Constrain

Define what AI agents can do with signed .aflock policy files. Set spend limits, tool restrictions, file access patterns, and domain allowlists.

Attest

Every agent action produces a cryptographically signed in-toto attestation. The agent never sees the signing key — unforgeable proof of compliance.

Verify

Verify constraint compliance with a 6-phase verification algorithm. Signature verification is implemented; identity, Rego, AI evaluation, and sublayout recursion are in active development.