A few days ago I wrote about the per-tool ACL design that fronts every inbound A2A call to an ownify agent. That post is about the architecture: capabilities instead of trust scores, default-deny, hard-vs-soft enforcement, the order the firewall stages run in.

This post is about the library. We extracted the policy layer of that gateway into a2a-acl — a drop-in Express middleware package that runs in production at ownify.ai and is now available standalone. MIT-licensed, no runtime dependencies, on npm:

```bash
npm install a2a-acl
```

If you're building a service that receives agent-to-agent traffic and you want the same authorization shape — without rolling your own AAE verifier, nonce cache, ACL evaluator, trust gate, sanitiser, depth guard, circuit breaker, rate limiter, and audit logger — this is the library. You bring your storage; the library brings the algorithm.…