Benchmarks
How fast can the gateway evaluate whether an agent should be allowed to act? The numbers below come from the APS benchmark suite, measured at four layers from the raw verifier core to a full gateway round-trip, on three machines, with both median and tail latency.
Runtime performance
APS is measured at four layers, from the raw verifier core to a full gateway authorization round-trip, on three environments. Bare-metal Linux (AMD EPYC 7313P) is the canonical reference; Apple M3 and AWS c7i (Intel Xeon 8488C) are shown for range. Core layers run single-threaded over 1,000,000 iterations, the gateway round-trip over 1,000. Both p50 (median) and p99 (tail) are reported.
| Layer | What it measures | Mac M3 | AWS c7i | EPYC (canonical) | p99 (EPYC) |
|---|---|---|---|---|---|
| L0 · verifier core | signature and delegation-chain check, hot cache | 292ns | 347ns | 420ns | 470ns |
| L2 · SDK call | the same check as your code calls it, through N-API | 3.9µs | 5.7µs | 6.5µs | 8.1µs |
| L3 · durable | the call plus a persisted audit record (queued commit) | 4.0µs | 6.7µs | 7.6µs | 13.2µs |
| L4 · gateway round-trip | full authorization across the enforcement boundary | 305µs | 1.07ms | 822µs | 6.0ms |
The fast-reject deny path matches L0 within noise. A synchronous fsync per action, instead of queued commit, is disk-bound: about 1.3ms on server SSD. Durability and round-trip tails are environment-dependent.
Full enforcement stack
The L4 figure above is the lean round-trip. The product gateway does more on every call: cascade revocation, escalation checks, charter governance, settlement, drift detection. Measured against that full stack:
| Operation | Latency | Notes |
|---|---|---|
| Policy evaluation p50 | <2ms | full constraint check across all applicable facets |
| Policy evaluation p99 | <10ms | cold cache, worst case |
| Denial | <1ms | fail-fast on the first failing facet |
| Receipt generation | <1ms | Ed25519 signed, hash-chained |
| Cascade revocation | <5ms | chains up to 100 deep |
Full-stack figures from the gateway benchmark suite, 500 iterations per scenario.
15 Constraint Dimensions
Every action is evaluated against all applicable dimensions. The gateway short-circuits on the first failure, which is why denial is sub-millisecond.
Scope
Delegation scope covers requested action
Spend
Cumulative budget not exceeded
Tier
Reputation tier permits action class
Values
Values floor attestation valid
Revocation
No ancestor in chain revoked
Taint
Cross-chain taint below threshold
Anomaly
No first-max-authority or monolith pattern
Circuit
Circuit breaker not tripped
Approval
Human approval threshold met
Temporal
Delegation not expired, HLC ordered
Jurisdiction
Data transfer jurisdiction OK
Purpose
Data purpose matches source terms
Combination
No forbidden data joins
Retention
Data retention TTL not exceeded
Terms
Agent accepted current data terms
Architecture
The gateway is both judge and executor. The agent requests an action. The gateway evaluates all constraints, executes the action if permitted, and generates the receipt. Agents never touch tools directly. Enforcement is applied at the gateway rather than left to the agent.
| Component | Count | Notes |
|---|---|---|
| Protocol modules | 107 | 84 core + 23 v2 constitutional |
| MCP tools | 150 | Full protocol surface via MCP |
| Tests | 3,881 | Including adversarial + invariant suites |
| Gateway routes | 33 | REST API for enforcement + admin |
| Module connectivity | 79% | Connected through gateway enforcement hub |
| Research papers | 8 | Published on Zenodo |
How We Compare
Most agent frameworks handle orchestration. APS handles enforcement. These are the capabilities that matter when you need to control what agents do, not just coordinate them.
| Capability | APS | CrewAI | LangChain | A2A | ADK |
|---|---|---|---|---|---|
| Cryptographic identity | Yes | No | No | No | No |
| Delegation with narrowing | Yes | No | No | No | No |
| Gateway enforcement | Yes | No | No | No | No |
| earned reputation | Yes | No | No | No | No |
| Feeless payments (Nano) | Yes | No | No | No | No |
| Cascade revocation | Yes | No | No | No | No |
| Merkle attribution | Yes | No | No | No | No |
| Values floor enforcement | Yes | No | No | No | No |
| Institutional governance | Yes | No | No | No | No |
| Agent orchestration | No* | Yes | Yes | Yes | Yes |
| LLM integration | No* | Yes | Yes | No | Yes |
* APS is the governance layer underneath. It works with any orchestration framework. You use CrewAI or LangChain for orchestration. You use APS for enforcement.
Test Coverage
3,932 tests across 107 modules. The test suite includes unit tests, integration tests, adversarial scenarios (replay attacks, confused deputies, scope escalation), invariant checks (monotonic narrowing, cascade completeness), and stress tests (concurrent gateway load).
The suite spans 174 test files. Among them are the cross-implementation conformance fixtures: canonical-JSON vectors that any verifier, in any language, can run to confirm byte-parity against the spec. Those are the tests that make receipts portable.
Independently cited by PDR in Production (University of British Columbia), which references the APS earned-reputation model. One external citation. Zenodo
For AI agents: Visit llms.txt for machine-readable documentation, llms-full.txt for the full technical reference, or .well-known/mcp.json for MCP server discovery.