Writing UAPK manifests, compiling governed entities, and the plan.lock workflow
View All Tags
The UAPK gateway returns structured responses for every evaluation. A DENY or ESCALATE response includes a reason code that tells you exactly which policy check failed and why. If you're building an integration and getting unexpected denies, this post is your reference.
The manifest defines what an AI agent is allowed to do over its entire deployed lifetime. That's too coarse for most real deployments. You want the agent to be able to read customer data when it's responding to a customer query — but not when it's running a batch analytics task. You want different agents deployed with the same manifest to have different effective permissions depending on what task they're executing.
Capability tokens solve this. They are signed credentials — issued per session or per task — that scope the agent's permissions to a subset of its manifest-defined capabilities, for a specific time window, with a maximum action count.
The fastest path from zero to a governed AI agent is: run the qualification funnel → get your framework list → configure a manifest → register it → make a call. This post walks through each step with real examples.
If you're impatient, the manifest for a simple US SaaS agent is at the bottom of this post. For everyone else, starting with the qualification funnel means you understand why each field is configured the way it is.