A new layer is consolidating in the agent stack, and it has a name now: pre-action authorization. The idea is clean. Before an agent executes a tool call, a deterministic policy engine intercepts it, checks it against declarative rules, and signs an audit record. The model proposes; the gateway disposes.

This pattern is real and it is shipping.

In "Before the Tool Call: Deterministic Pre-Action Authorization for Autonomous AI Agents" (arXiv 2603.20953), Uchi Uchibeke specifies it precisely: authorization "runs at the framework layer, not the model's reasoning layer. Prompt injection cannot override it." Same inputs, same decision, no model in the evaluation path. The Agent Passport System (APS) ships the same shape in production form — Ed25519 identities, scoped delegation that can only narrow, a three-signature action chain.

The architecture is right. The protocol layer cannot enforce safety, so a deterministic gateway above it must. NSA's June MCP advisory says the same thing from the defensive side: deny-by-default, scope everything, sign every message.
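
The gateway shape described above, as an added Python example (not code from the paper, APS, or the NSA advisory). The tool names, path prefixes and function names are assumptions, and HMAC-SHA256 with a placeholder key stands in for the Ed25519 signatures so the block runs on the standard library alone.

```python
import hashlib, hmac, json, posixpath

# Constructed declarative rules: tool name -> path prefix the call must stay inside.
POLICY = {"fs.read": "/srv/reports/", "fs.write": "/srv/reports/drafts/"}
AUDIT_KEY = b"placeholder-demo-key"  # assumption: HMAC stands in for an Ed25519 signature


def narrow(parent: frozenset, requested: frozenset) -> frozenset:
    """Delegation may only narrow: the child scope must be a subset of the parent's."""
    if not requested <= parent:
        raise ValueError("delegation would widen scope")
    return requested


def decide(scopes: frozenset, call: dict) -> str:
    """Pure function of scopes, call and POLICY; no model in the evaluation path."""
    tool, args = call.get("tool"), call.get("args")
    if not isinstance(tool, str) or tool not in scopes or tool not in POLICY:
        return "deny"  # deny-by-default: unknown or undelegated tool
    if not isinstance(args, dict) or set(args) != {"path"} or not isinstance(args["path"], str):
        return "deny"  # missing or unexpected arguments are refused, not ignored
    # Normalise before matching so "../" cannot step outside the allowed prefix.
    norm = posixpath.normpath(args["path"])
    return "allow" if (norm + "/").startswith(POLICY[tool]) else "deny"


def authorize(scopes: frozenset, call: dict, prev_sig: str = ""):
    """Decide, then sign an audit record chained to the previous record's signature."""
    decision = decide(scopes, call)
    body = json.dumps({"call": call, "decision": decision, "prev": prev_sig},
                      sort_keys=True, default=str)
    sig = hmac.new(AUDIT_KEY, body.encode(), hashlib.sha256).hexdigest()
    return decision, {"body": body, "sig": sig}


def verify(record: dict) -> bool:
    """Recompute the signature over the stored body and compare in constant time."""
    expected = hmac.new(AUDIT_KEY, record["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, record["sig"])
```

The record carries no timestamp so that identical inputs produce an identical decision and record; lexical normalisation does not resolve symlinks, which the tool executing the call would still have to handle.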

So the design is converging. Here is the part that isn't.