Buchumschlag

Gespeichert in:
Bibliographische Detailangaben
1. Verfasser: Nunes, Harold
Format: Recurso digital
Sprache:Englisch
Veröffentlicht: Zenodo 2026
Schlagworte:
Agent Trust Fabric
ATF
AI governance
forensic verification
evidence lifecycle
post-quantum cryptography
ML-DSA-65
Dilithium-3
NIST FIPS 204
governance protocol
open standard
RFC
ATF-FEI-Compliant
OMNIX QUANTUM
cryptographic delegation
audit infrastructure
multi-agent systems
immutable archive
forensic package
conformance suite
Online-Zugang:https://doi.org/10.5281/zenodo.20247342
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
Inhaltsangabe:
  • <p><strong>RFC-ATF-3</strong> is the third foundational specification in the <strong>Agent Trust Fabric (ATF) Open Protocol Standard</strong> — an open, post-quantum governance protocol for AI agents operating in high-stakes environments that require cryptographically verifiable delegation chains, real-time authority monitoring, and forensically auditable evidence infrastructure.</p> <p>The ATF stack was designed to answer a question that most AI governance frameworks avoid: <em>how do you formally prove, years after the fact, that an AI agent acted within the boundaries it was authorized to act within — without relying on the availability of the platform, the original operators, or any live infrastructure?</em> RFC-ATF-3 is the answer to that question.</p> <h3>Context: The ATF Protocol Stack</h3> <p>RFC-ATF-3 is the third and final layer of a three-RFC architecture, each addressing a distinct structural problem in AI agent governance:</p> <ul> <li><strong>RFC-ATF-1</strong> (DOI: <a href="https://doi.org/10.5281/zenodo.20155016">10.5281/zenodo.20155016</a>) established the cryptographic foundation: ML-DSA-65 delegation chains, monotonic authority reduction, and offline verifiability. Six invariants. <em>ATF-Compliant</em> designation.</li> <li><strong>RFC-ATF-2</strong> (DOI: <a href="https://doi.org/10.5281/zenodo.20241344">10.5281/zenodo.20241344</a>) addressed runtime continuity: the Continuity Enforcement Score (CES) formula, Runtime Continuity Records, HALT semantics, and acyclicity constraints on delegation chains. Eight invariants. <em>ATF-RGC-Compliant</em> designation.</li> <li><strong>RFC-ATF-3</strong> (this document) addresses the evidence problem: what is produced by a governed system, how long it is retained, how it is archived with cryptographic immutability, and how it is forensically reconstructed by an independent auditor. Twenty-six new invariants. <em>ATF-FEI-Compliant</em> designation.</li> </ul> <p>Together, the three RFCs define <strong>40 formally specified invariants</strong> — the most comprehensive formal constraint set published for AI agent governance infrastructure to date.</p> <h3>Part I — Governance Policy Interoperability Layer (GPIL)</h3> <p>Multi-agent systems increasingly operate across organizational boundaries, regulatory jurisdictions, and technical runtimes. Most governance frameworks treat interoperability as a configuration problem. GPIL treats it as a formal protocol problem.</p> <p>GPIL defines a <strong>three-tier interoperability taxonomy</strong> that separates concerns which virtually all existing frameworks conflate:</p> <ul> <li><strong>Layer 1 — Cryptographic Interoperability:</strong> Can two runtimes verify each other's signatures? Governed by algorithm compatibility (ML-DSA-65 ↔ ML-DSA-65) and key format standardization. Non-negotiable — no sovereign override permitted.</li> <li><strong>Layer 2 — Protocol Interoperability:</strong> Do two runtimes implement the same ATF message types, delegation semantics, and receipt formats? Governed by version negotiation and profile matching.</li> <li><strong>Layer 3 — Governance Policy Interoperability:</strong> Can two organizations agree on thresholds, approval quorums, retention periods, and escalation paths — without compromising either party's sovereign governance parameters?</li> </ul> <p>GPIL introduces the <strong>Policy Parameter Registry</strong> — a categorized table of all ATF-relevant governance parameters, each classified as <em>Protocol-Bounded</em> (immutable by organizational policy) or <em>Sovereign</em> (configurable within formal bounds). This prevents the class of governance failures caused by misconfigured thresholds that silently override protocol-level safety constraints.</p> <p>The <strong>Cross-Runtime Governance Contract (CRGC)</strong> is a signed, version-locked bilateral agreement between two ATF runtimes. A CRGC specifies the agreed parameter set for the interaction, carries ML-DSA-65 signatures from both parties, and is immutable once executed. Any parameter drift after CRGC execution triggers a protocol violation — not a configuration warning. Three invariants: GPIL-INV-001–003.</p> <h3>Part II — Evidence Lifecycle & Archive Pipeline (ELP)</h3> <p>A governed AI system continuously produces evidence: delegation receipts, runtime continuity records, authority transitions, escalation events, approval decisions, execution traces. Without a formal lifecycle specification, this evidence accumulates without structure, degrades without policy, and becomes forensically useless over time.</p> <p>ELP defines <strong>eight evidence classes</strong> with formal classification rules:</p> <ul> <li>Governance Delegation Receipt (GDR)</li> <li>Runtime Continuity Record (RCR)</li> <li>Authority Transition Record (ATR)</li> <li>Escalation Event Record (EER)</li> <li>Approval Decision Receipt (ADR)</li> <li>Policy Violation Record (PVR)</li> <li>Forensic Reconstruction Input (FRI)</li> <li>Archive Integrity Proof (AIP)</li> </ul> <p>Each class carries a mandatory classification at creation time (ELR-INV-001), and that classification is immutable for the lifetime of the record (ELR-INV-002). Evidence transitions through formal lifecycle stages — ACTIVE → ARCHIVED → COLD → SEALED — with retention tier compliance enforced by invariant (ELR-INV-003, ELR-INV-004).