MetapriseAI/OrgKernel

A PKI for bots: when your AI agent needs a driver's license

OrgKernel treats AI agents like employees who can be impersonated, over-authorized, or audited—so it issues them Ed25519 identities, scoped execution tokens, and tamper-evident audit chains.

1.3k stars · Python · tags: Other, AI · velocity (7d): +17 ★/day · trend: steady

What it does

OrgKernel is a Python/FastAPI security layer that gives AI agents cryptographic identities (Ed25519 keypairs signed by an Org CA), mints mission-scoped execution tokens with tool allowlists and numeric parameter bounds, and writes everything to a three-layer SHA-256 hash-chained audit log. It does not run models; it decides whether an agent is allowed to act, and leaves proof that it checked.

The interesting bit

The “token grafting” prevention is the kind of detail most systems skip: every execution token is Ed25519-signed by the Org CA and bound to a specific agent_id, so stealing a token from another mission gets you nowhere. The audit chain is similarly paranoid—three separate SHA-256 chains (IDENTITY, EXECUTION, COMPLIANCE), so tampering in one layer doesn’t cascade across all logs.

Key highlights

  • Ed25519 PKI with CSR workflow, challenge-response auth, and 5-minute nonce TTL for anti-replay
  • Execution tokens carry tool allowlists and numeric parameter bounds, not just coarse permissions
  • Three-layer audit: L1 business context, L2 every tool call/transition, L3 compliance-only escalations
  • 27 REST endpoints in Phase 1; PostgreSQL/MySQL/SQLite persistence
  • Apache 2.0 licensed, Python 3.10+
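
As an added illustration of the agent_id binding and the tool/parameter-bound checks described above (this is not OrgKernel's code; the function names, token layout and the `cryptography` package are assumptions), the following shows why a token lifted from another agent, or re-labelled with a new agent_id, is rejected:

```python
import json, os
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

CA_KEY = Ed25519PrivateKey.generate()   # hypothetical Org CA signing key
AGENTS = {}                             # agent_id -> public key enrolled with the CA

def enroll(agent_id):
    """Issue an identity; keygen is server-side here, as the page's caveat notes."""
    key = Ed25519PrivateKey.generate()
    AGENTS[agent_id] = key.public_key()
    return key

def canonical(body):
    return json.dumps(body, sort_keys=True).encode()
def mint_token(agent_id, mission_id, tools, bounds):
    """Org CA signs the token body; bounds is {param: [lo, hi]}."""
    body = {"agent_id": agent_id, "mission_id": mission_id,
            "tools": sorted(tools), "bounds": bounds}
    return {"body": body, "sig": CA_KEY.sign(canonical(body))}

def authorize(token, caller_id, nonce, nonce_sig, tool, params):
    """Gate one tool call. Returns (allowed, reason)."""
    try:                                # 1. token is CA-signed, so its fields are unforgeable
        CA_KEY.public_key().verify(token["sig"], canonical(token["body"]))
    except InvalidSignature:
        return False, "bad CA signature"
    pub = AGENTS.get(caller_id)         # None for an unenrolled caller
    try:                                # 2. challenge-response: caller holds caller_id's key
        pub.verify(nonce_sig, nonce)
    except (InvalidSignature, AttributeError):
        return False, "caller failed challenge"
    if token["body"]["agent_id"] != caller_id:   # 3. the anti-grafting binding
        return False, "token grafting: agent_id mismatch"
    if tool not in token["body"]["tools"]:       # 4. tool allowlist
        return False, "tool not in allowlist"
    for name, (lo, hi) in token["body"]["bounds"].items():   # 5. numeric bounds
        value = params.get(name)
        if not isinstance(value, (int, float)) or not lo <= value <= hi:
            return False, f"{name} outside [{lo}, {hi}]"
    return True, "ok"

def demo():
    a_key, b_key = enroll("agent-a"), enroll("agent-b")
    tok = mint_token("agent-a", "m-1", ["web_search"], {"max_results": [1, 50]})
    forged = {"body": dict(tok["body"], agent_id="agent-b"), "sig": tok["sig"]}  # re-labelled copy
    nonce = os.urandom(16)              # fresh challenge for this request (constructed scenario)
    call = lambda t, who, key, n: authorize(t, who, nonce, key.sign(nonce), "web_search", {"max_results": n})
    return {"legit": call(tok, "agent-a", a_key, 10), "grafted": call(tok, "agent-b", b_key, 10),
            "forged": call(forged, "agent-b", b_key, 10), "oob": call(tok, "agent-a", a_key, 500)}
```

The forged copy fails at the CA signature before the agent_id is even compared, which is the property that makes the binding meaningful: only the Org CA can mint a token that names a different agent.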

Caveats

  • Five of eight modules are still planned (Phases 2–5): mission lifecycle state machine, tool gateway, policy engine, authority graph, and data classifier are not implemented
  • The full “Mission Launch → Approval → Tool Execution → Close” flow exists only in documentation
  • Server-side keypair generation for agents means the Org CA briefly holds private keys during issuance

Verdict

Worth watching if you’re building multi-agent systems where “trust but verify” isn’t a slogan but a requirement. Skip it if you need a working policy engine or authority graph today—those are still on the roadmap.
