An agent cannot authorize its own actions.
And cannot rewrite the history of what it did.
TL-Agent gives an AI agent its permissions as notarial receipts from the TimeLayer network — receipts it cannot issue itself. Every action it takes is backed by one. Its history is tamper-evident and verifiable offline by any third party.
- Action control. Every action passes a gate: no valid receipt — the action does not run. The topology defines what is permitted at all.
- Tamper-evident history. What the agent did is recorded in receipts that neither the agent nor the operator can rewrite. Verifiable offline by a third party.
- Fail-closed by design. Any conflict, missing permission, or unknown action → agent stops and waits for a human. Silence is a safe refusal, not a hidden success.
Autonomous AI agents today have nothing to limit themselves with — and nothing to prove themselves with.
- An agent can authorize its own action or claim it did something — on the model's word, with no proof.
- Its action log lives with the operator and is editable. A third party cannot verify what actually happened.
- There is no machine-verifiable boundary between "what the agent is allowed to do" and "what it actually did."
When an agent spends money, sends emails, and changes data on your behalf — "trust the log" is not an answer.
The agent's permissions and history become notarial receipts — ones it cannot issue itself or rewrite.
- Before an action, the SDK checks: is there a valid permission receipt, is the action declared in the topology, does the notarial signature pass offline verification? No → STOP.
- What the agent did is recorded in result receipts — a portable, tamper-evident history that travels with the agent.
- Anyone verifies that history offline with an open-source verifier — no trust in the agent's operator required.
Why not just put checks in the agent's code?
The first question any developer asks: "I can add flags and logs myself." Here's the difference:
In one line: the agent can bypass a check in its own code; it cannot bypass a notarial receipt that it cannot issue itself.
The memory an agent cannot lie about
AI agents lose memory between sessions — but even the memory they have (vector stores, context) has a gap: it can be hallucinated or edited. TL-Agent adds the missing layer:
Not a replacement for memory — the part of it that cannot lie. A verifiable, tamper-evident, portable history of what the agent provably did. Regular memory answers "what do I know"; receipts answer "what I actually did — and it cannot be rewritten."
One call in your agent loop
Open Rust SDK, GitHub, no network calls in the gate:
Exit code 0 = ALLOW, 1 = STOP. Wire it into any shell script or CI pipeline.
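A fail-closed way to wire that exit-code convention into a shell script, as an added example that is not TL-Agent code or taken from this page. `gated_run`, `demo_gate` and `GATED_DECISION` are hypothetical names; `demo_gate` stands in for a wrapper around `tl-agent check`, whose arguments the page does not show.

```shell
#!/bin/sh
# Added example, not TL-Agent code. Fail-closed wrapper for a gate whose
# exit code means 0 = ALLOW, 1 = STOP (the convention stated above).

GATED_DECISION=""   # set to ALLOW or STOP after every gated_run call

# gated_run GATE ACTION_NAME CMD [ARGS...]
#   GATE is an executable or shell function (hypothetical here) that takes
#   the action name and exits 0 or 1. CMD runs only when GATE exits 0.
gated_run() {
    GATED_DECISION=STOP                    # default is refusal
    if [ "$#" -lt 3 ]; then
        echo "STOP: usage: gated_run GATE ACTION_NAME CMD [ARGS...]" >&2
        return 1
    fi
    _gate=$1 _name=$2
    shift 2
    _rc=0
    # stdin is closed for the gate so it cannot consume the action's input.
    "$_gate" "$_name" </dev/null || _rc=$?
    case "$_rc" in
        0)  GATED_DECISION=ALLOW ;;
        1)  echo "STOP: '$_name' refused by gate" >&2
            return 1 ;;
        *)  # Missing binary (127), crash, signal: an error is not permission.
            echo "STOP: gate error $_rc for '$_name', treated as refusal" >&2
            return 1 ;;
    esac
    "$@"                                   # the action; its status is returned
}

# Constructed stand-in gate so the example runs offline. A real one would be
# a small wrapper around `tl-agent check`; its arguments are not shown on
# this page, so none are guessed here.
demo_gate() {
    case "$1" in
        send_report) return 0 ;;           # declared and permitted
        *)           return 1 ;;           # anything else: STOP
    esac
}

gated_run demo_gate send_report echo "report sent"
gated_run demo_gate wire_funds  echo "funds wired" || echo "decision: $GATED_DECISION"
```

Because an allowed action can itself exit 1, callers should read `GATED_DECISION` rather than the return status to tell a gate refusal from an action failure.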
CLI commands
- tl-agent check — gate check before action
- tl-agent next — allowed next steps
- tl-agent audit — verify entire bundle
- tl-agent record — log execution with digest
Bundle built in the cabinet
- Define actions and topology visually
- Each action gets a notarized receipt
- Download ready-to-use ZIP bundle
- Use with the Rust SDK or CLI immediately
Air-gapped mode — for regulated industries
Agent permissions on a physical read-only medium it cannot rewrite.
A bundle is just a folder, so the same permissions run from a container on disk or from a USB flash drive — your choice. A log or a plain record can't travel like that: it is tied to the server that wrote it. A notarial receipt verifies offline, on any machine — so permissions can move on a stick and stay tamper-evident and self-verifying.
- The bundle lives on a removable read-only medium. The agent only reads — physically cannot issue itself a new permission.
- Results go to a separate medium; notarization happens outside the agent's environment.
- To grant more, you don't edit a receipt (they're immutable) — you build a new bundle; the new actions get fresh receipts, the old ones travel alongside.
- For fintech, legal-tech, medicine, public sector — where "the agent must not be able to unblock itself" is a requirement, not a preference.
What we say honestly
- TimeLayer network: quorum of independent operators, public keys on GitHub
- Signatures: Ed25519. The hash commitment is quantum-resilient; post-quantum signing is on the roadmap
- TL-Agent is guardrails + tamper-evident audit for a cooperative agent — not a sandbox that physically locks down malicious code (except air-gapped, and even then only from the agent, not the host)
- Not memory as recall — provenance. No promise that "the agent will remember everything"
- External network audit is on the roadmap; "a live honest network, not a certified one"
Part of the TimeLayer ecosystem.