TL-Agent · Receipt-gated control plane for AI agents

An agent cannot authorize its own actions.
And cannot rewrite the history of what it did.

TL-Agent gives an AI agent its permissions as notarial receipts from the TimeLayer network — receipts it cannot issue itself. Every action it takes is backed by one. Its history is tamper-evident and verifiable offline by any third party.

NO VALID RECEIPT → NO ACTION
  • Action control. Every action passes a gate: no valid receipt — the action does not run. The topology defines what is permitted at all.
  • Tamper-evident history. What the agent did is recorded in receipts that neither the agent nor the operator can rewrite. Verifiable offline by a third party.
  • Fail-closed by design. Any conflict, missing permission, or unknown action → agent stops and waits for a human. Silence is a safe refusal, not a hidden success.

Autonomous AI agents today have nothing to limit themselves with — and nothing to prove themselves with.

  • An agent can authorize its own action or claim it did something — on the model's word, with no proof.
  • Its action log lives with the operator and is editable. A third party cannot verify what actually happened.
  • There is no machine-verifiable boundary between "what the agent is allowed to do" and "what it actually did."

When an agent spends money, sends emails, and changes data on your behalf — "trust the log" is not an answer.

The agent's permissions and history become notarial receipts — ones it cannot issue itself or rewrite.

  • Before an action, the SDK checks: is there a valid permission receipt, is the action declared in the topology, does the notarial signature pass offline verification? No → STOP.
  • What the agent did is recorded in result receipts — a portable, tamper-proof history that travels with the agent.
  • Anyone verifies that history offline with an open-source verifier — no trust in the agent's operator required.

Why not just put checks in the agent's code?

The first question any developer asks: "I can add flags and logs myself." Here's the difference:

Self-built (flags + log in code)TL-Agent
The agent essentially decides itself — it can "authorize" itself to bypass the check Permission is a notarial receipt the agent does not issue (INV-01)
Action history — a log at the operator, editable History — receipts that cannot be rewritten, third-party verifiable
Trust — in your code and your server Trust — in a quorum of independent operators, offline verification with open-source code
"Done" — on the model's word "Done" — only with a receipt present (INV-06: the model's text is not proof)

In one line: a check in the agent's code can be bypassed by the agent; a notarial receipt it cannot issue itself — cannot.

The memory an agent cannot lie about

AI agents lose memory between sessions — but even the memory they have (vector stores, context) has a gap: it can be hallucinated or edited. TL-Agent adds the missing layer:

Not a replacement for memory — the part of it that cannot lie. A verifiable, tamper-evident, portable history of what the agent provably did. Regular memory answers "what do I know"; receipts answer "what I actually did — and it cannot be rewritten."

Honest framing: receipts do not store content and do not do semantic search — this is provenance, not recall. But it is a history the agent cannot forge. No memory system has that.

One call in your agent loop

Open Rust SDK, GitHub, no network calls in the gate:

let bundle = AgentBundle::load("./agent-bundle")?; match bundle.check_action("action_read_files") { CheckResult::Allow(receipt) => { // run — permission is notarially confirmed } CheckResult::Stop { reason, .. } => { // halt, show the user — NO_RECEIPT, TOPOLOGY_VIOLATION, etc. } }

Exit code 0 = ALLOW, 1 = STOP. Wire it into any shell script or CI pipeline.

CLI commands

  • tl-agent check — gate check before action
  • tl-agent next — allowed next steps
  • tl-agent audit — verify entire bundle
  • tl-agent record — log execution with digest

Bundle built in the cabinet

  • Define actions and topology visually
  • Each action gets a notarized receipt
  • Download ready-to-use ZIP bundle
  • Use with the Rust SDK or CLI immediately

Air-gapped mode — for regulated industries

Agent permissions on a physical read-only medium it cannot rewrite.

A bundle is just a folder, so the same permissions run from a container on disk or from a USB flash drive — your choice. A log or a plain record can't travel like that: it is tied to the server that wrote it. A notarial receipt verifies offline, on any machine — so permissions can move on a stick and stay tamper-evident and self-verifying.

  • The bundle lives on a removable read-only medium. The agent only reads — physically cannot issue itself a new permission.
  • Results go to a separate medium; notarization happens outside the agent's environment.
  • To grant more, you don't edit a receipt (they're immutable) — you build a new bundle; the new actions get fresh receipts, the old ones travel alongside.
  • For fintech, legal-tech, medicine, public sector — where "the agent must not be able to unblock itself" is a requirement, not a preference.
Honest framing: protects from the agent, not from a compromised host. Requires actual hardware read-only. Issuing a new receipt requires an online moment. This is an option, not mandatory — the standard mode works from the filesystem.

What we say honestly

  • TimeLayer network: quorum of independent operators, public keys on GitHub
  • Signatures: Ed25519, hash commitment is quantum-resilient; post-quantum signing is on the roadmap
  • TL-Agent is guardrails + tamper-evident audit for a cooperative agent — not a sandbox that physically locks down malicious code (except air-gapped, and even then only from the agent, not the host)
  • Not memory as recall — provenance. No promise that "the agent will remember everything"
  • External network audit is on the roadmap; "a live honest network, not a certified one"
NO VALID RECEIPT → NO ACTION

Part of the TimeLayer ecosystem →