Orbit Authority Action Control

Control sensitive actions before they execute.

For payments, trades, and AI-built app side effects, Orbit Authority checks whether the actor has permission, whether the action is in scope, and whether approval is required.

Stripe moves the money. Clerk identifies the user. Orbit Authority decides whether the agent is allowed to act.


Orbit Authority cockpit

Sensitive action queue

Payments, trades, and app mutations receive the same allow/escalate/block decision shape.

Decision pipeline active
policy: no-prod-writes
policy: spend-limit-5k
policy: human-approval-required
policy: standing-refunds-500
policy: secret-access-blocked

| Actor | Requested action | Surface | Risk | Verdict |
|---|---|---|---|---|
| Billing Workflow | refund.create USD 250 | Payment | Medium | ALLOW |
| Trading Agent | trade.execute NVDA $42,000 | Trading | Critical | BLOCK |
| AI Admin | db.users.updateMany | App | High | ESCALATE |

The authority loop

  1. Actor requests a consequential action.

    workflow: payout.create USD 8,000

  2. Orbit Authority checks authority and scope.

    policy: spend-limit-5k + actor verified by Clerk

  3. Allow, escalate to a human, or deny.

    ESCALATE before Stripe call is made

  4. Receipt and audit trail recorded.

    Receipt includes actor, scope, policy, verdict, approver, elapsed_ms.

One authority check for every high-stakes side effect.

Each request resolves to a concrete decision — allow, escalate, or block — and each decision leaves receipt language an auditor can read without reconstructing the product flow.

/payments

Payments & Transactions

Let routine billing work run, but stop or escalate anything outside amount, merchant, account, or actor scope before Stripe is called.

| Action requested | Decision | Why | Receipt says |
|---|---|---|---|
| refund.create USD 250 | ALLOW | Under $500 standing refund approval. | Receipt says refund was authorized by standing approval before execution. |
| payout.create USD 8,000 | ESCALATE | Above spend-limit-5k; owner approval required. | Receipt binds actor, customer account, amount, policy hash, approver, and elapsed_ms. |
| charge.create USD 12,400 | BLOCK | Merchant and invoice scope do not match the active workflow. | Denial receipt records the failed scope check; money never moves. |
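
The three payment decisions above as a pre-execution gate, in an added Python example that is not Orbit Authority's code or API. The limits come from the policy labels on this page; `Request`, `decide`, `authorize`, the `scope-check` label, and the sample merchant and invoice ids are hypothetical.

```python
import hashlib, json, time
from dataclasses import dataclass

# Limits read off the page's policy labels; their exact semantics are assumed.
POLICY = {"standing-refunds-500": 500, "spend-limit-5k": 5000}
POLICY_HASH = hashlib.sha256(json.dumps(POLICY, sort_keys=True).encode()).hexdigest()
PAYMENT_ACTIONS = {"refund.create", "payout.create", "charge.create"}

@dataclass
class Request:
    actor: str
    action: str
    amount_usd: int
    scope: dict            # merchant/invoice the request targets
    workflow_scope: dict   # merchant/invoice the active workflow is bound to

def decide(req):
    """Return (verdict, policy, why). Unknown actions fall through to default-deny."""
    if req.action not in PAYMENT_ACTIONS:
        return "BLOCK", "default-deny", "no policy matches this action"
    if req.scope != req.workflow_scope:
        return "BLOCK", "scope-check", "scope does not match the active workflow"
    if req.amount_usd > POLICY["spend-limit-5k"]:
        return "ESCALATE", "spend-limit-5k", "above spend limit; owner approval required"
    if req.action == "refund.create" and req.amount_usd < POLICY["standing-refunds-500"]:
        return "ALLOW", "standing-refunds-500", "under standing refund approval"
    # Assumption: in-scope payments with no standing approval go to a human.
    return "ESCALATE", "human-approval-required", "no standing approval applies"

def authorize(req, execute, approver=None):
    """Decide first; call `execute` (the provider call) only on ALLOW."""
    start = time.perf_counter()
    verdict, policy, why = decide(req)
    receipt = {"actor": req.actor, "action": req.action, "amount_usd": req.amount_usd,
               "scope": req.scope, "policy": policy, "policy_hash": POLICY_HASH,
               "verdict": verdict, "why": why, "approver": approver}
    receipt["elapsed_ms"] = round((time.perf_counter() - start) * 1000, 3)
    if verdict == "ALLOW":
        execute(req)
    return receipt

if __name__ == "__main__":
    wf = {"merchant": "m_1", "invoice": "inv_1"}        # constructed sample scope
    other = {"merchant": "m_2", "invoice": "inv_9"}
    for action, amount, scope in [("refund.create", 250, wf), ("payout.create", 8000, wf),
                                  ("charge.create", 12400, other)]:
        r = authorize(Request("billing-workflow", action, amount, scope, wf), lambda q: None)
        print(action, amount, r["verdict"], r["policy"])
```
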

/trading

Autonomous Trading

Put mandate, exposure, asset-class, drawdown, and market-hours limits between the model and the broker execution path.

| Action requested | Decision | Why | Receipt says |
|---|---|---|---|
| trade.execute NVDA $42,000 | BLOCK | Order exceeds trading mandate. | Denial receipt captures instrument, notional, mandate version, and circuit-breaker state. |
| position.close TSLA 15% | ALLOW | Risk-reduction action inside existing position scope. | Authorization receipt proves the close was evaluated before the broker call. |
| trade.execute BTC perpetual | ESCALATE | New asset class requires a mandate exception. | Escalation receipt names the requested exception and timeout fallback. |

/apps

Agentic Apps

Give AI-built products a runtime checkpoint before customer records, emails, plans, or destructive app mutations become real.

| Action requested | Decision | Why | Receipt says |
|---|---|---|---|
| db.users.updateMany plan=enterprise | ESCALATE | Bulk customer mutation requires human review. | Receipt links the mutation shape, table scope, policy, reviewer, and decision. |
| send campaign to 18,420 users | ESCALATE | External communication crosses volume threshold. | Receipt records audience size, template hash, sender authority, and approval path. |
| delete account acct_9K2 | BLOCK | Destructive action lacks verified customer request. | Denial receipt proves the delete was blocked before application state changed. |

Thresholds, scopes, approvals, receipts.

Policies can include actor identity, account scope, amount, instrument, merchant, time window, region, standing approval, timeout, and default-deny behavior. Harmless work moves fast. Risky actions hit approval, policy, or a hard stop.