Skip to content
Open-source · Apache-2.0 · model-agnostic

Know what your AI agent did — and stop the risky moves before they happen.

Every action your agent takes gets a signed, tamper-evident receipt — proof you verify yourself, offline, no NOA account needed. Install the MCP proxy or SDK core from npm today; pausing risky actions for your sign-off ships next. Works with any agent or model.

safe → auto-allow risky → your approval forbidden → blocked

receipt issued · agent action sealed

noa.receipt/0.1EXECUTED
idrcpt_01J9X4P2K7M3QV8ZB6N0WYHT5R
actionpayment.refund
riskHIGH
agentsupport-agent
modelvendor/model
paramsHashsha256:9f2c41a0e8b7d6c5f4a3b2c1d0e9f8a7b6c5d4e3f2a1b0c9d8e7f6a5b4c3d2e1
approvedByHUMAN:you@acme.com
ruleIdapproval-request
seq#42
prevHashsha256:1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b
hashsha256:c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5

$1,000,000 refund · flagged HIGH-RISK · you approved it · tamper-evident · example

In plain words

The AI assistants you already use are starting to do things, not just answer.

NOA is the safety brake that stops your AI from accidentally sending money, deleting the wrong files, or doing something important without a check.

Think of it like the second approval before a big bank transfer — but for AI agents.

The short version

Four questions, four plain answers.

What is it?

A safety layer between your AI assistant and the real world. Before it does something that actually matters, NOA checks it first.

How does it work?

Safe actions just go through. Risky ones pause for your approval. Forbidden ones are blocked. Every action leaves a tamper-evident receipt you can verify yourself.

Why do you need it?

AI makes mistakes, and AI assistants are starting to do real things — pay, email, delete, change live systems. Once a wrong action runs, it's done. NOA stops it before it runs.

What you get

The confidence to finally let AI do real work. A verifiable, tamper-evident receipt for every action. You decide what needs your sign-off. Works with any AI. Open-source — read and verify everything.

The problem

AI agents are starting to do things — pay, refund, email, delete, deploy. And AI makes mistakes.

Once a wrong action runs, it's done. That's why teams keep agents read-only — too scared to give them real power.

After-the-fact

Logs tell you what happened.

By the time it's in the log, the payment is sent and the rows are deleted. A rear-view mirror can't stop the crash.

Before it runs

NOA decides what should — before it runs.

The risky action waits for a check or an approval. The hallucination never reaches the irreversible step.

How it works

Three steps, from agent intent to a receipt you can verify.

  1. 01

    Agent proposes an action

    Your agent calls a tool — refund a payment, send an email, drop a table. Once integrated, NOA intercepts the request before it executes.

    agent → propose( payment.refund )
  2. 02

    NOA gates it

    Safe actions auto-allow in sub-millisecond. Risky ones require a human approval. Forbidden ones are blocked outright — by the policy you wrote.

    auto-allow safeapprove riskyblock forbidden
  3. 03

    A tamper-evident receipt is issued

    Every verdict is sealed into a hash-chained receipt — who, what, which rule, what happened. Reversible actions can be rolled back.

    receipt rcpt_… · hash sha256:… · prevHash ↩

Every receipt links to the last one. Edit any past receipt and the chain breaks at the next hash.

The demo

A hallucinating agent tries to refund $1,000,000.

NOA doesn't just block — for a risky call it can pause for your sign-off, then execute and seal a receipt. Wrap one tool with the SDK core, live on npm today; the approval pause below ships in the next release.

agent.tslive on npm

Wrap any tool with noa-mcp-adapter-core's preCheck — model-agnostic — and NOA gates every call: auto-allow safe, block forbidden, before it executes. The approval-pause step in the timeline on the right ships in the next release.

SDK core (noa-mcp-adapter-core) and MCP proxy (noa-mcp-proxy) are live on npm today — the approval-pause in the timeline is illustrative, next release. Verify a receipt yourself, live today: npx noa-receipt verify (right).

noa · illustrative (next release)
approved + executed + receipted
noa · forbidden action
blocked — never ran

verify it yourself

$ npx noa-receipt verify receipt.json --keyring keys.json
✓ tamper-evident · chain intact · 3/3 receipts valid

Also verifiable from source: git clone github.com/NordenSoft/noa node dist/src/cli.js verify …

Offline. No NOA account. The verifier recomputes every hash and checks each prevHash link — if anyone edited a past receipt, it fails right at that sequence.

Or verify a chain right now, in your browser
Why open source

A trust layer you have to blindly trust isn't a trust layer.

NOA's policy rules and receipt format — the governance/receipt organ — are open-source (Apache-2.0). You read the rules. You verify the receipts. Offline. No NOA account required.

$npx noa-receipt verify receipt.json --keyring keys.json→ ✓ tamper-evident
For the skeptics

Overhead

A policy check is sub-millisecond on the safe path. Most actions never pause.

Fail-mode

Fail-closed by default (configurable). If NOA can’t decide, the risky action waits — it doesn’t slip through.

PII-free receipts

Receipts store only hashes of params — never raw data, customer info, or secrets.

FAQ

Straight answers, including the uncomfortable ones.

No, in practice. A policy check on the safe path is sub-millisecond, and the vast majority of actions auto-allow without ever pausing. Only the genuinely risky calls wait — and only when you've configured them to.

For developers

Four ways in. Pick the one that fits your stack.

The verify CLI, the MCP proxy, and the tool-gating SDK core are all live on npm today. Runtime human-approval-in-the-loop — pausing a risky action for your sign-off — ships in the next release.

MCP proxyzero-code · live on npm

Drop the proxy in front of any MCP host — every tool call is governed today: auto-allow safe, block forbidden, no rewrites.

$ npx noa-mcp-proxy -- node your-server.mjs
→ every tools/call gated: ALLOW → forwarded + receipted
  DENY → blocked + receipted
preCheckSession()one function call · live on npm

Gate a single tool call in CrewAI, LangChain, or your own executor — one function call, any framework.

$ npm install noa-mcp-adapter-core
const { decision, receipt } = preCheckSession(toolCall, opts);
if (decision === 'ALLOW') await run(toolCall);
// receipt is signed + hash-chained either way
NOA Receiptopen spec

A small, PII-free, hash-chained JSON format. JSON-Schema + conformance suite.

{
  "spec": "noa.receipt/0.1",
  "governance": { "verdict": "EXECUTED" },
  "chain": { "seq": 42, "hash": "sha256:…" }
}
npx noa-receipt verifyverify · live on npm

Recompute every hash, check each prevHash link. Offline, no service.

$ npx noa-receipt verify receipts.json --keyring keys.json
→ ✓ VALID · signatures + chain intact
  (or) ✗ TAMPERED at seq=37

Give your agents real power — safely.

NOA is open-source and live now — no waitlist, no signup. Install the packages, run them in your own environment, and verify every receipt yourself, offline. The hosted control plane is on the roadmap.

$npm install noa-receipt

No waitlist. The open-source core is usable today from npm or source — the hosted product is on the roadmap.