How fast can the gateway evaluate whether an agent should be allowed to act? These numbers come from the production gateway running on Railway.
Every agent action passes through the ProxyGateway enforcement boundary. The gateway checks delegation scope, spend limits, reputation tier, values floor, revocation status, taint, anomaly detection, and the remaining constraint dimensions (15 in total). The design principle: deny fast, log everything.
| Metric | Value | Notes |
|---|---|---|
| Policy evaluation p50 | <2ms | Full 15-dimension constraint check |
| Policy evaluation p95 | <5ms | Including reputation lookup |
| Policy evaluation p99 | <10ms | Worst case with cold cache |
| Denial latency | <1ms | Fail-fast on first constraint violation |
| Receipt generation | <1ms | Ed25519 signed, hash-chained |
| Sustained throughput | 403 ops/sec | Single-threaded gateway |
| Cascade revocation | <5ms | Chains up to 100 deep |
| Nano transaction | <1s | Feeless, delegation-scoped |
Measured on a Railway deployment (shared CPU, 512 MB RAM). Dedicated infrastructure would likely be faster.
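For readers who want to reproduce percentile figures like the ones in the table, here is a minimal sketch of how p50/p95/p99 latencies can be computed from raw timings. It is not the harness used to produce the numbers above. The function names (`percentile`, `measure`, `summarize`) are hypothetical, and the nearest-rank percentile method is an assumption, since the source does not say which method was used.

```python
import math
import time


def percentile(samples, pct):
    """Nearest-rank percentile: the smallest sample such that at least
    pct percent of all samples are less than or equal to it."""
    if not samples:
        raise ValueError("no samples")
    ordered = sorted(samples)
    # Multiply before dividing so integer percentiles stay exact.
    rank = max(1, math.ceil(pct * len(ordered) / 100))
    return ordered[rank - 1]


def measure(fn, runs=1000):
    """Call fn repeatedly and return each call's latency in milliseconds."""
    latencies_ms = []
    for _ in range(runs):
        start = time.perf_counter()
        fn()
        latencies_ms.append((time.perf_counter() - start) * 1000)
    return latencies_ms


def summarize(latencies_ms):
    """Return the three percentiles reported in the table."""
    return {f"p{p}": percentile(latencies_ms, p) for p in (50, 95, 99)}
```

In use, `fn` would wrap a single policy evaluation call against the gateway, and `summarize(measure(fn))` would yield the three values to compare against the table.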
To be permitted, an action must pass every applicable dimension. The gateway evaluates them in order and short-circuits on the first failure, which is why denial is sub-millisecond.
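The fail-fast behavior can be illustrated with a short sketch. This is not the gateway's actual code: the `Action` and `Decision` types, the three example checks, and their thresholds are all hypothetical, and only three of the constraint dimensions are modeled.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Action:
    agent_id: str
    tool: str
    cost: float


@dataclass(frozen=True)
class Decision:
    allowed: bool
    failed_check: Optional[str] = None
    checks_run: int = 0


# Hypothetical constraint checks; each returns True when the action passes.
def in_scope(action):
    return action.tool in {"search", "email"}


def under_spend_limit(action):
    return action.cost <= 10.0


def not_revoked(action):
    return action.agent_id not in {"agent-revoked"}


CHECKS = [
    ("delegation_scope", in_scope),
    ("spend_limit", under_spend_limit),
    ("revocation", not_revoked),
]


def evaluate(action, checks=CHECKS):
    """Run checks in order and stop at the first one that fails."""
    for position, (name, check) in enumerate(checks, start=1):
        if not check(action):
            # Short-circuit: later checks are never executed.
            return Decision(False, name, position)
    return Decision(True, None, len(checks))
```

A denied action returns after the first failing check, so its cost depends on where that check sits in the list. A permitted action always pays for every check.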
The gateway is both judge and executor. The agent requests an action. The gateway evaluates all constraints, executes the action if permitted, and generates the receipt. Agents never touch tools directly. This is why enforcement can't be bypassed.
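A minimal sketch of this judge-and-executor pattern follows. The `Gateway` class, its method names, and the receipt fields are hypothetical rather than the ProxyGateway API. Receipts here are only hash-chained with SHA-256. The Ed25519 signature mentioned in the table is deliberately left out to keep the example within the standard library.

```python
import hashlib
import json

GENESIS = "0" * 64  # placeholder "previous hash" for the first receipt


def _digest(body):
    """Hash a receipt body deterministically (keys sorted before encoding)."""
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class Gateway:
    def __init__(self, tools, policy):
        self._tools = tools    # tool name -> callable, held only by the gateway
        self._policy = policy  # callable(agent_id, tool, args) -> bool
        self.receipts = []

    def _append_receipt(self, agent_id, tool, allowed):
        prev = self.receipts[-1]["hash"] if self.receipts else GENESIS
        body = {"agent": agent_id, "tool": tool, "allowed": allowed, "prev": prev}
        receipt = {**body, "hash": _digest(body)}
        self.receipts.append(receipt)
        return receipt

    def request(self, agent_id, tool, args):
        """Judge the request, execute it if permitted, and always log a receipt."""
        allowed = tool in self._tools and self._policy(agent_id, tool, args)
        result = self._tools[tool](**args) if allowed else None
        return result, self._append_receipt(agent_id, tool, allowed)


def verify_chain(receipts):
    """Recompute every hash and confirm each receipt links to the one before it."""
    prev = GENESIS
    for receipt in receipts:
        body = {key: receipt[key] for key in ("agent", "tool", "allowed", "prev")}
        if receipt["prev"] != prev or receipt["hash"] != _digest(body):
            return False
        prev = receipt["hash"]
    return True
```

The agent only ever calls `request`. The tool callables stay inside the gateway object, and denials produce a receipt just as permitted actions do, which matches the "log everything" principle.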
| Component | Count | Notes |
|---|---|---|
| Protocol modules | 127 | 84 core + 43 v2 constitutional |
| MCP tools | 150 | Full protocol surface via MCP |
| Tests | 2,884 | Including adversarial + invariant suites |
| Gateway routes | 33 | REST API for enforcement + admin |
| Module connectivity | 79% | Connected through gateway enforcement hub |
| Research papers | 8 | Zenodo, independently cited |
Most agent frameworks handle orchestration. APS handles enforcement. These are the capabilities that matter when you need to control what agents do, not just coordinate them.
| Capability | APS | CrewAI | LangChain | A2A | ADK |
|---|---|---|---|---|---|
| Cryptographic identity | Yes | No | No | No | No |
| Delegation with narrowing | Yes | No | No | No | No |
| Gateway enforcement | Yes | No | No | No | No |
| Earned reputation | Yes | No | No | No | No |
| Feeless payments (Nano) | Yes | No | No | No | No |
| Cascade revocation | Yes | No | No | No | No |
| Merkle attribution | Yes | No | No | No | No |
| Values floor enforcement | Yes | No | No | No | No |
| Institutional governance | Yes | No | No | No | No |
| Agent orchestration | No* | Yes | Yes | Yes | Yes |
| LLM integration | No* | Yes | Yes | No | Yes |
* APS is the governance layer underneath. It works with any orchestration framework. You use CrewAI or LangChain for orchestration. You use APS for enforcement.
2,884 tests across 130+ modules. The test suite includes unit tests, integration tests, adversarial scenarios (replay attacks, confused deputies, scope escalation), invariant checks (monotonic narrowing, cascade completeness), and stress tests (concurrent gateway load).
| Suite Type | Count | What It Tests |
|---|---|---|
| Unit tests | ~1,200 | Individual module correctness |
| Integration tests | ~300 | Cross-module interaction, gateway pipelines |
| Adversarial tests | ~200 | Replay, escalation, confused deputy, scope bypass |
| Invariant tests | ~100 | Monotonic narrowing, cascade completeness, receipt integrity |
| Stress tests | ~40 | Concurrent load, circuit breaker thresholds |
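Two of the invariants named in the table, monotonic narrowing and cascade completeness, can be sketched as follows. This is an illustration under stated assumptions, not the project's test code. The `Delegation` type, its fields, and the `delegate` and `revoke` helpers are hypothetical, and authority is modeled as just a scope set plus a spend limit.

```python
from dataclasses import dataclass, field


@dataclass
class Delegation:
    id: str
    scope: frozenset
    spend_limit: float
    children: list = field(default_factory=list)
    revoked: bool = False


def delegate(parent, child_id, scope, spend_limit):
    """Create a child delegation, rejecting any attempt to widen authority."""
    scope = frozenset(scope)
    # Monotonic narrowing: the child's scope must be a subset of the parent's
    # and its spend limit must not exceed the parent's.
    if not scope <= parent.scope or spend_limit > parent.spend_limit:
        raise ValueError("child delegation must not widen the parent's authority")
    child = Delegation(child_id, scope, spend_limit)
    parent.children.append(child)
    return child


def revoke(node):
    """Revoke a delegation and every descendant; return how many were revoked.

    Iterative rather than recursive, so deep chains do not hit Python's
    recursion limit.
    """
    stack, count = [node], 0
    while stack:
        current = stack.pop()
        if not current.revoked:
            current.revoked = True
            count += 1
        stack.extend(current.children)
    return count


def all_revoked(node):
    """Cascade completeness: no descendant of a revoked node remains active."""
    stack = [node]
    while stack:
        current = stack.pop()
        if not current.revoked:
            return False
        stack.extend(current.children)
    return True
```

An invariant test in this style would build a chain (for example 100 levels deep, the depth quoted in the performance table), call `revoke` on the root, and assert `all_revoked(root)`.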