Open-source · Go 1.23+ · MIT-licensed

KIFF

Trust infrastructure for AI-operated systems.

A governance protocol between agent proposals and execution. The agent proposes; the runtime decides whether the proposal is allowed to execute.

Try the demo View on GitHub Read the docs
propose · curl
curl https://demo.kiff.dev/refund \
  -H 'content-type: application/json' \
  -d '{"order":"ord_001","amount":4900,"reason":"customer request"}'
decide · response
{
  "outcome": "executed",
  "action": "AUTO_REFUND",
  "entity_id": "ord_001",
  "audit_url": "https://demo.kiff.dev/admin/entities/ord_001"
}

The shape · six primitives, one loop

Between proposal and execution.

KIFF puts a runtime between the agent and your real systems. Every action is a contract: allowed states, required parameters, required permissions, risk, approval requirement. The agent proposes; the runtime decides.

KIFF coordination loopRaw inputs become normalized events that update shared state. The agent records a decision and proposes an action. The runtime validates the action against state, parameters, and permissions; if approval is required it waits for a human reviewer. Once cleared, the executor runs and the result feeds back into the audit trail, which can rebuild state from scratch. raw inputs EVENTS what happened STATE what is true now DECISIONS agent reasoning ACTIONS validated contracts APPROVALS human authority on risk EXECUTOR runs only if cleared AUDIT append-only, replayablerebuild
Failures return typed errors. Successes append events that drive the next state transition. Everything ends up in the audit trail. Replay produces the same state from the same events.

Why · prompt is the wrong layer

Free-form tool calls vs. action contracts.

Most AI features start at the prompt. They work in development, then break the first time an agent confidently does the wrong thing in production. KIFF is a different layer: the runtime between proposal and execution.

without kiff · python
# the agent calls your real system directly.
# state guards live in the prompt, if they live anywhere.

def refund(order_id: str, amount: int, reason: str) -> dict:
    db.update("orders", id=order_id, status="REFUNDED")
    stripe.refund(order_id, amount=amount)
    return {"ok": True}

# llm chooses inputs. nothing checks the order is paid.
# nothing requires approval at $99,900. no audit trail.
with kiff · go
// the agent records a proposal. the runtime decides.
return action.ActionContract{
    Name:                "REFUND_ORDER",
    AllowedStates:       []string{"PAID"},
    RequiredParameters:  []string{"amount", "reason"},
    RequiredPermissions: []permission.Permission{"orders.refund"},
    Risk:                action.RiskHigh,
    ApprovalRequirement: action.ApprovalRequired,
    Executor:            refundOrderExecutor,
}

The agent does not call refundOrderExecutor directly. It records a proposal. The runtime checks current state, parameters, permissions, and approval before any executor runs. Failures return typed errors. Successes append events that drive the next state transition.

Scenarios · same domain, different outcomes

One agent. Five honest endings.

Each scenario is a real KIFF run, scripted on this page so you can read the request, the response, the audit trail, and the rationale together. No live backend; the same JSON the framework's worked examples produce locally.

Small refund

executed

Low-risk refund on a paid order. Auto-execute, audit, done.

propose · curl
curl https://demo.kiff.dev/refund \
  -H 'content-type: application/json' \
  -d '{"order":"ord_001","amount":4900,"reason":"customer request"}'
decide · response
{
  "outcome": "executed",
  "action": "AUTO_REFUND",
  "entity_id": "ord_001",
  "audit_url": "https://demo.kiff.dev/admin/entities/ord_001"
}
Audit trail · 7 records
timekindactorsummary
09:41:02.123event_ingestedstripeORDER_PLACED
09:41:02.124state_changedstripeCREATED → PAID
09:42:11.001decision_recordedops-agentpropose AUTO_REFUND
09:42:11.002action_validatedops-agentAUTO_REFUND ✓
09:42:11.005action_executedops-agentAUTO_REFUND
09:42:11.006event_ingestedops-agentORDER_REFUNDED
09:42:11.007state_changedops-agentPAID → REFUNDED

rebuild: materialized state matches replay ✓

Order is PAID. Amount is below the auto-execute threshold. AUTO_REFUND requires no approval. KIFF runs it.

