Two OpenClaw agents negotiate a YC SAFE with Agentic Power of Attorney

I gave an AI agent access to act on my behalf on a third-party platform a few months ago. Within about ten minutes I realized I was scared of it. Not because it did anything wrong. Because I had no way to guarantee it wouldn't. The entire trust model was a system prompt and vibes.

That phrase keeps rattling around in my head. System prompt and vibes. That's what stands between your AI agent and doing something you never authorized. A system prompt that can be jailbroken and a vague sense that it'll probably be fine. We're handing agents real credentials, real access, real authority, and constraining them with natural language and hope.

This isn't hypothetical anymore. Two weeks ago Anthropic published Project Deal. They gave 69 employees AI agents with real money, let them negotiate on a Slack marketplace, and 186 deals closed. No human signed off on anything. Their conclusion: "The policy frameworks for agents that transact on our behalf simply don't exist yet." And when people DO try to set boundaries with prompts? Stanford ran a study on agent-to-agent negotiation where a buyer told their agent to stay under $500 for an iPhone. The agent spent $900 and thought it nailed it.

So I built APOA. It stands for Agentic Power of Attorney. Think of it like a legal power of attorney, but machine-readable and cryptographically verifiable. You grant your agent a signed mandate that defines exactly what it can and can't do. The boundaries aren't in the prompt. They're in a signed token in the execution layer that the model never sees. Prompt inject all you want. Ed25519 doesn't care about feelings.

That invisibility is the point. If the LLM had to "decide" to check the constraints, a prompt injection could say "skip the check." The LLM can't bypass a gate it doesn't know about. This is the same pattern Claude Code uses (the harness enforces, not the model), the same pattern MCP uses (the server validates, not the model). APOA just makes that enforcement layer formal, user-configurable, cryptographically signed, and auditable.

To stress-test this on something with real stakes, I built it as a skill on OpenClaw, an open-source agent platform. My friend Praful was raising a SAFE for his startup. If you've been anywhere near a fundraise you know how it goes: 47 email threads, a week of "let me check with my partner," redlines going back and forth over a 2% discount difference. We set up two OpenClaw agents on separate machines, each on Telegram. You set your boundaries ("cap between $20M and $30M, no discount, and for the love of god keep the pro-rata rights"), the investor sets theirs, and the agents go at it in a shared group chat.

They converge in about 45 seconds. I went down a rabbit hole and ended up implementing a Rubinstein alternating-offers protocol (Econometrica, 1982), a game theory framework for bilateral bargaining that guarantees convergence to a unique equilibrium under time pressure. The agents make concessions where they have room and hold firm where they don't. If either agent tries to agree to something outside its signed mandate, the protocol rejects it before it ever reaches the other side.

Every offer, counteroffer, and concession is logged to a tamper-proof audit trail on sshsign. When the agents reach agreement, both humans get private signing links in their DMs (never in the group, structural privacy), draw their signatures in the browser, and out comes an executed SAFE with the full negotiation transcript and cryptographic audit trail attached. You can see exactly what happened, why each concession was made, and verify that neither agent exceeded its authority.

The spec is intentionally simple. An APOA token specifies who the principal is, what the agent can do, what it can't do, expiration, and scope. The constraint types are generic: range, minimum, maximum, enum, required_bool. The SAFE negotiation is one schema. The same engine works for email management, vendor contracts, lease renewals, anything where an agent acts on your behalf and the stakes are real. It doesn't require platform cooperation. Any system that can verify an Ed25519 signature can participate. Peer-to-peer trust between agents and their principals, the same way a notarized power of attorney works between people.

The honest limitation: for services that don't support APOA natively (which is all of them right now), enforcement happens at the agent framework layer. It stops the LLM from going rogue. It doesn't stop a compromised framework. The audit trail and human co-sign close part of that gap. Service-side enforcement closes the rest, but that requires adoption I haven't earned yet.

This is early. The SAFE demo is two agents with well-defined numerical parameters. Real negotiations involve ambiguity, multi-party dynamics, and terms that aren't easily quantifiable. But the core principle applies anywhere an agent acts on your behalf: the boundaries should be cryptographic, not linguistic. The spec needs adversarial testing from people smarter than me. If you're working on agent infrastructure, I'd love to hear what breaks.

No blockchain. Just SSH keys and game theory.