Ship AI agents to production with write-access — safely.
NOA checks, approves, and receipts every real action your agent takes — before it happens. Works with any agent or model.
receipt issued · agent action sealed
$1,000,000 refund · flagged HIGH-RISK · you approved it · tamper-evident
In plain words
The AI assistants you already use — ChatGPT, Claude — are starting to do things, not just answer.
NOA is the safety brake that stops your AI from accidentally sending money, deleting the wrong files, or doing something important without a check.
Think of it like the second approval before a big bank transfer — but for AI agents.
Four questions, four plain answers.
What is it?
A safety layer between your AI assistant and the real world. Before it does something that actually matters, NOA checks it first.
How does it work?
Safe actions just go through. Risky ones pause for your approval. Forbidden ones are blocked. Every action leaves a receipt — a proof you can check yourself.
Why do you need it?
AI makes mistakes, and AI assistants are starting to do real things — pay, email, delete, change live systems. Once a wrong action runs, it's done. NOA stops it before it runs.
What you get
The confidence to finally let AI do real work. Proof of every action. You decide what needs your sign-off. Works with any AI. Open-source — read and verify everything.
AI agents are starting to do things — pay, refund, email, delete, deploy. And AI makes mistakes.
Once a wrong action runs, it's done. That's why teams keep agents read-only — too scared to give them real power.
After-the-fact
Logs tell you what happened.
By the time it's in the log, the payment is sent and the rows are deleted. A rear-view mirror can't stop the crash.
Before it runs
NOA decides what should — before it runs.
The risky action waits for a check or an approval. The hallucination never reaches the irreversible step.
Three steps, from agent intent to a receipt you can verify.
- 01
Agent proposes an action
Your agent calls a tool — refund a payment, send an email, drop a table. NOA intercepts the request before it executes.
agent → propose( payment.refund ) - 02
NOA gates it
Safe actions auto-allow in sub-millisecond. Risky ones require a human approval. Forbidden ones are blocked outright — by the policy you wrote.
auto-allow safeapprove riskyblock forbidden - 03
A tamper-evident receipt is issued
Every verdict is sealed into a hash-chained receipt — who, what, which rule, what happened. Reversible actions can be rolled back.
receipt rcpt_… · hash sha256:… · prevHash ↩
Every receipt links to the last one. Edit any past receipt and the chain breaks at the next hash.
A hallucinating agent tries to refund $1,000,000.
NOA doesn't just block — it asks you, executes once you approve, and seals a receipt. Wrap one tool and watch it happen.
import { guard } from '@noa/sdk'
// wrap any tool — one line, model-agnostic
const safeRefund = guard(refundTool)
await safeRefund({ amount: 1_000_000 })
// ↳ HIGH-RISK → waits for your approvalNo SDK? The MCP proxy does the same with zero code for any MCP host.
verify it yourself
Offline. No NOA account. The verifier recomputes every hash and checks each prevHash link — if anyone edited a past receipt, it fails right at that sequence.
A trust layer you have to blindly trust isn't a trust layer.
NOA's kernel and the receipt format are open-source (Apache-2.0). You read the rules. You verify the receipts. Offline. No NOA account required.
Overhead
A policy check is sub-millisecond on the safe path. Most actions never pause.
Fail-mode
Fail-closed by default (configurable). If NOA can’t decide, the risky action waits — it doesn’t slip through.
PII-free receipts
Receipts store only hashes of params — never raw data, customer info, or secrets.
Straight answers, including the uncomfortable ones.
No, in practice. A policy check on the safe path is sub-millisecond, and the vast majority of actions auto-allow without ever pausing. Only the genuinely risky calls wait — and only when you've configured them to.
Four ways in. Pick the one that fits your stack.
Early access — the governance kernel runs in our production today. The SDK, proxy, and CLI below publish with the open-source release; here's the interface you'll wire in.
Drop the proxy in front of any MCP host. Every tool call is governed — no rewrites.
npx @noa/mcp-proxy \
--upstream ./your-mcp-server \
--policy noa.policy.yamlWrap a single tool in CrewAI, LangChain, or your own executor.
import { guard } from '@noa/sdk'
const safe = guard(myTool, {
risk: 'HIGH',
})A small, PII-free, hash-chained JSON format. JSON-Schema + conformance suite.
{
"spec": "noa.receipt/0.1",
"governance": { "verdict": "EXECUTED" },
"chain": { "seq": 42, "hash": "sha256:…" }
}Recompute every hash, check each prevHash link. Offline, no service.
$ npx noa verify receipts.json
→ ✓ VALID · chain intact
(or) ✗ TAMPERED at seq=37Give your agents real power — safely.
NOA is open-source and in early access. Leave your email and we'll reach out as access opens — the public repo and hosted control plane are publishing now.
No spam. The open-source core is usable today — the hosted product is being built in the open.