PERMISSION/PROTOCOL

Permission Protocol

No agent-written code ships without a signature.

Block PRs from coding agents until a human signs the exact change.

Built for AI coding agents like Cursor, Claude Code, Codex, and other tools opening PRs against real repos.

GitHub required check

permission-protocol/approval pending

Display name: Permission Protocol

PR #184 modifies migrations/20260505_drop_users_email.sql

Agent-written SQL change. Human signature required before merge.

Human-signed receipt required

repo: acme/billing-api

approved_sha: 9f2c1a7

sql_hash: sha256:d46a7403...

signature: ed25519:8f2s...

After approval + CI greenauto-merge ready

First protected repo

Built for the first repo where agents touch production.

Start where the approval path is concrete: one repo, one protected branch, one risky production path, and one required check that cannot turn green without a receipt.

Agent-authored SQL migration

Agent-authored deploy workflow change

Agent-authored Terraform change

Agent-authored release branch merge

Install flow

From install to signed PR control.

01

Install the Permission Protocol GitHub App.

02

Select one repo to protect first.

03

Open a test PR or use an AI-authored PR.

04

Let the Permission Protocol required check block the risky change.

05

Have a human signer approve the exact action.

06

Inspect the signed approval receipt.

07

Let GitHub auto-merge after CI/CD and Permission Protocol are green.

What you'll see

A blocked PR, a signing step, and signed proof.

GitHub check pending

The Permission Protocol check stays pending or blocked when the permission-protocol/approval context needs approval.

PR comment with approval link

Reviewers get a clear comment that explains why the PR is blocked and where to approve.

Approval screen

A human reviews the repo, PR, commit, requested action, target, and policy before signing.

Receipt proof page

The approval creates a receipt showing who authorized what and when.

GitHub auto-merges

After approval, the Permission Protocol check turns green for that PR context. GitHub native auto-merge can ship once all required CI/CD checks are green.

Branch protection vs approval receipts

How is this different from GitHub branch protection?

GitHub branch protection is the lock. Permission Protocol is the signer and receipt layer. Branch protection can require reviews and status checks before merge. Permission Protocol uses those enforcement rails to require explicit human authorization for high-risk or AI-authored changes, then records who approved the action, what was approved, why approval was required, and the receipt that unlocked the check.

We are not replacing branch protection or GitHub auto-merge. We make branch protection carry an agent-specific authorization decision before GitHub is allowed to merge.

GitHub branch protection

Requires reviews and status checks before merge.

Permission Protocol

Uses required checks to enforce human-signed approval for high-risk or AI-authored changes.

GitHub branch protection

Controls whether a protected branch can accept a merge.

Permission Protocol

Records the specific action/request, signer, policy decision, and approval receipt.

GitHub branch protection

Depends on correct branch protection and bypass settings.

Permission Protocol

Adds the agent-action authorization layer on top of the enforcement rail.

Try safely first

Start with a demo repo or non-production repo.

Install GitHub App on one low-risk repo first. Open a test PR, verify that the check blocks, sign the approval, and inspect the receipt before enabling required checks on production branches.

Requirements

What enforcement depends on.

  • A GitHub repo you can install the app on.
  • Permission to install GitHub Apps for the org or account.
  • Branch protection and required checks for enforcement.
  • Repo settings that do not let the wrong people bypass required checks.

Trust boundary

What this does not do.

Permission Protocol is a GitHub approval and receipt workflow. It works best when teams configure branch protection and required checks correctly.

Production environments fail closed. No silent fail-open, ever.

It does not replace GitHub branch protection.

It does not prevent admins from bypassing protections if repo settings allow bypass.

It does not magically classify every possible production risk perfectly.

It provides approval workflow, required-check gating, and approval receipts.

FAQ

How this differs from branch protection.

Is this just GitHub branch protection?

No. GitHub branch protection enforces reviews and required checks. Permission Protocol uses required checks as the enforcement mechanism, but adds an authorization workflow and signed approval receipt for specific AI-authored or high-risk actions. Teams still need to configure branch protection correctly, and admins may be able to bypass depending on repo settings.

Is this just another approval button?

No. The value is approval tied to a specific action/request, signer identity, policy decision, and receipt outside the normal PR review thread.

Does this replace GitHub branch protection?

No. GitHub branch protection is the enforcement rail. Permission Protocol uses required checks inside that rail, so branch protection still needs to be configured correctly.

Can admins bypass it?

Admins may bypass depending on repo settings. Teams should configure GitHub branch protection, required checks, and bypass permissions to match their enforcement goals.

No receipt = no merge

Protect one GitHub repo before the next AI-authored production PR.

Start with one repo, one test PR, and one required GitHub check.