# agentlock - Doramagic AI Context Pack

> Positioning: a pre-install experience and judgment asset. It helps the host AI get off to a good start, but it does not mean the project has already been installed, run, or validated.

## Sufficiency Principle

- **Sufficiency over compression**: The AI Context Pack should be sufficient for the host AI to understand the project's value, capability boundaries, entrypoints, risks, and evidence sources before starting work; it may be layered, but it does not aim for the shortest possible summary.
- **Compression policy**: Compress only noise and duplication, never context that affects judgment or the quality of the work.

## How the Host AI Should Use This

You are reading the AI Context Pack that Doramagic compiled for agentlock. Treat it as pre-work context: help the user understand who it fits, what it can do, how to start, what must be verified after install, and where the risks are. Do not claim that you have already installed, run, or executed the target project.

## Claim Consumption Rules

- **Fact source**: Repo Evidence + Claim/Evidence Graph; the Human Wiki only supplies salience, terminology, and narrative structure.
- **Minimum status for a fact**: `supported`
- `supported`: May be used as a project fact, but the answer must cite the claim_id and evidence path.
- `weak`: Usable only as a low-confidence lead; the user must be asked to keep verifying.
- `inferred`: Usable only for risk notes or open questions; must not be packaged as a project fact.
- `unverified`: Must not be used as fact; state clearly that evidence is insufficient.
- `contradicted`: Must show the conflicting sources and must not force a single version on the user's behalf.

## Who It Fits Best

- **AI researchers or builders of research-oriented Agents**: The README clearly centers on research, experiment, or paper workflows. Evidence: `README.md` Claim: `clm_0002` supported 0.86
- **Developers already using host AIs such as Claude/Codex/Cursor/Gemini**: The README or plugin config mentions multiple host AIs. Evidence: `README.md` Claim: `clm_0003` supported 0.86

## What It Can Do

- **Command-Line Startup or Install Flow** (Verify after install): The project documentation contains runnable commands; real use requires running them in a local or host environment. Evidence: `README.md` Claim: `clm_0001` supported 0.86

## How to Start

- `pip install agentlock` Evidence: `README.md` Claim: `clm_0004` supported 0.86, `clm_0005` supported 0.86, `clm_0006` supported 0.86, `clm_0007` supported 0.86 et al.
- `pip install agentlock[langchain]    # LangChain` Evidence: `README.md` Claim: `clm_0005` supported 0.86
- `pip install agentlock[crewai]       # CrewAI` Evidence: `README.md` Claim: `clm_0006` supported 0.86
- `pip install agentlock[autogen]      # AutoGen` Evidence: `README.md` Claim: `clm_0007` supported 0.86
- `pip install agentlock[mcp]          # Model Context Protocol` Evidence: `README.md` Claim: `clm_0008` supported 0.86
- `pip install agentlock[fastapi]      # FastAPI` Evidence: `README.md` Claim: `clm_0009` supported 0.86
- `pip install agentlock[flask]        # Flask` Evidence: `README.md` Claim: `clm_0010` supported 0.86
- `pip install agentlock[crypto]       # Ed25519 signed receipts` Evidence: `README.md` Claim: `clm_0011` supported 0.86
- `pip install agentlock[all]          # Everything` Evidence: `README.md` Claim: `clm_0012` supported 0.86
- `git clone https://github.com/webpro255/agentlock.git` Evidence: `README.md` Claim: `clm_0013` supported 0.86

## Continue-or-Stop Decision Card

- **Current recommendation**: Sandbox trial only
- **Why**: The project has signals of install commands, host configuration, or local writes; do not go straight into your primary environment—trial it in isolation first.

### 30-Second Read

- **What to do now**: Sandbox trial only
- **Minimum safe next step**: Run Prompt Preview first; if you still want to install, trial only in an isolated environment
- **Do not trust yet**: Real output quality cannot be trusted before install.
- **Continuing will touch**: Command execution, Local environment or project files, Host AI context

### What You Can Trust Now

- **Target-audience signal: AI researchers or builders of research-oriented Agents** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `README.md` Claim: `clm_0002` supported 0.86
- **Target-audience signal: Developers already using host AIs such as Claude/Codex/Cursor/Gemini** (supported): Backed by a supported claim or project evidence, but that still is not the same as real install results. Evidence: `README.md` Claim: `clm_0003` supported 0.86
- **Capability exists: Command-Line Startup or Install Flow** (supported): You can trust that the project contains signals of this capability; whether it fits your specific task still needs trial or after-install verification. Evidence: `README.md` Claim: `clm_0001` supported 0.86
- **There are Quick Start / install-command signals** (supported): You can trust that the docs mention a startup or install entrypoint; do not run it directly in your primary environment because of that. Evidence: `README.md` Claim: `clm_0004` supported 0.86, `clm_0005` supported 0.86, `clm_0006` supported 0.86, `clm_0007` supported 0.86

### What You Cannot Trust Yet

- **Real output quality cannot be trusted before install.** (unverified): Prompt Preview can only show how it guides you; it cannot prove result quality in the real project.
- **Host AI version compatibility cannot be trusted before install.** (unverified): Host loading rules and version differences across Claude, Cursor, Codex, Gemini, and others must be verified in a real environment.
- **That it will not pollute your existing host AI's behavior cannot be trusted directly.** (inferred): Skill, plugin, and AGENTS/CLAUDE/GEMINI instructions may change the host AI's default behavior.
- **Safe rollback cannot be assumed by default.** (unverified): Unless the project clearly provides uninstall and recovery instructions, verify in an isolated environment first.
- **After a real install, is it compatible with the user's current host AI version?** (unverified): Compatibility can only be verified in the actual host environment.
- **Does the project's output quality meet the user's specific task?** (unverified): The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **Do the install commands require network access, permissions, or global writes?** (unverified): This affects install risk in both enterprise and personal environments. Evidence: `README.md`

### What Continuing Will Touch

- **Command execution**: Package managers, network downloads, the local plugin directory, project config, or the user's home directory. Why: Running the very first command can already change your environment; decide whether it is worth running first. Evidence: `README.md`
- **Local environment or project files**: Install results, plugin caches, project config, or local dependency directories. Why: The write scope and rollback path cannot be proven before install and need isolated verification. Evidence: `README.md`
- **Host AI context**: The AI Context Pack, Prompt Preview, Skill routing, risk rules, and project facts. Why: Importing context affects the host AI's later judgment, so avoid packaging unverified items as facts.

