Execution Authorization Layer for AI Systems

Machine actions
need authority.

KiLu is the execution authorization layer for AI systems.
Add ALLOW / REQUIRE_CONFIRM / BLOCK before tools, browser actions, and high-risk execution.

Agent / Framework ↓ Proposed Action ↓ KiLu ALLOW | REQUIRE_CONFIRM | BLOCK ↓ Execute (bounded, receipt-linked)

Explore the SDK → Read Architecture See Evidence

Published SDK on npm 3 live integration proofs Real control plane path Decisions durably recorded Signed receipts for allowed actions

Get Started

Choose your path

For Developers

Add authorization before execution

Wrap tool handlers in MCP, LangGraph node calls, or browser action hooks with a deterministic ALLOW / REQUIRE_CONFIRM / BLOCK layer.

Explore the SDK →

For Security / Assurance

Separate reasoning from authority

KiLu enforces that no component can plan, authorize, and execute in the same loop. Signed receipts. Explicit denial records. Fail-closed by design.

Review Security Model →

For Evaluators / DD

Inspect grants, receipts, evidence

Grants prove bounded authority. Receipts prove authorized execution. Evidence remains separable from reasoning and verifiable offline.

See Evidence →

Quickstart

Get started in minutes

Local examples run with a mock authority layer. Real control plane path is available.

$ npm install @kilu-control/sdk

TypeScript

import { KiluClient } from "@kilu-control/sdk";

const kilu = new KiluClient({
  baseUrl: process.env.KILU_BASE_URL!,
  apiKey:  process.env.KILU_API_KEY!,
});

const result = await kilu.submitIntent({
  actor:  "agent:browser",
  action: "browser.click",
  target: "#confirm-purchase",
});

if (result.outcome === "ALLOW") {
  // execute — grant is bounded and receipt-linked
}

MCP Tool Gate LangGraph Approval Gate Browser Approval View on GitHub

Works With

Integrates into your existing stack

MCP

Gate tool execution at the handler level. Block or confirm before any tool call runs.

Tool-level gate

LangGraph

Wrap graph nodes with an approval step. Drive confirm/block flows without framework changes.

Node-level approval

Browser Agents

Intercept clicks, submissions, and navigation before they execute. Works in any browser automation layer.

Action interception

Why KiLu

Why KiLu vs other approaches

Most approaches record what happened or hint what to avoid. KiLu decides before execution and produces a verifiable record either way.

Approach	What it does	What it misses
Prompt guardrails	Hints the model before generation	Fragile — bypassable, no decision record
Audit logs	Records what happened	Too late — action already executed
HITL everywhere	Adds manual review steps	Fatigue, no policy semantics, no receipts
OAuth / scopes	Controls resource access	Not action-level authority — no per-action decisions
KiLu	Decides before execution. Produces a bounded grant or explicit denial record.	Adds an explicit authority layer — you control policy

Reasoning is Not Authority

The authorization gap in autonomous systems

AI systems can propose actions. Policy systems can adjudicate them. But neither step alone creates a bounded execution authority object that can be constrained, linked to an approval event, and verified later.

The result is god-mode agents: systems where planning, policy, authority, execution, and evidence collapse into a single opaque loop. No clear boundary. No verifiable grant. No audit-legible receipt.

The Authorization Gap

Approved ≠ authorized. Policy approval does not produce a bounded, scoped, time-limited execution right.
Logs ≠ receipts. Execution logs are retrospective and detached. Receipts are cryptographically linked to the authority that permitted the action.
Execution rights need scope, TTL, bindings. Without explicit constraints, authority is effectively unlimited.
God-mode agents collapse too many roles. Planning, authority, execution, and evidence must be separated — not merged into one opaque process.

How KiLu Works

Authority-to-execution flow

KiLu sits between what a model or ingress surface proposes and what a runtime is permitted to execute. Every step produces an artifact — a grant, a receipt, or a denial record.

