It’s 18,000 lines of working Python with 97+ passing tests. Not a paper. Not a proposal. Working code.
## The Problem
Current agent frameworks (LangChain, AutoGPT, CrewAI) give AI agents direct tool access with essentially no governance. If an agent decides to call a database delete or send an email, it just… does it.
LAP asks: what if tool access required cryptographically-signed capability tokens that enforce budgets, prevent replay attacks, and produce tamper-evident audit trails?
## What LAP Does
- **Capability tokens** — Agents can’t invoke tools without a signed token bound to an evaluated decision - **Tiered constraints** — T0 (routine) through T3 (catastrophic) with escalating controls - **Budget enforcement** — Atomic reservation prevents overspend - **Replay prevention** — Nonces and monotonic counters for high-stakes actions - **Tamper-evident audit** — Every invocation produces signed receipts - **Fail-closed design** — System becomes more restrictive under degradation, never less
## What LAP Is Not
This is governance infrastructure, not an alignment solution. It does not: - Solve deception or mesa-optimization - Guarantee agents will choose safe actions - Replace the need for aligned AI
It constrains what actions are executable and provides audit trails. Necessary but not sufficient.
## How It Was Built
I’ll be transparent: I directed the implementation but didn’t write the code myself. This was built through iterative collaboration with Claude, GPT-4, and Gemini — I provided architecture and requirements, they implemented, I orchestrated adversarial review rounds where each system tried to find vulnerabilities in the others’ work.
The result went through multiple hardening passes. The threat model documents what it does and doesn’t guarantee.
## Why I’m Posting This
I don’t know if this matters or not. But:
1. The gap it addresses is real — almost nothing governs agent tool-use at this level 2. Three independent AI systems converged on “this is solid and useful” 3. It exists, it works, and maybe someone with more reach can use or build on it
If you’re working on agent frameworks or AI deployment infrastructure, I’d appreciate eyes on it. Criticism welcome — the threat model explicitly states limitations.
LAP: A Governance Framework for AI Agent Tool Use (18k lines, working code)
## What This Is
I’m releasing LAP (Lattice Audit Protocol) — a runtime governance framework that sits between AI agents and the tools they use.
**Repo:** https://github.com/PPGigantus/lattice-audit-protocol
It’s 18,000 lines of working Python with 97+ passing tests. Not a paper. Not a proposal. Working code.
## The Problem
Current agent frameworks (LangChain, AutoGPT, CrewAI) give AI agents direct tool access with essentially no governance. If an agent decides to call a database delete or send an email, it just… does it.
LAP asks: what if tool access required cryptographically-signed capability tokens that enforce budgets, prevent replay attacks, and produce tamper-evident audit trails?
## What LAP Does
- **Capability tokens** — Agents can’t invoke tools without a signed token bound to an evaluated decision
- **Tiered constraints** — T0 (routine) through T3 (catastrophic) with escalating controls
- **Budget enforcement** — Atomic reservation prevents overspend
- **Replay prevention** — Nonces and monotonic counters for high-stakes actions
- **Tamper-evident audit** — Every invocation produces signed receipts
- **Fail-closed design** — System becomes more restrictive under degradation, never less
## What LAP Is Not
This is governance infrastructure, not an alignment solution. It does not:
- Solve deception or mesa-optimization
- Guarantee agents will choose safe actions
- Replace the need for aligned AI
It constrains what actions are executable and provides audit trails. Necessary but not sufficient.
## How It Was Built
I’ll be transparent: I directed the implementation but didn’t write the code myself. This was built through iterative collaboration with Claude, GPT-4, and Gemini — I provided architecture and requirements, they implemented, I orchestrated adversarial review rounds where each system tried to find vulnerabilities in the others’ work.
The result went through multiple hardening passes. The threat model documents what it does and doesn’t guarantee.
## Why I’m Posting This
I don’t know if this matters or not. But:
1. The gap it addresses is real — almost nothing governs agent tool-use at this level
2. Three independent AI systems converged on “this is solid and useful”
3. It exists, it works, and maybe someone with more reach can use or build on it
If you’re working on agent frameworks or AI deployment infrastructure, I’d appreciate eyes on it. Criticism welcome — the threat model explicitly states limitations.
**Repo:** https://github.com/PPGigantus/lattice-audit-protocol