Governing Agentic Mutation with Execution-Bound Safety and Evidence Chains
OpenKedge is a protocol for safely operating AI agents over real-world systems.
It replaces direct API execution with:
- intent-governed mutation
- execution-bounded contracts
- verifiable decision lineage (IEEC)
npm install
npm run build
./dist/cli/index.js preview examples/intents/terminate-25-instances.jsonSee exactly why a mutation would be blocked before it ever reaches production.
OpenKedge is backed by a research paper:
π arXiv:2604.08601
This work introduces intent-based mutation governance β a shift from direct API execution to structured, policy-controlled decision flows.
The core ideas from the paper are implemented here:
| Paper Concept | OpenKedge Implementation |
|---|---|
| Intent | OpenKedgeClient.submitIntent() / SDK |
| Context Resolution | ContextProvider |
| Policy Evaluation | AwsSafetyPolicyEvaluator, OPA policy packs, and Cedar adapters |
| Execution Control | Executor + IdentityManager / execution identity |
| Evidence Chain | Event store + ReplayEngine |
Modern infrastructure is built on assumptions that no longer hold:
- callers are deterministic
- actions are correct
- context is complete
This breaks in the era of AI agents.
Todayβs model:
Agent β API β Immediate Mutation
Leads to:
- unsafe deletions (e.g., terminating live infrastructure)
- conflicting multi-agent updates
- context-blind automation
- cascading failures
π The issue is not just the model β itβs the mutation model.
OpenKedge introduces a governed mutation pipeline:
Intent β Context β Policy β Contract β Execution β Evidence Chain
Agents do not execute APIs directly.
They submit:
what they want to achieve
The system evaluates:
- system-wide context
- dependencies
- policy constraints
- multi-agent conflicts
Approved intents are compiled into execution contracts:
- allowed actions
- scoped resources
- strict time bounds
Execution is enforced via ephemeral identities (e.g., AWS STS).
Even if an agent hallucinates, execution is physically constrained.
Every mutation produces a verifiable lineage:
Intent β Context β Policy β Contract β Execution β Outcome
Properties:
- cryptographically linked
- temporally ordered
- fully reconstructable
This enables:
- auditability
- explainability
- forensic debugging
π Not just what happened, but why it was allowed
Mutation should not be executed. Mutation should be governed.
Key guarantees:
- no direct agent β API execution path
- all mutations pass governance
- execution is strictly bounded
- every step is recorded in IEEC
A user tells an AI agent to terminate 2 EC2 instances. The agent immediately invokes the AWS API:
Action: ec2:TerminateInstances
Instances: [i-0123456789abcdef0, i-0abcdef1234567890]
The problem: If you look at AWS CloudTrail, you only see that the ec2:TerminateInstances API was called. The original user request, the agent's context, and any safety checks (or lack thereof) are never logged. You only see what eventually happened, even if the instances were actively serving production traffic.
OpenKedge forces the AI agent to start from an "intent" and enforces safety checks through policies prior to execution. Everything is recorded in a cryptographically chained log.
1. Intent Submission The agent cannot call the API directly. It submits an intent:
{
"action": "terminate_instances",
"reason": "User requested cleanup of idle environments",
"targets": ["i-0123456789abcdef0", "i-0abcdef1234567890"]
}2. Context & Policy Evaluation OpenKedge evaluates the blast radius against live infrastructure state:
- Context: Are these instances receiving traffic from an active Load Balancer?
- Policy: Does the agent have permissions to terminate instances lacking the
env:devtag?
3. Execution Contract Generation If approved, OpenKedge generates an immutable execution contract and issues highly-scoped, temporary credentials (e.g., via AWS STS) that only permit terminating those exact two instances within a 5-minute window.
4. Bounded Execution The mutation occurs. Even if the agent goes rogue, the physical execution is bounded by the credentialsβit cannot terminate a third instance.
5. Intent-to-Execution Evidence Chain (IEEC) Instead of an isolated CloudTrail API event, OpenKedge produces a cryptographically sealed chain:
[Hash1: Intent] β [Hash2: Context] β [Hash3: Policy Approval] β [Hash4: Contract] β [Hash5: Execution Event]
You have complete forensic visibility into why the mutation was allowed, not just that it happened.
git clone https://github.com/openkedge/openkedge
cd openkedge
npm installExperience the OpenKedge safety guarantees in real-time by running the full-stack interactive demo locally. The demo overlays an automated agent attempting a destructive mutation against a mocked context.
You will need two terminals.
Terminal 1: Start the API Engine (Backend)
cd apps/demo-server
npm run devTerminal 2: Start the Replay Visualizer (Frontend)
cd apps/replay-ui
npm run dev- Navigate to
http://localhost:5173/in your browser. - Click Run Outage Simulation
- Watch the visual timeline demonstrate how the mutation is intercepted, contextualized, and blocked dynamically.
β οΈ Early-stage reference implementation
The paper shows how unsafe mutations happen.
This repo shows how to stop them.
npm run demo:blastExcerpt from the real demo output:
=== Terminate 50 instances -> CRITICAL -> blocked ===
{
"finalOutcome": "blocked",
"blastRadius": {
"riskLevel": "CRITICAL"
},
"result": {
"success": false,
"error": "Blocked by policy: ... Blocked due to CRITICAL blast radius"
}
}
This is the exact failure mode described in the paper β prevented in real time.
- AI-driven DevOps automation
- multi-agent systems
- cloud infrastructure safety
- workflow engines with AI integration
- autonomous system governance
- intent-governed mutation protocol
- execution-bound safety via contracts
- IEEC: verifiable mutation lineage
OpenKedge is governed by a formal RFC process to ensure protocol stability and multi-agent interoperability.
- RFC Index: Browse all RFCs, architectural standards, and protocol specifications.
- Intent Governance Protocol (IGP): Our primary specification for intent-based safety.
- Event Evidence Chain (EEC): The mathematical model for verifiable mutation lineage.
- Execution Identity (EI): The ephemeral, intent-scoped security primitive.
- Replay & Simulation API (RSA): Standardized interface for time-travel debugging and "what-if" simulations.
- Protocol Schemas: Machine-readable definitions for Intents and Evidence Chains.
- Core protocol (v0.1)
- AWS adapter (STS + policy integration)
- Policy engine plugins (Cedar / OPA)
- Multi-agent simulation framework
- IEEC visualization UI
- Production SDK
We welcome contributions across:
- policy engines
- cloud adapters
- agent integrations
- visualization tools
@article{openkedge2026,
title = {OpenKedge: Governing Agentic Mutation with Execution-Bound Safety and Evidence Chains},
author = {He, Jun and Yu, Deying},
journal = {arXiv preprint arXiv:2604.08601},
year = {2026},
}MIT
As AI agents become primary operators of infrastructure, the correctness of individual agents becomes secondary to the correctness of the system governing them.
OpenKedge provides that foundation.
Star the repo and follow the project.
This is just the beginning.