Honest limits

What Atested can and can't do

Atested's limits are architectural, not provisional. Here is where the boundary is and why.

What Atested knows

Tier 1 classifications are deterministic

The operation specifies a file path, and the classifier reads the path. The policy evaluator checks whether the path is within allowed directories, whether it targets a hidden file, whether the action type is permitted. The decision (ALLOW or DENY) follows from the evidence and the rules with no ambiguity. Two operators running the same operation against the same policy get the same answer.

Tier 2 classifications are high-confidence inferences

When the agent runs git push origin main, the classifier recognizes git push as a network-scope execute operation. This inference is reliable for well-known commands (git, curl, npm, pip, docker, make, pytest, and about 40 others in the classifier). The accuracy depends on the command being what it looks like. An adversarial binary named git that does something else would be classified as the real git. In practice this doesn't happen in normal agent operation, but it's a theoretical gap.

What Atested can't fully see

Tier 3 operations are opaque

The classifier sees the entry point (a script path, an interpreter invocation, a piped command) but not the behavior. Running python3 deploy.py produces a Tier 3 classification: the classifier knows it's executing Python but doesn't know what the script does. These operations default to DENY in the standard policy. You can approve specific Tier 3 operations after reviewing what they do.

Tier 4 operations are uninspectable

The parameters contain encoded content (base64, hex blobs, or obfuscated arguments) that the classifier can't parse. These default to DENY in the standard policy unless approved.

The gap between "classified" and "understood" is real. Atested tells you which tier each operation landed in. The tier is the honest statement of how much the classifier knows.
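The four tiers described above, sketched as an added example; this is not Atested's own classifier. The command list, allowed directory, encoded-content heuristic and all function names are assumptions made for illustration.

```python
import re
import shlex
from pathlib import PurePosixPath

# Assumed values for illustration; not Atested's real command list or policy.
KNOWN_COMMANDS = {"git", "curl", "npm", "pip", "docker", "make", "pytest"}
ALLOWED_DIRS = [PurePosixPath("/home/dev/project")]
# Crude heuristic for encoded blobs (long base64/hex runs). It over-matches,
# which only pushes more operations into Tier 4, the default-DENY side.
ENCODED = re.compile(r"[A-Za-z0-9+/=]{40,}")
SHELL_JOINERS = ("|", ";", "&&", "$(", "`")


def classify_file_op(path):
    """Tier 1: the decision follows from the path and the rules alone."""
    parts = PurePosixPath(path).parts
    hidden = any(p.startswith(".") for p in parts)  # also rejects ".."
    inside = any(PurePosixPath(path).is_relative_to(d) for d in ALLOWED_DIRS)
    return 1, "ALLOW" if inside and not hidden else "DENY"


def classify_command(command):
    """Return the tier (2, 3 or 4) for a shell command string."""
    if ENCODED.search(command):
        return 4  # parameters the classifier cannot parse
    if any(j in command for j in SHELL_JOINERS):
        return 3  # piped or chained: only the entry point is visible
    try:
        argv = shlex.split(command)
    except ValueError:
        return 4  # unbalanced quoting: not parseable
    # Recognition is by name only, so any binary called "git" lands in
    # Tier 2. This is the gap the page describes for Tier 2.
    if argv and PurePosixPath(argv[0]).name in KNOWN_COMMANDS:
        return 2
    return 3  # scripts, interpreters, unknown binaries: behavior is opaque


def decide(command, approved=frozenset()):
    """Tier 3 and 4 default to DENY unless this exact command was approved."""
    tier = classify_command(command)
    if tier >= 3:
        return tier, "ALLOW" if command in approved else "DENY"
    return tier, "POLICY"  # Tier 2 proceeds to rule evaluation (not modeled)
```
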

What the chain proves

The chain proves that a specific action was proposed by the model, classified at a specific tier, evaluated against a specific policy rule, and resulted in a specific decision at a specific time. Every record is Ed25519 signed — the same algorithm that secures SSH connections and Signal messages. Anyone with the public key can verify the entire chain on their own machine. The signatures are mathematical — they either verify or they don't. There is no ambiguity.

What the chain doesn't prove

The chain proves the process was followed, not that the outcome is correct. No system can prove an operation's result is right before it happens. Atested proves that every operation was classified, evaluated against policy, and decided before execution. What happens during execution — whether the code does what the agent intended — is outside the governance boundary. This is a real limit, not a gap to be filled.

What telemetry collects and excludes

Telemetry is on by default. Atested collects aggregated counts: total operations, denials, categories, and machine coverage counts. It never collects file paths, command strings, content, or user identities. Aggregation happens locally; on multi-machine installs, remotes sync summaries to the primary and only the primary transmits externally. You control telemetry through the dashboard and can opt out at any time. See Trust and telemetry for full details.

What the proxy can and can't see

The proxy sees all API traffic between the agent and the model provider. It reads model responses and classifies the actions proposed. It does not see what happens after an allowed action reaches the agent.

Operator identity

You choose an operator name when submitting approvals or acknowledgments. This name is recorded in the governance chain as a label identifying who took the action. Atested does not verify operator names against an external identity provider — the name is a self-declared label, not an authenticated credential. This is by design: governance chains record what happened and who claimed responsibility, using the same trust model as git commit authorship.