Proposal / Ingress — agent or Telegram submits task

Policy / Approval separation — adjudicated outside KiLu

KiLu issues grant — scoped, TTL-bound, approval-linked

Executor receives bounded authority — no grant = no execution

Execution occurs within explicit bounds

Receipt / evidence emitted — linked to grant, verifiable

Verification succeeds — or denial is surfaced as evidence

Grants and Receipts

Two distinct objects. One verifiable chain.

A grant is a bounded execution right, issued after approval. A receipt is the record of what happened under that authority. They are distinct but cryptographically linked.

Grant object

grant_idgrt_a4f8...

subjectapprover:dev_9a2d

action_classweb:fetch

scopeallowlist:klimacoach.com

ttl300s

toolchain_idtc_default_web

approval_siged25519:390a...82f1

Receipt object

receipt_idrec_b7c2...

linked_grantgrt_a4f8...

statusALLOW

timestamp1774280000

intent_hashsha256:a1b2...

tamper_evidenttrue

signatureed25519:9f3a...c1e0

Illustrative structure. Fields represent the object model — not a live receipt from this page. See evidence page →

What KiLu Provides

The authority surface

⬡

Execution Grants

⏱

Scope / TTL / Constraints

🔏

Verifiable Receipts

Deny Evidence

⛓

Split-Trust Model

Use Cases

Three core integration surfaces

🔌

MCP Tool Gating

Wrap tool handlers with a deterministic decision layer. Every tool call passes through ALLOW / REQUIRE_CONFIRM / BLOCK before execution.

View MCP solution →

🔗

LangGraph Approval Flows

Use KiLu to decide when actions require confirmation inside a graph. Drive approval flows without changing your graph structure.

View LangGraph solution →

🌐

Browser Action Control

Intercept clicks and form submissions before execution. Works in any browser automation layer — from Playwright to headless agents.

View Browser solution →

Where KiLu Fits in the Stack

Three layers. One governed execution chain.

🛡

AegisAI

Decides whether an action is admissible — policy adjudication and governance

aegisai.systems

⬡

KiLu

Issues execution authority and receipts — bounded grants, verifiable evidence

kilu.network

⚙

StasysOS

Runs the bounded execution environment — deterministic, fail-safe runtime

stasysos.eu

Operational Value

What this means for an engineering team

You do not need to redesign your agent stack to introduce authority. KiLu inserts at a single decision point.

Add approval without rewriting your agent stack

Keep reasoning model-agnostic — any LLM, any framework

Record durable decisions — every ALLOW and BLOCK is stored

Separate access, policy, and execution into distinct layers

Reduce unsafe autonomous actions before they happen

Audit what happened long after the fact — from the receipt alone

Verification Posture

Fail-closed by design

Denial is not an error state. It is a designed system behavior. Both the happy path and the deny path produce verifiable artifacts. A denial record is evidence of the system working correctly.

Happy path evidence

Grant issued and linked to approval
Execution occurs within explicit bounds
Receipt emitted with intent hash + signature
Verification confirms authority chain

Deny path evidence

Missing token → hard deny
Expired grant → hard deny
Scope mismatch → hard deny
Denial artifact recorded as evidence

Read the security and trust model →

FAQ

Common questions

Is KiLu another agent framework?

No. KiLu is not a framework and does not replace one. It is an execution authorization layer — a decision point you insert before your existing execution logic. It works alongside MCP, LangGraph, and any browser agent setup.

Does KiLu replace MCP or LangGraph?

No. KiLu wraps them at the decision boundary. Your MCP handlers and LangGraph nodes stay exactly as they are. KiLu adds ALLOW / REQUIRE_CONFIRM / BLOCK at the point before execution runs.

Do examples require a live backend?

No. All examples include a mock authority layer so you can run locally without any backend setup. You can switch to a real control plane path when ready.

What does REQUIRE_CONFIRM mean?

REQUIRE_CONFIRM is a decision outcome that tells your system: this action is policy-admissible, but a human (or an upstream approval surface) needs to confirm before it executes. KiLu holds the pending decision and waits for the confirmation signal before issuing a grant.

Can I use KiLu with a real control plane?

Yes. The SDK supports both a local mock mode (for development and testing) and a real control plane path. Set KILU_BASE_URL and KILU_API_KEY to point at a running KiLu instance.