ABSTRACT

As AI agents gain the ability to execute financial transactions autonomously, a critical governance gap emerges: how do you verify that an agent is operating within defined spending boundaries before a transaction executes? xBPP (Execution Boundary Permission Protocol) addresses this by providing a chain-agnostic, declarative policy evaluation standard. Unlike binary allow/deny systems, xBPP introduces a three-decision model - ALLOW, BLOCK, and ESCALATE - enabling graduated autonomy where agents can operate independently within bounds while deferring to human oversight in ambiguous situations. This paper describes the problem space, the protocol design, the evaluation pipeline, and the path toward formal standardization.

1. PROBLEM STATEMENT

The current landscape of AI agent payments operates on a dangerous binary: agents either have full access to spend (via API keys, wallet private keys, or pre-authorized credit lines) or no access at all. Neither extreme works for production autonomous systems.

Full access creates unacceptable risk. An agent with an unrestricted API key can drain an account through rapid small transactions, pay inflated prices to compromised vendors, or execute transactions that violate corporate policy - all without any checkpoint.

No access defeats the purpose of autonomy. If every transaction requires human approval, the agent is merely a suggestion engine - slower and more expensive than a human doing the work directly.

The missing piece is graduated autonomy - a way for agents to operate independently within defined bounds, with clear escalation paths for edge cases. This is what xBPP provides.

2. DESIGN PRINCIPLES

Policy is data, not code. Policies are expressed as declarative JSON documents. Any conforming implementation can evaluate them. This ensures portability across languages, runtimes, and chains.

Evaluate before execute. xBPP operates as a pre-execution checkpoint. The protocol evaluates intent before a transaction is submitted - never after. This prevents irreversible actions from violating policy.

Three decisions, not two. The ESCALATE decision is the key innovation. Binary allow/deny forces agents to guess on edge cases. ESCALATE enables the agent to say "I'm not sure - let a human decide" without blocking the workflow entirely.

Separation of concerns. The specification defines what to check. The SDK defines how to check it. The application decides what to do with the verdict. Each layer is independently replaceable.

Chain-agnostic. xBPP is not tied to any blockchain, payment rail, or currency. The same policy can govern on-chain USDC transfers, Stripe charges, and internal budget allocations.

Posture-driven ambiguity resolution. When the spec says a check "varies," the posture (AGGRESSIVE, BALANCED, CAUTIOUS) determines the outcome. This allows the same policy structure to express different risk tolerances.

3. PROTOCOL OVERVIEW

xBPP defines a standardized evaluation function:

evaluate(action, policy, state) → Verdict

The three inputs are:

Action:What the agent wants to do - a payment request with amount, currency, target, and metadata.
Policy:The rules governing the agent - limits, trusted recipients, rate limits, operating hours, verification requirements.
State:The agent's current spending state - how much has been spent today, this week, this month, recent transaction history.

The output is a Verdict containing the decision (ALLOW, BLOCK, or ESCALATE), an array of reason codes explaining why, and metadata for audit trails.

4. DATA STRUCTURES

xBPP defines four core data structures. All are expressed as JSON and are designed to be serializable, hashable, and portable.

// Policy - the rules
{
  "schema": "xbpp-pay/v1.0",
  "posture": "BALANCED",
  "limits": {
    "max_single": 100,
    "max_daily": 1000,
    "require_human_above": 500
  },
  "verification": "BUILT_IN"
}

// Action - the intent
{
  "type": "xbpp-pay/transfer",
  "value": { "amount": 150, "currency": "USDC" },
  "target": { "address": "0x...", "chain": "base" }
}

// Verdict - the decision
{
  "decision": "ESCALATE",
  "reasons": ["HIGH_VALUE"],
  "confidence": 0.85,
  "metadata": { "evaluator": "xbpp-sdk/0.1.0" }
}

5. EVALUATION PIPELINE

The specification defines a 9-phase evaluation pipeline. Each phase can produce reason codes that contribute to the final verdict. Phases are ordered by priority - early phases can short-circuit the pipeline.

1ValidationSchema and format validation

2EmergencyKill switch check (global/principal/agent)

3Input ValidationValue sanity (negative, zero, precision)

4Core LimitsSingle, daily, weekly, monthly spending bounds

5Duplicate DetectionAction hash deduplication

6VerificationCounterparty trust and registry checks

7Profile RulesChain rules, rate limits, gas, confidence

8EscalationHuman review triggers

9Final DecisionAggregate into verdict with reason codes

6. SECURITY MODEL

xBPP addresses the following threat categories with specific mitigations defined in the specification:

Slow drain attack

Rolling budget windows (hourly/daily/weekly) detect cumulative spending patterns

Policy tampering

Policy signing with hash verification prevents unauthorized modifications

Address poisoning

Dedicated security phase detects known attack patterns

Drainer contracts

Registry-based verification flags known malicious contracts

Rate-based attacks

Burst detection and per-minute rate limits prevent rapid transactions

Fragmentation attacks

Sliding window analysis detects split-transaction patterns

7. REFERENCE IMPLEMENTATION

The reference SDK (@vanar/xbpp v0.1.0-beta.1) is a TypeScript package with zero runtime dependencies. It implements the core policy engine covering:

▸Spending limits (per-transaction, hourly, daily)
▸Escalation thresholds
▸Recipient whitelisting and domain blocking
▸Rate limiting (requests per minute)
▸Suspicious pattern detection (rapid same-recipient transactions)
▸Operating hours enforcement
▸Currency filtering
▸Policy expiration
▸x402 payment protocol integration via fetch wrapper

Scope note: The SDK implements a 12-check flat evaluation model covering the core policy engine. Advanced features specified in the protocol (9-phase pipeline, two-phase commit, chain rules, kill switch, persistent audit trail) are planned for future releases.

8. COMPARISON

Dimension	xBPP	x402	Smart Contract
Focus	Pre-execution governance	Payment protocol	On-chain enforcement
Decision model	ALLOW / BLOCK / ESCALATE	Pay / Don't pay	Revert / Execute
Chain dependency	None (chain-agnostic)	Blockchain payment rails	Specific chain
Policy format	Declarative JSON	HTTP headers	Solidity/bytecode
Human escalation	Built-in ESCALATE decision	Not supported	Not supported
Composability	Works with x402	Standalone	Standalone

xBPP and x402 are complementary. x402 handles the payment mechanics (HTTP 402, stablecoins, settlement). xBPP handles the governance layer (should this payment happen at all?). The SDK's wrap() function demonstrates this integration directly.

9. ROADMAP

Current

▸Reference SDK (TypeScript, 12 core checks)
▸Protocol specification v1.0
▸Interactive spec simulator
▸x402 integration
▸@vanar/xbpp published on npm

Near-term

▸Conformance test suite
▸Independent implementation (Go or Python)
▸Persistent audit trail

Medium-term

▸Full 9-phase evaluation in SDK
▸Two-phase commit (confirm/void lifecycle)
▸Chain rules and security checks
▸Formal standards submission (EIP or internet-draft)

Long-term

▸Multiple independent implementations
▸IANA media type registration
▸Production deployments with real agents
▸Standards body adoption

XBPP: EXECUTION BOUNDARY PERMISSION PROTOCOL