### Minimum Safe Next Steps

- **Run Prompt Preview first**: Use a pre-install interactive trial to judge whether the way of working fits; it needs no authorization or environment change. (applies when: Applies to any project, especially when output quality is unknown.)
- **Trial-install only in an isolated directory or a test account**: Avoid letting install commands pollute your primary host AI, real projects, or home directory. (applies when: When there are signals of command execution, plugin config, or local writes.)
- **After install, verify just one minimal task**: Verify loading, compatibility, output quality, and rollback first, then decide whether to use it deeply. (applies when: When moving from a trial into a real workflow.)

### Exit Plan

- **Preserve the pre-install state**: Record the original host config and project state so you can later judge whether it is recoverable.
- **Record the install commands and written paths**: Without clear uninstall instructions, you at least need to know which directories or configs to clean up manually.
- **If there is no rollback path, do not enter your primary environment**: No rollback is a blocker before continuing; do not proceed on trust or luck.

## What Can Only Be Previewed

- Explain who the project fits and what it can do
- Demonstrate a typical conversation flow based on project docs
- Help the user decide whether it is worth installing or researching further

## What Must Be Verified After Install

- Actually installing the Skill, plugin, or CLI
- Running scripts, modifying local files, or accessing external services
- Verifying real output quality, performance, and compatibility

## Boundary & Risk Decision Card

- **Mistaking the pre-install preview for a real run**: The user may overestimate how much configuration, permission, and compatibility verification the project has already done. Mitigation: Clearly separate prompt_preview_can_do from runtime_required. Claim: `clm_0015` inferred 0.45
- **Command execution will modify the local environment**: Install commands may write to the user's home directory, the host plugin directory, or project configuration. Mitigation: Run in an isolated environment or a test account first. Evidence: `README.md` Claim: `clm_0016` supported 0.86
- **To confirm**: After a real install, is it compatible with the user's current host AI version?. Why: Compatibility can only be verified in the actual host environment.
- **To confirm**: Does the project's output quality meet the user's specific task?. Why: The pre-install preview can only show flow and boundaries; it cannot replace real evaluation.
- **To confirm**: Do the install commands require network access, permissions, or global writes?. Why: This affects install risk in both enterprise and personal environments.

## Pre-Work Working Context

### Loading Order

- First read how_to_use.host_ai_instruction to establish the boundaries of this pre-install judgment asset.
- Read claim_graph_summary to confirm facts come from the Claim/Evidence Graph, not the Human Wiki narrative.
- Then read intended_users, capabilities, and quick_start_candidates to judge whether the user is a match.
- When you need to carry out a concrete task, check role_skill_index first, then evidence_index.
- For real install, file modification, network access, performance, or compatibility questions, turn to risk_card and boundaries.runtime_required.

### Task Routes

- **Command-Line Startup or Install Flow**: State that this is an after-install capability first, then give a pre-install checklist. Boundary: Must be verified after a real install or run. Evidence: `README.md` Claim: `clm_0001` supported 0.86

### Context Scale

- Total files: 55
- Important-file coverage: 40/55
- Evidence index entries: 48
- Role / Skill entries: 8

### Handling Insufficient Evidence

- **missing_evidence**: State that evidence is insufficient and ask the user for the target file, a README section, or after-install verification records; do not fill in facts.
- **out_of_scope_request**: State that the task is beyond the current AI Context Pack's evidence scope and suggest the user check the Human Manual or verify after a real install.
- **runtime_request**: Provide a pre-install checklist and command sources, but do not run commands for the user or claim they have been run.
- **source_conflict**: Show the conflicting sources side by side, mark them as unverified, and do not force a single version.

## Prompt Recipes

### Fit assessment

- Goal: Judge whether this project fits the user's current task.
- Expected output: A fit conclusion, key reasons, evidence citations, what can be previewed before install, what must be verified after install, and a next-step recommendation.

```text
Based on the AI Context Pack for agentlock, ask me 3 necessary questions first, then judge whether it fits my task. The answer must cover: who it fits, what it can do, what it cannot do, whether it is worth installing, and where the evidence comes from. Every project fact must cite evidence_refs, source_paths, or a claim_id.
```

### Pre-install experience

- Goal: Let the user feel the core workflow before installing, while avoiding packaging the preview as real capability or a marketing promise.
- Expected output: An experience script with boundary labels, an after-install verification checklist, and a cautious recommendation; with no real-run promises or strong marketing language.

```text
Treat agentlock as a pre-install experience asset, not an already-installed tool or a real runtime environment.

Output exactly four parts:
1. Ask me 3 necessary questions first.
2. Give an "experience script": use the three labels [Previewable before install], [Must verify after install], and [Insufficient evidence] to show how it might guide the workflow.
3. Give an after-install verification checklist: list which capabilities can only be confirmed after a real install, real host loading, and a real project run.
4. Give a cautious recommendation: only "worth researching/trialing further", "add information before deciding", or "not recommended to continue"; do not endorse the project.

Hard boundaries:
- Do not claim you have installed, run, executed tests, modified files, or produced real results.
- Do not write promise-like phrasing such as "auto-adapts", "guarantees passing", "perfect fit", or "strongly recommend installing".
- If you describe how it works after install, you must use a conditional such as "if installed successfully and the host loads the Skill correctly, it might...".
- The experience script may only be written as "example lines / hypothetical flow": use "might ask / might suggest / might show", not "has written, has generated, has passed, is running, is generating".
- Prompt Preview does not hand out install commands; if the user is ready to trial, only prompt them to read Quick Start and the Risk Card first and to verify in an isolated environment.
- Every project fact must come from a supported claim, evidence_refs, or source_paths; inferred/unverified items can only be risks or open questions.