</p> <p>The <strong>Immutable Evidence Archive Pipeline (EAP)</strong> specifies the cold archive structure: a Merkle-chained sequence of COLD blocks, each containing a set of sealed evidence records, a canonical hash computed over its contents, and a back-pointer to the previous block's hash. The genesis block carries a cryptographic anchor (EAP-INV-007) that allows any auditor to verify the integrity of the entire archive from any point in the chain. COLD blocks are immutable once sealed (EAP-INV-004) — no amendment, no deletion, no reprocessing. Seven invariants: EAP-INV-001–007.</p> <h3>Part III — Forensic Verification Protocol (FVP)</h3> <p>Forensic verification in AI governance faces a problem that traditional audit frameworks do not: the auditor may have no access to the live system, no relationship with the original operators, and no ability to replay the events being audited. The only thing they have is what was exported — and that export must be sufficient for a complete, independent reconstruction.</p> <p>The <strong>OMNIX Evidence Package (OEP)</strong> is the forensic deliverable format specified by RFC-ATF-3. An OEP is a self-contained directory archive with a fixed structure:</p> <pre>OMNIX-PACKAGE-{DATE}-{ID}/ META/ manifest.json (signed package manifest) README.txt (human-readable verification instructions) BLOCKS/ OMNIX-BLOCK-*.json (COLD blocks in chain order) chain_index.json (block sequence with canonical hashes) KEYS/ public_key.b64 (ML-DSA-65 public key, base64) VERIFY/ omnix_atf_verify.py (offline CLI verifier, Python 3.8+) verify_all.sh (full chain verification script) CUSTODY/ evidence_custody_log.json REPORT/ forensic_report.html (offline forensic reconstruction report) SIGNATURE/ package_signature.json (ML-DSA-65 signature over canonical manifest hash) </pre> <p>An OEP can be verified entirely offline — no network access, no platform availability, no operator involvement. The verifier script is included in the package itself. Six invariants: OEP-INV-001–006.</p> <p>The <strong>Forensic Export Authentication (FEA)</strong> protocol governs how OEPs are generated. FEA-INV-001 mandates key isolation: export signing keys must be separate from governance signing keys — a single key compromise cannot simultaneously invalidate both the governance chain and its forensic deliverables. FEA-INV-003 mandates fail-closed behavior: if the signing key is absent or invalid at export time, the export fails — it does not produce an unsigned package. Five invariants: FEA-INV-001–005.</p> <p><strong>FVP-INV-007</strong> — the Determinism Invariant — is the most technically consequential constraint in RFC-ATF-3: any conformant verifier implementation, regardless of programming language or platform, must produce an identical forensic verdict given identical inputs. This means the hash function, the serialization format, the canonical form of all inputs, and the verdict encoding must all be specified with sufficient precision that two independent implementations cannot produce divergent results. Cross-language hash parity is mandatory, not aspirational.</p> <h3>ATF-FEI-Compliant Designation</h3> <p>An implementation that fully conforms to RFC-ATF-1, RFC-ATF-2, and RFC-ATF-3 earns the <strong>ATF-FEI-Compliant</strong> (Forensic Evidence Infrastructure Compliant) designation — the highest tier in the ATF protocol hierarchy. This designation is intended for forensic-grade, regulatory-grade, and institutional-grade deployments where governance decisions must be independently auditable for years or decades after the fact, without platform availability.</p> <p>Conformance is verified using the standalone <strong>ATF Conformance Suite</strong>:</p> <ul> <li>92 test vectors across all 40 invariants</li> <li>Three profiles: BASE (ATF-INV-001–006), RGC (BASE + RGC-INV-001–008), ALL (full 40-invariant ATF-FEI-Compliant)</li> <li>Zero external dependencies beyond Python 3.8</li> <li>Each run produces an <strong>ATF Conformance Result (ATFCR)</strong> artifact with a unique ATFCR-* identifier and SHA-256 integrity hash suitable for inclusion in regulatory submissions, audit logs, and IMPLEMENTATIONS.md</li> </ul> <p>Available at: <a href="https://github.com/Costenho19/atf-protocol-standard/tree/main/atf-conformance-suite">github.com/Costenho19/atf-protocol-standard/tree/main/atf-conformance-suite</a></p> <h3>Cryptographic Design</h3> <p>RFC-ATF-3 is post-quantum secure by design. All signatures — governance receipts, delegation records, forensic packages, Cross-Runtime Governance Contracts, and export authentication — use <strong>ML-DSA-65 (Dilithium-3)</strong>, standardized as NIST FIPS 204 (August 2024). ECDSA, RSA, and any pre-quantum signature scheme are not referenced in the protocol. Evidence packages are designed to remain cryptographically verifiable for decades, assuming continued availability of ML-DSA-65 implementations — which, as a NIST standard, is a reasonable long-term assumption.</p> <h3>Publication Notes</h3> <ul> <li>This document is the reference specification for the OMNIX QUANTUM governance platform</li> <li>Published as an open standard under CC BY 4.0 to enable independent implementations, academic review, and institutional adoption</li> <li>Full source, conformance suite, test vectors, and implementation guidance available at <a href="https://github.com/Costenho19/atf-protocol-standard">github.com/Costenho19/atf-protocol-standard</a></li> <li>The PDF included in this record was generated from the canonical markdown source (RFC-ATF-3.md, also included) using the OMNIX institutional PDF pipeline with ML-DSA-65 branding and full dark-mode rendering</li> </ul>

Ähnliche Einträge