The financial firewall for AI agent-initiated payments.
The agent governance work we built in iFivo has been folded into Axiru. Axiru governs refunds, credits, payouts, and any money-moving action an AI agent can trigger — with deterministic policy, human approvals, a tamper-evident ledger, and a kill switch.
Four primitives, one decision point.
Drop the Agent Action Gateway in front of every Stripe call your agent makes. Everything else flows from there.
Agent Action Gateway
Every money-moving call your agent makes goes through one decision endpoint. Policy evaluates allow / deny / require_approval before the Stripe (or Plaid, or ACH) call ever leaves your stack.
Per-agent kill switch & quarantine
Freeze a single agent in one click. Quarantine it pending review. Engage the org-wide kill switch to stop every agent at once. All transitions land in the audit log.
Live approvals + Slack bot
Pending agent actions stream into a live queue. Reviewers approve or reject from the dashboard or directly from Slack with HMAC-verified buttons.
Tamper-evident audit export
One PDF export bundles ledger, decisions, approvals, agent-control changes, and kill-switch transitions. Every row is part of a SHA-256 chain. Auditors can re-derive and verify integrity.
What makes Axiru specific to money.
Microsoft AGT is excellent for general agent telemetry. Generic observability captures traces. Neither stops a refund from executing.
| Capability | Axiru | Microsoft AGT | Generic observability |
|---|---|---|---|
| Governs money-moving actions specifically | ✓ | × | × |
| Tamper-evident financial audit evidence | ✓ | × | × |
| Stripe Connect / refund governance | ✓ | × | × |
| Human-in-the-loop payment approvals | ✓ | partial | × |
| Per-agent kill switch on payments | ✓ | × | × |
Deeper read on how the two stack up, including the architecture for running both: Axiru vs Microsoft AGT →
Cite the evidence behind every decision.
Add the Evidence Agent to fetch carrier tracking, Stripe disputes, and merchant ToS at decision time. Each fetch lands as an EVIDENCE_FETCH entry in the ledger linked to its decision.
- Three seeded sources — carrier tracking (FedEx / UPS / USPS / DHL), Stripe disputes, merchant ToS pages
- Confidence-routed — anything below 0.85 falls through to the approval router
- PII-classified via Microsoft Presidio; SENSITIVE outputs auto-block at v1
- $1,500 / month add-on on Control, included at Enterprise
Honest coverage today, real runway behind it.
Refunds (including failed deliveries), goodwill credits, payouts (full lifecycle including failures and reconciliation), Connect transfers, disputes (with evidence-deadline routing), and application fee refunds are now governed end-to-end: typed events, per-category thresholds, deterministic decisions, ledger writes, and approval routing. Discounts and comps are partially supported. Charge reversals are routed by the AGT extension; native dashboard surfaces land next. Chargeback acceptance, write-offs, subscription cancels, trial extensions, and promo credits are explicitly not yet covered.
- GA today · Webhook live: refunds (full, partial, failed), goodwill credits, payouts (created, paid, failed, canceled, reconciliation_completed), Connect transfers (forward and reversed), disputes (5-stage lifecycle with evidence-deadline escalation), application fee refunds, all flowing through the typed Stripe webhook dispatcher in production with persistent dedupe
- Partial: discounts and comps — governed by the policy engine, native UI on the runway
- Plumbing only: charge reversals — the AGT extension routes them; dedicated templates land in weeks 1–6
- Not covered yet: chargeback acceptance, write-offs, subscription cancels, trial extensions, bulk promo credits
Already running Microsoft AGT? Drop us in.
@axiru/agt-extension is a small, MIT-licensed package that plugs into Microsoft's Agent Governance Toolkit. Payment-action tool calls route to Axiru's policy engine; everything else keeps hitting AGT defaults.
- Zero runtime dependencies — ~300 lines of TypeScript, reviewable in five minutes
- Stripe, Plaid, Modern Treasury, Dwolla, Square covered out of the box
- Fail-closed by default — payments never silently fire when governance is unavailable
- One audit trail — AGT decision metadata joins 1:1 to the Axiru ledger
One POST. One human click. A governed Axiru tenant.
External agents discover Axiru via /.well-known/agent.json and call /api/agent/onboard once with an intent and contact email. They get a tenant-scoped API key, a starter policy pack installed in shadow mode, and a magic link to hand the human.
- Discoverable: agent.json + ai-plugin.json served at /.well-known/, derived from one builder so they cannot drift
- Idempotent: same idempotency_key in, same tenant out — agent loops can't fork workspaces
- Shadow mode by default: the engine evaluates and logs every decision, but no money moves until the human clicks the magic link
- Deterministic 4-step orchestrator: workspace → api_key → starter_policies → magic_link, ships in @axiru/agent-core/onboarding
When Stripe ships a breaking change, you hear it from us first.
Axiru's Rail Change Monitor diff engine compares a captured rail action surface — tool name, parameter shape, capability version — against the previous snapshot and classifies every change by severity. The diff engine is live; rail-specific snapshot capture and the auto-freeze → on-call page-out hooks ship next.
- Action-signature builder: deterministic capture of tool name, category, required + optional params, and capability version — one entry per governed rail action
- Severity-aware diff: tightenings (new required param, removed action) trip critical; loosenings and additive changes are warning or info — nine total change kinds
- Snapshot adapters and auto-freeze hooks: on the near-term roadmap — Stripe first, then Plaid, Modern Treasury, Dwolla, Square, and any rail registered through the AGT extension
- Pure functional core: ships in @axiru/agent-core/rail-monitor — zero runtime deps, deterministic output, runs anywhere
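The severity-aware diff described above, as an added example that is not Axiru's code or the API of @axiru/agent-core/rail-monitor. The type names, the change-kind names and the split between warning and info are assumptions; only the rule that a new required parameter or a removed action is critical comes from the page.

```typescript
// Added illustration: type names, change kinds and the warning/info split are assumptions.
type Severity = "critical" | "warning" | "info";
interface ActionSignature {
  tool: string; category: string; capabilityVersion: string;
  required: string[]; optional: string[];
}
interface Change { tool: string; kind: string; severity: Severity; detail: string }
const RANK: Record<Severity, number> = { critical: 0, warning: 1, info: 2 };
const has = (xs: string[], x: string): boolean => xs.indexOf(x) !== -1;
const byTool = (snap: ActionSignature[], tool: string): ActionSignature | undefined =>
  snap.filter((a) => a.tool === tool)[0];

function diffSnapshots(prev: ActionSignature[], next: ActionSignature[]): Change[] {
  const out: Change[] = [];
  const add = (tool: string, kind: string, severity: Severity, detail: string): void => {
    out.push({ tool, kind, severity, detail });
  };
  for (const old of prev) {
    const cur = byTool(next, old.tool);
    if (!cur) { add(old.tool, "action_removed", "critical", "no longer exposed"); continue; }
    for (const p of cur.required) {
      if (has(old.required, p)) continue;
      // Callers must now send p: a tightening whether p is new or promoted from optional.
      add(old.tool, has(old.optional, p) ? "param_became_required" : "required_param_added", "critical", p);
    }
    for (const p of old.required) {
      if (has(cur.required, p)) continue;
      add(old.tool, has(cur.optional, p) ? "param_became_optional" : "required_param_removed", "warning", p);
    }
    for (const p of cur.optional)
      if (!has(old.optional, p) && !has(old.required, p)) add(old.tool, "optional_param_added", "info", p);
    if (old.capabilityVersion !== cur.capabilityVersion)
      add(old.tool, "capability_version_changed", "info", old.capabilityVersion + " -> " + cur.capabilityVersion);
  }
  for (const a of next) if (!byTool(prev, a.tool)) add(a.tool, "action_added", "info", "new action");
  // Fixed ordering: the same pair of snapshots always yields the same report.
  return out.sort((a, b) => RANK[a.severity] - RANK[b.severity] || a.tool.localeCompare(b.tool) ||
    a.kind.localeCompare(b.kind) || a.detail.localeCompare(b.detail));
}
// Worst severity in a report: the value a freeze or paging hook would key on.
function worstSeverity(changes: Change[]): Severity | null {
  let worst: Severity | null = null;
  for (const c of changes) if (worst === null || RANK[c.severity] < RANK[worst]) worst = c.severity;
  return worst;
}
// Constructed snapshots of one rail action (tool and parameter names are made up).
const PREV: ActionSignature[] = [{ tool: "refund.create", category: "refund", capabilityVersion: "v1",
  required: ["charge"], optional: ["amount", "reason"] }];
const NEXT: ActionSignature[] = [{ tool: "refund.create", category: "refund", capabilityVersion: "v2",
  required: ["charge", "reason"], optional: ["amount", "metadata"] }];
```

Diffing `PREV` against `NEXT` reports the promotion of `reason` to a required parameter as critical, ahead of the two info-level changes.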
Wire one endpoint. Govern every agent payment.
Start in shadow mode — Axiru observes without enforcing. Flip enforcement on when your team is ready.