by elliot35
Governance gateway for AI agents — bounded, auditable, session-aware control with MCP proxy, shell proxy & HTTP API. Works with Cursor, Claude Code, Codex, and any MCP-compatible agent.
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
# Add to your Claude Code skills
git clone https://github.com/elliot35/deterministic-agent-control-protocolGuides for using ai agents skills like deterministic-agent-control-protocol.
Last scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@hono/node-server: @hono/node-server has authorization bypass for protected static paths via encoded slashes in Serve Static Middleware",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "express-rate-limit: express-rate-limit: IPv4-mapped IPv6 addresses bypass per-client rate limiting on servers with dual-stack network",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fast-uri: fast-uri vulnerable to path traversal via percent-encoded dot segments",
"severity": "high"
},
{
"type": "npm-audit",
"message": "fastify: Fastify's Missing End Anchor in \"subtypeNameReg\" Allows Malformed Content-Types to Pass Validation",
"severity": "high"
},
{
"type": "npm-audit",
"message": "hono: Hono added timing comparison hardening in basicAuth and bearerAuth",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "path-to-regexp: path-to-regexp vulnerable to Denial of Service via sequential optional groups",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in comma parsing allows denial of service",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "rollup: Rollup 4 has Arbitrary File Write via Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
}
],
"status": "WARNING",
"scannedAt": "2026-05-30T16:37:54.497Z",
"npmAuditRan": true,
"pipAuditRan": true
}A governance gateway for AI agents — making every action bounded, auditable, reversible, and explainable.
Works transparently with Cursor, Claude Code, Codex, and any MCP-compatible agent. Also supports shell command governance and a language-agnostic HTTP API.
https://github.com/user-attachments/assets/ec7a9524-1527-4e51-b837-7e05a24b189d
Agents never execute tools directly. Every action flows through the control plane for evaluation, enforcement, and audit:
flowchart LR
A["Agent"] -->|"action request"| CP["Control Protocol"]
CP -->|"evaluate against policy"| D{"Decision"}
D -->|"allow"| E["Agent Executes Action"]
D -->|"deny"| F["Blocked + Reason Logged"]
D -->|"gate"| G["Human Approval Required"]
E -->|"record result"| L["Evidence Ledger"]
G -->|"approved"| E
The protocol does not execute actions itself. It evaluates them against a policy, enforces session-level budgets, requires human approval for risky operations, and records everything in a tamper-evident audit ledger.
| Principle | Description |
|---|---|
| Bounded | Agents can only perform allowed actions within allowed scopes |
| Session-Aware | Budget, rate limits, and escalation rules across the full interaction |
| Auditable | Every action logged in a tamper-evident ledger with SHA-256 hash chaining |
| Reversible | Compensation plans for undoing executed actions |
| Explainable | Full reporting — what was allowed, denied, gated, and why |
npm i @det-acp/core
npx det-acp init cursor # Cursor
npx det-acp init codex # Codex CLI
npx det-acp init claude-code # Claude Code
This generates all required files (policy, MCP config, governance rules) with sensible defaults. Edit policy.yaml to customize — everything else is handled automatically.
# Use your own policy instead of the default
npx det-acp init cursor --policy ./my-policy.yaml
After running
init, restart your agent to pick up the MCP server.
Create agent.policy.yaml:
version: "1.0"
name: "my-agent"
capabilities:
- tool: "file:read"
scope:
paths: ["./src/**"]
- tool: "file:write"
scope:
paths: ["./src/**"]
- tool: "command:run"
scope:
binaries: ["npm", "node", "tsc"]
limits:
max_runtime_ms: 1800000
max_files_changed: 50
gates:
- action: "file:delete"
approval: "human"
risk_level: "high"
evidence:
require: ["checksums", "diffs"]
format: "jsonl"
forbidden:
- pattern: "**/.env"
- pattern: "rm -rf"
session:
max_actions: 100
max_denials: 10
rate_limit:
max_per_minute: 30
escalation:
- after_actions: 50
require: human_checkin
- after_minutes: 15
require: human_checkin
import { AgentGateway } from '@det-acp/core';
const gateway = await AgentGateway.create({
ledgerDir: './ledgers',
onStateChange: (sessionId, from, to) => console.log(`${from} -> ${to}`),
});
// Create a session
const session = await gateway.createSession('./agent.policy.yaml', {
agent: 'my-coding-agent',
});
// Evaluate an action (does NOT execute it)
const verdict = await gateway.evaluate(session.id, {
tool: 'file:read',
input: { path: './src/index.ts' },
});
if (verdict.decision === 'allow') {
// Execute the action yourself
const content = fs.readFileSync('./src/index.ts', 'utf-8');
// Record the result
await gateway.recordResult(session.id, verdict.actionId, {
success: true,
output: content,
durationMs: 5,
});
}
// Terminate and get report
const report = await gateway.terminateSession(session.id, 'task complete');
console.log(`Allowed: ${report.allowed}, Denied: ${report.denied}`);
Ready-to-use guides for popular AI agents. Each integration includes policy, config templates, governance rules, test sandbox, and step-by-step instructions.
| Agent | Integration Mode | Governance Level | Guide |
|---|---|---|---|
| Cursor | MCP Proxy + Cursor Rules | Soft | integrations/cursor/ |
| Codex CLI | MCP Proxy + AGENTS.md + OS Sandbox | Soft + Sandbox | integrations/codex/ |
| Claude Code | MCP Proxy + CLAUDE.md + settings.json | Soft + Semi-Hard | integrations/claude-code/ |
| OpenClaw | HTTP API + Skill + Docker Sandbox | Hard | integrations/openclaw/ |
settings.json).For any MCP-compatible agent not listed above, see MCP Proxy (General).
Production-ready policies in examples/ — usable out of the box:
| Policy | File | Use Case | Tools Used |
|---|---|---|---|
| Coding Agent | coding-agent.policy.yaml |
AI coding agents operating on a project | 13 tools |
| DevOps Deploy | devops-deploy.policy.yaml |
Deployment agents that build, test, and deploy code | 16 tools |
| Video Upscaler | video-upscaler.policy.yaml |
Media processing agents running upscaling pipelines | 11 tools |
| Data Analyst | data-analyst.policy.yaml |
Data analysis agents processing datasets and generating reports | 12 tools |
| Security Audit | security-audit.policy.yaml |
Security scanning agents auditing code and dependencies | 11 tools |
| Infrastructure Manager | [` |
deterministic-agent-control-protocol is an open-source ai agents skill for AI coding assistants such as Claude Code, Codex CLI, and ChatGPT, built by elliot35. Governance gateway for AI agents — bounded, auditable, session-aware control with MCP proxy, shell proxy & HTTP API. Works with Cursor, Claude Code, Codex, and any MCP-compatible agent. It has 108 GitHub stars.
deterministic-agent-control-protocol returned warnings in SkillsLLM's automated security scan. It has no critical vulnerabilities, but review the flagged issues in the Security Report section before adding it to your workflow.
Clone the repository with "git clone https://github.com/elliot35/deterministic-agent-control-protocol" and add it to your Claude Code skills directory (see the Installation section above).
deterministic-agent-control-protocol is primarily written in TypeScript. It is open-source under elliot35 on GitHub, so you can review or fork the full source.
Yes. SkillsLLM lists many other AI Agents skills you can browse and compare side by side. Open the AI Agents category from the badge at the top of this page, or use the Related Skills and comparison links further down to weigh deterministic-agent-control-protocol against similar tools.
No comments yet. Be the first to share your thoughts!