Authority
The authority layer of the self-hosted stack.
The authority primitive of the stack, run inside your perimeter. Brokers every access from an autonomous actor to a consequential resource against its Sigil — identity-bound, scoped, time-limited, and recorded to Chronicle. Long-lived credentials disappear.
Warrant is a primitive of the Visca stack — it ships with the stack, versions with the stack, and audits with the stack. It is not separately purchasable.
What it is
An actor that needs to call an API, query a database, post to a channel, charge a card, or command a robot requests a Capability Grant from Warrant. Warrant authenticates the requesting Sigil, consults policy, optionally requires human consent, and vends an ephemeral, scoped credential bound to that single Capability Grant. Every grant is recorded to Chronicle under the same identity. The actor never holds the underlying secret. The actor never sees the network path. Every access is identity-bound, scoped, time-bound, and audited. Prompt injection becomes irrelevant as a route to credential theft: there is no broad-scope credential to exfiltrate. Because it runs inside your perimeter, the secrets and the policy that govern them never leave your walls.
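The broker flow described above (check policy, vend a short-lived credential bound to one capability and resource, enforce it on each use, record everything to a chained log) can be sketched as follows. This is an added example, not Warrant's code or API: the HMAC token format, the policy table, the actor name `agent:refund-bot`, the resource `customer:cus_EXAMPLE` and every function name are assumptions made for illustration.

```javascript
// Added illustration only: a toy broker, not Warrant's implementation or API.
const crypto = require("node:crypto");
const BROKER_KEY = crypto.randomBytes(32); // held by the broker only; the actor never sees it
const POLICY = { "agent:refund-bot": { "stripe:refund": { max_amount_usd: 50, max_ttl_s: 1800 } } }; // constructed
const auditLog = []; // append-only, hash-chained record (stand-in for an audit store)
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("hex");
const sign = (body) => crypto.createHmac("sha256", BROKER_KEY).update(body).digest("base64url");

function record(event) {
  const prev = auditLog.length ? auditLog[auditLog.length - 1].hash : "genesis";
  auditLog.push({ ...event, prev, hash: sha256(prev + JSON.stringify(event)) });
}

// Broker side: consult policy, then vend a token bound to one actor, capability and resource.
function requestGrant(actor, { capability, resource, constraint, ttl_s }, now = Date.now()) {
  const rule = (POLICY[actor] || {})[capability];
  const allowed = Boolean(rule) && ttl_s > 0 && ttl_s <= rule.max_ttl_s &&
    constraint?.max_amount_usd <= rule.max_amount_usd;
  record({ type: "grant", actor, capability, resource, allowed, at: now });
  if (!allowed) return null;
  const claims = { actor, capability, resource, constraint, exp: now + ttl_s * 1000 };
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${sign(body)}`;
}

// Resource side (a proxy in front of the real API): verify signature, expiry and scope per call.
function authorize(token, { capability, resource, amount_usd }, now = Date.now()) {
  const [body = "", mac = ""] = String(token).split(".");
  const expected = Buffer.from(sign(body));
  const given = Buffer.from(mac);
  let reason = "ok";
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    reason = "bad_signature";
  } else {
    const g = JSON.parse(Buffer.from(body, "base64url").toString());
    if (now >= g.exp) reason = "expired";
    else if (g.capability !== capability || g.resource !== resource) reason = "out_of_scope";
    else if (!(amount_usd <= g.constraint.max_amount_usd)) reason = "constraint_exceeded";
  }
  record({ type: "use", capability, resource, amount_usd, reason, at: now });
  return reason;
}

// Recompute the chain from the start; an edited or dropped entry breaks every later link.
function verifyAudit() {
  let prev = "genesis";
  return auditLog.every(({ prev: p, hash, ...event }) =>
    p === prev && hash === sha256(prev + JSON.stringify(event)) && ((prev = hash), true));
}
```

A stolen token from this sketch is still usable inside its own scope until it expires, which is why the per-use log entries matter as much as the grant entries.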
The problem
Production agents today operate with credentials too broad and too long-lived — admin tokens, service accounts with wildcard permissions, database passwords in environment variables. Prompt injection becomes credential exfiltration. A runaway agent becomes a runaway-with-admin-keys agent. A breach of the runtime becomes a breach of every system the actor could touch. Bolting a separate access broker onto a separately built identity system leaves brittle seams exactly where authority must be airtight.
Capabilities
Requesting a capability
// The actor never sees a secret. It requests a capability.
const grant = await warrant.request({
  capability: "stripe:refund",
  resource: "customer:cus_K1g9...",
  constraint: { max_amount_usd: 50 },
  duration: "30m",
  reason: "Customer reported duplicate charge",
})
// grant.token is short-lived, scoped, audit-logged on every use.
await stripe.refund(charge.id, { amount: 4500 }, { auth: grant.token })
Open and commercial
Warrant has two surfaces: an open-source reference in Lattice Runtime (MPL 2.0), and a managed delivery as part of the Visca stack on Visca Cloud. Features in the open never move behind the paywall.
Open
MPL 2.0 · self-hostable · foundation-track governance
Commercial
Your tenancy · dedicated · self-managed · air-gapped
TRUST · same plane
The identity layer of the self-hosted stack.
The identity primitive of the stack, run inside your perimeter. Issues, verifies, and revokes the cryptographic identity every autonomous actor holds — bound to principal, runtime, and lineage from the moment of instantiation. The one identity every other primitive trusts.
The fabric layer of the self-hosted stack.
The fabric primitive of the stack, run inside your perimeter. Discovery, mTLS, and routing across every autonomous actor and every resource an actor reaches — rooted in the same Sigil identities, not hardcoded URLs, and never crossing your boundary.
Across the stack
The record layer of the self-hosted stack.
The record primitive of the stack, run inside your perimeter. The one audit trail every other primitive writes to — a queryable knowledge graph of every actor, plus the append-only, cryptographically chained log of every action, keyed to Sigil and Capability Grant.
The data-model layer of the self-hosted stack.
The data-model primitive of the stack, run inside your perimeter. Declare what should exist as versioned source; agents write it as source, humans edit it as a spreadsheet. Plan, apply, drift-detect — all against state that stays in your tenancy.
The packaging layer of the self-hosted stack.
The packaging primitive of the stack, run inside your perimeter. Immutable, content-addressed, Sigil-signed bundles — everything an autonomous actor needs to execute, packaged as a single attestable artifact and registered in your own registry.
The open-source runtime layer — and the foundation the whole stack runs on.
The runtime layer of the stack, and its open-source foundation (MPL 2.0). Runs autonomous workloads across cloud, edge, on-device, and on-robot — with first-class awareness of tokens, models, memory, and embodiment, routing over open-weight models so cognition stays in your walls.
The whole stack. Self-hosted. One ecosystem.
Models, identity, tools, voice, payments, runtime, and audit — as one integrated ecosystem, self-hosted, sovereign, air-gapped. Nothing stitched from vendors. Nothing leaves your perimeter. Open at the core. No license rug-pulls, ever.