How It Works — HARP
Agent asks. Human approves. From their phone.
Every autonomous action becomes a signed artifact. Every approval is cryptographically bound to what executes.
The flow
Section titled “The flow”Agent creates an artifact
The AI agent produces a plan, patch, command, or checkpoint describing the intended action.
Desktop encrypts & hashes
The enforcer canonicalizes the artifact to deterministic bytes, computes SHA-256 hash, and encrypts end-to-end to the mobile device.
Human reviews on mobile
The mobile approver decrypts and displays the artifact content for review — fully out-of-band from the IDE.
Human signs a decision
Approve or deny. The device signs a Decision (Ed25519) bound to the artifact hash, with scope and expiry.
Desktop enforces
The enforcer verifies signature, hash match, expiration, scope, and replay protection. Only then: execute. Otherwise: fail closed.
Authorization flow
Section titled “Authorization flow”Three components
Section titled “Three components”Desktop Agent
IDE extension (e.g., VS Code). The local enforcement boundary. Encrypts artifacts, verifies signatures, gates execution.
Mobile Approver
Your phone. Holds the private signing key. Decrypts and displays artifacts. Signs approval decisions.
Gateway
Cloud relay (optional). Routes encrypted payloads only. Cannot decrypt artifacts. Cannot forge approvals. Zero-knowledge by design.
Trust boundaries
Section titled “Trust boundaries”- Desktop Enforcer — must be the gating boundary; no execution without valid signed decision
- Mobile Approver — holds signing keys on a separate device the agent cannot control
- Gateway — untrusted for plaintext; routes ciphertext and metadata only