```

### Role / Skill selection

- Goal: Pick the best-matching asset from the project's roles or Skills.
- Expected output: A list of candidate roles or Skills, each with an applicable scenario, evidence paths, risk boundary, and whether after-install verification is needed.

```text
Read role_skill_index and recommend 3-5 of the most relevant roles or Skills for my target task. For each recommendation, state the applicable scenario, likely output, risk boundary, and evidence_refs.
```

### Risk pre-check

- Goal: Identify environment, permission, rule-conflict, and quality risks before installing or adopting.
- Expected output: A checklist of environment, permission, dependency, license, host-conflict, quality risk, and unknown items.

```text
Based on risk_card, boundaries, and quick_start_candidates, give me a pre-install risk pre-check list. Do not run commands for me; only explain what I should check, why, and what impact a failure would have.
```

### Host AI kickoff instruction

- Goal: Turn the project context into a host AI instruction for the start of a conversation.
- Expected output: A pre-work instruction with clear boundaries and clear evidence citations, suitable to copy to a host AI.

```text
Based on the AI Context Pack for agentlock, generate a pre-work instruction I can paste to my host AI. This instruction must obey not_runtime=true and must not claim the project has been installed, run, or produced real results.
```

## Role / Skill Index

- Indexed 8 role / Skill / project-doc entries.

- **The Problem** (project_doc): AgentLock An adversarially benchmarked reference implementation for pre-action agent authorization Your AI agent needs a login screen. AgentLock is that login screen. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `README.md`
- **Quick Start Guide** (project_doc): Protect Your First Tool in 5 Minutes Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/quickstart.md`
- **Contributing to AgentLock** (project_doc): Thank you for your interest in contributing to AgentLock. This project aims to establish an open standard for authorization in AI agent systems. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `CONTRIBUTING.md`
- **AgentLock Security Benchmark Report** (project_doc): AgentLock Security Benchmark Report Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/benchmark.md`
- **Framework Integrations** (project_doc): AgentLock is framework-agnostic. The core library has zero framework dependencies. Optional integrations wrap popular frameworks with AgentLock authorization. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/integrations.md`
- **AgentLock Specification v1.2** (project_doc): AI agents are being deployed with direct access to tools that can read databases, send emails, execute financial transactions, and modify production systems. Yet these tools have no standardized permission model. Every major agent framework LangChain, CrewAI, AutoGen, and others treats tool calls as trusted function invocations with no identity verification, scope constraints, or access control. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `docs/specification.md`
- **Changelog** (project_doc): All notable changes to AgentLock will be documented in this file. Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `CHANGELOG.md`
- **Security Policy** (project_doc): Version Supported --------- -------------------- 1.2.x Yes 1.1.x Yes 1.0.x Yes Activation hint: Reference this when the user needs to understand the project's structure, install path, or boundaries. Evidence: `SECURITY.md`

## Evidence Index

- Indexed 48 evidence entries.

