Many agent-safety checks look only at the endpoint action: tool name, target, and parameters. CCA studies cases where the action object is identical but the authorization path is different. The result: endpoint-only judging cannot recover path evidence that was never provided to it — especially for delegated scope and chain verifiability.
Two calls to the same tool, with the same target and parameters, can differ only in how they became permissible — who delegated the authority, and whether the chain that produced the action is verifiable. That evidence lives outside the endpoint channel. A path-aware interface receives it as trusted metadata; an endpoint-only judge never sees it.
All checks are deterministic; there is no LLM judge in the authorization loop.
In a controlled matched-pair evaluation, three frontier endpoint judges permitted 58 of 60 illegitimate chain-verifiability cases — the action looked identical to a legitimate one, and the missing evidence never reached their input. The path-aware gate separates all matched pairs in the same harness, under trusted path-side metadata assumptions.
Gate latency: 0.1 ms median, vs 513 ms for an LLM judge measured in the same controlled harness.
The reference implementation is complete and ships as a self-contained technical evaluation bundle: on a fresh Linux or macOS machine, ./verify.sh runs 105 deterministic checks with no API key, alongside an adversarial CLI covering request substitution, under-grading, a concurrent replay race, crash reconciliation, and revocation. The bundle is integrity-anchored by a SHA-256 manifest the evaluator recomputes, and every gate it exercises is mutation-bound — known-vulnerable mutants must each turn their official gate red, so the checks are proven non-vacuous rather than assumed. PAG covers exact action binding, controlled dispatch, signed authorization receipts, replay-safe execution, and audit visibility, targeting agent SDK / MCP-style runtime environments. The bundle is available under NDA.
Between the tool dispatcher and the target system — the same boundary that MCP-style connectors, agent-SDK tool hooks, and enterprise LLM gateways have standardized. Permission lists at that boundary answer what an agent may call; path authorization answers whether the call it is making now was produced by an authorized path. CCA deploys there as a deterministic proxy and adds the evidence channel — verified origin, delegated scope, audit coverage — alongside replay-safe dispatch for irreversible calls, structured denial the agent can replan from, and signed authorization receipts. What it deliberately does not supply — key management, HA storage, tenant isolation — is what a host platform already has. The cut is complementary by design.
This work's own premise is that narration is not evidence, so we don't ask you to trust a clip. The reference implementation ships as a no-key evaluation bundle: fresh machine, one command, deterministic result.
$ ./verify.sh 105 passed — VERIFY: PASS (no-key deterministic path)
An adversarial CLI runs alongside it — request substitution, under-grading, a concurrent replay race, crash reconciliation, revocation — each with an expected verdict that is checked, not narrated. Every gate exercised here is mutation-bound: known-vulnerable mutants must each turn their gate red before the gate counts as evidence. Evaluation access is under NDA. Ask, and it runs in front of you.
For technical evaluation, licensing, or research collaboration:
certumsystems@gmail.com