Skip to content
@openagp

openagp

README.md
OpenAGP — The Agent Governance Protocol

Spec PyPI Spec License Code License Conformance Status

One protocol. Every vendor. One control plane.

Read the spec · Python SDK · TypeScript SDK · Conformance suite · Registry · Examples

Without AGP

  • N vendors × M customers = N × M bespoke integrations
  • Audit logs in N incompatible formats
  • Policy authored separately for every vendor
  • No cryptographic provenance — "trust us, the agent did this"
  • Compliance evidence assembled by hand, quarterly
  • A single agent action across 3 vendors is 3 separate stories

With AGP

  • N vendors × M customers = N + M integrations
  • One canonical event schema, signed end-to-end
  • One policy DSL, pushed to every vendor
  • Every event signed; ledger is hash-chained and verifiable
  • Compliance evidence is a query, not an effort
  • A single agent action is one event with verifiable lineage

The way SAML standardized "who is this user," and MCP standardized "what tools can an agent call" — AGP standardizes "what is this agent allowed to do, who said so, and what did it actually do" across every AI agent vendor.

How it works

AGP defines three flows between a customer's governance plane and an agent vendor. A vendor implements one or more — declaring its conformance level (L1, L2, or L3) — and the same policy works everywhere.

sequenceDiagram
    autonumber
    participant Plane as Customer Plane
    participant Vendor as Agent Vendor
    participant Agent as Agent Action

    rect rgb(232, 244, 255)
    Note over Plane, Vendor: Flow B — Policy (L2)
    Plane->>Vendor: POST /agp/v0/policy<br/>signed YAML policy
    Vendor-->>Plane: 202 Accepted + policy_hash
    end

    Agent->>Vendor: agent attempts action

    rect rgb(255, 245, 230)
    Note over Vendor, Plane: Flow C — Real-time decision (L3)
    Vendor->>Plane: POST /agp/v0/decision
    Plane-->>Vendor: allowed | blocked (≤300ms)
    end

    Vendor->>Agent: apply decision

    rect rgb(232, 255, 240)
    Note over Vendor, Plane: Flow A — Events (L1, always)
    Vendor->>Plane: POST /agp/v0/events<br/>signed canonical event
    end
Loading

Events are signed Ed25519. Policies are signed Ed25519. The plane verifies every signature against the AGP Registry of public keys before it trusts a single byte. The customer's ledger becomes a cryptographic chain of agent action — auditable, replayable, and impossible to forge without compromising a registered key.

Conformance levels

Level Vendor implements What the customer gets Cost to ship
L1
events		 Flow A — emit signed canonical events Passive observability. Every agent action recorded with verifiable provenance. ≤ 1 eng-week
L2
governance		 Flow A + Flow B — accept and apply customer policy Customer-authored policy enforced inside the vendor. One policy, all vendors. + 1 eng-week
L3
real-time		 Flow A + Flow B + Flow C — synchronous decision callback High-stakes actions gated by the customer plane in <300ms. Human-in-the-loop becomes a protocol primitive. + 2 eng-weeks

Vendors advertise their level via a .well-known/agp discovery document. Customers pin minimum levels in procurement.

The repos

📜 Protocol

openagp/spec — protocol specification, JSON Schemas, fixtures
Phase 0 · formalization in progress

openagp/registry — public directory of compliant actors and their public keys
Phase 4 · pending

🛠️ Reference implementations

openagp/sdk-python — Python SDK · pip install openagp
Phase 1 · stub published

openagp/sdk-typescript — TypeScript SDK · npm i @openagp/sdk
Phase 1 · scaffold

openagp/cts — Conformance Test Suite (agp-cts)
Phase 2 · pending

openagp/examples — end-to-end worked examples
Alongside Phase 1

Quick start

🏢 I'm a vendor

Ship L1 in <1 engineer-week:

from openagp.events import Event, sign

event = Event(
  actor={"vendor": "acme.com",
         "agent_id": "agt_42"},
  action={"type": "tool_call",
          "tool_name": "browser.navigate"},
)
plane_client.emit(sign(event, key))

Then validate:

agp-cts validate-vendor \
  --endpoint https://api.acme.com/agp/v0/

Submit your registry entry with the signed conformance report.