- **The Problem** (documentation): AgentLock An adversarially benchmarked reference implementation for pre-action agent authorization Your AI agent needs a login screen. AgentLock is that login screen. Evidence: `README.md`
- **Quick Start Guide** (documentation): Protect Your First Tool in 5 Minutes Evidence: `docs/quickstart.md`
- **Contributing to AgentLock** (documentation): Thank you for your interest in contributing to AgentLock. This project aims to establish an open standard for authorization in AI agent systems. Evidence: `CONTRIBUTING.md`
- **License** (source_file): Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ Evidence: `LICENSE`
- **AgentLock Security Benchmark Report** (documentation): AgentLock Security Benchmark Report Evidence: `docs/benchmark.md`
- **Framework Integrations** (documentation): AgentLock is framework-agnostic. The core library has zero framework dependencies. Optional integrations wrap popular frameworks with AgentLock authorization. Evidence: `docs/integrations.md`
- **AgentLock Specification v1.2** (documentation): AI agents are being deployed with direct access to tools that can read databases, send emails, execute financial transactions, and modify production systems. Yet these tools have no standardized permission model. Every major agent framework LangChain, CrewAI, AutoGen, and others treats tool calls as trusted function invocations with no identity verification, scope constraints, or access control. Evidence: `docs/specification.md`
- **Agentlock V1.2** (structured_config): { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://agentlock.dev/schema/v1.2", "title": "AgentLock Tool Definition Schema v1.2", "description": "Authorization schema for AI agent tool calls. Defines the agentlock permissions block that extends standard tool definitions with access control, rate limiting, data policies, audit requirements, adaptive hardening, DEFER/STEP UP/MODIFY decision types, signed receipts, and hash-chained context.", "type": "object", "properties": { "name": { "type": "string", "description": "Tool identifier" }, "description": { "type": "string", "description": "Human-readable tool description" }, "parameters": { "type": "object", "descriptio… Evidence: `schema/agentlock-v1.2.json`
- **Init** (source_file): version = "1.2.1" ⋮---- all = Evidence: `agentlock/__init__.py`
- **v1.1 additions** (source_file): logger = logging.getLogger "agentlock.audit" ⋮---- all = "AuditRecord", "AuditLogger", "AuditBackend", "FileAuditBackend" ⋮---- def generate audit id - AuditId ⋮---- ts = time.strftime "%Y-%m-%d", time.gmtime seq = secrets.token hex 4 ⋮---- @dataclass slots=True class AuditRecord ⋮---- """A single audit entry.""" ⋮---- audit id: AuditId = field default factory= generate audit id timestamp: float = field default factory=time.time tool name: str = "" user id: str = "" role: str = "" action: str = "" "allowed", "denied", "error" reason: str = "" risk level: str = "" parameters: dict str, Any None = None response summary: str = "" token id: str = "" session id: str = "" duration ms: float = 0.0… Evidence: `agentlock/audit.py`
- **Resolve authority from policy** (source_file): all = "ContextProvenance", "ContextState", "ContextTracker" ⋮---- def generate provenance id - str ⋮---- @dataclass slots=True class ContextProvenance ⋮---- """Attribution for a single context entry.""" ⋮---- provenance id: str = field default factory= generate provenance id source: ContextSource = ContextSource.TOOL OUTPUT authority: ContextAuthority = ContextAuthority.DERIVED writer id: str = "" timestamp: float = field default factory=time.time tool name: str None = None token id: str None = None session id: str = "" content hash: str = "" previous hash: str = "" parent provenance id: str None = None metadata: dict str, Any = field default factory=dict ⋮---- @staticmethod def hash conten… Evidence: `agentlock/context.py`
- **Exceptions** (source_file): class AgentLockError Exception ⋮---- class DeniedError AgentLockError ⋮---- def format self - str ⋮---- parts = f"denied: {self.reason}" ⋮---- def to dict self - dict str, Any ⋮---- """Serialize to the AgentLock denial response format.""" d: dict str, Any = { ⋮---- class AuthenticationRequiredError DeniedError ⋮---- def init self, auth methods: list str None = None, kwargs: Any - None ⋮---- class InsufficientRoleError DeniedError ⋮---- def init self, kwargs: Any - None ⋮---- class ScopeViolationError DeniedError ⋮---- class RateLimitedError DeniedError ⋮---- class SessionExpiredError DeniedError ⋮---- class ApprovalRequiredError DeniedError ⋮---- class TrustDegradedError DeniedError ⋮---- c… Evidence: `agentlock/exceptions.py`
- **Adaptive prompt hardening off by default — pass HardeningConfig to enable** (source_file): @dataclass class AuthResult ⋮---- allowed: bool decision: DecisionType = DecisionType.ALLOW token: ExecutionToken None = None denial: dict str, Any None = None audit id: str = "" hardening: HardeningDirective None = None modify output fn: Callable str , str None = None transformations applied: list str = field default factory=list deferral id: str = "" stepup request id: str = "" receipt: SignedReceipt None = None ⋮---- def raise if denied self - None ⋮---- """Raise DeniedError if the call was denied.""" ⋮---- class AuthorizationGate ⋮---- """Central authorization enforcement point. This is the primary interface for AgentLock. Register tools with their permissions, then call authorize on ev… Evidence: `agentlock/gate.py`
- **Hardening** (source_file): all = ⋮---- DEFAULT SIGNAL WEIGHTS: dict str, int = { ⋮---- SIGNAL INSTRUCTIONS: dict str, list str = { ⋮---- COMPOUND RULES: list dict str, Any = ⋮---- @dataclass slots=True class HardeningSignal ⋮---- signal type: str weight: int timestamp: float = field default factory=time.time details: str = "" source: str = "" ⋮---- @dataclass class HardeningDirective ⋮---- """Defensive instructions to inject into the agent's system prompt. The framework integration must check this after every authorize call and update the LLM's system prompt accordingly. """ ⋮---- active: bool = False severity: str = "none" instructions: list str = field default factory=list triggered by: list str = field default fac… Evidence: `agentlock/hardening.py`
- **Built-in prohibited content patterns** (source_file): all = ⋮---- def generate entry id - str ⋮---- @dataclass class MemoryEntry ⋮---- """A persisted memory item with provenance.""" ⋮---- entry id: str = field default factory= generate entry id user id: str = "" tool name: str = "" content: str = "" content hash: str = "" persistence: MemoryPersistence = MemoryPersistence.SESSION writer: MemoryWriter = MemoryWriter.SYSTEM created at: float = field default factory=time.time provenance: ContextProvenance None = None metadata: dict str, Any = field default factory=dict ⋮---- @property def is expired self - bool ⋮---- """Check if the entry has exceeded its max age. Note: max age is not stored on the entry — it's checked against the policy at read… Evidence: `agentlock/memory_gate.py`
