ConsentKey

A Logitech Actions SDK plugin that turns your MX Console into a physical consent firewall — blocking AI agents from executing risky actions without a hardware-signed human approval.

Comment

Inspiration

AI coding agents can now draft and execute infrastructure commands — service restarts, secret rotations, deployment rollbacks — in seconds. Production systems are fragile. A single unreviewed action can cascade into an outage affecting thousands of users.

Today, the only gate between an AI agent's intent and live execution is a text prompt on screen that's easy to miss or reflexively accept. Software approval dialogs are click-through noise — the digital equivalent of a terms-of-service checkbox. YubiKeys prove identity, not intent. There is no hardware-level, deliberate human-intent verification in the loop.

That gap is what inspired ConsentKey. We asked: what if the Logitech MX Creative Console wasn't just a productivity surface — what if it became a trust anchor? A physical object that stands between an AI agent and the real world, requiring a real human decision before anything dangerous executes.

What it does

ConsentKey is a Logitech Actions SDK plugin that places a physical trust boundary between AI agents and the execution layer. It turns the MX Creative Console and Actions Ring into human-intent control points.

When an AI agent proposes a risky action (e.g., kubectl rollout restart deploy/auth-service -n prod), execution is paused until an operator makes a deliberate physical gesture on hardware — not just a click on screen. Here's the flow:

  1. Agent wraps a risky command with consent-run, which submits the action to the local Consent Broker. The CLI blocks, polling broker state.
  2. Broker classifies risk (LOW / HIGH / CRITICAL) and pauses execution.
  3. The request surfaces on hardware — the MX Creative Console keys and Actions Ring overlay display the pending action with its risk level, diff preview, blast radius, and policy ID.
  4. The operator decides physically using a risk-graduated gesture:
    • LOW risk — single tap to approve (read-only diffs, safe previews).
    • HIGH risk — press and hold ~1.2 seconds to prevent accidental approval (service restarts).
    • CRITICAL risk — written reason required + hold ~1.8 seconds (secret rotation + restart).
    • Deny — single press on the deny key at any risk level.
  5. Broker responds — on approval, a short-lived token is issued and the command executes. On denial, the agent receives 403 Consent Required and exits non-zero. Every decision is tagged with surface: "mx-creative-console" in the audit record.

The key insight: ConsentKey approves intent, not identity. That's what makes it different from any existing security tool.

How we built it

ConsentKey is composed of four tightly integrated components:

1. Consent Broker (Security Engine) An in-memory state-machine API built with Next.js. It receives agent action requests over HTTP, classifies risk, enforces single-active-request, pauses execution until the operator decides, and issues demo tokens on approval. Routes: request, approve, deny, state, scenarios.

2. Logitech Actions SDK Plugin (Hardware Layer) Four bound actions on the MX Creative Console: Request High-Risk, Request Critical, Approve Pending, Deny Pending. Hardware button presses POST directly to the local broker. Cross-platform source with a Windows-native logitoolkit-buildable wrapper.

3. consent-run CLI (Agent Adapter) A Node.js CLI wrapper that gates any shell command. It submits actions to the broker, renders a consent card in the terminal, polls for decisions, and executes on approval. Works with any AI agent or automation tool.

4. Real-Time Dashboard (Operator UI) Polls broker state every 600ms. Shows live status transitions, diff previews, haptic indicator visualization, blast radius warnings, and issued tokens. Includes operator mode for triggering scenarios.

Risk-graduated interaction design:

Risk Level Haptic Pattern Approval Gesture Reason Required
LOW Gentle single pulse Single tap No
HIGH Strong dual pulse Press + hold 1.2s No
CRITICAL Danger triple pulse Press + hold 1.8s Yes (min 8 chars)

Challenges we ran into

Making haptics feel meaningful, not random. The hardest design problem was creating haptic patterns that communicate risk intuitively — without any training. We went through iterations of patterns. The breakthrough was thinking of it like a car's collision warning system: the urgency of the sensation has to match the urgency of the situation instinctively.

Preventing accidental approvals without creating friction hell. If the consent flow is annoying, developers will find ways around it — defeating the entire purpose. We had to find the right balance: low-risk actions should feel effortless (single tap), while high-risk actions should feel deliberate (press and hold) without feeling punishing. The graduated hold times (1.2s for HIGH, 1.8s for CRITICAL) came from testing what felt intentional without being frustrating.

Getting the Actions SDK plugin to round-trip reliably. Binding four distinct hardware actions, wiring them to POST directly to the local broker, and ensuring every approval is tagged with the correct surface identifier (mx-creative-console) required careful coordination between the plugin lifecycle and the broker state machine.

Scoping the integration surface. AI agents can plug into hundreds of tools. We had to resist the temptation to build adapters for everything and instead pick the one scenario that is universal and immediately legible: preventing destructive infrastructure actions. One use case, told perfectly, beats five use cases told vaguely.

Accomplishments that we're proud of

  • Reframing the hardware's identity. The MX Console is marketed as a productivity tool. We turned it into a security primitive. That conceptual shift — from shortcut surface to trust anchor — is the accomplishment we're most proud of.
  • The haptic risk language. Building a vocabulary of physical sensations that communicates risk level without any visual interface is genuinely novel. The graduated pulse patterns (single / dual / triple) map directly to risk severity — operators can distinguish LOW from HIGH from CRITICAL by feel alone.
  • Live hardware round-trips. The MX Creative Console and Actions Ring are fully wired — button presses flow through the Actions SDK plugin to the broker and back, with every decision tagged to the originating hardware surface in the audit record.
  • A complete consent loop, end to end. From consent-run kubectl rollout restart to hardware approval to command execution (or 403 denial) — the entire flow works with real shell exit codes and real state transitions.

What we learned

Physical objects change decision-making quality. There is research on "friction by design" in security — adding intentional resistance to dangerous actions improves outcomes. What we didn't fully appreciate until building ConsentKey is how much more effective physical friction is than digital friction. A popup is dismissed without thought. A haptic pulse and a hold gesture cannot be.

The "YubiKey vs. ConsentKey" distinction is everything. Early feedback often came back: "isn't this just a YubiKey?" Clarifying that YubiKeys authenticate who you are while ConsentKey authenticates what you're agreeing to — and shows you the specific action, diff, and blast radius before you agree — was the sharpest communication challenge and the most important lesson in positioning.

The audit trail matters as much as the gate. Tagging every decision with the hardware surface, risk level, and timestamp creates a compliance-ready record that answers "who approved this, on what device, and what exactly did they see?" That question is what compliance officers, CISOs, and auditors actually need answered.

What's next for ConsentKey

Near term:

  • Signed JWT approval tokens with claims (action hash, timestamp, device serial, policy ID, expiry window)
  • YAML-based policy engine for custom risk classification rules
  • MX Master 4 integration for pointer-based consent at the IDE level

Medium term:

  • Adapters for agent frameworks: LangChain, AutoGen, Cursor, GitHub Copilot
  • Team dashboard for shared policy management and real-time approval notifications
  • SHA-256 hash-chained tamper-evident audit logs for SOC2 and ISO 27001 compliance export

Long term:

  • Dual approval mode — CRITICAL actions require consent from two different registered MX devices
  • Expand ConsentKey beyond the MX Console to any Logitech device with haptic capability
  • Partner with CI/CD platforms and cloud providers to make ConsentKey the standard human-in-the-loop control for agentic workflows

Built With

Share this project:

Updates