for robots.

THE HONEST LIMIT

It does not stop every bad actor. It makes unreceipted systems untrusted.

A bad actor can build an unguarded machine. EMILIA Gate makes legitimate infrastructure refuse unreceipted consequential actions by default — so the parties with leverage (clouds, payment rails, regulators, insurers) can require a receipt. That is how TLS, code signing, and SOC 2 won: not by stopping every bad actor, but by making serious buyers reject systems that lack the control. Necessary, not sufficient.

Verify a receipt Agent guard Request pilot