explaingit

timelayer-os/tl-agent

Analysis updated 2026-05-18

1 | Rust | Audience · ops devops | Complexity · 4/5 | Setup · hard

TLDR

A Rust SDK and CLI that governs AI agent actions using external notarial receipts: no valid receipt means no action, and completed actions produce tamper-evident provenance records verifiable offline.

Mindmap

mindmap
  root((TL-Agent))
    Core guarantee
      No receipt no action
      Fail-closed design
      Agent cannot self-authorize
    Bundle structure
      Topology graph
      Action receipts
      Policy files
    Verification
      Offline receipt check
      Audit command
      Exit code 0 or 1
    Deployment
      Local disk
      Air-gapped USB
      Rust SDK

What do people build with it?

USE CASE 1

Gate every AI agent action against a pre-issued notarial receipt so the agent cannot authorize itself.

USE CASE 2

Audit an entire agent bundle offline to verify every permitted action has a valid, unmodified receipt.

USE CASE 3

Deploy an AI agent in an air-gapped environment using a read-only USB bundle for tamper-proof permissions.

USE CASE 4

Build a Rust AI agent that fails closed: any missing permission or invalid signature stops execution.

What is it built with?

Rust, CLI

How does it compare?

| | timelayer-os/tl-agent | abyo-software/ferro-stash | ariasbruno/glyph |
|---|---|---|---|
| Stars | 1 | 1 | 1 |
| Language | Rust | Rust | Rust |
| Setup difficulty | hard | moderate | easy |
| Complexity | 4/5 | 4/5 | 2/5 |
| Audience | ops devops | ops devops | developer |

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · hard | Time to first run · 30 min

Requires Rust 1.70+ to build. Issuing new receipts requires connectivity to the TimeLayer network, but verification is fully offline.

In plain English

TL-Agent is a Rust library and command-line tool for controlling what an AI agent is allowed to do, with the property that the agent cannot authorize its own actions. Every permitted action must be backed by a receipt issued by an external network of independent operators. If no valid receipt exists for an action, the agent stops. This holds even if someone edits the agent's code, because the receipts cannot be created by the agent itself.

In practice, you define your agent's permitted actions and the allowed order between them (called topology), then build a bundle containing a notarial receipt for each action. The bundle is a folder with policy files, a topology graph, and signed certificate files. To run a gate check before executing any step, you call the tl-agent CLI or Rust library. If the receipt is valid and the action is allowed by the topology, the result is ALLOW. Any missing receipt, invalid signature, or topology violation results in STOP.

The history of what the agent did is stored as receipts that neither the agent nor the operator can change after the fact. This makes the history verifiable offline by anyone with the public key, including an auditor or regulator.

The bundle format is portable. It is just a folder, so it can run from a local disk, a network share, or a read-only USB drive in an air-gapped environment. The README includes a two-mode setup for high-security deployments where the permission bundle lives on a read-only device and results go to a separate append-only device.

The project requires Rust 1.70 or later to build from source. A prebuilt binary is available in the releases. Issuing new receipts requires a moment of connectivity with the TimeLayer network; verifying existing ones is fully offline. No open-source license is specified in the README.

Copy-paste prompts

Prompt 1
How do I run tl-agent check to gate an AI agent action against a notarial receipt bundle?
Prompt 2
How do I build an agent bundle with actions and topology using the TL-Agent bundle format?
Prompt 3
How does TL-Agent prevent an agent from issuing its own receipts or modifying its permission bundle?
Prompt 4
How do I set up tl-agent in air-gapped USB mode with a read-only permission bundle?

Frequently asked questions

What is tl-agent?

A Rust SDK and CLI that governs AI agent actions using external notarial receipts: no valid receipt means no action, and completed actions produce tamper-evident provenance records verifiable offline.

What language is tl-agent written in?

Mainly Rust. The listed stack is Rust and CLI.

How hard is tl-agent to set up?

Setup difficulty is rated hard, with roughly 30 minutes to a first successful run.

Who is tl-agent for?

Mainly ops devops.


Verify against the repo before relying on details.