Docs/Authority/Predicate Runtime Integration

Predicate Runtime Integration

If your agent uses the predicate-runtime SDK, you can build shared authority evidence from runtime state and route decisions through an optional pre-action authorizer.

Thin integration first

Start with an optional pre-action hook and fail-closed behavior for protected flows. You can roll out per workflow, not all at once.

Authority request flow

  1. Snapshot + assertions run in the runtime.
  2. Runtime builds ActionRequest via the contracts adapter.
  3. Pre-action authorizer returns allow/deny decision.
  4. Runtime executes action only when allowed.

Build authority request from runtime

request = runtime.build_authority_action_request(
    principal_id="agent:web-checkout",
    action="browser.click",
    resource="https://example.com/checkout",
    intent="click submit order",
    tenant_id="tenant-a",
)

decision = my_authorizer(request)
if not decision.allowed:
    raise RuntimeError("Denied by authority")

Runtime hook pattern

from predicate.runtime_agent import RuntimeAgent

agent = RuntimeAgent(
    # ...existing args...
    pre_action_authorizer=my_authorizer,
    authority_principal_id="agent:web-checkout",
    authority_tenant_id="tenant-a",
    authority_fail_closed=True,  # recommended for production
)

Integration guidance

  • Keep the authority hook optional for staged rollout.
  • Use fail-closed for protected workflows in production.
  • Keep contracts agent-agnostic to avoid web-only lock-in.
  • Add audit sink forwarding for governance and incident response.
Previous
Sidecar and Operations
Next
Audit Logging