Merge
Agent-authored PRs stay blocked until the right signer approves the exact commit.
Pioneering the agentic authority layer
Agents write the code. Nothing ships without your authority.
Permission Protocol holds agent-authored merges, deploys, and migrations until the right human — or policy — signs the exact change.
The authority layer between agents and production
GitHub required check Human signer Tamper-evident receipt No receipt, no merge
89-second demo — define rules · connect repo · PP enforces
"About 90% of code at Anthropic is now written by Claude — engineers are in a supervisory role."
External authority for parallel agents
Agents accelerate everything. Authority shouldn't be optional.
Cursor, Claude Code, Copilot, Codex, and parallel agent platforms can open PRs, change infrastructure, write migrations, and trigger workflows. CI can tell you whether code passed. Code review can tell you whether a human looked. Permission Protocol answers the question enterprise buyers actually care about:
Who authorized this agent to perform this exact production action?
Deploy
Production deploys require a signed authority receipt before release workflows proceed.
Mutate data
Destructive SQL and broad customer-data changes require explicit approval before execution.
Agent incidents
51 documented incidents of agents acting without authorization — 25 critical.
Latest (2026-06-12): A booby-trapped document gives M365 Copilot a persistent backdoor
For compliance, risk, and audit leaders
When the regulator asks who authorized the action, can the firm answer?
Most enterprise AI logging proves the agent acted. It rarely proves the human approved the exact action at the exact moment. That gap shows up first in audit reconstruction, in SOX and FINRA exams, in FDA inspections, and in board-level questions about AI accountability. Permission Protocol is the authorization layer that captures human signoff at the action boundary and produces tamper-evident receipts built for regulatory exams.
Explicit approval
Every consequential AI action routes to a named human signer at the action boundary, with policy decisions captured as part of the same record.
Tamper-evident receipts
Each receipt is cryptographically signed and structured for retention windows that match SEC Rule 204-2, FINRA, HIPAA, and SOX requirements.
Calibrated by risk tier
Low-risk actions flow through under policy. Consequential actions require explicit human signoff. The firm controls the calibration, not the AI vendor.
Start with production SQL. Expand to every production path.
No signature. No production SQL.
Your engineers use Cursor, Copilot, and Claude to generate migrations. Today, who signs that SQL before it hits prod?
Permission Protocol blocks AI-generated database changes from reaching production unless there is a signed approval bound to the commit, migration hash, environment, and approver.
See the SQL gate demoDROP COLUMN
users.email
Schema changes need named approval.
BROAD UPDATE
accounts SET tier = 'free'
Mass mutations get held.
NO ROLLBACK
migration has no down step
No down-step, no silent merge.
GitHub App install
Required status checks
Human-signed receipts
The right human
Policy chooses the signer.
The signer is chosen by policy: repo, path, role, owner, or risk level. AI-written changes can’t bypass the people accountable for that part of the system.
How the signature gate works.
AI-authored PRs stay blocked until CI/CD passes and the right human signs the exact production change.
01
PR check blocked
A coding agent opens or changes a PR that touches SQL, infrastructure, or another production path. The required GitHub check stays pending.
02
Human signs
An authorized signer reviews the repo, PR, commit, target environment, policy, and requested action before signing.
03
GitHub can merge
Permission Protocol turns the required authority check green for that PR context. GitHub native auto-merge can complete once CI/CD is also green.
Already using GitHub Environments? Here's what's missing.
GitHub branch protection decides whether a branch can accept a merge under repo rules. Permission Protocol proves whether this exact agent-authored action was authorized.