- **Track fields that were blocked not just modified** (source_file): all = ⋮---- DEFAULT PII TYPES = "ssn", "email", "phone", "credit card", "api key" ⋮---- @dataclass class ModifyResult ⋮---- modified: bool = False original params: dict str, Any None = None modified params: dict str, Any None = None original output: str None = None modified output: str None = None transformations applied: list str = field default factory=list blocked fields: list str = field default factory=list ⋮---- class ModifyEngine ⋮---- def init self - None ⋮---- result = ModifyResult original output=output current = output ⋮---- t field = t.field if hasattr t, "field" else t.get "field", "" t action = t.action if hasattr t, "action" else t.get "action", "" t config = t.config if hasa… Evidence: `agentlock/modify.py`
- **---------------------------------------------------------------------------** (source_file): @dataclass slots=True class RequestContext ⋮---- user id: str = "" role: str = "" session id: str = "" data boundary: DataBoundary = DataBoundary.AUTHENTICATED USER ONLY record count: int = 1 recipient: str = "" is bulk: bool = False is external: bool = False is financial: bool = False amount: float = 0.0 max output classification: DataClassification None = None metadata: dict str, Any = field default factory=dict context state: ContextState None = None ⋮---- @property def is authenticated self - bool ⋮---- @dataclass slots=True class PolicyDecision ⋮---- """Result of policy evaluation.""" ⋮---- allowed: bool reason: DenialReason None = None detail: str = "" required role: str = "" suggesti… Evidence: `agentlock/policy.py`
- **Rate Limit** (source_file): @dataclass slots=True class Window ⋮---- calls: list float max calls: int window seconds: int ⋮---- class RateLimiter ⋮---- def init self - None ⋮---- key = tool name, user id now = time.time cutoff = now - window seconds ⋮---- window = self. windows key ⋮---- oldest = min window.calls if window.calls else now retry after = int oldest + window seconds - now + 1 ⋮---- def remaining self, tool name: str, user id: str - int None ⋮---- """Return remaining calls in the current window, or None if no limit set.""" ⋮---- window = self. windows.get key ⋮---- cutoff = now - window.window seconds active = t for t in window.calls if t cutoff ⋮---- def reset self, tool name: str None = None, user id: st… Evidence: `agentlock/rate_limit.py`
- **Receipts** (source_file): all = ⋮---- def generate receipt id - str ⋮---- @dataclass class SignedReceipt ⋮---- """A signed record of an authorization decision.""" ⋮---- receipt id: str = field default factory= generate receipt id timestamp: float = field default factory=time.time decision: str = "" allow/deny/defer/step up/modify tool name: str = "" user id: str = "" role: str = "" parameters hash: str = "" SHA-256 of parameters reason: str None = None policy version hash: str = "" context hash: str = "" trust ceiling: str None = None signing key id: str = "" signature: str = "" hex-encoded signature metadata: dict str, Any = field default factory=dict ⋮---- def canonical bytes self - bytes ⋮---- """Deterministic se… Evidence: `agentlock/receipts.py`
- **Schema** (source_file): all = ⋮---- SCHEMA VERSION = "1.2" ⋮---- class ScopeConfig BaseModel ⋮---- data boundary: DataBoundary = DataBoundary.AUTHENTICATED USER ONLY max records: int None = Field default=None, ge=1 allowed recipients: RecipientPolicy = RecipientPolicy.KNOWN CONTACTS ONLY ⋮---- model config = {"extra": "forbid"} ⋮---- class RateLimitConfig BaseModel ⋮---- max calls: int = Field ge=1 window seconds: int = Field ge=1 ⋮---- class DataPolicyConfig BaseModel ⋮---- input classification: DataClassification = DataClassification.PUBLIC output classification: DataClassification = DataClassification.PUBLIC prohibited in output: list str = Field default factory=list redaction: RedactionMode = RedactionMode.NON… Evidence: `agentlock/schema.py`
- **Session** (source_file): def generate session id - SessionId ⋮---- @dataclass class Session ⋮---- """An authenticated session. Attributes: session id: Unique session identifier. user id: Verified identity. role: Active role for this session. data boundary: Current scope of data access. created at: Unix timestamp. expires at: Unix timestamp. metadata: Arbitrary session metadata device info, IP, etc. . """ ⋮---- user id: str role: str data boundary: DataBoundary = DataBoundary.AUTHENTICATED USER ONLY created at: float = field default factory=time.time expires at: float = 0.0 session id: SessionId = field default factory= generate session id metadata: dict str, Any = field default factory=dict ⋮---- max duration: int… Evidence: `agentlock/session.py`
- **Token** (source_file): def generate token id - TokenId ⋮---- @dataclass slots=True class ExecutionToken ⋮---- """A single-use, time-limited, operation-bound execution token. Attributes: token id: Unique identifier. tool name: The specific tool this token authorizes. user id: Authenticated identity of the caller. role: The role under which this call is authorized. scope: Data boundary constraints snapshot. parameters hash: SHA-256 of the serialized call parameters. issued at: Unix timestamp of issuance. expires at: Unix timestamp after which the token is invalid. status: Current lifecycle state. """ ⋮---- tool name: str user id: str role: str scope: dict str, Any = field default factory=dict parameters hash: str =… Evidence: `agentlock/token.py`
- **Types** (source_file): all = ⋮---- class DecisionType str, Enum ⋮---- ALLOW = "allow" DENY = "deny" DEFER = "defer" STEP UP = "step up" MODIFY = "modify" ⋮---- class RiskLevel str, Enum ⋮---- NONE = "none" LOW = "low" MEDIUM = "medium" HIGH = "high" CRITICAL = "critical" ⋮---- class AuthMethod str, Enum ⋮---- OAUTH2 = "oauth2" MAGIC LINK = "magic link" MFA = "mfa" API KEY = "api key" ⋮---- class DataClassification str, Enum ⋮---- PUBLIC = "public" INTERNAL = "internal" CONFIDENTIAL = "confidential" MAY CONTAIN PII = "may contain pii" CONTAINS PII = "contains pii" CONTAINS PHI = "contains phi" CONTAINS FINANCIAL = "contains financial" ⋮---- class DataBoundary str, Enum ⋮---- AUTHENTICATED USER ONLY = "authenticate… Evidence: `agentlock/types.py`
- **-- run report: viewer is denied, analyst is allowed ----------------------** (source_file): gate = AuthorizationGate ⋮---- @agentlock gate, risk level="low", allowed roles= "viewer", "analyst", "admin" def search docs query: str - str ⋮---- @agentlock gate, risk level="medium", allowed roles= "analyst", "admin" def run report report name: str, date range: str - str ⋮---- def delete user username: str - str ⋮---- result = search docs query="agentlock setup", user id="bob", role="viewer" ⋮---- -- run report: viewer is denied, analyst is allowed ---------------------- ⋮---- result = run report ⋮---- -- delete user: only admin ----------------------------------------------- ⋮---- result = delete user username="eve", user id="carol", role="analyst" ⋮---- result = delete user username="… Evidence: `examples/decorator_example.py`
