DEV Community

Arnab Mitra
Arnab Mitra

Posted on

Stop building "Yes-Bots": Why I’m open-sourcing a "Purple Line" for AI Agents

#ai #security #opensource #architecture

A protocol for deterministic governance in a world of probabilistic AI.

The Obedience Problem

We’ve all seen the demos. You give an LLM an API key, and it does something cool—moves a file, sends an email, maybe even approves a vendor payment.

But as someone who works at the intersection of Tech and Banking, those demos keep me up at night. Because a perfectly obedient agent is a high-speed liability.

If an agent doesn't have a deterministic way to say "No" to a dangerous human mandate (or a rogue hallucination), it shouldn't be in production.

That’s why I’m launching the Agent Governance Protocol (AGP).

The Gap: Probabilistic vs. Deterministic

Most current AI safety is "probabilistic." We hope the system prompt is strong enough. We hope the model doesn't hallucinate a spend limit.

But "Hope" is not a governance strategy.

AGP introduces the "Purple Line"—a deterministic, fail-closed gate that sits between an agent's intent and its execution.

How it works: The 3-Domain Split

AGP separates concerns into three independent trust domains. This prevents the "God-Agent" problem where a single process handles both the thinking and the permission.

  1. 🗂 The Registry (Authority): Where we handle identity, capabilities, and liability. Does this agent even have the right to move money?
  2. 🧠 The Decision (Policy): The engine that evaluates risk. If the agent wants to move $5k, but its limit is $1k, the protocol triggers a mandatory human-in-the-loop approval.
  3. ⚡ The Execution (The Gate): This is the "Fail-Closed" layer. It only permits an action if it receives a signed Action Envelope containing:
    • The Task ID
    • A valid Capability Token
    • A Policy Clearance artifact
    • A Human Approval (if risk is high)

Missing a signature? The tool call is rejected. Period.

The "Connective Tissue"

AGP isn't here to replace your stack; it's here to govern it. It is designed to be the control plane for the emerging ecosystem:

  • MCP (Model Context Protocol): If MCP is the handshake between an agent and its tools, AGP is the contract that defines what those tools can actually do.
  • A2A (Agent-to-Agent): AGP uses delegation chains to ensure that if a "Parent" agent delegates to a "Child" agent, the liability trail remains intact.
  • AP2 / UCP: For commerce and payments, AGP provides the transactional guardrails before the "Buy" button is ever hit.

Start Building

We’ve launched with official SDKs for Python and TypeScript. You can wrap your tool calls in a governance cage with just a few lines of code.

import { AGPClient } from "@agp-protocol/sdk";

const client = new AGPClient("https://your-agp-server", {
  client_id: "finance-agent",
  client_secret: process.env.AGP_SECRET,
});

// The protocol handles the intent, policy check, and envelope sealing.
const task = await client.registry.createTask({ ... });
const decision = await client.decision.evaluate(task.task_id);`
Enter fullscreen mode Exit fullscreen mode

Join the Conversation
We are building this as an open standard because governance shouldn't be a proprietary black box.

I have a question for the community: How are you currently handling "Human-in-the-loop" for your agents? Is it a rubber stamp, or do you have a deterministic gate in place?

Check out the spec and join the movement:
👉 https://www.agp-protocol.dev/
👉 GitHub Repository

Top comments (0)