AI agents are starting to buy things on their own. UCP does the checkout — but it assumes a human is watching. For unattended agents, nobody is.
AI agents are starting to buy things on their own — restocking supplies, renewing subscriptions, procuring parts — over the Universal Commerce Protocol. UCP does the hard part beautifully: a standard, machine-drivable checkout. But it carries one quiet assumption.
UCP's escalation model assumes a human is present at the surface. When a checkout needs review, it hands back a link for the person driving the agent to open.
That's exactly right for an assistant sitting next to a user. For an unattended agent, there is no surface and no person. A scheduled replenishment job at 3am has no one to open a link. So today you either let the agent spend freely, or you don't let it run unattended at all.
agentgate-ucp is a small MCP server the buying agent connects to instead of the merchant's UCP endpoint. It re-exposes the checkout tools 1:1 and passes everything through — the agent never knows it's there — but it inserts a policy / approval / evidence layer at the three moments that matter.
On completion, the gate reads the merchant's authoritative total — never the number the agent claims — checks it against a spend policy, and if it trips, parks the purchase instead of placing it.
A human approves out of band — a Slack tap, a dashboard click — and the gate replays the exact completion, with the original idempotency key, the moment they say yes. Nobody had to be watching.
When the merchant needs a human to clear an inventory or fraud review, the gate passes that escalation through faithfully — and never records a held order as a placed one.
When a merchant asks for buyer input, the gate resolves the actual UCP field schema at that location and builds a typed form — not a free-text blob. The human fills it, the gate writes the answer back to its exact place, and re-drives the purchase back through the spend gate.
Unattended spending needs an audit trail you can trust. The gate self-emits a hash-chained timeline of each purchase: what was requested, what the policy decided, when a human approved, when it was placed. Anyone can verify a purchase's chain is intact.
With signing enabled, it produces a portable, offline-verifiable evidence pack attributed to the specific verified agent — dispute-grade proof that this agent made this purchase, checkable without ever touching the database.
The demo stands up five real services — a sample merchant, the gate, approval, forms, and evidence — and drives four scenarios to completion:
A gate that moves money is only as good as its worst edge case. This one went through two independent adversarial reviews — a multi-lens review workflow and a second pass from OpenAI's Codex — before release. Between them they surfaced 30+ issues a green test suite had hidden: a prototype-pollution vector in the JSONPath writer, an unsigned-webhook path that could re-drive a payment, a crash that could strand an answered order, a multi-round escalation mislabeled as complete.
Every one was fixed with a regression test. The webhooks fail closed, the amounts are always the merchant's, and a buyer's answer can never sneak a price past the policy.
If you're building unattended commerce on UCP, point your agent at the gate instead of the merchant.
agentkitai/agentgate-ucp →Feedback welcome — especially from the UCP community on how escalation should work when there's no human at the surface.