- **---------------------------------------------------------------------------** (source_file): audit backend = InMemoryAuditBackend gate = AuthorizationGate audit backend=audit backend ⋮---- perms = AgentLockPermissions ⋮---- --------------------------------------------------------------------------- Step 3: Denied case -- wrong role ⋮---- Alice is a "viewer". The tool requires "admin". Authorization will fail. ⋮---- result denied = gate.authorize ⋮---- You can also use raise if denied to turn denials into exceptions: ⋮---- Step 4: Allowed case -- correct role ⋮---- Now Alice authenticates as "admin". Authorization succeeds. ⋮---- result allowed = gate.authorize ⋮---- Step 5: Execute the tool using the token ⋮---- The token is single-use and time-limited. Pass it to gate.execute alon… Evidence: `examples/quickstart.py`
- **Init** (source_file): @runtime checkable class AuthProvider Protocol ⋮---- def verify self, token or code: str - dict str, Any None ⋮---- class StaticAuthProvider ⋮---- def init self, users: dict str, str - None ⋮---- role = self. users.get token or code Evidence: `agentlock/auth_providers/__init__.py`
- **Init** (source_file): all = Evidence: `agentlock/integrations/__init__.py`
- **Init** (source_file): all = Evidence: `agentlock/signals/__init__.py`
- **Check pairs order-independent within session** (source_file): all = "ComboDetector", "ComboSignal", "ComboConfig" ⋮---- DEFAULT SUSPICIOUS PAIRS: dict tuple str, str , int = { ⋮---- DEFAULT SUSPICIOUS SEQUENCES: dict tuple str, ... , int = { ⋮---- @dataclass slots=True class ComboSignal ⋮---- signal type: str weight: int tools: list str details: str = "" ⋮---- @dataclass class ComboConfig ⋮---- """Configuration for combo detection. Both maps are configurable so deployers can add their own tool combinations without modifying the defaults. """ ⋮---- suspicious pairs: dict tuple str, str , int = field suspicious sequences: dict tuple str, ... , int = field ⋮---- class ComboDetector ⋮---- """Detects suspicious tool call combinations within a session. Call… Evidence: `agentlock/signals/combos.py`
- **System prompt leakage** (source_file): all = "EchoDetector", "EchoSignal", "EchoConfig" ⋮---- DEFAULT ECHO PATTERNS: list tuple str, re.Pattern str , int = ⋮---- System prompt leakage ⋮---- Tool enumeration in response ⋮---- Configuration disclosure ⋮---- Role confusion / persona hijacking echo ⋮---- Instruction-following language in suspicious contexts ⋮---- @dataclass slots=True class EchoSignal ⋮---- """Result from echo detection.""" ⋮---- pattern name: str weight: int matched text: str = "" details: str = "" ⋮---- @dataclass class EchoConfig ⋮---- """Configuration for echo detection.""" ⋮---- patterns: list tuple str, re.Pattern str , int = field Tool names to check for echoing set by the deployer known tool names: list str… Evidence: `agentlock/signals/echo.py`
- **Prompt Scan** (source_file): all = "PromptScanner", "PromptScanConfig" ⋮---- INJECTION PATTERNS: list tuple str, re.Pattern str = ⋮---- AUTHORITY PATTERNS: list tuple str, re.Pattern str = ⋮---- INSTRUCTION PLANTING PATTERNS: list tuple str, re.Pattern str = ⋮---- ENCODING PATTERNS: list tuple str, re.Pattern str = ⋮---- r" A-Za-z0-9+/ {40,}={0,2}" base64 string 40+ chars ⋮---- IMPERSONATION PATTERNS: list tuple str, re.Pattern str = ⋮---- FORMAT FORCING PATTERNS: list tuple str, re.Pattern str = ⋮---- RETRIEVAL PATTERNS: list tuple str, re.Pattern str = ⋮---- @dataclass class PromptScanConfig ⋮---- """Configuration for the prompt scanner.""" ⋮---- detect injection: bool = True detect authority: bool = True detect plan… Evidence: `agentlock/signals/prompt_scan.py`
- **Risk level ordering for topic escalation detection** (source_file): all = "VelocityDetector", "VelocitySignal", "VelocityConfig" ⋮---- @dataclass slots=True class VelocitySignal ⋮---- signal type: str weight: int details: str = "" ⋮---- Risk level ordering for topic escalation detection RISK ORDER: dict str, int = { ⋮---- @dataclass slots=True class CallRecord ⋮---- tool name: str risk level: str timestamp: float ⋮---- @dataclass class VelocityConfig ⋮---- rapid calls count: int = 3 rapid calls window: float = 60.0 rapid calls weight: int = 2 burst count: int = 3 burst window: float = 30.0 burst weight: int = 2 escalation weight: int = 3 ⋮---- class VelocityDetector ⋮---- def init self, config: VelocityConfig None = None - None ⋮---- ts = timestamp if times… Evidence: `agentlock/signals/velocity.py`
- **Changelog** (documentation): All notable changes to AgentLock will be documented in this file. Evidence: `CHANGELOG.md`
- **Security Policy** (documentation): Version Supported --------- -------------------- 1.2.x Yes 1.1.x Yes 1.0.x Yes Evidence: `SECURITY.md`
- **Agentlock V1.0** (structured_config): { "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://agentlock.dev/schema/v1.0", "title": "AgentLock Tool Definition Schema v1.0", "description": "Authorization schema for AI agent tool calls. Defines the agentlock permissions block that extends standard tool definitions with access control, rate limiting, data policies, and audit requirements.", "type": "object", "properties": { "name": { "type": "string", "description": "Tool identifier" }, "description": { "type": "string", "description": "Human-readable tool description" }, "parameters": { "type": "object", "description": "Tool parameter schema" }, "agentlock": { "$ref": " /$defs/AgentLockPermissions" } }, "requi… Evidence: `schema/agentlock-v1.0.json`
- **.gitignore** (source_file): pycache / .py cod $py.class .egg-info/ dist/ build/ .egg .eggs/ .mypy cache/ .pytest cache/ .ruff cache/ .coverage htmlcov/ .so .env .venv/ venv/ env/ .log .DS Store Thumbs.db Evidence: `.gitignore`
- **Notice** (source_file): AgentLock Copyright 2026 David Grice AgentLock — agentlock.dev Evidence: `NOTICE`
- **Chain** (source_file): all = ⋮---- GENESIS HASH = hashlib.sha256 b"" .hexdigest ⋮---- def generate entry id - str ⋮---- """Compute the deterministic hash of a chain entry.""" payload = ⋮---- @dataclass slots=True class ChainedContextEntry ⋮---- entry id: str = field default factory= generate entry id timestamp: float = field default factory=time.time source: str = "" ContextSource value authority: str = "" ContextAuthority value content hash: str = "" SHA-256 of actual content previous hash: str = "" hash of the previous ChainedContextEntry entry hash: str = "" SHA-256 previous hash + content hash + ... writer id: str = "" metadata: dict str, Any = field default factory=dict ⋮---- class ContextChain ⋮---- """Appe… Evidence: `agentlock/chain.py`