🛡️ I'm a customer

Author one policy. It works everywhere:

agp_policy_version: "0.1"
applies_to:
  vendors: ["*"]
rules:
  - id: rule_pii_outbound
    when:
      action.type: tool_call
      action.input_summary:
        contains_pattern: "ssn|email"
    then:
      decision: blocked
      reason: "PII outbound"

Every event is stamped with policy_hash so you can prove which policy was in force.

🤝 I want to contribute

Read GOVERNANCE.md and CONTRIBUTING.md.

# DCO sign-off; no CLA
git commit -s -m "..."

Best places to start:

  • File RFCs on spec
  • PR test cases to cts
  • Add your registry entry
  • Author worked examples

Roadmap

QuarterMilestoneStatus
Q3 2026Spec v0.1 + Python/TypeScript SDKs + CTS published🟡 in progress
Q3 2026First customer deployments use AGP under the hood⚪ pending
Q4 2026Registry entries co-authored with at least 2 model vendors⚪ pending
Q1 2027Working group formed (1 plane + 2 vendors + 2 customers + 1 academic)⚪ pending
Q1 2027First customer RFP requires "AGP L1 conformance"⚪ pending
Q2 2027Spec v0.2 — formal DSL grammar, working-group feedback⚪ pending
Q3 2027First non-reference plane implementation⚪ pending
2028AGP becomes the default expectation in regulated procurement⚪ pending

Detailed sequencing: §5 of the spec.

Governance — honest disclosure

OpenAGP is initially developed and stewarded by Zeron — the company behind ZAK, the canonical reference implementation of an AGP plane. Zeron created AGP because the fragmentation of agent governance is a problem its customers face directly, and because no incumbent — hyperscaler, foundation model vendor, or compliance vendor — is structurally positioned to ship a vendor-neutral protocol.

The explicit roadmap is to transfer governance to a vendor-neutral working group by v1.0. Single-vendor stewardship today; multi-stakeholder governance tomorrow. Candidate permanent homes: Linux Foundation, OpenSSF, OASIS, IETF — to be selected by the working group.

We are transparent about this rather than pretending neutrality on day one.

Stewardship phases

TODAY  ─►  Q1 '27  ─►  v1.0
 │           │            │
 │           │            └─ Foundation
 │           │               (LF / OpenSSF / OASIS / IETF)
 │           │
 │           └─ Working group
 │              (1 + 2 + 2 + 1)
 │
 └─ Zeron-led
    open contribution

Read: GOVERNANCE.md

License

Component License Why
Spec text and JSON Schemas CC BY 4.0 Free to share and adapt — only requires attribution
SDKs and CTS Apache-2.0 Permissive code license with explicit patent grant
Registry data CC0 Public-domain index; signed claims inside are still authored by their submitters

Get involved

Read the spec · Open an RFC · Implement L1 · Add a registry entry


OpenAGP — open spec · vendor-neutral · cryptographically verifiable · enforceable in production
Reach the maintainers: hello@openagp.io

Popular repositories Loading

  1. sdk-python sdk-python Public

    Reference Python SDK for the Agent Governance Protocol

    Python 1

  2. .github .github Public

    Org-level community health files for openagp

  3. spec spec Public

    AGP — protocol specification, JSON Schemas, and reference fixtures (CC-BY-4.0)

  4. cts cts Public

    AGP Conformance Test Suite — agp-cts CLI for self-testing implementations

    Go

  5. sdk-typescript sdk-typescript Public

    Reference TypeScript SDK for the Agent Governance Protocol

    TypeScript

  6. examples examples Public

    End-to-end worked examples — mock vendor, mock plane, full traces

    Python

Repositories

Showing 6 of 6 repositories

People

This organization has no public members. You must be a member to see who’s a part of this organization.

Top languages

Loading…

Most used topics

Loading…