Phase I – Runtime Trust Layer¶
Versions: v0.32.0 – v0.37.0 Question: How do you make those governed relationships usable by autonomous agents at runtime — fast, portable, and with human override authority for high-stakes actions?
What Changed¶
Invocation-Bound Capability Tokens (v0.32): An InvocationToken
fuses sovereign identity, an attenuated capability scope (always a subset
of the source agreement), an optional invocation budget, and policy
constraints into a single Ed25519-signed JSON record. Any verifier
holding the issuer’s public key validates it offline. Each invocation
produces a signed InvocationUseRecord linked by prev_use_digest,
forming a tamper-evident use ledger. Verification latency: 0.189 ms.
Justification proofs (v0.33): A JustificationProof wraps the
ordered GateTrace from a BoundaryEngine run — each gate’s name, type,
inputs, and pass/fail result, with a short-circuit pointer. Signed by the
issuer; verifiable by any auditor without re-running the engine.
Human oversight + dual-signed commitments (v0.34): A
HumanOversightPolicy runs eight deterministic checks (capability scope,
counterparty allowlist, value threshold, time window, frequency limit,
irreversibility, novel counterparty, anomaly flag) and produces one of
three outcomes: automatic, human_approve, or block. High-stakes
actions produce a HumanApprovalRequest that the human custodian
must countersign; the result is a DualSignedCommitment requiring both
keys. Neither party can forge it alone.
Selective disclosure (v0.35): A CapabilityCommitment is a signed
Merkle root over a sorted capability set. A CapabilityMembershipProof
carries only the leaf hash and O(log N) sibling hashes — nothing about
other capabilities. A CapabilityNullifier prevents replay.
Distributed consensus authorization (v0.36): A ConsensusProof
assembles K-of-N signed ValidatorVotes over the same
JustificationProof. Votes from sovereigns outside the named validator
set are excluded. An approved proof issues an EphemeralExecutionIdentity
that expires in ~120 s and cannot be transferred.
Peer risk signals (v0.37): A PeerRiskSignal starts at 0.5 and
moves via EWMA (α=0.2) with successful and failed outcomes. Between
updates it decays as signal × exp(-λ × elapsed_days) (λ=0.05). A
RiskAnomaly is raised when a new delta falls more than 3σ outside the
variance of the last 10 updates. Strictly local: no shared ledger, no
federation-wide score, no cross-sovereign comparison.
Value Added¶
An agent can carry a signed bearer token to an offline verifier without any network call to the GM stack.
Every authorization decision has a signed gate trace; auditors can verify how the decision was made, not just what it was.
High-stakes actions require both the agent key and a human custodian key — the agent cannot execute them alone.
An agent can prove one capability to a third party without revealing the full capability set.
Consequential authorizations can require K-of-N named validators, not a single operator.
Each sovereign independently tracks counterparty reliability through a time-decaying signal updated from execution history.
Every component is opt-in; the normal authorization path is unmodified.
What Became Possible¶
With a complete runtime trust layer, Phase J hardened the pipeline against adversarial behavior: correlated validators, patient credit-farming, hidden model instructions, context injection, communication fingerprinting, and DNS-free discovery.
Key Releases¶
Version |
Milestone |
|---|---|
v0.32.0 |
Invocation-Bound Capability Tokens (IBCTs): offline bearer token, use ledger |
v0.33.0 |
Justification Proofs: signed GateTrace artifact, evaluate_with_proof() |
v0.34.0 |
Human Oversight + DualSignedCommitment: 8-check policy, countersign flow |
v0.35.0 |
Selective Disclosure: Merkle capability proof, CapabilityNullifier |
v0.36.0 |
Distributed Consensus Authorization: K-of-N, EphemeralExecutionIdentity |
v0.37.0 |
Peer Risk Signals: EWMA, decay, anomaly detection, RiskSignalGate |