Spec Overview — HARP
The human authorization standard for AI agents
AI agents are autonomous. HARP makes every action reviewable and every approval cryptographically verifiable — from a separate human-controlled device.
The problem
Section titled “The problem”Today’s AI coding agents can generate plans, modify files, apply diffs, run commands, commit code, and deploy infrastructure. But approvals happen inside the same IDEs, terminals and servers the agent controls — a button click with no cryptographic meaning.
No binding between what was reviewed and what executed. No out-of-band verification. No enterprise governance.
How HARP solves it
Section titled “How HARP solves it”Deterministic artifacts
Every agent action (plan, patch, command, checkpoint) becomes a canonical, hashable artifact with a stable identity.
Out-of-band approval
Artifacts are encrypted end-to-end to a mobile device. The human reviews and signs on a device the agent cannot control.
Cryptographic binding
The signature is mathematically bound to the exact artifact hash, scope, and expiry. Substitution is detectable.
Local enforcement
The desktop enforcer verifies everything locally before execution. If verification fails, it fails closed.
What HARP prevents
Section titled “What HARP prevents”Substitution
Approve A, execute B? Not possible — the Decision is bound to the artifact hash.
Replay
Reuse an old approval? Blocked by nonce, expiry, and replay cache.
In-band compromise
Agent controls the IDE? Doesn’t matter — signing keys are on your phone.
Enforcement bypass
Execute without verification? Blocked at the local enforcement boundary.
Who needs HARP
Section titled “Who needs HARP”Engineering teams
Developers using AI agents for coding, refactoring, and deployment.
Enterprise security
Organizations requiring governance, auditability, and compliance for AI-assisted workflows.
Agent platform vendors
IDE and agent vendors who need an open, interoperable human authorization layer.