AgentGuard Control Plane Guide

AgentGuard is the live control plane for deciding which agents can read protected content. The operator workflow is concrete: observe traffic, approve signed policy, enforce through the SDK, and show the response body mode on screen.

Core Promise

Every protected request follows this chain:

```text

agent request -> 4-layer cascade -> signed decision receipt -> optional signed PolicyVersion -> HTTP enforcement

```

The four cascade layers are operator signature, delegation proof, behavioral fingerprint, and operator reputation. The release invariant is strict: only `allow` can serialize the full protected body. `deny`, `priced`, `queue`, `sandbox`, and `throttle` return teaser or quote content only.

Operator Workflow

1. Open the real dashboard from the shell: [/dashboard](/dashboard).
2. Select the protected route group for the content property.
3. Watch live `TrafficEvent` rows with actor kind, operator, endpoint, action, outcome, confidence, and receipt id.
4. Open a row and inspect the signed receipt before changing policy.
5. Draft the narrowest policy rule that matches the traffic problem.
6. Simulate against recent traffic before approval.
7. Approve a signed `PolicyVersion` only after the simulation matches intent.
8. Confirm later traffic shows the expected policy version id and response body mode.

Use canned feeds for landing-page storytelling only. Operational decisions must use live traffic emitted by the SDK path.

J2 Blog Gate Proof Flow

The demo story Carter called out should be visible without guessing:

| Step | On-screen proof |

| --- | --- |

| Select actor | Actor is `ChatGPT`, operator is `openai`, action is `read`. |

| Select endpoint | Endpoint is `/api/v1/content/posts/seam-debt-the-hidden-tax-on-multi-agent-handoffs/body`. |

| Block ChatGPT | Policy outcome is `deny`; response body mode is `teaser`; full-body marker is absent. |

| Allow delegated ChatGPT | Policy outcome is `allow`; response body mode is `full`; receipt id is visible. |

| Show receipt | Decision receipt, matched policy version, and request id are displayed beside the response. |

The live policy flip needs the backend policy endpoint that Integrator requested. Until that endpoint exists, the docs can describe the required proof contract, but the UI must not pretend a fake toggle is enforcing production.

Rule Lifecycle

```text

RuleDraft -> simulate -> human approval -> signed PolicyVersion -> SDK enforcement

```

A `RuleDraft` is never enforcing. LLM and swarm suggestions are advisory until a human-approved signed `PolicyVersion` exists.

Recommended rule discipline:

• Scope rules by endpoint, action, actor kind, operator id, and agent id before using broad blocks.
• Use `priced` when the business answer is paid access.
• Use `throttle` when identity is acceptable but volume is high.
• Use `sandbox` when limited preview is safer than full access.
• Use `deny` or `revoke` for untrusted, out-of-scope, or abusive requests.

Release Checklist

• Dashboard reads live `TrafficEvent` data, not a static feed.
• Policy signers are pinned out of band.
• Protected routes require delegation signatures when delegation is expected.
• Non-allow responses cannot materialize or serialize protected full body.
• Operators can see who approved each policy, when, and with which signer key.
• The J2 proof shows ChatGPT blocked and allowed against the same gated blog endpoint.

Structured Answers