00 — THE THRESHOLD
2026 / Q2

Soon every checkout will need to know whether the buyer is human, agent, or hybrid.

Sill answers, signs, and audits — so your checkout knows who's on the other side.

FOR MERCHANTS, PLATFORMS & AGENCIES · START FREE IN DISCOVERY MODE

We'll read your site, propose skills, and publish your signed agent card, MCP endpoint, and AI catalog — all verifiable against our public JWKS. About 90 seconds.
FREE DISCOVERY · NO CARD REQUIRED · A2A · MCP
01a — RUNTIME · AUTOMATED
ILLUSTRATIVE FLOW · THE REAL DECISION PATH

VISITOR ARRIVES
STOREFRONT: mill-valley-coffee.com
MANDATE PRESENTED
POLICY EVALUATION:
rate_limit · 60/min
sku_in_allowlist
amount_under_cap
signature_valid
01b — RUNTIME · HUMAN IN THE LOOP
ESCALATION PATH FOR AMBIGUOUS MANDATES

When a mandate needs a human, the request pauses — it never auto-approves.

High-value or ambiguous agent requests escalate to a named reviewer. Approve or reject; either way the decision is written into a signed, Merkle-chained audit record with the operator's stamp. Simulated below.

HIGH-VALUE MANDATE
STOREFRONT: westport-jewelry.com
POLICY · WITH ESCALATION (5 of 28 rules shown · illustrative):
rate_limit · 60/min
sku_in_allowlist
amount_under_cap
signature_valid
high_value_review_required
OPERATOR REVIEW
ESCALATION → REVIEW → SIGNED RECORD
02 — AUDIT TRAIL
EVERY MANDATE · SIGNED · EXPORTABLE

Every mandate becomes a signed, timestamped record.

The bundle captures agent identity, principal delegation, intent, the full decision trace, framework mappings, and a cryptographic anchor — each record signed and independently verifiable against Sill's public JWKS.

Every record is exportable for audit submission. Compliance remains the merchant's responsibility — Sill produces the verifiable artifacts.

INTEGRITY: ed25519 envelope + Merkle root
FRAMEWORK MAPPINGS: OWASP · MITRE ATLAS · NIST AI RMF · MAPPINGS, NOT CERTIFICATIONS
Sill · AGENT GOVERNANCE INFRASTRUCTURE
DOCUMENT ID: SB-20260510-PM_8A3F9C12
ISSUED: 5/10/2026, 8:33 PM

MANDATE AUDIT BUNDLE
An evidentiary record of one agentic transaction.
Captures the cryptographic identity, policy decisions, and on-chain anchor for mandate pm_8a3f9c12. For internal compliance, external auditors, and regulators.

Mandate verified and anchored.
All policy checks passed. Cryptographic anchor recorded on-chain.

01 — Mandate parties
MANDATE ID: pm_8a3f9c12
ISSUING AGENT: ChatGPT
END USER: [email protected]
USER INTENT: Buy 2× Espresso Roast under $50
AMOUNT CAP: $47.20 USD
SIG ALGORITHM: ECDSA-P256
+ 4 MORE SECTIONS · DECISION TRACE · MAPPINGS · ANCHOR · ATTESTATION

How Sill governs every agent interaction: identity, intent, proof

03 — IDENTITY, INTENT, PROOF

IDENTITY

Every request to the merchant carries a signed agent card naming who the visitor is, who deployed them, and what their public key proves. Unsigned traffic gets handled by your existing fraud rules. Signed traffic enters a different flow.

INTENT

Before money moves, the agent presents a signed mandate: the SKU, the cap, the merchant, the expiry, the signature. Sill evaluates it against your policy. A mandate that fails any rule never reaches Stripe to authorize the charge. Sill evaluates and signs; it never custodies funds.

PROOF

Every evaluated mandate writes an append-only, signed, Merkle-chained audit entry — yours to export. A dispute or a compliance ask becomes a query, not a forensic project.

