PERMISSION/PROTOCOL
The authority layer for AI agents

Your agents are shipping. Who signed for it?

Policy clears the routine. A named human signs the consequential. Every agent action gets a portable, tamper-evident receipt.

Runs across MCP · CI/CD · SQL · APIs

Sign your first receipt
GitHub required check Human signer Tamper-evident receipt No receipt, no merge
90-second demo: define rules · connect repo · PP enforces
"About 90% of code at Anthropic is now written by Claude — engineers are in a supervisory role."
Dario Amodei, CEO Anthropic · Dreamforce 2025

Agent incidents

97 documented incidents of agents acting without authorization, 40 of them critical.

Latest (2026-07-09): Symlink attack fools HITL approval — Claude Code knew the risk and hid it

The question no one can answer

The question no one can answer today

List every production change last quarter that was AI-originated. Show the accountable human for each.

Your repo host cannot answer it. Your observability stack cannot. The sandbox cannot. Approvals today record that a human clicked; they carry no record of which agent acted, under whose delegated authority, against which exact payload.

Who authorized this agent to perform this exact production action?

MCP · CI/CD · SQL · APIs

How it works across surfaces

MCP tool call

Agent tool calls route through MCP Guard. Routine calls pass in milliseconds. Consequential calls hold for a named signer.

Merge

Agent-authored PRs stay blocked until the right signer approves the exact commit.

Deploy

Production deploys require a signed authority receipt before release workflows proceed.

Mutate data

Destructive SQL and broad customer-data changes require explicit approval before execution.

Two products

Two doors in. One receipt layer.

MCP Guard

Open-source authority proxy for MCP. Intercepts tool calls, holds the consequential ones, mints a receipt for every decision. Start in observe mode: zero risk, full visibility.

Install MCP Guard

Deploy Gate

Agent-authored merges and deploys stay held until the right human signs the exact change. Auto-approve clears low-risk paths so the gate never becomes the bottleneck.

Gate a repo

For compliance, risk, and audit leaders

When the regulator asks who authorized the action, can the firm answer?

Most enterprise AI logging proves the agent acted. It rarely proves the human approved the exact action at the exact moment. That gap shows up first in audit reconstruction, in SOX and FINRA exams, in FDA inspections, and in board-level questions about AI accountability. Permission Protocol is the authorization layer that captures human signoff at the action boundary and produces tamper-evident receipts built for regulatory exams.

Explicit approval

Every consequential AI action routes to a named human signer at the action boundary, with policy decisions captured as part of the same record.

Tamper-evident receipts

Each receipt is cryptographically signed and designed for the retention windows regulated firms operate under.

Calibrated by risk tier

Low-risk actions flow through under policy. Consequential actions require explicit human signoff. The firm controls the calibration, not the AI vendor.

Start with production SQL. Expand to every production path.

No signature. No production SQL.

Your engineers use Cursor, Copilot, and Claude to generate migrations. Today, who signs that SQL before it hits prod?

Permission Protocol blocks AI-generated database changes from reaching production unless there is a signed approval bound to the commit, migration hash, environment, and approver.

See a blocked migration get signed

The receipt layer

Every decision produces a receipt.

Cleared by policy or signed by a human, each action mints the same portable, tamper-evident record: who acted, who authorized it, under which policy, at what time.

See a real signed receipt

✓ ACTION AUTHORIZED

Deploy → billing-service

Agent
deploy-bot
Approved by
Sarah Kim
Policy
production-deploy
Timestamp
2026-03-03 10:14:22 UTC
SignatureVerified ✓
IssuerPermission Protocol

permissionprotocol.com/r/8f91c2

Pricing

Two ways in

Free for developers

MCP Guard is open source, and the Free plan is $0: one signer, one connected repo or MCP client, and real signed receipts.

Install MCP Guard

Rollouts from $50K

Pilot to enterprise, run with our team: prove one high-risk workflow, then expand until every consequential agent action carries a receipt.

See pricing

Common questions

How does this differ from GitHub branch protection?

How does this differ from GitHub reviews?

What exactly gets blocked?

Does this replace branch protection?

Can an agent bypass it?

Do I need to use AI coding agents for this to be useful?

What counts as a protected repo?

What if I hit my repo limit?