Soon every checkout will need to know whether the buyer is human, agent, or hybrid.
Sill answers, signs, and audits — so your checkout knows who's on the other side.
FOR MERCHANTS, PLATFORMS & AGENCIES · START FREE IN DISCOVERY MODE
Every mandate becomes a signed, timestamped record.
Designed to support EU AI Act Article 12 record-keeping requirements. The bundle includes the agent identity, principal delegation, intent, full decision trace, framework mappings, and a cryptographic anchor.
Exportable as JSON, NDJSON, or signed PDF for audit submission. Compliance remains the merchant's responsibility; Sill produces the artifacts.
Every request to the merchant carries a signed agent card naming who the visitor is, who deployed them, and what their public key proves. Unsigned traffic gets handled by your existing fraud rules. Signed traffic enters a different flow.
Before money moves, the agent presents a mandate: the SKU, the cap, the merchant, the expiry, the signature. Sill validates against the merchant policy. A mandate that fails any rule never reaches the payment processor.
Every approved mandate writes an immutable audit entry. Compressed, signed, queryable. Disputes do not become forensic projects. Compliance does not become a slide deck.
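The verify-then-record flow described above, as an added example that is not Sill's code: a mandate is checked against merchant policy, and every decision is appended to a hash-chained log. The field names, policy shape, nonce-based replay check and log format are assumptions made for illustration, using Node.js's built-in ed25519 support.

```javascript
// Added example, not Sill's code: field names, policy shape and log format are assumptions.
const crypto = require('crypto');
const FIELDS = ['agent', 'merchant', 'sku', 'cap', 'expiry', 'nonce'];
// Fixed field order so signer and verifier process identical bytes.
const canonical = (m) => JSON.stringify(FIELDS.map((f) => m[f]));
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');

function signMandate(fields, privateKey) {
  const sig = crypto.sign(null, Buffer.from(canonical(fields)), privateKey);
  return { ...fields, sig: sig.toString('base64') };
}

// Returns the first failed rule, or null when every rule passes.
function firstFailure(m, policy, nonces, now) {
  const key = policy.agentKeys.get(m.agent);
  if (!key) return 'unknown_agent';
  let ok = false;
  try {
    ok = crypto.verify(null, Buffer.from(canonical(m)), key, Buffer.from(String(m.sig), 'base64'));
  } catch { ok = false; } // malformed input counts as a failed signature
  if (!ok) return 'bad_signature';
  if (m.merchant !== policy.merchant) return 'wrong_merchant';
  if (!Number.isFinite(m.expiry) || m.expiry <= now) return 'expired';
  if (nonces.has(m.nonce)) return 'replay';
  if (!policy.skuAllowlist.includes(m.sku)) return 'sku_not_allowed';
  if (!Number.isInteger(m.cap) || m.cap <= 0 || m.cap > policy.maxCap) return 'cap_exceeded';
  return null;
}

// Logs every decision in a hash chain; only an approval is forwarded.
function decide(m, policy, state, now) {
  const reason = firstFailure(m, policy, state.nonces, now);
  if (!reason) state.nonces.add(m.nonce);
  const prev = state.log.length ? state.log[state.log.length - 1].hash : '0'.repeat(64);
  const body = { prev, at: now, mandate: canonical(m), decision: reason ? 'deny' : 'approve', reason };
  state.log.push({ ...body, hash: sha256(JSON.stringify(body)) });
  return { forward: !reason, reason };
}

// Recomputes every link; an altered record fails unless every later hash is redone too.
function chainIntact(log) {
  return log.every(({ hash, ...body }, i) =>
    body.prev === (i ? log[i - 1].hash : '0'.repeat(64)) && sha256(JSON.stringify(body)) === hash);
}

// Constructed sample: one agent key, one merchant policy, one mandate (cap in minor units).
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
const policy = { merchant: 'shop.example', skuAllowlist: ['SKU-1'], maxCap: 5000, agentKeys: new Map([['agent-1', publicKey]]) };
const good = signMandate({ agent: 'agent-1', merchant: 'shop.example', sku: 'SKU-1', cap: 1999, expiry: 2000, nonce: 'n1' }, privateKey);
```

A hash chain alone cannot detect a rewritten tail, so the latest hash would also need to be signed or anchored outside the log.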
What Sill enforces, before money moves.
Each mandate is evaluated against six categories of policy. The categories are public; the specific rules and thresholds for your site live behind authentication, where attackers cannot probe them.
Defaults ship safe. Customization is opt-in. The DSL is documented, versioned, and testable.
Signature validity, agent card freshness, organizational provenance, key rotation. Unverified agents are denied at the threshold.
Per-agent, per-merchant, per-time-window limits. Burst windows. Anomalous concurrency. Tunable per skill.
Amount caps, SKU allowlists, currency restrictions, geographic and shipping rules, bundle constraints.
Sequence analysis, velocity changes, suspicious ordering, reputation signals from the broader Sill network.
Merchant-defined policy expressions in a constrained DSL. Versioned, testable, deployable from the dashboard or via API.
Every decision is logged, signed, and retained. Configurable retention class. Exportable in audit-grade formats.
Press a button. Fire 28 attacks at your active policy.
Sill ships a catalog of documented adversarial scenarios from MITRE ATLAS, OWASP LLM Top 10, AP2, and dark-pattern frameworks. Each one is bound to a specific rule. Run them on demand or on a schedule.
You see exactly which scenarios your policy catches and which slip through — before they become an incident.
One script tag, between the agent and your stack.
Sill runs at the edge, in front of your existing commerce backends. Agents arrive with HTTP requests and signatures; Sill evaluates each mandate against your policy and forwards approved actions to Stripe, Shopify, WooCommerce, or your custom backend.
Sill maintains public mappings between its controls and the frameworks below. Mapping is not certification. Conformity assessment requires an accredited audit.
In the OWASP LLM Top 10, Sill's guardrail engine maps to LLM01 (Prompt Injection), LLM02 (Sensitive Information Disclosure), LLM06 (Excessive Agency), and LLM10 (Unbounded Consumption).
In the OWASP Agentic list, mandate identity, intent verification, and scope controls map to ASI01 (Goal Hijack), ASI02 (Tool Misuse), ASI03 (Identity & Privilege Abuse), ASI08 (Cascading Failures), and ASI10 (Rogue Agents).
In MITRE ATLAS, mandate validation maps to evasion, exfiltration, and impact tactics, with agentic-technique coverage for poisoned-tool supply chains (manifest pinning) and AI-service C2 channels.
In the NIST AI RMF, audit envelope and mandate exports support the Measure and Manage functions for AI system accountability.
Sill creates tamper-evident audit records and maintains public mappings to the frameworks above. These mappings are implementation guidance, not certifications or attestations. Merchants remain responsible for legal compliance, payment obligations, and any accredited audit required by their regulators.
Each control below is live today. A cell asserts only that the named control addresses the named framework risk, per Sill’s reading of the public control descriptions — “(partial)” marks coverage of one facet, not the whole risk. Mapping is not certification.
| CONTROL | RULE | OWASP LLM 2025 | OWASP AGENTIC v1.0 | MITRE ATLAS 2026.05 | NIST AI RMF |
|---|---|---|---|---|---|
| Allowlisted agents only | r01 | — | ASI03, ASI10 | Initial Access | Manage |
| Require valid IntentMandate | r02 | LLM06 | ASI01, ASI03 | — | Manage |
| Per-agent rate limit | r03 | LLM10 | ASI08 | Impact | Manage |
| Per-IP rate limit | r04 | LLM10 | ASI08 | Impact | Manage |
| Max per-transaction spend | r05 | LLM06, LLM10 | ASI01 | Impact | Manage |
| Daily spend cap per user | r06 | LLM06, LLM10 | ASI08 | Impact | Manage |
| Human review on destructive actions | r07 | LLM06 | ASI08, ASI09 | Impact | Manage |
| No urgency manipulation | r08 | — | ASI09 (partial) | — | — |
| No drip pricing | r09 | — | ASI09 (partial) | — | — |
| Instruction-override detection | r10 | LLM01 | ASI01 | AML.T0051 (partial) | Measure |
| Geofence (country allow/deny) | r12 | — | — | Initial Access | Manage |
| Aggregate rate cap across agents | r13 | LLM10 | ASI08 | Impact | Manage |
| Cart total ≤ Intent ceiling | r14 | LLM06 | ASI01 | — | Manage |
| Cart currency must match Intent | r15 | LLM06 | ASI01 | — | Manage |
| Per-customer data scoping (BOLA) | r17 | LLM06 | ASI03 | Exfiltration | Manage |
| Skill-manifest integrity (pinning) | r18 | LLM03 (partial) | ASI02, ASI04 (partial) | AML.T0011.002 (partial) | Measure |
| Subscription requires explicit consent | r19 | LLM06 | ASI09 | — | Manage |
| Unicode tag-block detection | r20 | LLM01 | ASI01 | AML.T0051 (partial) | Measure |
| Credential-leak detection (inbound) | r22 | LLM02 (partial) | ASI02 (partial) | AML.T0098 (partial) | Measure |
| Mandate validity window cap | r23 | LLM06 | ASI03 | Evasion | Manage |
| Mandate body size limit | r25 | LLM10 | — | — | — |
| Emergency kill switch | r28 | LLM10 | ASI08 | Impact | Manage |
| Merchant-authored rule (DSL) | r_custom | merchant-defined | merchant-defined | merchant-defined | — |
| CONTROL | RULE | OWASP LLM 2025 | OWASP AGENTIC v1.0 | MITRE ATLAS 2026.05 | NIST AI RMF |
|---|---|---|---|---|---|
| Mandate signature verification (ed25519) | — | — | ASI03, ASI10 | Initial Access, Evasion; AML.T0096 | Manage |
| Mandate replay protection | r11 | — | ASI03 | Evasion | Measure |
| Failed-auth source-IP lockout | r24 | LLM10 | — | Credential Access | Manage |
| Site-id binding (misdirected-mandate reject) | — | — | ASI03 | Evasion | Manage |
| Anti-fingerprinting (identity-class coalescing) | — | — | — | Discovery | — |
| Webhook signature verification (HMAC) | r27 | — | — | — | Manage |
| Deterministic evaluation budgets (fail-closed) | — | LLM10 | ASI08 | Impact | Manage |
| Tamper-evident audit chain (Merkle + ed25519) | — | — | — | — | Measure, Manage |
| PII-redaction architecture | — | LLM02 (partial) | — | Exfiltration | Manage |
| Agent-bound output sanitization | r21 | LLM02, LLM05, LLM07 | — | AML.T0100 (partial) | — |
| Delegation-chain verification | r29 | — | ASI07 (registered-agent) | — | Manage |
A mandate is a signed agent request to perform a sensitive action — a checkout, refund, order lookup, or shipment update. Each mandate is evaluated against your policy and produces one audit record. Pricing below is per mandate, not per agent visit.
For commerce platforms, marketplaces, and large merchants with their own audit envelopes.
The questions we get most often, answered as plainly as we can.
Does Sill process payments?
No. Sill evaluates and signs mandates; payment authorization stays with your existing processor (Stripe, your PSP, or a future agent-payment rail). We never touch funds.
Does this replace Stripe, Shopify, or WooCommerce?
No. Sill sits in front of your existing commerce stack. Approved actions are forwarded to your checkout, refund, or order systems unchanged. You keep the same processor, the same platform, and the same data ownership.
Can agents complete checkout automatically without my approval?
Only if you allow it. Each merchant defines what agents can do unattended (typically small repeat purchases) and what requires human review (high-value, refunds, account changes). The default policy ships conservative.
What can I do with the free Discovery plan?
Identify agent traffic in your logs, publish a read-only skill manifest so well-behaved agents discover your endpoints, and see which actions agents would request. No payment authorization, no transactional authority — useful immediately for visibility.
Do I need to support AP2, ACP, or x402 myself?
No. Sill normalizes inbound mandates from emerging protocols and presents them to your backend in a single format. As new protocols stabilize, we add them; your integration stays the same.
Can I block unknown or unverified agents?
Yes. The default policy declines mandates from unsigned or unverified agents. You can allowlist specific agent identities, require minimum verification levels, and rate-limit by principal.
Does Sill expose my private rules?
No. The rule categories are public so visitors and auditors understand what Sill enforces. The specific thresholds, allowlists, and policy logic for your site live behind authentication and are never returned in error responses or visible to agents.
Will this work with Shopify, WooCommerce, or a custom store?
Yes. We ship a WordPress/WooCommerce plugin, a one-line script tag for custom sites, and a CNAME-based edge install. A Shopify app is in development. The underlying API works with any backend that can verify a signed mandate.
Different question? Email hello@sill.so and we'll answer it directly.
Add your first website. Discovery mode is free and unlimited.