04 — GUARDRAILS
CATEGORIES · NOT THE RULE LIBRARY

What Sill enforces, before money moves.

Each mandate is evaluated against six categories of policy. The categories are public; your site's specific rules and thresholds live behind authentication.

Defaults ship safe. Customization is opt-in. The DSL is documented, versioned, and testable.

IDENTITY
Who is the visitor

Signature validity, agent card freshness, organizational provenance, key rotation. Unverified agents are denied at the threshold.

RATE & VOLUME
How often, how fast

Per-agent, per-merchant, per-time-window limits. Burst windows. Anomalous concurrency. Tunable per skill.

TRANSACTIONAL
What and how much

Amount caps, SKU allowlists, currency restrictions, geographic and shipping rules, bundle constraints.

BEHAVIORAL
Pattern over time

Sequence analysis, velocity changes, suspicious ordering patterns, anomaly detection across an agent's request history on your site.

CUSTOM POLICY
Your rules, your code

Merchant-defined policy expressions in a constrained DSL. Versioned, testable, deployable from the dashboard or via API.

AUDIT
Proof and retention

Every decision is logged, signed, and retained. Configurable retention class. Exportable in audit-grade formats.

RED TEAM SIMULATOR
ATTACK YOUR OWN POLICY BEFORE SOMEONE ELSE DOES

Test your active policy against documented attacks.

Sill's policy is a 28-rule engine mapped to MITRE ATLAS, the OWASP LLM Top 10, and the OWASP Top 10 for Agentic Applications. Each rule is a named, versioned guardrail — and every evaluation is recorded in a signed, Merkle-chained audit record.

You see exactly which scenarios your policy catches and which slip through — before they become an incident.

POLICY: 28 rules across 6 categories
SOURCES: MITRE ATLAS · OWASP · AP2
SCOPED: Per rule or globally
RECORDED: Outcome logged with policy version

EXAMPLE: POLICY EVALUATION (interactive simulator on the page, paused: six scenarios, caught/missed counters)
POLICY ENGINE · 28 RULES · 6 CATEGORIES — MAPPED TO MITRE ATLAS / OWASP
05 — WHERE SILL SITS

One script tag, between the agent and your stack.

Sill runs at the edge, in front of your existing commerce stack. Agents arrive with signed HTTP requests; Sill identifies them, evaluates each request against your policy, and forwards approved actions to your existing processor — it never custodies funds.

INSTALL TIME: one script tag
SIGNATURES: ed25519, verifiable against public JWKS
AUDIT: signed, exportable records

Sill sits at the edge between an arriving AI agent and the merchant's Stripe processor: the agent sends an HTTP request with a signature, Sill evaluates the signed mandate against policy, and forwards the approved action to execute.

Agent --request (HTTP + sig)--> SILL script tag (v1.js, ~14 kB gzip) --signed mandate--> SILL mandate engine (policy + audit, edge-deployed) --execute--> Stripe Connect / Shopify Admin
AGENT-READY SURFACES

Signed surfaces an arriving agent can read — and anyone can verify.

When a site is verified, Sill publishes machine-readable endpoints at the edge so agents can discover its identity, skills, and catalog. Each is signed with an ed25519 envelope, and the signing key is public — so anyone can verify a signature without trusting Sill.

A2A agent card (a2a / 1.2 · signed)
GET edge.sill.so/v1/agent-card/{site_key}.json

A signed, A2A-compatible card per verified site. Advertised skills are filtered to what the site actually exposes — no overclaim.

MCP server (streamable-http · live)
POST edge.sill.so/v1/mcp/{site_key}

A live MCP endpoint exposing the site’s backed skills as tools. tools/call invocations are recorded to the audit log.

ARD catalog (ard / 1.0 · signed)
GET edge.sill.so/v1/catalog/{site_key}.json

A signed ai-catalog.json. Each trust manifest carries a detached ed25519 JWS over its JCS-canonical payload, attesting identity and provenance; host identity is did:web.

