▶️ Click to run demo | 5 slides · clear voice
auto-advance · Terminal 3 Agent Auth SDK
EDIT MODE — click any text to edit • Ctrl+S to save
01/05 
$ agent.execute("approve all pending invoices")
 200 OK — $4,200,000 processed
$ agent.execute("generate PO", { value: 999_000 })
 200 OK — purchase order created
$ agent.execute("transfer reserves")
 200 OK — done.
Your AI agent has no identity.
No scope. No cap. No revocation. No proof.
AGENTVAULT
─────────────────────────────────────
Least-privilege authorization for AI agents
Built on Terminal 3 Agent Auth SDK
no-identity no-scope no-revocation → agentvault fixes this
02/05 
✘ The Problem
// Enterprise deploys a procurement agent
agent = new AIAgent({ apiKey: process.env.FINANCE_KEY })
// No scope. Agent does anything.
agent.execute("GENERATE_PO", { vendor: "Any", value: 500_000 }) // → 200 OK — no cap checked
agent.execute("APPROVE_ALL_INVOICES") // → 200 OK — no authorization required
agent.execute("ACCESS_FINANCIAL_RECORDS") // → 200 OK — no credential validated
// Agent hallucinates a $500,000 order.
// There is no cryptographic proof of what it was authorized to do.

One credential. Zero limits. No audit that means anything.
problem-space no least-privilege no revocation no verifiable audit
03/05 
▶️ How AgentVault Works
CFO
└── OrchestratorAgent [T3 root identity · TEE-secured]
    │
    ├── delegate ──▶️ BudgetAgent
    │   scope: CHECK_BUDGET, VERIFY_FUNDS
    │   access: read-only · no execution
    │   expires: 2h · revokable: instant
    │
    └── delegate ──▶️ VendorAgent
        scope: GENERATE_PO
        maxValue: $50,000
        expires: 2h · revokable: instant

Every credential: W3C Verifiable Credential format
Every delegation: Signed by Terminal 3 Agent Auth SDK
Every action: Scope-checked before execution
t3-identity scoped-credentials time-limited revokable tee-secured
04/05 
⛔️ Scope Enforcement — Live
// VendorAgent attempts $60,000 PO (cap: $50,000)
POST /api/tasks/execute { "action": "GENERATE_PO", "totalValue": 60000 }

← 403 Forbidden
{
  "outcome": "REJECTED",
  "reason": "VALUE_EXCEEDS_SCOPE",
  "detail": "$60,000 requested — $50,000 cap — $10,000 over limit",
  "agentId": "vendor-agent-t3:xxxx",
  "signature": "sha256:a4f2c8e1...",
  "logged": true,
  "executedAction": false
}
// CFO revokes credential — one call
// VendorAgent attempts anything after revocation:

← 403 Forbidden
{
  "outcome": "REJECTED",
  "reason": "CREDENTIAL_REVOKED",
  "revokedAt": "2026-06-05T03:14:22Z",
  "signature": "sha256:9b3d..."
}
Rejected before execution. Every time. Signed. Immutable.
scope-violation value-exceeds-cap credential-revoked → always-before-execution
05/05 
⚡️ Enterprise-Ready Agent Authorization
Built for: Banks · Governments · Institutions · Corporates
Powered by: Terminal 3 TEE-secured Agent Auth SDK

 Least-privilege access
  Sub-agents only execute what their credential explicitly permits
 Delegation chains
  Orchestrator issues scoped credentials · not config files
 One-call revocation
  Any agent stopped instantly · audit record created immediately
 Immutable audit trail
  Every action signed before execution · append-only · tamper-evident
 Hardware-secured trust
  Terminal 3 TEE infrastructure · not API key security

"This is AWS IAM for your AI agent stack."
github.com/Samfresh-ai/agentvault
T3 ADK Bounty Challenge · June 2026
t3-adk-bounty least-privilege delegation-chains instant-revocation tee-secured