Below is a customer-refund agent running under AgentGuard, with a real Ed25519 keypair generated in this tab. Drive it: approve a small refund, push it past the $500/day cap, try a payment_execute action while you only hold read_only, or flip the kill switch. Every decision (allow and block) is hashed into a chained, signed receipt you can verify independently. Watch the BLOCK land.
Everything above ran in your browser. AgentGuard never saw this. The signing key was generated locally with @noble/ed25519, the private key never leaves this tab, and no refund, customer record, or amount was sent to any server. The receipt is content-free by construction: it proves the decision, never the data. That is the zero-data-plane guarantee, not a promise on a slide.
Each decision is canonicalized, SHA-256 hashed into an entryHash, signed over that hash, and linked to the previous entry by previousHash. Edit one byte and the next button proves it.
When the agent tries to exceed the cap or act above its capability, AgentGuard signs the BLOCK. A refusal you can hand an auditor is worth as much as the approval.
Every receipt card has a “Verify on /verify” link that re-checks the signature and chain on a separate page, and a copy button so you can verify it from your own terminal.
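The chain check described above (recompute each entryHash, follow previousHash, verify the Ed25519 signature over the hash) can be sketched for a terminal with Node's built-in crypto module. This is an added example, not AgentGuard's code or receipt format. The sorted-key JSON canonical form, the all-zero genesis previousHash, the base64 signature encoding, and the decision fields action, verdict and rule are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed canonical form: JSON with object keys sorted recursively.
function canonicalize(v) {
  if (Array.isArray(v)) return '[' + v.map(canonicalize).join(',') + ']';
  if (v && typeof v === 'object')
    return '{' + Object.keys(v).sort().map(k => JSON.stringify(k) + ':' + canonicalize(v[k])).join(',') + '}';
  return JSON.stringify(v);
}

const GENESIS = '0'.repeat(64); // assumed previousHash of the first entry

function hashEntry(decision, previousHash) {
  return nodeCrypto.createHash('sha256').update(canonicalize({ decision, previousHash })).digest('hex');
}

function appendReceipt(chain, decision, privateKey) {
  const previousHash = chain.length ? chain[chain.length - 1].entryHash : GENESIS;
  const entryHash = hashEntry(decision, previousHash);
  const signature = nodeCrypto.sign(null, Buffer.from(entryHash, 'hex'), privateKey).toString('base64');
  chain.push({ decision, previousHash, entryHash, signature });
  return chain;
}

// publicKey must be pinned out of band. Returns { ok: true } or the first failing entry.
function verifyChain(chain, publicKey) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const r = chain[i];
    if (r.previousHash !== expectedPrev) return { ok: false, index: i, reason: 'broken link' };
    if (hashEntry(r.decision, r.previousHash) !== r.entryHash) return { ok: false, index: i, reason: 'hash mismatch' };
    const sigOk = nodeCrypto.verify(null, Buffer.from(r.entryHash, 'hex'), publicKey, Buffer.from(r.signature, 'base64'));
    if (!sigOk) return { ok: false, index: i, reason: 'bad signature' };
    expectedPrev = r.entryHash;
  }
  return { ok: true };
}

// Constructed sample decisions with hypothetical fields: outcome and rule only, no customer data.
function demo() {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
  const chain = [];
  appendReceipt(chain, { action: 'refund', verdict: 'ALLOW', rule: 'daily_cap' }, privateKey);
  appendReceipt(chain, { action: 'refund', verdict: 'BLOCK', rule: 'daily_cap' }, privateKey);
  appendReceipt(chain, { action: 'payment_execute', verdict: 'BLOCK', rule: 'capability' }, privateKey);
  const clean = verifyChain(chain, publicKey);
  chain[1].decision.verdict = 'ALLOW'; // tamper: rewrite a signed BLOCK as an ALLOW
  const tampered = verifyChain(chain, publicKey);
  return { clean, tampered };
}
```

The chain alone does not reveal entries dropped from the tail, so a verifier should also compare the last entryHash against a value obtained through an independent channel.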