The latest articles on DEV Community by Kmori (@kmori_f732750cda96b27efe7). https://dev.to/kmori_f732750cda96b27efe7 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3980380%2F8a48e405-8cc1-44cf-94a1-84bd11422eb0.png https://dev.to/kmori_f732750cda96b27efe7 en Kmori Fri, 12 Jun 2026 15:00:00 +0000 https://dev.to/kmori_f732750cda96b27efe7/i-built-an-open-source-authorization-layer-for-ai-agents-heres-what-the-audit-trail-looks-like-n5g https://dev.to/kmori_f732750cda96b27efe7/i-built-an-open-source-authorization-layer-for-ai-agents-heres-what-the-audit-trail-looks-like-n5g <h1> I built an open-source authorization layer for AI agents — here's what the audit trail looks like </h1> <p>When an AI agent takes an action in production — isolates a host, rotates credentials, applies a patch — you can log what happened. But you can't prove it was <strong>authorized</strong>. Logs show what happened. They don't prove who said it was allowed to happen.</p> <p>I built <a href="https://github.com/kmori-source/shani" rel="noopener noreferrer">Shani</a> to solve this. It sits between an agent's intent and execution, issues signed authorization tokens, and produces a tamper-evident audit trail.</p> <h2> The core idea </h2> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>Agent ──DecisionProposal──► Shani ──ADO──► ExecutionBoundary ──Capability──► World </code></pre> </div> <p><strong>No ADO → no Capability → no execution.</strong></p> <p>An agent submits a <code>DecisionProposal</code> (what it wants to do + evidence). Shani evaluates it against a YAML policy — blast radius, reversibility, environment risk, evidence quality. If authorized, it issues a signed <code>ADO</code> (Authorized Decision Object). The agent can only act through a <code>Capability</code> derived from a valid ADO.</p> <p>The risk level (D-SAL 0–4) is computed by Shani from proposal context — <strong>not declared by the agent</strong>. An agent cannot claim its own action is low-risk.</p> <p>When D-SAL exceeds a threshold, Shani blocks and waits for human approval via Slack, webhook, or CLI.</p> <h2> Real example: vulnerability remediation CI pipeline </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Scan</span> pip-audit <span class="nt">--format</span><span class="o">=</span>json <span class="o">&gt;</span> pip-audit.json <span class="c"># Shani judgment (auto-approve in CI, HITL in prod)</span> <span class="nv">SHANI_HITL_AUTO</span><span class="o">=</span>1 python examples/vuln_remediation/scenario.py </code></pre> </div> <p>Here's what a real run looks like — 5 vulnerabilities detected, evaluated, and patched:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight console"><code><span class="go">[scan] Running pip-audit… 5 vulnerability finding(s) across 47 packages [govern] PYSEC-2026-196 [MEDIUM] pip 24.0 AUTHORIZED — ADO ff73fedc… dsal=1 OK: upgraded to 26.1.2 [govern] CVE-2025-8869 [MEDIUM] pip 24.0 AUTHORIZED — ADO 6590afbf… dsal=1 OK: upgraded to 25.3 [govern] CVE-2026-6357 [MEDIUM] pip 24.0 AUTHORIZED — ADO 4cd03165… dsal=1 OK: upgraded to 26.1 [audit] audit.json (executed=5 denied=0 skipped=0) </span></code></pre> </div> <p>And the audit trail:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"schema_version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"agent_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"vuln-remediation-agent/v1"</span><span class="p">,</span><span class="w"> </span><span class="nl">"mode"</span><span class="p">:</span><span class="w"> </span><span class="s2">"auto"</span><span class="p">,</span><span class="w"> </span><span class="nl">"summary"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"total"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"executed"</span><span class="p">:</span><span class="w"> </span><span class="mi">5</span><span class="p">,</span><span class="w"> </span><span class="nl">"denied"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="p">,</span><span class="w"> </span><span class="nl">"skipped"</span><span class="p">:</span><span class="w"> </span><span class="mi">0</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"entries"</span><span class="p">:</span><span class="w"> </span><span class="p">[</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"vuln_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"PYSEC-2026-196"</span><span class="p">,</span><span class="w"> </span><span class="nl">"package"</span><span class="p">:</span><span class="w"> </span><span class="s2">"pip"</span><span class="p">,</span><span class="w"> </span><span class="nl">"action"</span><span class="p">:</span><span class="w"> </span><span class="s2">"executed"</span><span class="p">,</span><span class="w"> </span><span class="nl">"ado_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"ff73fedc-..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"approved_by"</span><span class="p">:</span><span class="w"> </span><span class="s2">"SOC-Analyst"</span><span class="p">,</span><span class="w"> </span><span class="nl">"detail"</span><span class="p">:</span><span class="w"> </span><span class="s2">"OK: upgraded to 26.1.2"</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="p">]</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>Every entry proves not just that the upgrade happened, but that it was <strong>authorized, by whom, and against which specific vulnerability finding</strong>.</p> <h2> Also works with nanoclaw (zero TypeScript required) </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pnpm run chat <span class="s2">"Isolate host:prod-db-12. Evidence: EDR detected lateral movement (0.93), SIEM anomalous outbound (0.88)"</span> </code></pre> </div> <p>Claude reads the Shani SKILL.md, submits a DecisionProposal, waits for HITL approval, and only proceeds after receiving a signed ADO.</p> <h2> CI/CD pipeline integration </h2> <p>Ships a GitHub Actions workflow: Trivy + Grype + OSV-Scanner → Shani judgment → <code>shani-audit.json</code>. Gate your deployments on policy, not just vulnerability counts.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s">Run Shani vulnerability judgment</span> <span class="na">env</span><span class="pi">:</span> <span class="na">SHANI_HITL_AUTO</span><span class="pi">:</span> <span class="s1">'</span><span class="s">1'</span> <span class="na">run</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">python examples/vuln_remediation/shani_vuln_judge.py \</span> <span class="s">--trivy trivy.json --grype grype.json \</span> <span class="s">--output shani-audit.json \</span> <span class="s">--fail-on-denied</span> </code></pre> </div> <h2> What this gives you that observability tools don't </h2> <p>LangSmith answers "what did the agent do?" Shani answers "was it authorized, by whom, and why was it blocked?" These are complementary. But for the conversation with your security team, compliance officer, or a regulator — you need both.</p> <h2> Honest limitations </h2> <ul> <li>v0.4, self-hosted only</li> <li>Evidence is agent-submitted (push model — pull-based verification not yet implemented)</li> <li>YAML policy is expressive but not yet well-documented for complex cases</li> </ul> <p>Apache 2.0: <a href="https://github.com/kmori-source/shani" rel="noopener noreferrer">github.com/kmori-source/shani</a></p> <p>If you're shipping AI agents to production and have hit the accountability problem, I'd genuinely like to hear what you've tried.</p> <p><em>Tags: #security #ai #devops #opensource #llm</em></p> security ai devops opensource