Large refund

approval required

High-risk refund. KIFF holds execution and asks a human.

propose · curl
curl https://demo.kiff.dev/refund \
  -H 'content-type: application/json' \
  -d '{"order":"ord_002","amount":99900,"reason":"customer request"}'
decide · response
{
  "outcome": "approval_required",
  "action": "REFUND_ORDER",
  "approval_id": "appr_xyz",
  "review_url": "https://demo.kiff.dev/admin/approvals/appr_xyz"
}
Audit trail · 4 records
timekindactorsummary
09:48:02.001event_ingestedstripeORDER_PAID
09:48:02.002state_changedstripePAID
09:50:18.430decision_recordedops-agentpropose REFUND_ORDER (high)
09:50:18.431approval_requiredops-agentREFUND_ORDER awaiting human

rebuild: materialized state matches replay ✓

REFUND_ORDER is high-risk. ApprovalRequirement is required. KIFF blocks execution and opens a review record.

Approval granted

approval granted

A reviewer signs off on the held refund. KIFF executes the original proposal.

propose · curl
curl -X POST https://demo.kiff.dev/admin/approvals/appr_xyz/grant \
  -H 'content-type: application/json' \
  -d '{"reviewer":"ops-human","note":"verified with customer"}'
decide · response
{
  "outcome": "approval_granted",
  "approval_id": "appr_xyz",
  "action": "REFUND_ORDER",
  "executed": true,
  "audit_url": "https://demo.kiff.dev/admin/entities/ord_002"
}
Audit trail · 4 records
timekindactorsummary
09:53:55.011approval_grantedops-humanREFUND_ORDER granted
09:53:55.092action_executedops-agentREFUND_ORDER
09:53:55.093event_ingestedops-agentORDER_REFUNDED
09:53:55.094state_changedops-agentPAID → REFUNDED

rebuild: materialized state matches replay ✓

Approval was granted by a human reviewer. KIFF marks the context approved and runs the original proposal.

Approval denied

blocked

A reviewer rejects the held refund. The action never runs.

propose · curl
curl -X POST https://demo.kiff.dev/admin/approvals/appr_xyz/deny \
  -H 'content-type: application/json' \
  -d '{"reviewer":"ops-human","note":"order disputed"}'
decide · response
{
  "outcome": "blocked",
  "approval_id": "appr_xyz",
  "action": "REFUND_ORDER",
  "executed": false,
  "reason": "approval_denied"
}
Audit trail · 2 records
timekindactorsummary
10:01:20.004approval_deniedops-humanREFUND_ORDER denied
10:01:20.005action_blockedops-agentREFUND_ORDER not executed

rebuild: materialized state matches replay ✓

A denied approval is terminal. KIFF will not run the action even if the same proposal is retried under the same context.

Unpaid order

blocked

Refund attempted on an unpaid order. State guard blocks before any executor runs.

propose · curl
curl https://demo.kiff.dev/refund \
  -H 'content-type: application/json' \
  -d '{"order":"ord_003","amount":4900,"reason":"customer request"}'
decide · response
{
  "outcome": "blocked",
  "action": "AUTO_REFUND",
  "reason": "state_not_allowed",
  "current_state": "CREATED",
  "allowed_states": ["PAID"]
}
Audit trail · 4 records
timekindactorsummary
10:14:09.220event_ingestedstripeORDER_PLACED
10:14:09.221state_changedstripeCREATED
10:15:30.118decision_recordedops-agentpropose AUTO_REFUND
10:15:30.119action_blockedops-agentstate_not_allowed

rebuild: materialized state matches replay ✓

AUTO_REFUND requires PAID. Order is CREATED. KIFF refuses to call the executor; the LLM's confident proposal does not become a state change.

Cloud audit records are tamper-evident: anyone can verify them independent of the cloud's database.

Examples · two operational stories

Two examples, two proofs.

Pick an example. Each one is a concrete situation; the runtime is the difference between confident proposals and honest endings.

Five shifts. Five endings. One runtime.

An AI shift manager proposes operational actions — ordering supplies, messaging staff, escalating suppliers. KIFF decides what executes, what waits, what blocks, what escalates.

  1. ticket 1 small in-catalog inventory order executed
  2. ticket 2 bulk order over the per-call ceiling approval_required
  3. ticket 3 off-catalog specialty request blocked
  4. ticket 4 staff message at 02:14 blocked
  5. ticket 5 missed supplier delivery escalated

What KIFF is not

Not a replacement for what you already use.

KIFF is a different layer: the governance protocol between agent proposals and execution. It composes with whatever you already use.

Run it locally · about five minutes

Three commands to a governed loop.

One Go install, one template, one make target. You get a Go domain, an HTTP server, a deterministic stub agent (Bedrock with one flag), and a make demo that runs the governed loop end to end.

1 · install
go install github.com/kiffhq/kiff/cmd/kiff@latest
2 · scaffold
kiff new -template=agentic-ops github.com/your/project
cd project
3 · run the demo
make demo
# auto-execute, approve-then-execute, block-on-missing-consent
# escalate, close — five outcomes, one governance loop