Know what your AI agent did — and stop the risky moves before they happen.
Every action your agent takes gets a signed, tamper-evident receipt — proof you verify yourself, offline, no NOA account needed. Install the MCP proxy or SDK core from npm today; pausing risky actions for your sign-off ships next. Works with any agent or model.
receipt issued · agent action sealed
$1,000,000 refund · flagged HIGH-RISK · you approved it · tamper-evident · example
In plain words
The AI assistants you already use are starting to do things, not just answer.
NOA is the safety brake that stops your AI from accidentally sending money, deleting the wrong files, or doing something important without a check.
Think of it like the second approval before a big bank transfer — but for AI agents.
Four questions, four plain answers.
What is it?
A safety layer between your AI assistant and the real world. Before it does something that actually matters, NOA checks it first.
How does it work?
Safe actions just go through. Risky ones pause for your approval. Forbidden ones are blocked. Every action leaves a tamper-evident receipt you can verify yourself.
Why do you need it?
AI makes mistakes, and AI assistants are starting to do real things — pay, email, delete, change live systems. Once a wrong action runs, it's done. NOA stops it before it runs.
What you get
The confidence to finally let AI do real work. A verifiable, tamper-evident receipt for every action. You decide what needs your sign-off. Works with any AI. Open-source — read and verify everything.
AI agents are starting to do things — pay, refund, email, delete, deploy. And AI makes mistakes.
Once a wrong action runs, it's done. That's why teams keep agents read-only — too scared to give them real power.
After-the-fact
Logs tell you what happened.
By the time it's in the log, the payment is sent and the rows are deleted. A rear-view mirror can't stop the crash.
Before it runs
NOA decides what should — before it runs.
The risky action waits for a check or an approval. The hallucination never reaches the irreversible step.
Three steps, from agent intent to a receipt you can verify.
- 01
Agent proposes an action
Your agent calls a tool — refund a payment, send an email, drop a table. Once integrated, NOA intercepts the request before it executes.
agent → propose( payment.refund ) - 02
NOA gates it
Safe actions auto-allow in sub-millisecond. Risky ones require a human approval. Forbidden ones are blocked outright — by the policy you wrote.
auto-allow safeapprove riskyblock forbidden - 03
A tamper-evident receipt is issued
Every verdict is sealed into a hash-chained receipt — who, what, which rule, what happened. Reversible actions can be rolled back.
receipt rcpt_… · hash sha256:… · prevHash ↩
Every receipt links to the last one. Edit any past receipt and the chain breaks at the next hash.
A hallucinating agent tries to refund $1,000,000.
NOA doesn't just block — for a risky call it can pause for your sign-off, then execute and seal a receipt. Wrap one tool with the SDK core, live on npm today; the approval pause below ships in the next release.
Wrap any tool with noa-mcp-adapter-core's preCheck — model-agnostic — and NOA gates every call: auto-allow safe, block forbidden, before it executes. The approval-pause step in the timeline on the right ships in the next release.
SDK core (noa-mcp-adapter-core) and MCP proxy (noa-mcp-proxy) are live on npm today — the approval-pause in the timeline is illustrative, next release. Verify a receipt yourself, live today: npx noa-receipt verify (right).
verify it yourself
Also verifiable from source: git clone github.com/NordenSoft/noa → node dist/src/cli.js verify …
Offline. No NOA account. The verifier recomputes every hash and checks each prevHash link — if anyone edited a past receipt, it fails right at that sequence.
Or verify a chain right now, in your browserA trust layer you have to blindly trust isn't a trust layer.
NOA's policy rules and receipt format — the governance/receipt organ — are open-source (Apache-2.0). You read the rules. You verify the receipts. Offline. No NOA account required.
Overhead
A policy check is sub-millisecond on the safe path. Most actions never pause.
Fail-mode
Fail-closed by default (configurable). If NOA can’t decide, the risky action waits — it doesn’t slip through.
PII-free receipts
Receipts store only hashes of params — never raw data, customer info, or secrets.
Straight answers, including the uncomfortable ones.
No, in practice. A policy check on the safe path is sub-millisecond, and the vast majority of actions auto-allow without ever pausing. Only the genuinely risky calls wait — and only when you've configured them to.
Four ways in. Pick the one that fits your stack.
The verify CLI, the MCP proxy, and the tool-gating SDK core are all live on npm today. Runtime human-approval-in-the-loop — pausing a risky action for your sign-off — ships in the next release.
Drop the proxy in front of any MCP host — every tool call is governed today: auto-allow safe, block forbidden, no rewrites.
$ npx noa-mcp-proxy -- node your-server.mjs
→ every tools/call gated: ALLOW → forwarded + receipted
DENY → blocked + receiptedGate a single tool call in CrewAI, LangChain, or your own executor — one function call, any framework.
$ npm install noa-mcp-adapter-core
const { decision, receipt } = preCheckSession(toolCall, opts);
if (decision === 'ALLOW') await run(toolCall);
// receipt is signed + hash-chained either wayA small, PII-free, hash-chained JSON format. JSON-Schema + conformance suite.
{
"spec": "noa.receipt/0.1",
"governance": { "verdict": "EXECUTED" },
"chain": { "seq": 42, "hash": "sha256:…" }
}Recompute every hash, check each prevHash link. Offline, no service.
$ npx noa-receipt verify receipts.json --keyring keys.json
→ ✓ VALID · signatures + chain intact
(or) ✗ TAMPERED at seq=37Give your agents real power — safely.
NOA is open-source and live now — no waitlist, no signup. Install the packages, run them in your own environment, and verify every receipt yourself, offline. The hosted control plane is on the roadmap.
No waitlist. The open-source core is usable today from npm or source — the hosted product is on the roadmap.