SynOI

Testing

Every AI action, signed and provable.

SynOI Decisions is the receipt layer of the SynOI governance stack. Every action your gateway evaluates -- allow, deny, or route to a human -- produces a Decision Receipt: a canonical JSON document signed with a hybrid Ed25519 + ML-DSA-65 key pair, verifiable offline by any auditor with no SynOI account and no network dependency.

The receipt is the proof. Not a log entry in a database only we can read -- a cryptographic commitment any party can independently verify, forever, even if SynOI ceased to exist tomorrow.

Decision outcomes

Five outcomes. All receipted.

allow

Allow

Policy evaluated the action and permitted it. The receipt records which policy rule matched and what risk tier was assigned.

deny

Deny

Policy blocked the action before any model call fired. The receipt is proof the block occurred -- auditors can verify the agent was stopped, not just slowed.

hitl_approved

HITL approved

A human reviewed the action on mobile, Slack, SMS, or desktop and approved it. The receipt records who approved it, on which surface, and how long it took.

hitl_denied

HITL denied

A human reviewed and rejected the action. The full approval chain -- who, when, what surface -- is in the signed receipt.

remediate

Remediate

The action was redirected: a corrective step was required before the original request could proceed. The receipt captures the remediation class.

What you get

A complete audit record in one signed document.

Every receipt is a canonical JSON document: null fields dropped, keys sorted lexicographically, byte-exact. The hybrid signature covers the entire canonical body. Mutating any field -- even whitespace -- invalidates the signature.

receipt_id

Globally unique. Embeds in the verify URL. Never reused across tenants or time.

tenant_id

Which tenant this decision belongs to. Receipts are tenant-scoped at signing time.

action_class

What category of action was attempted: tool.deploy, tool.write, llm.call, etc.

action_desc

Human-readable description of what the agent requested to do.

risk_level

low · medium · high · critical. Assigned by tenant policy at evaluation time.

decision

allow · deny · hitl_approved · hitl_denied · remediate.

mode

enforce · monitor · shadow. Whether the gateway actually blocked or only observed.

approver

For HITL decisions: the identity who approved or denied. Omitted for automated decisions.

approval_surface

mobile · slack · sms · desktop · email. Which channel the human used.

elapsed_ms

End-to-end latency of the governance evaluation, in milliseconds.

model

Which LLM was in use for this action.

oid_hex

SHA-256 content-addressed identifier of this receipt body. Same content always yields the same OID.

recorded_at

RFC 3339 timestamp at which this decision was recorded by the gateway.

signature

Hybrid Ed25519 (RFC 8032) + ML-DSA-65 (FIPS 204) over the canonical JSON body. Verify offline.

Why this design

Approved before it runs. Provable after.

No vendor dependency to verify

The signature verifies against public keys we publish at a stable URL. Any Ed25519 library in any language can verify the classical signature. ML-DSA-65 future-proofs the same receipt against attacks by quantum computers.

Tamper-evident by construction

Canonical JSON: null fields dropped, keys sorted. Any mutation -- a character, a reordering, a field addition -- changes the canonical encoding and invalidates the signature. There is no way to alter a receipt without detection.
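The canonicalization rule and the content-addressed oid_hex described above, as an added example (not SynOI's own code). It assumes compact separators, UTF-8 encoding, and that oid_hex and signature are excluded from the hashed body; the page does not specify these details, and all sample values are constructed.

```python
import hashlib
import json

# Assumption: oid_hex and signature are computed over the body, so they are
# excluded from the bytes being hashed. The page does not spell this out.
DERIVED_FIELDS = ("oid_hex", "signature")


def _drop_nulls(value):
    """Recursively remove null-valued keys from JSON objects."""
    if isinstance(value, dict):
        return {k: _drop_nulls(v) for k, v in value.items() if v is not None}
    if isinstance(value, list):
        return [_drop_nulls(v) for v in value]
    return value


def canonical_body(receipt: dict) -> bytes:
    """Nulls dropped, keys sorted; compact separators and UTF-8 are assumed."""
    body = {k: v for k, v in receipt.items() if k not in DERIVED_FIELDS}
    text = json.dumps(_drop_nulls(body), sort_keys=True,
                      separators=(",", ":"), ensure_ascii=False)
    return text.encode("utf-8")


def compute_oid(receipt: dict) -> str:
    """SHA-256 of the canonical body, hex-encoded."""
    return hashlib.sha256(canonical_body(receipt)).hexdigest()


def oid_matches(receipt: dict) -> bool:
    """Recompute the OID and compare it with the one the receipt claims."""
    return str(receipt.get("oid_hex", "")).lower() == compute_oid(receipt)


def make_sample() -> dict:
    """Constructed sample receipt; every value is illustrative."""
    receipt = {
        "receipt_id": "rcpt-example-0001", "tenant_id": "tenant-example",
        "action_class": "tool.deploy", "action_desc": "Deploy build to prod",
        "risk_level": "high", "decision": "deny", "mode": "enforce",
        "approver": None,  # automated decision: dropped by canonicalization
        "elapsed_ms": 42, "model": "example-model",
        "recorded_at": "2025-01-01T00:00:00Z",
    }
    receipt["oid_hex"] = compute_oid(receipt)
    return receipt
```

A matching OID only shows the body is internally consistent with its identifier; authenticity still depends on verifying the hybrid signature over the same canonical bytes against the published public keys.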

Survives vendor risk

The receipt your team generates under SynOI governance verifies with the same math in five years, even if SynOI is acquired, pivots, or winds down. The cryptographic commitment is independent of our operational continuity.

Auditor-ready out of the box

Paste a receipt URL into verify.synoi.systems: the auditor sees the canonical body, the signature bytes, and the verification result. No account, no sales call, no NDA. That is what the receipt is for.

Human approval in the receipt

HITL decisions carry the approver identity and surface. An auditor can confirm not only that an action was allowed, but that a specific human reviewed it on a specific channel at a specific time. Provable approval chain.

Post-quantum migration path

ML-DSA-65 (NIST FIPS 204) is already in the hybrid signature today. When classical Ed25519 becomes insufficient, the post-quantum component of every existing receipt is already there. No re-issuance required.

Start generating receipts with one env var.

Every action through the SynOI Gateway produces a Decision Receipt automatically. No code changes to your agent. No additional libraries.