Documentation Protocol v1.0

Installation

Two surfaces: Protocol Verification is live and requires no API key. The Execution Gateway (POST /execute) is in private beta - request access.

npm install trigguard

pip install trigguard==0.2.0

• CLIInstall, login, authorize, and verify from the shell→
• Verify a receipt todayOffline Ed25519 verification · trigguard verify-receipt · /verify→
• Execution gateway accessPrivate beta · hosted PERMIT/DENY/SILENCE evaluation→

How it works

Architecture and decision semantics live on dedicated pages - this hub links into them.

• ArchitectureExecution flow, components, and deployment model→
• Decision modelPERMIT, DENY, SILENCE semantics and invariants→

Quickstart

End-to-end integration path: install, verify offline, then request gateway access when ready.

Protocol reference

• TG-EXECUTION-AUTH-01 Draft · private betaPOST /execute, PERMIT/DENY/SILENCE, fail-closed semantics→
• TG-RECEIPT-SCHEMAReceipt fields, signature format, expiry semantics→
• TG-KEY-DISCOVERY/.well-known/trigguard-keys.json · key rotation→
• Decision vs enforcementDecisions vs EXECUTED/BLOCKED enforcement layer→
• API referenceEndpoints, parameters, responses, error codes→
• Authorization surfacesdeploy.*, infra.*, data.*, secrets.* taxonomy→
• Receipt verificationOffline Ed25519 validation against published keys→

Runtime integration

• GitHub ActionsEnforce PERMIT before deploys and promotions→
• TerraformPre-apply authorization for infrastructure changes→
• REST APIDirect integration · curl, client libraries, webhooks→
• Command lineShell scripts, local development, testing→

Trust & verification

Deterministic authorization boundary - every request yields PERMIT, DENY, or SILENCE. Report vulnerabilities to security@trigguardai.com.

• Receipt signatures (Ed25519)Canonical JSON payload · immutable, offline-verifiable→
• Offline verificationFetch keys once, verify forever - no callback required→
• Key transparencyWell-known discovery · rotation · kid on every receipt→
• Security policyResponsible disclosure and key management→

FAQ

Protocol Verification vs Execution Gateway?

Offline verification is live: Ed25519 over receipt JSON using /.well-known/trigguard-keys.json. The Execution Gateway (private beta) issues PERMIT/DENY/SILENCE for irreversible actions - see TG-EXECUTION-AUTH-01.

API keys for verification?

No. Use published keys with the CLI or /verify.

Canonical quickstart?

/docs/quickstart - offline-first verification path.

SILENCE vs DENY?

DENY is an explicit refusal. SILENCE withholds authorization without leaking policy signals.