_Threshold Documentation

Technical reference for the T8 Engine and the components around it.

Threshold is a runtime trust layer for AI agents: a proxy data plane, a sandboxed rule engine, isolated EVM payments, and a verifiable audit log. This page documents the architecture. For product context, see the Inversed landing page.

Install — t8 plugin ↗ Read the architecture

T8-ENGINE-SHELL

[t8ak_billing_bot_v2] calling tool: stripe:refund_transaction

[t8-core] Evaluating Rule Engine policies...

[t8-rule-runner] MATCHED RULE: refund-limits.js

[t8-rule-runner] Arguments: amount=1420.00, currency="USDC"

[t8-rule-runner] Evaluating V8 sandbox sandbox-6...

[t8-core] DECISION: DENY | Reason: amount exceeds single-transaction budget of 1000 USDC

[t8-core] Log entry securely signed: Merkle Tree Node Root #c4b92...

_Architecture overview

Four components.

Stateless Low-Latency Data Plane

The T8 Engine intercepts agent traffic to seamlessly swap and resolve API credentials. This keeps sensitive keys completely out of the agent's workspace, protecting your infrastructure without requiring changes to agent code.

Live

Sandboxed Policy Engine

Prevent unauthorized actions and enforce spending limits by evaluating policies before every tool call. Custom rules ensure agents only access the specific data and actions they need for their given tasks.

Live

Process-Isolated EVM Payments

Enable your agents to execute programmatic payments while strictly enforcing budgets. Our isolated signing architecture ensures that agents can initiate transactions without ever accessing the underlying private keys.

Beta

Verifiable Audit Logging

Append-only, verifiable cryptographic Merkle trees modeled after Certificate Transparency. Every API request, decision, and payment event is logged into an append-only, cryptographically verifiable ledger. This provides the non-repudiation and clear audit trails required for strict enterprise compliance (e.g., SOC2, HIPAA).

Planned

_V8 Sandbox isolation

Granular control, executed in milliseconds.

Client-authored permission rules execute directly on the proxy path. Tools can be locked down per-agent, per-method, or per-value, with decisions returned in milliseconds.

Fully Isolated Execution

Scripts are evaluated within isolated-vm sandboxes without Node.js global variables, file system access, or network access.

Comprehensive Context Exposure

Rules have full access to connection metadata, calling agent ID, specific namespaced tools, and incoming argument key-values.

Fault-Tolerant Fail-Safe Design

Should the rule runner experience unexpected downtime, tool calls default to allow to keep critical operations moving.

restrict-github-push.js Rule Sandbox #1

// Block non-HR agents from pushing code to master
function rule(ctx) {
  const protectedTools = ["push_files", "delete_file"];
  
  if (ctx.connection_name === "github" && protectedTools.includes(ctx.tool_original_name)) {
    const isDevAgent = ctx.agent_id.startsWith("dev-agent-");
    
    if (!isDevAgent) {
      return { 
        action: "deny", 
        reason: `Agent ${ctx.agent_id} lacks write authorization for branch` 
      };
    }
  }
  
  return { action: "allow" };
}
        

_Payment Security Layer

EVM-Native payments, key-isolated by architecture.

Agents initiate transactions through the T8 Engine instead of holding private keys. Signing happens in an isolated process behind the proxy, with spending limits enforced before any transaction reaches the network.

Standardized x402 Protocol

Built directly on the open-source x402 payment specification, facilitating smooth, gasless USDC standard transactions across EVM networks.

The RemoteProvider Interface

Keeps payment keys safely isolated in an isolated, secure process. The agent asks for payment execution; the T8 Control Plane processes the request after confirming rule compliance.

Enforced Spending Budgets

Configure single-transaction bounds, daily limits, and connection caps to guarantee agent actions are physically bounded by mathematical controls.

INVERSED-PAY-SDK

>>> import inversed_pay as pay

>>> provider = pay.RemoteProvider(endpoint="https://t8/pay")

>>> tx = provider.transfer(to="0x402...", amount=50.00, token="USDC")

[t8] Remote payload received. Checking transaction budgets...

[t8] Validating signature. Multi-sig constraints approved.

[t8] Submitting transaction to EVM network...

>>> print(tx.hash)

"0x5f9b4c0d... (EIP-3009 gasless transfer complete)"

_Tamper-Proof Audit logs

Cryptographically verifiable Merkle Tree transparency.

Every decision and proxied call is written into an append-only Merkle tree modelled on RFC 9162 (Certificate Transparency). Deletions and modifications become detectable to external verifiers without requiring trust in the log operator.

Append-Only Merkle Consistency

Logs are compiled into a Merkle-tree following RFC 9162 (Certificate Transparency). Anyone can verify that past events were not modified using O(log n) cryptographic consistency proofs.

Cryptographic Non-Repudiation

Every log state is cryptographically signed using industry-standard primitives (like ECDSA P-256). This provides a mathematically verifiable history of agent actions that organizations can rely on during audits.

External Anchor Verification

Securely push and anchor signed checkpoints to independent targets—Amazon S3 (with Object Lock), Git, public blockchains, or trusted emails—preventing internal server root-user tampering.

VERIFIABLE-AUDIT-LOG

Root Hash (STH): 0x7f23c01a9b24ed...

├── Node L1: 0x89e02c1...

├── Node L2_A: 0x99c2fd1... (Verified inclusion)

└── Tool Call: stripe:refund {tx: 401}

└── Node L2_B: 0x44bf00d...

Signed Signature Block:

[ECDSA_CLASSICAL] OK: 3045022100...

Anchor state: Anchored to AWS S3 Object Lock at 14:32:01 UTC

_Reference

Detailed reference

Dive into the configuration formats, request lifecycle, and rule contracts.

Data plane

T8 Engine

Proxy modes (HTTPS prefix, MITM, HTTP proxy, MCP), TOML route config, credential resolution, CA install, environment variables.

Read the reference →

Policy

Permission Rule Scripts

Function signature, context schema for HTTP & MCP, return contract, execution limits, debugging, deny behaviour.

Read the reference →

_Engineering details

Layer summary

Quick reference for what each layer is responsible for. Source and installation instructions live in the t8 plugin repository.

Layer	Primary Objective
Control Plane	Admin API endpoints, Postgres configuration state, connection metadata, credentials.
Data Plane (T8 Engine)	Low-latency, stateless proxy paths (HTTPS Prefix, MITM, HTTP proxy) for agent-API routing.
Rule Execution	Millisecond-scale policy evaluations inside resource-constrained V8 virtual machines.
Payment SDK	Open x402 compliance, gasless EVM transfers, RemoteProvider secure isolation.
Transparency Log	Certificate Transparency modeled append-only Merkle-tree structures for complete audits.