Complete Trust Boundaries for Programmable Delegation.

PAP seals the entire stack: request boundaries (what agents see) and execution boundaries (what agents can do). Mandates set scope cryptographically. Sandboxing enforces constraints at the OS level. Humans stay sovereign. Agents stay accountable. No AI required.

Two Boundaries. Complete Trust Model.
PAP — The Request Boundary

Minimize what agents see.

A principal signs a mandate specifying the action, the disclosure scope, and the TTL. SD-JWT selective disclosure ensures agents receive only the properties their mandate permits. The 6-phase handshake enforces those bounds cryptographically at every delegation step. A child request cannot exceed its parent's scope — this is Scope::contains() in the protocol, not a policy setting.
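
To make the scope-narrowing invariant concrete, here is an added illustration in Rust; it is not PAP's own code, and the fields of `Scope` (action, disclosable property names, expiry) are assumed, since the page only names `Scope::contains()`. It models a mandate's scope and walks a delegation chain root-first, rejecting the first hop that widens its parent's scope on any axis.

```rust
use std::collections::BTreeSet;

/// Hypothetical model of a mandate's scope: the action it authorises, the
/// properties an agent may be shown, and its expiry (unix seconds).
/// Field names are assumptions; the page only names Scope::contains().
#[derive(Debug, Clone, PartialEq)]
pub struct Scope {
    pub action: String,
    pub disclosure: BTreeSet<String>,
    pub expires_at: u64,
}

impl Scope {
    pub fn new(action: &str, props: &[&str], expires_at: u64) -> Self {
        Scope {
            action: action.to_string(),
            disclosure: props.iter().map(|p| p.to_string()).collect(),
            expires_at,
        }
    }

    /// A child scope is contained only if it narrows (or equals) the parent
    /// on every axis: same action, subset of properties, no later expiry.
    pub fn contains(&self, child: &Scope) -> bool {
        self.action == child.action
            && child.disclosure.is_subset(&self.disclosure)
            && child.expires_at <= self.expires_at
    }
}

/// Walk a delegation chain root-first. Returns Ok(()) if every hop is
/// contained in its parent, or Err(index) of the first hop that widens scope.
pub fn validate_chain(chain: &[Scope]) -> Result<(), usize> {
    for (i, pair) in chain.windows(2).enumerate() {
        if !pair[0].contains(&pair[1]) {
            return Err(i + 1);
        }
    }
    Ok(())
}

fn main() {
    // Constructed sample chain: principal -> agent -> sub-agent.
    let principal = Scope::new("book_flight", &["name", "passport_no", "email"], 1_700_003_600);
    let agent = Scope::new("book_flight", &["name", "email"], 1_700_003_600);
    let subagent = Scope::new("book_flight", &["name", "email", "passport_no"], 1_700_003_600);
    println!("{:?}", validate_chain(&[principal.clone(), agent.clone()])); // Ok(())
    println!("{:?}", validate_chain(&[principal, agent, subagent]));       // Err(2)
}
```

The sub-agent hop fails because it re-adds `passport_no`, which its parent mandate never disclosed; the check is structural, so no policy engine can override it.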

pap-sandbox — The Execution Boundary

Minimize what agents can do.

Agents execute in OS-level sandboxes with enforced capability constraints (seccomp, pledge, entitlements). Even if an agent is compromised, the OS prevents network access, filesystem escape, and subprocess spawning. Every execution produces a cryptographic receipt proving what constraints were applied. Audit trail: disclosure scope + execution constraints, co-signed by the principal.

Humans → Decentralized: Device-bound keypair. No registration. Ephemeral session DIDs per transaction. Self-sovereign.
Agents → Centralized: Registered in Chrysalis. Operator-attributed. Cryptographically vouched. Accountable.
Data → Never Leaves Scope: Selective disclosure at Phase 3. Co-signed receipts store property type references, not values.