by ChristoAnsek
Automated Proof-of-Carrying Change Management for AIOps 2026
# Add to your Claude Code skills

```sh
git clone https://github.com/ChristoAnsek/audited-change-gate
```
audited-change-gate is an open-source AI agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by ChristoAnsek. Automated Proof-of-Carrying Change Management for AIOps 2026. It has 74 GitHub stars.
audited-change-gate is primarily written in HTML. It is open-source under ChristoAnsek on GitHub, so you can review or fork the full source.
Certifier is a language-agnostic, zero-trust envelope for verifying every action an autonomous agent takes—before, during, and after execution. Think of it as a transaction ledger for infrastructure mutation: each attempted change carries an unforgeable certificate of intent, scope, and reversibility. No agent touches production surfaces without leaving a signed, verifiable receipt.
Built from the ground up as a dependency-free trust gate, Certifier reimagines the relationship between AI-driven automation and operational safety. Rather than bolting on audit logs after the fact, it weaves proof-carrying semantics into the very fabric of every mutation request.
Modern agentic systems can write code, reconfigure firewalls, push Intune policies, or adjust Kubernetes replicas—all at machine speed. The problem is not that they act quickly; the problem is that they act without a verifiable promise. Certifier solves this by requiring each proposed change to carry a cryptographic receipt that answers three questions:
The engine does not block—it chains permission to provable reversibility. If an edit cannot produce a valid rollback receipt, the gate remains closed.
Every agent-originated change request is wrapped in a Certifier Envelope—a tamper-evident structure that embeds:
(e.g., network:aws:sg-123:port-443, code:file:/etc/nginx/conf.d/default.conf)

The attestation logic runs in a tiny, statically linked binary (under 2MB). No Python runtime, no Node modules, no JDK. The envelope format is TLV (type-length-value) serialized over a compact binary protocol, making it embeddable in CI pipelines, shell scripts, or sidecar processes.
Before any change is accepted, Certifier evaluates the influence set — the set of all resources that could be indirectly affected. If the influence set intersects with any blacklisted or protected resource label, the envelope is rejected at the proposal stage. The user sees a structured refusal reason, not a silent failure.
Certifier does not store long-term secrets. Every agent session generates a fresh Ed25519 keypair. The agent signs the PCE with its private half; the public half is broadcast to the trusted gate. Verification is purely asymmetric and stateless.
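The envelope structure and the per-session signing described above, shown as an added Go example that is not the project's own code: a canonical TLV encoding of intent, scope, lifetime and precomputed rollback, signed by a fresh Ed25519 session key and verified statelessly by the gate from the broadcast public half alone. The tag values, the `Envelope` field set and the function names are assumptions for this example; the project's real wire format is not documented on this page.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"fmt"
)

// TLV tags; assumed for this example, the real wire format is undocumented here.
const (
	tagIntent   byte = 0x01
	tagScope    byte = 0x02
	tagLifetime byte = 0x03
	tagRollback byte = 0x04
)

// Envelope is a hypothetical stand-in for the Certifier Envelope's fields.
type Envelope struct {
	Intent   string // declared purpose
	Scope    string // resource label, e.g. network:aws:sg-123:port-443
	Lifetime uint32 // seconds the envelope stays valid
	Rollback string // reverse operation, computed before execution
}

// putTLV appends one record: 1-byte tag, 2-byte big-endian length, value.
func putTLV(buf *bytes.Buffer, tag byte, val []byte) {
	var l [2]byte
	binary.BigEndian.PutUint16(l[:], uint16(len(val)))
	buf.WriteByte(tag)
	buf.Write(l[:])
	buf.Write(val)
}

// Encode uses a fixed field order so the same envelope always yields the same bytes to sign.
func (e Envelope) Encode() []byte {
	var buf bytes.Buffer
	var lt [4]byte
	binary.BigEndian.PutUint32(lt[:], e.Lifetime)
	putTLV(&buf, tagIntent, []byte(e.Intent))
	putTLV(&buf, tagScope, []byte(e.Scope))
	putTLV(&buf, tagLifetime, lt[:])
	putTLV(&buf, tagRollback, []byte(e.Rollback))
	return buf.Bytes()
}

// Decode rejects truncated records and unknown tags instead of skipping them.
func Decode(b []byte) (Envelope, error) {
	var e Envelope
	for len(b) > 0 {
		if len(b) < 3 || len(b) < 3+int(binary.BigEndian.Uint16(b[1:3])) {
			return Envelope{}, fmt.Errorf("truncated TLV record")
		}
		tag, n := b[0], int(binary.BigEndian.Uint16(b[1:3]))
		val := b[3 : 3+n]
		switch tag {
		case tagIntent:
			e.Intent = string(val)
		case tagScope:
			e.Scope = string(val)
		case tagLifetime:
			if n != 4 {
				return Envelope{}, fmt.Errorf("lifetime must be 4 bytes")
			}
			e.Lifetime = binary.BigEndian.Uint32(val)
		case tagRollback:
			e.Rollback = string(val)
		default:
			return Envelope{}, fmt.Errorf("unknown tag 0x%02x", tag)
		}
		b = b[3+n:]
	}
	return e, nil
}

// NewSession makes the fresh per-session keypair (nil reader = crypto/rand); nothing is persisted.
func NewSession() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(nil)
}

// Sign is the agent side: sign the canonical encoding with the private half.
func Sign(priv ed25519.PrivateKey, e Envelope) []byte {
	return ed25519.Sign(priv, e.Encode())
}

// Verify is the stateless gate side; it decodes only after the signature checks out.
func Verify(pub ed25519.PublicKey, wire, sig []byte) (Envelope, bool) {
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, wire, sig) {
		return Envelope{}, false
	}
	e, err := Decode(wire)
	return e, err == nil
}

func main() {
	pub, priv, _ := NewSession()
	env := Envelope{Intent: "open https ingress", Scope: "network:aws:sg-123:port-443", Lifetime: 300, Rollback: "revoke ingress tcp/443 on sg-123"}
	wire, sig := env.Encode(), Sign(priv, env)
	_, ok := Verify(pub, wire, sig)
	wire[len(wire)-1] ^= 0xff // flip one byte of the rollback field
	_, okTampered := Verify(pub, wire, sig)
	fmt.Println("accepted:", ok, "accepted after tamper:", okTampered)
}
```

The gate verifies the raw bytes and only then decodes them, so what it acts on is exactly what the agent signed; decoding first and re-encoding would open a gap between the checked bytes and the interpreted fields. The one-byte flip in `main` shows the tamper-evidence property: any change to intent, scope, lifetime or rollback invalidates the signature.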
| Feature | Description |
|---|---|
| Attestation of Intent | Each mutation carries a signed declaration of purpose, resource scope, and lifetime |
| Rollback Precomputation | Reverse operations are computed before execution, not after—no guesswork |
| Language Agnostic | Envelopes are serialized in a wire format; bindings exist for shell, Python, Go, C, and Rust |
| Fail-Open Auditing | If the gate is unreachable, the envelope is logged locally and replayed when connectivity returns |
| Scope Wildcards | Declare allowed scopes with prefix/suffix patterns (e.g., file:/home/*/.env) |
| Graceful Degradation | If rollback precomputation fails (e.g., unknown resource type), the forward action is automatically vetoed |
| Verifiable Suppression | Agents can suppress notifications for low-risk scopes, but the suppression itself is recorded in the audit trail |
| Expiration Policies | Envelopes expire; stale envelopes cannot be replayed or reused |
An autonomous network agent wants to update a firewall rule on a set of cloud instances. Instead of directly calling the cloud API, it generates a Certifier envelope describing the rule change, the affected instance tags, and a precomputed rollback (restore previous rule). The gate verifies the envelope—including whether the agent's ephemeral key was issued for the given resource scope—then applies the change and stores the rollback receipt.
A security posture agent detects a misconfigured endpoint policy and constructs a remediation. The envelope scopes the change to intune:policy:endpoint-protection:* and includes the exact previous configuration state for rollback. The gate verifies the agent's authorization against the defined blast radius and only applies the change if rollback is guaranteed.
A code-generating agent proposes a refactor that touches five repositories simultaneously. Each repository's gate receives an envelope scoped to the specific file paths. The agent collects N-of-M signatures from peer reviewers (human or automated), then applies the changes. If any one repository's gate rejects the envelope due to scope escalation, the entire batch rolls back.
Certifier operates in three modes, depending on deployment topology:
| Mode | Behavior | Best For |
|---|---|---|
| Strict Gate | Reject any envelope without a valid signature, scope, and rollback | Production environments, regulated workloads |
| Audit-Only Gate | Accept all envelopes but log them for replay and analysis | Development sandboxes, experimentation |
| Permissive Gate | Accept any envelope that has a valid signature (ignore scope/rollback) | Rapid prototyping, low-risk changes |
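The gate-side decision logic that the influence-set paragraph, the feature table and the mode table describe, as an added Go example that is not the project's code: scope wildcards with a single prefix/suffix `*`, rejection when the influence set intersects a protected label, the veto when rollback precomputation failed, expiration, and the three modes, each refusal carrying a structured reason. The `Proposal` and `Policy` shapes, the reason strings and the function names are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"fmt"
	"strings"
	"time"
)

// Mode mirrors the three deployment modes in the table above.
type Mode int

const (
	StrictGate Mode = iota
	AuditOnlyGate
	PermissiveGate
)

// Proposal is a hypothetical view of a decoded envelope as the gate sees it.
type Proposal struct {
	Scope        string            // requested resource label, e.g. file:/home/alice/.env
	InfluenceSet []string          // resources that could be indirectly affected
	Rollback     string            // precomputed reverse operation; empty = precomputation failed
	ExpiresAt    time.Time         // end of the envelope's lifetime
	Payload, Sig []byte            // canonical signed bytes and the agent's signature
	AgentPub     ed25519.PublicKey // the session's broadcast public half
}

// Policy is the gate's local configuration (an assumed shape, not the project's).
type Policy struct {
	AllowedScopes   []string // patterns with at most one '*', e.g. file:/home/*/.env
	ProtectedLabels []string // resources an influence set may not touch
}

// matchScope: "a*b" matches labels starting with "a" and ending with "b"; no '*' means exact.
func matchScope(pattern, scope string) bool {
	i := strings.IndexByte(pattern, '*')
	if i < 0 {
		return pattern == scope
	}
	prefix, suffix := pattern[:i], pattern[i+1:]
	return len(scope) >= len(prefix)+len(suffix) &&
		strings.HasPrefix(scope, prefix) && strings.HasSuffix(scope, suffix)
}

// anyMatch reports whether any pattern covers the label.
func anyMatch(patterns []string, label string) bool {
	for _, p := range patterns {
		if matchScope(p, label) {
			return true
		}
	}
	return false
}

// NewAgentKeys and SignPayload are the agent-side one-liners that main uses.
func NewAgentKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	return pub, priv
}
func SignPayload(priv ed25519.PrivateKey, payload []byte) []byte { return ed25519.Sign(priv, payload) }

// Evaluate returns the verdict and a structured reason. Audit-only accepts all;
// permissive needs a valid signature (and, this example's choice, an unexpired
// envelope); strict also checks scope, influence set and rollback.
func Evaluate(p Proposal, pol Policy, mode Mode, now time.Time) (bool, string) {
	if mode == AuditOnlyGate {
		return true, "audit-only: accepted; envelope logged for replay"
	}
	// ed25519.Verify panics on a malformed key length, so check it first.
	if len(p.AgentPub) != ed25519.PublicKeySize || !ed25519.Verify(p.AgentPub, p.Payload, p.Sig) {
		return false, "signature: missing or invalid"
	}
	if !now.Before(p.ExpiresAt) {
		return false, "expired: lifetime ended " + p.ExpiresAt.UTC().Format(time.RFC3339)
	}
	if mode == PermissiveGate {
		return true, "permissive: signature valid; scope and rollback not checked"
	}
	if !anyMatch(pol.AllowedScopes, p.Scope) {
		return false, "scope: " + p.Scope + " matches no allowed pattern"
	}
	for _, r := range p.InfluenceSet {
		if anyMatch(pol.ProtectedLabels, r) {
			return false, "influence: " + r + " is a protected resource"
		}
	}
	if p.Rollback == "" {
		return false, "rollback: precomputation failed; forward action vetoed"
	}
	return true, "strict: signature, lifetime, scope, influence set and rollback verified"
}

func main() {
	pub, priv := NewAgentKeys()
	now := time.Now()
	pol := Policy{AllowedScopes: []string{"file:/home/*/.env"}, ProtectedLabels: []string{"network:aws:sg-123:port-443"}}
	payload := []byte("constructed stand-in for the canonical envelope bytes")
	p := Proposal{Scope: "file:/home/alice/.env", Rollback: "restore previous file",
		ExpiresAt: now.Add(5 * time.Minute), Payload: payload, Sig: SignPayload(priv, payload), AgentPub: pub}
	fmt.Println(Evaluate(p, pol, StrictGate, now))
	p.InfluenceSet = []string{"network:aws:sg-123:port-443"} // indirectly touches a protected label
	fmt.Println(Evaluate(p, pol, StrictGate, now))
}
```

Two details matter in practice. The wildcard matcher requires the label to be at least as long as prefix plus suffix, so `file:/home/*/.env` does not match `file:/home/.env` by letting the two halves overlap on the shared slash. And the mode table only names the signature for Permissive mode; this example also enforces the lifetime there, because the feature table says a stale envelope must never be replayable, which is a property of the envelope rather than of the mode.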
In all modes, every envelope is persisted to an append-only audit log. The log itself is signed—making it tamper-evident.
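The signed, append-only audit log from the paragraph above, as an added Go example that is not the project's code: each entry commits to the previous entry's hash and is signed by the gate's own Ed25519 key, so an edited record, a record removed from the middle or a reordered record is detected by anyone holding the gate's public key. The `Entry` layout, the `seq || prevHash || envelope` message format and the function names are assumptions for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Entry is one audit record: sequence number, the envelope bytes, the hash of
// the previous entry and the gate's signature over all three.
type Entry struct {
	Seq      uint64
	Envelope []byte
	PrevHash [32]byte
	Sig      []byte
}

// AuditLog is append-only; the gate's Ed25519 key signs each entry, so edits,
// deletions in the middle and reordering all become detectable.
type AuditLog struct {
	pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	entries []Entry
}

func NewAuditLog() (*AuditLog, error) {
	pub, priv, err := ed25519.GenerateKey(nil) // nil reader = crypto/rand
	if err != nil {
		return nil, err
	}
	return &AuditLog{pub: pub, priv: priv}, nil
}

// signedBytes is the canonical message for an entry: seq || prevHash || envelope.
func signedBytes(seq uint64, prev [32]byte, env []byte) []byte {
	b := make([]byte, 8, 8+len(prev)+len(env))
	binary.BigEndian.PutUint64(b, seq)
	return append(append(b, prev[:]...), env...)
}

// entryHash also covers the signature, so the next entry commits to this one
// exactly as stored.
func entryHash(e Entry) [32]byte {
	return sha256.Sum256(append(signedBytes(e.Seq, e.PrevHash, e.Envelope), e.Sig...))
}

// Append records an envelope (in every gate mode); existing entries are never rewritten.
func (l *AuditLog) Append(envelope []byte) Entry {
	var prev [32]byte
	if n := len(l.entries); n > 0 {
		prev = entryHash(l.entries[n-1])
	}
	e := Entry{Seq: uint64(len(l.entries)), Envelope: append([]byte(nil), envelope...), PrevHash: prev}
	e.Sig = ed25519.Sign(l.priv, signedBytes(e.Seq, e.PrevHash, e.Envelope))
	l.entries = append(l.entries, e)
	return e
}

func (l *AuditLog) Entries() []Entry             { return l.entries }
func (l *AuditLog) PublicKey() ed25519.PublicKey { return l.pub }

// VerifyChain walks the log with only the gate's public key and returns the
// index of the first entry that fails (bad sequence, broken link or bad
// signature), or -1 when the whole chain is intact.
func VerifyChain(pub ed25519.PublicKey, entries []Entry) int {
	if len(pub) != ed25519.PublicKeySize { // ed25519.Verify panics on a bad key length
		return 0
	}
	var prev [32]byte
	for i, e := range entries {
		if e.Seq != uint64(i) || e.PrevHash != prev ||
			!ed25519.Verify(pub, signedBytes(e.Seq, e.PrevHash, e.Envelope), e.Sig) {
			return i
		}
		prev = entryHash(e)
	}
	return -1
}

func main() {
	al, _ := NewAuditLog()
	for _, env := range []string{"envelope-0", "envelope-1", "envelope-2"} { // constructed sample entries
		al.Append([]byte(env))
	}
	fmt.Println("intact log, first bad index:", VerifyChain(al.PublicKey(), al.Entries()))
	tampered := append([]Entry(nil), al.Entries()...)
	tampered[1].Envelope = []byte("envelope-X") // edit a record in place
	fmt.Println("edited entry 1, first bad index:", VerifyChain(al.PublicKey(), tampered))
}
```

One limitation worth knowing: a chain like this proves nothing about its tail. A log truncated after entry 1 still verifies, because every prefix is a valid chain. Detecting tail truncation needs the latest sequence number or head hash to be held somewhere outside the log, which is what the synchronized envelope sequence numbers in the high-availability deployment described below provide between gate instances.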
The gate speaks a structured message protocol, but the human-facing interface (error messages, attestation receipts, rollback scripts) supports locale translation. The core verification engine is locale-independent; only the presentation layer is multilingual. This means teams in Tokyo, Berlin, and São Paulo can all receive gate responses in their local language without modifying the trust logic.
The verification runtime has no external dependencies. No database, no network service, no cloud API. It runs as a standalone binary on any POSIX or Windows system. When deployed in a high-availability configuration, multiple gate instances synchronize their accepted envelope sequence numbers via a lightweight consensus protocol (Raft-lite). If one gate goes down, another takes over without losing audit continuity.
This project is released under the MIT License. You are free to use, modify, and distribute it—even in commercial products—provided you include the original copyright notice. The governance model is open: contributions are reviewed on technical merit, not institutional affiliation.
Certifier does not replace your existing change management tooling—it augments it. There are three primary integration surfaces:
While Certifier significantly reduces the risk of unverified agent actions, no cryptographic system is infallible. The security guarantees depend on proper ephemeral key management, timely revocation of compromised agent sessions, and honest implementation of the rollback precomputation logic. Users should conduct their own threat modeling and red-team testing.
Certifier does not prevent attacks at the orchestration layer—if an attacker controls the agent itself, they can author valid envelopes for malicious changes. The system is des