GitHub Environments / Branch Protection
Permission Protocol
Identity model
Human reviewer roles
Agent + signer + capability + scope
Audit artifact
Mutable PR comments + GitHub audit log (deletable by org admin)
Signed receipt designed for independent verification and tamper evidence
Portability
Locked to GitHub UI / API
Receipt is designed to be checked outside GitHub by CI, runtime gates, and incident review
Agent awareness
None - sees a commit, not the action
Policy is keyed to the action class (deploy / data access / money movement)
Failure mode
Depends on branch-protection and bypass settings; does not create a portable action-level receipt
Missing receipt keeps configured production gates blocked
Bypass risk
Org admin can override silently
Receipt absence stays visible at configured gates and in the approval record
Identity model
GitHub Environments / Branch Protection
Human reviewer roles
Permission Protocol
Agent + signer + capability + scope
Audit artifact
GitHub Environments / Branch Protection
Mutable PR comments + GitHub audit log (deletable by org admin)
Permission Protocol
Signed receipt designed for independent verification and tamper evidence
Portability
GitHub Environments / Branch Protection
Locked to GitHub UI / API
Permission Protocol
Receipt is designed to be checked outside GitHub by CI, runtime gates, and incident review
Agent awareness
GitHub Environments / Branch Protection
None - sees a commit, not the action
Permission Protocol
Policy is keyed to the action class (deploy / data access / money movement)
Failure mode
GitHub Environments / Branch Protection
Depends on branch-protection and bypass settings; does not create a portable action-level receipt
Permission Protocol
Missing receipt keeps configured production gates blocked
Bypass risk
GitHub Environments / Branch Protection
Org admin can override silently
Permission Protocol
Receipt absence stays visible at configured gates and in the approval record
GitHub branch protection answers
Can this branch accept a merge under repo rules?
Permission Protocol answers
Was this exact agent-authored action authorized by the right signer or policy, and is there receipt-backed proof?
Signed proof, not PR comments.
Comments and logs are useful context. A receipt is the approval artifact: who signed, what PR and commit it covered, and which policy allowed it.
PR comment approval
Easy for humans to read, but not enough by itself to prove authority for a specific production change.
Audit logs
Useful after the fact, but they should not be the first place you learn an AI-authored deploy was allowed.
Permission Protocol receipt
Human-signed approval tied to the PR, commit, action, policy, signer, and timestamp.
Receipt-ID
rcpt_792x_kf93
Verified
Signer
Policy
prod-deploy-v2
PR / Commit
github.com/acme/billing-api/pull/184 @ 9f2c1a7
OAuth grants access. MCP connects agents to tools. Permission Protocol proves human authority for the specific production change.
How it works from install to unblock.
Permission Protocol works with the GitHub controls teams already trust: app installation, branch protection, and required status checks.
1. Install GitHub App
Connect Permission Protocol to the GitHub org or account you want to test.
2. Select one repo
Start with a demo repo or non-production repo before rolling into protected production paths.
3. Open a test PR
Use an AI-authored PR or a manual test PR that changes a configured SQL or production path.
4. Required check blocks
GitHub holds the merge until a human signs.
5. Human signs
An authorized signer approves the exact repo, PR, commit, action, and policy.
6. Receipt unblocks
The receipt is issued and the GitHub check can pass for that approved change.
BRANCH_PROTECTION.yml
required_status_checks:
strict: true
contexts:
- ci/test
- permission-protocol/approval
protected_branches:
- main
- release/*
workflow_file:
.github/workflows/permission-protocol.yml
production_paths:
- .github/workflows/deploy.yml
- infra/terraform/**
- migrations/**
- db/migrations/**
Missing receipt: blocked Required check
Try it safely
Test it safely on one repo.
Install Permission Protocol on a demo or low-risk repo, open a test PR, and inspect the signed receipt before enabling enforcement on production branches.
Agents don't take actions. Humans do — through agents. The receipt is how we keep that true.
Four production paths. All of them exposed today.
Concrete GitHub controls before broader automation scope.
Production SQL / database migrations
Block destructive or AI-generated migrations until an authorized signer approves the exact SQL, commit, environment, and policy.
Infrastructure changes
Hold Terraform, DNS, and runtime config changes until an authorized signer approves the PR.
Deploy workflows
Require human signing before PRs can change production deploy workflows or release paths.
Release branches
Use branch protection and required checks so production branches cannot merge without a receipt.
Common questions
How does this differ from GitHub reviews?
What exactly gets blocked?
Does this replace branch protection?
Can an agent bypass it?
Do I need to use AI coding agents for this to be useful?
What counts as a protected repo?
What if I hit my repo limit?
Protect one repo before the next agent PR ships.
See the blocked PR first. Install the GitHub App when you are ready.