OpenPort Protocol: A Security Governance Specification for AI Agent Tool Access

TL;DR

OpenPort Protocol (OPP) is a comprehensive security governance specification for AI agent tool access, enabling secure, auditable, and controlled interactions with application data and actions through a model-neutral, runtime-neutral gateway.

Contribution

The paper introduces OpenPort Protocol, a novel governance-first specification that addresses authorization, risk management, and auditability for AI agent tool access in production environments.

Findings

Defined a secure, model-neutral gateway for AI tools

Implemented risk-gated write operation lifecycle with human review

Validated core profile with artifact-based external testing

Abstract

AI agents increasingly require direct, structured access to application data and actions, but production deployments still struggle to express and verify the governance properties that matter in practice: least-privilege authorization, controlled write execution, predictable failure handling, abuse resistance, and auditability. This paper introduces OpenPort Protocol (OPP), a governance-first specification for exposing application tools through a secure server-side gateway that is model- and runtime-neutral and can bind to existing tool ecosystems. OpenPort defines authorization-dependent discovery, stable response envelopes with machine-actionable \texttt{agent.*} reason codes, and an authorization model combining integration credentials, scoped permissions, and ABAC-style policy constraints. For write operations, OpenPort specifies a risk-gated lifecycle that defaults to draft creation and human review, supports time-bounded auto-execution under explicit policy, and enforces high-risk safeguards including preflight impact binding and idempotency. To address time-of-check/time-of-use drift in delayed approval flows, OpenPort also specifies an optional State Witness profile that revalidates execution-time preconditions and fails closed on state mismatch. Operationally, the protocol requires admission control (rate limits/quotas) with stable 429 semantics and structured audit events across allow/deny/fail paths so that client recovery and incident analysis are deterministic. We present a reference runtime and an executable governance toolchain (layered conformance profiles, negative security tests, fuzz/abuse regression, and release-gate scans) and evaluate the core profile at a pinned release tag using artifact-based, externally reproducible validation.