- **If the file is a full tool definition** (source_file): def validate args: argparse.Namespace - int ⋮---- path = Path args.file ⋮---- data = json.loads path.read text ⋮---- errors: list str = ⋮---- If the file is a full tool definition ⋮---- tool = ToolDefinition data perms = tool.agentlock ⋮---- perms = AgentLockPermissions data "agentlock" ⋮---- perms = AgentLockPermissions data ⋮---- thr = perms.human approval.threshold.value ch = perms.human approval.channel.value ⋮---- cp = perms.context policy td status = "enabled" if cp.trust degradation.enabled else "disabled" ⋮---- mp = perms.memory policy ⋮---- def schema args: argparse.Namespace - int ⋮---- """Print the AgentLock JSON schema.""" ⋮---- schema = AgentLockPermissions.model json schema ⋮-… Evidence: `agentlock/cli.py`
- **Decorators** (source_file): F = TypeVar "F", bound=Callable ..., Any ⋮---- RESERVED KWARGS = {" user id", " role", " session id", " metadata"} ⋮---- def decorator func: F - F ⋮---- tool name = name or func. name ⋮---- perms = AgentLockPermissions permissions ⋮---- perms = permissions ⋮---- perms dict: dict str, Any = { ⋮---- perms = AgentLockPermissions perms dict ⋮---- @functools.wraps func async def async wrapper args: Any, kwargs: Any - Any ⋮---- user id = kwargs.pop " user id", "" role = kwargs.pop " role", "" ⋮---- meta = kwargs.pop " metadata", None ⋮---- auth result = gate.authorize ⋮---- captured result = await func args, kwargs ⋮---- redacted = gate.redact output tool name, captured result \ ⋮---- @functools.… Evidence: `agentlock/decorators.py`
- **Defer** (source_file): all = "DeferralManager", "DeferralRecord" ⋮---- def generate deferral id - str ⋮---- @dataclass class DeferralRecord ⋮---- """A suspended authorization decision.""" ⋮---- deferral id: str = field default factory= generate deferral id tool name: str = "" user id: str = "" role: str = "" reason: str = "" trigger: str = "" created at: float = field default factory=time.time timeout seconds: int = 60 resolution: str None = None "approved", "denied", "timeout" resolved at: float None = None resolved by: str None = None parameters: dict str, Any None = None ⋮---- @property def is resolved self - bool ⋮---- @property def is expired self - bool ⋮---- class DeferralManager ⋮---- def init self, sibli… Evidence: `agentlock/defer.py`
- **International: +44 7700 900000, +91-9876543210, +1-555-123-4567** (source_file): all = "RedactionEngine", "RedactionResult" ⋮---- BUILTIN PATTERNS: dict str, re.Pattern str = { ⋮---- International: +44 7700 900000, +91-9876543210, +1-555-123-4567 ⋮---- Local with leading zero: 07700 900000, 0800-123-456 ⋮---- @dataclass slots=True class RedactionResult ⋮---- original: str redacted: str redactions: list dict str, str ⋮---- @property def was redacted self - bool ⋮---- class RedactionEngine ⋮---- pattern = re.compile pattern ⋮---- def redact self, text: str - RedactionResult ⋮---- redactions: list dict str, str = result = text ⋮---- replacement = self. placeholder.format type=dtype ⋮---- def replacer match: re.Match str , dt: str = dtype, rep: str = replacement - str ⋮----… Evidence: `agentlock/redaction.py`
- **Stepup** (source_file): all = ⋮---- def generate request id - str ⋮---- @dataclass class StepUpRequest ⋮---- """A pending human approval request.""" ⋮---- request id: str = field default factory= generate request id tool name: str = "" user id: str = "" role: str = "" risk level: str = "" reason: str = "" trigger: str = "" hardening severity: str = "" created at: float = field default factory=time.time timeout seconds: int = 120 resolution: str None = None "approved", "denied", "timeout" resolved at: float None = None resolved by: str None = None ⋮---- @property def is resolved self - bool ⋮---- @property def is expired self - bool ⋮---- @runtime checkable class StepUpNotifier Protocol ⋮---- def notify self, reque… Evidence: `agentlock/stepup.py`
- **Now call through the gate -- output will be automatically redacted** (source_file): gate = AuthorizationGate ⋮---- def lookup customer customer id: str - str ⋮---- raw output = lookup customer customer id="CUST-001" ⋮---- Now call through the gate -- output will be automatically redacted ⋮---- redacted output = gate.call ⋮---- --------------------------------------------------------------------------- You can also use the redaction engine directly for inspection ⋮---- result = gate.redact output "lookup customer", raw output ⋮---- Tool without redaction policy -- output passes through unchanged ⋮---- def get status - str ⋮---- output = gate.call Evidence: `examples/data_redaction.py`
- **Fastapi App** (source_file): audit backend = InMemoryAuditBackend gate = AuthorizationGate audit backend=audit backend ⋮---- app = FastAPI title="AgentLock FastAPI Example" ⋮---- class AuthContext BaseModel ⋮---- user id: str role: str ⋮---- def get auth context request: Request - AuthContext ⋮---- user id = request.headers.get "X-User-Id", "" role = request.headers.get "X-User-Role", "" ⋮---- result = gate.authorize ⋮---- denial = result.denial or {} ⋮---- @app.get "/search" def search q: str, auth: AuthContext = Depends get auth context ⋮---- class ReportRequest BaseModel ⋮---- report name: str date range: str ⋮---- @app.post "/reports" def run report body: ReportRequest, auth: AuthContext = Depends get auth context… Evidence: `examples/fastapi_app.py`
- **Test each user against each tool** (source_file): audit backend = InMemoryAuditBackend gate = AuthorizationGate audit backend=audit backend ⋮---- tools = { ⋮---- users = { ⋮---- tool names = list tools.keys col width = max len t for t in tool names + 2 user col = 18 ⋮---- header = f"{'User role ':<{user col}}" ⋮---- Test each user against each tool ⋮---- row = f"{user id} {role} " row = f"{row:<{user col}}" ⋮---- result = gate.authorize tool name, user id=user id, role=role status = "ALLOW" if result.allowed else "DENY" ⋮---- --------------------------------------------------------------------------- Show per-user detail ⋮---- test cases = ⋮---- status = "ALLOWED" if result.allowed else "DENIED" reason = "" ⋮---- reason = f" {result.denial… Evidence: `examples/multi_role.py`
- **gate.call combines authorize + execute in one step.** (source_file): gate = AuthorizationGate ⋮---- def send notification channel: str, message: str - str ⋮---- gate.call combines authorize + execute in one step. It raises DeniedError including RateLimitedError on failure. ⋮---- RateLimitedError is a subclass of DeniedError with extra fields ⋮---- --------------------------------------------------------------------------- Check remaining quota ⋮---- Different users have independent limits ⋮---- output = gate.call Evidence: `examples/rate_limiting.py`
- **Pyproject** (source_file): build-system requires = "hatchling" build-backend = "hatchling.build" Evidence: `pyproject.toml`

