Guardian Replay
Reproduce any past authorization decision deterministically. Prove to auditors and regulators exactly why an action was allowed or denied.
Why this exists
CISOs and compliance teams face a recurring objection when evaluating AI governance tools:
"How do I know the governance layer was actually enforced — and not tampered with after the fact?"
Guardian Replay addresses this directly. Every POST /v1/authorize decision is stored with a replay envelope — a cryptographic snapshot of all inputs, policies, and the resulting verdict. Any decision can be reproduced exactly, byte-for-byte, at any future point in time.
How it works
When a decision is made, ABS stores a replay_envelope alongside the normal proof_hash:
Authorize request
↓
Policy evaluation
↓
Decision (ALLOWED / DENIED)
↓
[Replay envelope persisted] ← agent_id, tool_name, input_hash,
                              policy_version, timestamp, verdict,
                              risk_score, proof_hash

The envelope uses content-addressed storage: the proof_hash is a SHA256 of the full decision payload, so any modification to the stored data is immediately detectable.
Inspect a stored decision
GET /v1/decisions/{decision_id}/replay
Authorization: Bearer {your-api-key}

{
  "decision_id": "dec_01JN8K...",
  "verdict": "DENIED",
  "risk_score": 95,
  "proof_hash": "a3f8c2...",
  "timestamp": "2026-02-20T18:44:41Z",
  "replay_envelope": {
    "agent_id": "claudebot-prod",
    "tool_name": "exec_cmd",
    "input_hash": "b9e1d4...",
    "policy_tag": "FINANCIAL",
    "policy_version": "2.1.0",
    "risk_level": "HIGH"
  }
}

Re-run the decision (integrity check)
POST /v1/decisions/{decision_id}/replay
Authorization: Bearer {your-api-key}

ABS re-evaluates the stored envelope against the policy engine and compares the result:

{
  "decision_id": "dec_01JN8K...",
  "integrity": "VERIFIED",
  "original_verdict": "DENIED",
  "replayed_verdict": "DENIED",
  "proof_hash_match": true,
  "replayed_at": "2026-02-21T09:00:00Z"
}

If the policy was changed between the original decision and the replay, or the stored data was modified:
{
  "integrity": "INTEGRITY_VIOLATION",
  "original_verdict": "DENIED",
  "replayed_verdict": "ALLOWED",
  "proof_hash_match": false,
  "divergence_reason": "Policy version changed: 2.1.0 → 2.2.0"
}

Use cases
Compliance audit: An auditor requests proof that agent claudebot-prod was blocked from calling exec_cmd on Feb 20. You provide the decision ID — they can verify independently.
Post-incident forensics: An unauthorized action occurred. Replay all decisions in the incident window to find the first policy miss.
Policy regression testing: Before promoting a new policy version, replay the last 30 days of decisions to see what would have changed.
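
For the forensics and regression-testing use cases above, an added example (not ABS code) that triages replay results for an incident window and reports the first divergence. The record shape is an assumption: each record merges the timestamp from the GET response with the fields of the POST replay response, and the decision IDs are constructed.

```python
from datetime import datetime, timezone

# Constructed sample: stored timestamp (GET .../replay) merged with the
# replay result (POST .../replay). Decision IDs are placeholders.
SAMPLE = [
    {"decision_id": "dec_sample_001", "timestamp": "2026-02-20T18:40:02Z",
     "integrity": "VERIFIED", "original_verdict": "ALLOWED",
     "replayed_verdict": "ALLOWED", "proof_hash_match": True},
    {"decision_id": "dec_sample_003", "timestamp": "2026-02-20T18:52:10Z",
     "integrity": "INTEGRITY_VIOLATION", "original_verdict": "ALLOWED",
     "replayed_verdict": "DENIED", "proof_hash_match": False,
     "divergence_reason": "Policy version changed: 2.1.0 → 2.2.0"},
    {"decision_id": "dec_sample_002", "timestamp": "2026-02-20T18:44:41Z",
     "integrity": "INTEGRITY_VIOLATION", "original_verdict": "DENIED",
     "replayed_verdict": "ALLOWED", "proof_hash_match": False,
     "divergence_reason": "Policy version changed: 2.1.0 → 2.2.0"},
    {"decision_id": "dec_sample_004", "timestamp": "2026-02-21T03:00:00Z",
     "integrity": "VERIFIED", "original_verdict": "DENIED",
     "replayed_verdict": "DENIED", "proof_hash_match": True},
]

def parse_ts(value):
    """Parse the 'Z'-suffixed UTC timestamps shown in the responses."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(records, window_start, window_end):
    """Order replayed decisions in the window and list every divergence."""
    start, end = parse_ts(window_start), parse_ts(window_end)
    in_window = sorted(
        (r for r in records if start <= parse_ts(r["timestamp"]) <= end),
        key=lambda r: parse_ts(r["timestamp"]))
    # Fail closed: a record with missing fields counts as diverged.
    diverged = [r for r in in_window
                if r.get("integrity") != "VERIFIED"
                or not r.get("proof_hash_match", False)
                or r.get("original_verdict") != r.get("replayed_verdict")]
    loosened = [r["decision_id"] for r in diverged
                if (r.get("original_verdict"), r.get("replayed_verdict")) == ("DENIED", "ALLOWED")]
    return {
        "checked": len(in_window),
        "first_divergence": diverged[0]["decision_id"] if diverged else None,
        "diverged": [(r["decision_id"], r.get("divergence_reason", "unspecified")) for r in diverged],
        "loosened": loosened,  # denied originally, allowed on replay
    }
```

The "loosened" list is the one to review first in a regression run: those are actions that were denied originally and come back allowed on replay.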
Availability
Replay envelopes are stored for all decisions made on ABS v10.1.5+. Requests for decisions made before this version return a 404 with the message "It may predate Guardian Replay (v10.1.5)."
Envelopes are subject to your configured audit log retention policy.