> ## Documentation Index
> Fetch the complete documentation index at: https://usenaive.ai/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Governance Gateway

> The credential-injection policy proxy at the tool-call boundary — caps, approvals, audit, revoke.

The **governance gateway** is the mechanism that makes Naïve's spend caps,
approvals, audit, and revoke *real* across the whole agent profile bundle — identity,
money, and comms together — regardless of where the agent runs.

## How it works

Inside the agent, tools are **handles, never raw secrets**. When the model calls
`cards.charge($48)`:

1. The runtime shim sends the call to the **Naïve gateway** — not to the card processor.
2. The gateway authenticates the agent profile's scoped token and loads policy, budget, balance.
3. Policy check: allowed? under cap? crosses the approval threshold?
4. **Allowed →** the gateway (which holds the real issuing credential, never the agent) calls the processor, records the action, and decrements the budget.
5. **Needs approval →** the action is parked, a Slack/email ping is sent, and it returns `pending`; it executes on approve.
6. **Denied →** one clean, structured denial, logged. No retry storm.

The same pattern governs identity actions and comms (sending mail/SMS), so caps,
approvals, audit, and revoke apply across the **whole agent profile**, not just the card.

The budget is a **combined cost ceiling**: real-world spend (cards/trading) and
platform credits (LLM, search, compute, hosted runtime) are summed against one cap.
Hard caps are reserved atomically before execution (no concurrency race) and return
`403 budget_exceeded`; soft caps route to approval; exhausting a hard cap or the
company's credit balance **auto-stops the agent profile's hosted runtime**. Each agent profile
holds its own scoped key(s) — list / rotate / revoke them per agent profile
(`/v1/agent-profiles/:id/keys`) without touching the company key.

## Why it can't be bypassed

The agent holds a **per-agent profile scoped key** (sealed to the agent profile's
`tenant_user` at provision time), never the company key and never the underlying
provider credentials (Stripe, Doola, Footprint, Resend, Surge) — those live behind
the gateway in the encrypted vault. So the agent can only ever ask; the gateway
decides, executes, and records. **`revoke()` is absolute**: it suspends the
agent profile (every subsequent call `403`s), releases its runtime slot, and cascades to
sub-agents. Sub-agent kits are scoped-**down** derivations of the parent
(capabilities can only narrow; budget is shared), closing the confused-deputy hole.

This governance is **constant regardless of where the agent runs** — Naïve-hosted,
or a Vercel Eve / AgentCore / LangGraph agent on your own infra. Self-hosting the
runtime does not bypass it, because governance is at the tool-call boundary.

## How it maps to the platform

| Concept                              | Implementation                                                                                                                         |
| ------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------- |
| Policy (allow/deny, caps, approvals) | [AccountKit](/architecture/account-kits) attached to each agent profile                                                                |
| Human-in-the-loop                    | The [approvals](/architecture/approvals) queue (sensitive actions return `pending_approval`)                                           |
| Enforcement point                    | Every per-agent profile primitive route + the MCP guard                                                                                |
| Audit                                | Per-agent profile activity log (OpenTelemetry-shaped, exportable to Langfuse/Datadog)                                                  |
| Revoke                               | `agentProfile.revoke()` / `POST /v1/agent-profiles/:id/revoke` — suspends the agent profile; the gateway then denies all further calls |

Native observability is required for governance, so the control plane already
records every tool call, spend, and decision — and exports it with no extra module.

## Two planes, one policy

You declare one agent's `can` / `limits`; the control plane routes it to two planes:

* **Business-action governance (we own this)** — budgets, spend caps (enforced at
  authorization), HITL approvals, capability allow/deny, audit, instant revoke —
  at the tool-call boundary, across the whole agent profile bundle. The differentiated
  layer the agent-payments and agent-runtime competitors don't span.
* **System governance (OpenShell-compatible)** — the microVM's network /
  filesystem / process isolation. Compatible with NVIDIA's emerging standard, not
  a competitor.

## Native observability + the native-vs-module rule

The control plane already records every tool call, spend, and decision — it has
to, to govern. That stream is OpenTelemetry-shaped and **exports** to
Langfuse / Datadog (and any OTel sink) with no module. The rule for any
cross-cutting concern: *does the control plane need it to govern?* Yes → native
and exportable (tracing, secrets, identity). No → a module.