## Rules the Host AI Must Follow

- **Treat this asset as pre-work context, not a runtime environment.**: The AI Context Pack contains only an evidence-backed understanding of the project, not the project's executable state. Evidence: `README.md`, `docs/quickstart.md`, `CONTRIBUTING.md`
- **When answering the user, distinguish what can be previewed from what can only be verified after install.**: The consumer value of the pre-install experience comes from reducing bad installs and misjudgments, not from pretending to be a real run. Evidence: `README.md`, `docs/quickstart.md`, `CONTRIBUTING.md`

## Questions the User Should Answer First

- Which host AI or local environment do you plan to use it in?
- Do you just want to experience the workflow first, or are you ready to actually install?
- What matters most to you: install cost, output quality, or conflicts with your existing rules?

## Acceptance Checks

- Every capability claim can be traced back to a file path in evidence_refs.
- AI_CONTEXT_PACK.md does not package previews as a real run.
- The user can understand who it fits, what it can do, how to start, and the risk boundaries within 3 minutes.

---

## Doramagic Context Augmentation

The following sections strengthen the repository context for a host AI. Human Manual data is a reading route, and pitfall notes become operating constraints.

## Human Manual Outline

Usage rule: this is only a reading route and salience signal, not factual authority. Concrete claims must still return to repo evidence or Claim Graph.

Host AI hard rules:
- Do not treat page titles, section order, summaries, or importance values as factual project evidence.
- When explaining the Human Manual outline, state that it is only a reading route or salience signal.
- Capability, installation, compatibility, runtime state, and risk claims must cite repo evidence, source paths, or Claim Graph.

- **Overview, Quick Start & Core Principles**: importance `high`
  - source_paths: README.md, docs/quickstart.md, examples/quickstart.py, examples/decorator_example.py, schema/agentlock-v1.2.json
- **Authorization Gate, Policy & Decision Types**: importance `high`
  - source_paths: agentlock/gate.py, agentlock/policy.py, agentlock/token.py, agentlock/exceptions.py, agentlock/modify.py
- **Signed Receipts, Hash-Chained Context & Audit**: importance `high`
  - source_paths: agentlock/receipts.py, agentlock/context.py, agentlock/audit.py, agentlock/session.py, agentlock/schema.py
- **Adaptive Hardening, Signals & Framework Integrations**: importance `high`
  - source_paths: agentlock/hardening.py, agentlock/signals/__init__.py, agentlock/signals/velocity.py, agentlock/signals/combos.py, agentlock/signals/echo.py

## Repo Inspection Evidence

- repo_clone_verified: true
- repo_inspection_verified: true
- repo_commit: `38c22117f30979b6f115303a3319fb9668db7eee`
- inspected_files: `README.md`, `pyproject.toml`, `docs/benchmark.md`, `docs/integrations.md`, `docs/quickstart.md`, `docs/specification.md`, `examples/data_redaction.py`, `examples/decorator_example.py`, `examples/fastapi_app.py`, `examples/multi_role.py`, `examples/quickstart.py`, `examples/rate_limiting.py`

Host AI hard rules:
- Without repo_clone_verified=true, do not claim that the source code has been read.
- Without repo_inspection_verified=true, do not write README, docs, or package-file conclusions as facts.
- Without quick_start_verified=true, do not claim that the Quick Start path has run successfully.

## Doramagic Pitfall Constraints

These rules come from Doramagic discovery, validation, or compilation findings. The host AI must treat them as operating constraints, not background notes.

### Constraint 1: Capability evidence risk requires verification

- Trigger: README/documentation is current enough for a first validation pass.
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: capability.assumptions | https://github.com/webpro255/agentlock
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 2: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: downstream_validation.risk_items | https://github.com/webpro255/agentlock
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 3: Security or permission risk requires verification

- Trigger: no_demo
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: risks.scoring_risks | https://github.com/webpro255/agentlock
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 4: Maintenance risk requires verification

- Trigger: issue_or_pr_quality=unknown。
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/webpro255/agentlock
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.

### Constraint 5: Maintenance risk requires verification

- Trigger: release_recency=unknown。
- Host AI rule: Reproduce the official install and quickstart path in an isolated environment.
- Why it matters: May increase setup, validation, or first-run risk for the user.
- Evidence: evidence.maintainer_signals | https://github.com/webpro255/agentlock
- Hard boundary: Do not present this pitfall as solved, verified, or ignorable unless later evidence explicitly closes it.
