liceat
v0.5.0
Published
Liceat — 'let it be permitted.' The authority control plane for AI agents: issue verifiable, attenuable, revocable warrants; enforce them at the point of action; prove every decision.
Maintainers
Readme
◈ Liceat
Liceat (Latin: "let it be permitted" — the jussive of licet*, the root of license and licit)* — the authority control plane for AI agents. Issue verifiable, attenuable, revocable warrants; enforce them at the point of action; prove every decision. Every authorization the gateway makes is the old question answered cryptographically: licet, or non licet.
As AI moves from chat to action — agents that call tools, spend money, and delegate to other agents — every action must pass one point that answers: is this agent authorized, by whom, within what scope and limits, and can we prove it afterward? Liceat is the neutral, protocol-agnostic layer that owns that point — as imprimatur ("let it be printed") once licensed publication, Liceat licenses agent action.
docs/STRATEGY.md— the market thesis, moat, and plan (sourced)docs/SPEC.md— the frozen CW1 wire specification +spec/vectors.jsonconformance vectorsdocs/PROTOCOL.md— design rationale for the Warrantdocs/SECURITY.md— security model, threat analysis, and the properties (P1–P9) it holds againstdocs/BENCHMARKS.md— measured performance (verify, log, proofs)docs/FLYWHEEL.md— the built-in distribution flywheel and the adversarial Sentinelllms.txt— the canonical machine-readable integration guide (also served at/llms.txt)
What's here
A working, tested implementation of the hard core — zero runtime
dependencies, only Node's built-in crypto (native Ed25519). Minimal
supply-chain surface is a feature for an authority product.
- Warrant (
src/core) — an attenuable, offline-verifiable, revocable capability token (public-key Macaroon/Biscuit lineage). Solves safe multi-hop agent delegation: authority provably only narrows down the chain. - Caveat engine (
src/core/caveats.ts) — scope, action, expiry, holder-binding (proof-of-possession), and stateful cumulative spend caps & rate limits. - Gateway (
src/gateway) — the enforcement point: verify → evaluate → check revocation → audit → forward. Drop it in front of any tool, MCP server, API, or payment rail. chokepoint-mcp(src/mcp) — warrant enforcement for any MCP server in one line, no server modification, fail-closed.- Tamper-evident audit ledger (
src/audit) — hash-chained, independently verifiable; doubles as the state backing spend/rate limits; self-repairing disk mirror. - The Sentinel (
src/sentinel) — continuous adversarial self-maintenance: attacks the system's cryptographic invariants (thousands of checks per cycle, zero-false-positive oracles), probes the live deployment, and self-corrects along provably safe lines (fail-closed quarantine, verified ledger repair, supervised restart). - Warrant Inspector (
/inspect) — the public verifier every shared warrant points its recipient at. CLI, dashboard, revocation registry, issuer keystore + JWKS, and a full end-to-end demo.
Quickstart
npm install
npm test # 28 unit + integration + conformance tests
npm run demo # full lifecycle end-to-end over HTTP
npm run sentinel # the adversarial battery, once (CI mode)
npm run gateway # gateway + dashboard + inspector on :3000Or, once published: npx liceat serve. Python: pip install liceat
(sdk/python) — wire-compatible by construction: both languages
verify the same frozen vectors.
Open http://localhost:3000 and click Run live demo scenario: issuance, in-scope authorization, sub-agent attenuation, out-of-scope denial, cumulative spend-cap enforcement, and revocation — each written to the tamper-evident audit chain.
Protect an MCP server in one line
liceat-mcp --gateway http://localhost:3000 --token CW1~... --label github \
-- npx -y @modelcontextprotocol/server-githubEvery tools/call is verified, caveat-checked (scope/spend/rate), revocation-checked,
and audited before it reaches the server. Denials return structured JSON-RPC
errors with reasons and an inspector link. Unreachable gateway ⇒ deny (fail-closed).
Use as an SDK
import { issue, attenuate, verifyWarrant, generateKeypair } from 'liceat';
const root = generateKeypair();
const { warrant, attenuationKey } = issue(root.sec, 'root-1', {
principal: 'org:acme',
agent: 'agent:booker',
caveats: [
{ type: 'resource', patterns: ['pay:*'] },
{ type: 'action', actions: ['pay'] },
{ type: 'spend_limit', currency: 'USD', max: 5000 },
],
});
// hand a narrower warrant to a sub-agent — it provably cannot escalate
const sub = attenuate(warrant, attenuationKey, [{ type: 'action', actions: ['read'] }]);The 60-second mental model
principal ──issue──▶ Warrant(agent, caveats)
│ agent can attenuate → narrower Warrant for a sub-agent
▼
agent ──request + Warrant──▶ Gateway ──verify (offline, chain)
──evaluate caveats (scope, spend, rate, pop)
──check revocation
──append to tamper-evident ledger
──forward to tool / MCP / payment rail
▲
Sentinel ── attacks invariants + probes + self-corrects, continuouslyAPI (gateway)
| Method | Path | Purpose |
|---|---|---|
| POST | /issue | mint a root Warrant (admin) |
| POST | /attenuate | narrow a Warrant for a sub-agent |
| POST | /verify | check a Warrant against a request (no side effects) |
| POST | /call | enforced + audited action through the gateway |
| POST | /authorize | enforced + audited decision, no forwarding (for sidecars) |
| POST | /inspect | decode + structurally verify a Warrant |
| POST | /revoke | revoke by root jti (admin) |
| POST | /repair-ledger | rewrite disk mirror from verified memory (admin) |
| GET | /inspect | public Warrant Inspector |
| GET | /audit | audit chain + integrity proof |
| GET | /sentinel | latest adversarial self-check report |
| GET | /.well-known/chokepoint-jwks | issuer public keys |
| GET | /stats, /health, /revocations | dashboard summary, liveness, revocation list |
Continuous assurance
CI/CD is sandbox-native — no GitHub Actions required. ops/ci.sh is the full
release gate (build, TypeScript suite, 300-iteration adversarial battery, and
the Python SDK against the frozen conformance vectors); production runs it
daily, and ops/release.sh gates every publish (npm → PyPI → MCP registry) on
it. In production the Sentinel additionally re-attacks the core and probes the
live gateway every 10 minutes, quarantining (fail-closed) on any proven flaw.
Details and honest limits: docs/FLYWHEEL.md.
License
Business Source License 1.1 — see LICENSE.