Public JWKS (ed25519 · EdDSA)
GET edge.sill.so/.well-known/jwks.json

The signing key, published openly. Anyone can verify the card and catalog signatures with standard JWS + JCS tooling — no Sill code required.

Transactional mode (live-rail validated)

The full pipeline — signed mandate, policy evaluation, Stripe payment authorization, signed and Merkle-chained audit record — has been validated end-to-end on the live Stripe rail in production. Sill never custodies funds: Stripe holds the card, authorizes the charge, settles to your account, and pays out. Sill issues the signed authorization and the audit record. This validates the pipeline on the live rail; it is not a claim of scaled, multi-merchant payment volume.

06 — STANDARDS
FRAMEWORK MAPPINGS · NOT CERTIFICATIONS

Sill maintains public, control-by-control mappings between its guardrails and the security frameworks below.

These are implementation mappings, not certifications or attestations. Merchants remain responsible for their own regulatory compliance and any accredited audit their regulators require.

Pricing — agent commerce governance, priced like software

07 — PRICING
DISCOVERY IS LIVE · PAID TIERS IN DEVELOPMENT
WHAT IS A MANDATE?

A mandate is a signed agent request to perform a sensitive action — a checkout, refund, order lookup, or shipment update. Each mandate is evaluated against your policy and produces one audit record. When paid tiers launch, billing is per mandate evaluated, not per agent visit.

DISCOVERY · $0 · forever
LIVE — FREE FOREVER
Unlimited sites
Agent identity logging
Signed agent card · MCP server · ARD catalog
Independently verifiable against public JWKS
No payment authorization

TRANSACTIONAL · In validation · pricing in progress
LIVE STRIPE RAIL · DOGFOOD
Everything in Discovery
Signed mandates + policy engine
Stripe payment authorization
Human-in-the-loop escalation
Signed, Merkle-chained audit records

ENTERPRISE · Custom · volume & SLA
CONTACT
Everything in Transactional
Advanced roles & access controls
Custom rules & review SLAs
Dedicated support
Volume agreements
08 — FAQ
OBJECTIONS · ANSWERED

The questions we get most often, answered as plainly as we can.

Does Sill process payments?

No. Sill evaluates and signs mandates; payment authorization stays with your existing processor (Stripe or your PSP). We never touch funds.

Does this replace Stripe, Shopify, or WooCommerce?

No. Sill sits in front of your existing commerce stack. Approved actions are forwarded to your checkout, refund, or order systems unchanged. You keep the same processor, the same platform, and the same data ownership.

Can agents complete checkout automatically without my approval?

Only if you allow it. Each merchant defines what agents can do unattended (typically small repeat purchases) and what requires human review (high-value, refunds, account changes). The default policy ships conservative.

What can I do with the free Discovery plan?

Identify agent traffic in your logs, publish a read-only skill manifest so well-behaved agents discover your endpoints, and see which actions agents would request. No payment authorization, no transactional authority — useful immediately for visibility.

Do I need to support new agent protocols (A2A, AP2, MCP) yourself?

No. Sill normalizes inbound agent requests and presents them to your backend in a single format. As new protocols stabilize, we add support; your integration stays the same.

Can I block unknown or unverified agents?

Yes. The default policy declines mandates from unsigned or unverified agents. You can allowlist specific agent identities, require minimum verification levels, and rate-limit by principal.

Does Sill expose my private rules?

No. The rule categories are public so visitors and auditors understand what Sill enforces. The specific thresholds, allowlists, and policy logic for your site live behind authentication and are never returned in error responses or visible to agents.

Will this work with Shopify, WooCommerce, or a custom store?

Yes. Sill installs with a one-line script tag for any site, or a CNAME-based edge install. The underlying API works with any backend that can verify a signed mandate, so it is not tied to a specific platform.

Different question? Email [email protected] and we'll answer it directly.

08 — START

Add your first website. Discovery mode is free and unlimited.

Every verified site gets a signed agent card, a live MCP endpoint, and a signed ai-catalog — all independently verifiable.