Drop in the interceptor
Wrap an `AxiruPolicyProvider` in an `AxiruToolCallInterceptor` and register it on your `GovernanceKernel` interceptor chain. Every tool call AGT evaluates passes through your existing chain plus this one.
OSS · MIT · Zero deps
Axiru on top of Microsoft AGT.
@axiru/agt-extension drops payment-action governance into Microsoft's Agent Governance Toolkit. Stripe refunds, Plaid transfers, Modern Treasury orders, Dwolla, Square, all routed to Axiru's policy engine and the tamper-evident ledger. Non-payment tool calls keep hitting AGT defaults.
Quickstart
Four lines from npm install to governed payments.
If your stack already uses AGT, this is a drop-in. If you've never seen AGT, the wiring fits on a Post-it.
pnpm add @axiru/agt-extension
import { GovernanceKernel } from "@microsoft/agt-core";
import { AxiruPolicyProvider, AxiruToolCallInterceptor, isPaymentTool } from "@axiru/agt-extension";
const provider = new AxiruPolicyProvider({ apiKey: process.env.AXIRU_API_KEY! });
const interceptor = new AxiruToolCallInterceptor(provider, isPaymentTool);
const kernel = new GovernanceKernel({
policyPaths: ["policies/agt.yaml"],
interceptors: [interceptor], // payment tools → Axiru; everything else → AGT defaults
});How it wires
Four steps. Two integration points. No fork required.
The extension implements AGT's PolicyProviderInterface and ToolCallInterceptor contracts. We don't modify AGT, we plug into it.
Payment tools route to Axiru
The classifier identifies money-moving tool calls, Stripe refunds, Plaid transfers, Modern Treasury orders, Dwolla, Square, and any tool with the `axiru.refund.` / `axiru.charge.` / `axiru.payment.` prefix.
Everything else hits AGT defaults
Notion writes, GitHub commits, Slack messages, database queries, non-payment tool calls fall through to AGT's default policy engine and the rest of your interceptor chain. Nothing else changes.
Decisions land in the ledger
Each routed call writes a tamper-evident entry to your Axiru ledger with the AGT `agentId`, tool name, policy version, and decision id. AGT's decision metadata carries the same `decisionId` so you can join AGT logs to Axiru ledger entries 1:1.
Coverage
What's routed to Axiru by default.
The classifier is a pure function, extend or replace it without touching AGT.
| Service | Tool names |
|---|---|
| Stripe | stripe.refund.create, stripe.charge.create, stripe.charge.capture, stripe.payment_intent.create, stripe.payment_intent.confirm, stripe.payout.create, stripe.transfer.create, stripe.dispute.update |
| Plaid / ACH | plaid.transfer.create, plaid.transfer.cancel |
| Modern Treasury | modern_treasury.payment_order.create |
| Dwolla | dwolla.transfer.create |
| Square | square.refund.create, square.payment.create |
| Custom | axiru.refund.*, axiru.charge.*, axiru.payment.* |
Why it matters
Microsoft built the runtime. We built the payment policy.
AGT covers prompt injection, tool-call interception, mesh identity, OWASP Agentic AI Top 10. It does not ship opinionated, regulator-aware policies for money movement. This extension fills that one box, on top of the runtime your platform team already trusts.
Distribution, not competition
Every AGT deployment is a place Axiru can land. We don't ask customers to choose a runtime, we plug into the one Microsoft is making the default.
One audit trail, not two
Decision id and policy version are returned in AGT's metadata field, so AGT logs join 1:1 to the Axiru ledger. Auditors get one chain of custody, not a reconciliation problem.
Fail-closed for money
Default `failureMode: "deny"` ensures payments never silently fire when governance is unavailable. Shadow-mode customers can opt into `"allow"` for evaluation runs.
Zero runtime dependencies
~300 lines of TypeScript. No transitive supply chain. Reviewable in five minutes by a security team that wants to know what just landed in their AGT pipeline.
FAQ
Common questions
Plain answers about scope, failure modes, and integration.
How is this different from running AGT alone?
AGT's default policy engine governs the broad agent-safety surface, prompt injection, tool-call interception, OWASP Agentic AI Top 10. It does not ship opinionated, regulator-aware policies for money movement. This extension fills that one box: refunds, payouts, ACH transfers, charge captures, dispute-evidence submissions get human-approval-aware, ledger-backed governance with audit guarantees.
Do I have to migrate off AGT?
No. The extension is additive, register it on your existing `GovernanceKernel.interceptors` array and your AGT setup is unchanged. Non-payment tool calls keep hitting AGT's default policies.
What happens when Axiru is unreachable?
Fail-closed by default: payment tool calls deny with a clear reason if Axiru returns 5xx or the network fails. You can opt into shadow-mode (`failureMode: "allow"`) where unreachable Axiru passes through to AGT defaults. 4xx responses (auth/validation) always deny regardless of mode, never silently elevate a misconfigured deployment.
How big is this package?
~300 lines of TypeScript. Zero runtime dependencies. MIT licensed. The whole thing is published on GitHub and reviewable in five minutes.
Can I extend the payment-tool classifier?
Yes. `buildPaymentToolPredicate({ toolNames, toolPrefixes, custom })` lets you add your own tool names, prefix matchers, or arbitrary predicate. The built-ins are exposed as `DEFAULT_PAYMENT_TOOL_NAMES` and `DEFAULT_PAYMENT_TOOL_PREFIXES` if you want to extend rather than replace.
Where do I get an Axiru API key?
Sign up at axiru.com/start-free. Free tier includes 1,000 governed decisions per month, enough to wire AGT and run real tool calls in shadow mode against your own data.
Skip the wiring entirely
Or have your agent onboard itself in one POST.
If your agent already speaks MCP, it can discover Axiru via /.well-known/agent.json and call /api/agent/onboard once, no human-mediated setup, no AGT integration to write. The orchestrator returns a tenant-scoped API key, a magic link for the human, and starter policies installed in shadow mode.
Comparing Axiru with Microsoft AGT directly? See the full Axiru vs Microsoft AGT breakdown →
Next step
Drop us into your AGT pipeline.
Four lines of wiring. Zero runtime dependencies. Money moves are governed; everything else stays exactly as Microsoft intended.
Start in shadow mode first. Move to live enforcement later.