Complete trust boundaries for programmable delegation
pap:// seals the entire stack: the request boundary and the execution boundary. Mandates set scope cryptographically. OS-level sandboxing enforces it. Humans stay in control. Agents stay accountable. No AI required.
Two boundaries. One complete trust model.
Most tools guard one edge and call it security. pap:// governs both the request an agent makes and the execution it performs. A compromise at one boundary cannot cascade through the other.
pap:// minimizes what agents see
Every delegation is a signed mandate: the action allowed, the disclosure scope, and a time-to-live. SD-JWT selective disclosure reveals only the fields a task needs, negotiated over a six-phase handshake. A child request can never exceed its parent's scope. The containment is checked, not trusted.
pap-sandbox minimizes what agents can do
Approved actions run inside an OS-level sandbox. On Linux, seccomp denies the syscalls an agent should never make: network and subprocess calls, blocked by the kernel. Anywhere with Docker, a locked-down container does the same. Every action produces a cryptographic receipt recording exactly which constraints actually ran, co-signed by the principal.
What is an agent?
An agent is any software party that acts on someone else's behalf. A cron job that files your reports is an agent. A payments service that moves money for you is an agent. An LLM that reads your codebase and opens a pull request is an agent. What they share is delegation. A principal, the human or system that owns the data and holds the keys, hands off a task to something that will carry it out.
pap:// governs that hand-off, whatever the agent is made of. A mandate names exactly what the agent may see and do. The sandbox enforces it. A receipt records it. The protocol never asks whether an agent is "intelligent." It asks what the agent was authorized to do, and what it actually did.
No AI required. An agent is defined by the delegation, not the technology behind it.
If legal issues come, pap:// already speaks the language
"Principal" and "agent" aren't our words. They're how the law has handled one person acting for another for centuries. A principal is bound by what their agent does within the authority they granted, and not by what goes beyond it. pap:// didn't invent that. It made it checkable. The mandate is the grant of authority, signed. The receipt is the record of what was done, signed.
Regulators are starting to ask for the same thing. The EU AI Act, whose rules for high-risk systems take effect in August 2026, says those systems have to log their own activity so it can be traced (Article 12) and stay under human control, with a person able to step in, override, or shut them down (Article 14). A signed mandate is that human decision, on the record. A signed receipt is that log, and it can't be quietly edited. It comes out of the protocol from the first exchange, not bolted on before an audit.
Copyright law already draws its line at human authorship: the US Copyright Office and the courts won't register work with no person behind it. Who's liable when an autonomous agent acts is still being worked out. Both questions come down to the same two: who authorized this, and what were they allowed to do.
The six-phase handshake
Every delegation runs the same sequence between the initiating agent and the receiver. Watch it step through.
Humans. Agents. Data.
You hold the keys
Device-bound keypairs, no registration, ephemeral session DIDs per transaction. The principal owns the root of trust. Decentralized and under your control.
Accountable by construction
Agents register in Chrysalis, attributed to an operator and cryptographically vouched for. Every action traces back to a named, accountable party.
Never leaves scope
Selective disclosure at Phase 3 releases only what a task needs. Receipts store references to property types, never the values themselves. Proof without exposure.
Inside the execution boundary
This is where an approved action actually runs. We put it in a locked room it can't talk its way out of, then watch what it tries to do.
The agent can ask the computer for anything it wants. Only what the mandate allowed gets through. The computer refuses the rest, and every run ends with a signed receipt of what actually happened.
Proof, not promises
Every run ends with a signed receipt. It lists what the computer actually enforced, not what the policy asked for. Which requests were blocked. Where it ran. If a protection didn't run, the receipt says so.
When an auditor or a client or your own security team asks what an agent could do, you don't tell them what you meant to happen. You show them what did.
Every field on the receipt is something that actually happened. No wishful checkboxes.
Sealed end to end
A boundary on the request without one on the execution is half a trust model. pap:// closes both. Cryptographic scope on what agents see. OS-level confinement on what they can do. A signed receipt for everything that happened. Open source, forever.
Get your pap:// assessment