Phase H – First Complete Trust Architecture Cycle

Versions: v0.26.0 – v0.31.0 Question: How do two AI agents, governed by independently administered sovereigns, establish and execute a trust relationship with full forensic accountability and no shared identity provider?

What Changed

Six sequential releases built the answer as a stack, each closing one layer. The canonical JSON signing convention (sort_keys=True, compact separators, exclude={"signatures"}) was established in v0.26 and carried through every subsequent model.

Dual-signed agreement (v0.26): An AgreementRecord signed by both parties via Offer → Counter-offer → Acceptance. Neither can produce it alone.

Attenuable delegation chains (v0.27): A DelegatedAgreementRecord passes a strict subset of rights to a third party. Every hop must narrow, never widen. The chain invariant is enforced at creation and verified at each hop.

Gated authorization (v0.28): A ContextRecord asserts a specific capability at a specific time. The BoundaryEngine evaluates it through ordered gates and produces a signed, time-bounded BoundaryDecision. A passed decision can be verified offline.

Tamper-evident execution chain (v0.29): Each ExecutionEvidence record is linked via prev_evidence_digest = SHA-256(prior.canonical_json). Any insertion, deletion, reordering, or tamper breaks the chain at a specific sequence number.

Bounded freshness proofs (v0.30): A signed FreshnessProof attests that the revocation feed was at a specific sequence at a specific time. Revocation latency is now bounded and independently verifiable.

Machine-checked security lemmas (v0.31): The five-release pipeline is modelled in Tamarin Prover. Five lemmas are machine-checked: authorization_requires_agreement, execution_requires_authorization, agreement_has_two_signers, delegation_requires_agreement, execution_traceability. Three interop bridges (SPIFFE, W3C VC, JWT) let GM artifacts travel across ecosystem boundaries.

Value Added

  • Two AI agents can establish a cryptographically governed relationship without a shared identity provider.

  • Authority can be delegated in an attenuated chain with a verifiable narrowing invariant at every hop.

  • Every authorization decision is signed and offline-verifiable.

  • Every execution is recorded in a tamper-evident chain linked to the decision that authorized it.

  • Revocation latency is bounded and auditable.

  • Five security properties are machine-checked, not just empirically tested.

  • Protocol artifacts are interoperable with SPIFFE, W3C Verifiable Credentials, and JOSE/JWT ecosystems.

What Became Possible

With a complete, machine-verified trust architecture cycle, Phase I made those governed relationships usable by autonomous agents at runtime: portable bearer tokens, human oversight, selective disclosure, and distributed consensus.

Key Releases

Version

Milestone

v0.26.0

Relationship Agreement: dual-signed AgreementRecord, canonical JSON convention

v0.27.0

Attenuable Delegation Chains: DelegatedAgreementRecord, narrowing invariant

v0.28.0

Relationship Context + BoundaryEngine: gated, signed BoundaryDecision

v0.29.0

Execution Evidence Hash Chain: tamper-evident linked execution records

v0.30.0

Freshness Proofs: bounded revocation latency, signed FreshnessProof

v0.31.0

Tamarin formal verification (5 lemmas) + SPIFFE/W3C VC/JWT interop bridges