Specifications

RFC Index

The complete Agent Trust Fabric protocol stack — three coordinated open standards, 40 formal invariants, and a published academic record.

RFC-ATF-1 — Delegation RFC-ATF-2 — Continuity RFC-ATF-3 — Evidence
RFC-ATF-1 · v1.0.0 · Standards Track · OMNIX QUANTUM LTD · May 2026

Agent Trust Fabric Delegation Protocol

Specifies the Agent Identity Record, Delegation Receipt, Trust Lattice, and Monotonic Authority Reduction invariant — a cryptographic framework for post-quantum-secured agent authority delegation. Every delegation event produces an artifact verifiable by any third party without platform access.

6 InvariantsML-DSA-65 / FIPS 204Trust LatticeTLA+ Spec
DOI: 10.5281/zenodo.20155016 ↗ SSRN: 6757339 ↗ Full Text on GitHub ↗

Table of Contents

6 Core Invariants

ATF-INV-001
Monotonic Authority Reduction (MAR)budget_granted ≤ budget_delegator. Authority can only decrease through the chain.
ATF-INV-002
Receipt SigningEvery DR must carry a valid ML-DSA-65 signature by the delegating principal.
ATF-INV-003
Chain Root TraceabilityEvery delegation chain must trace to a TIER-1 (human) identity root.
ATF-INV-004
Budget CeilingNo agent may possess authority_budget exceeding its AIR ceiling.
ATF-INV-005
Receipt Immutabilitycontent_hash must match the deterministic SHA-256 of the canonical receipt fields.
ATF-INV-006
Independent VerifiabilityAny party with the issuer's public key can verify any receipt without platform access.

Agent Identity Record (AIR)

Every agent operating under ATF governance must have an AIR — a PQC-signed document establishing:

  • agent_id — format: AID-{JURISDICTION}-{DATE}-{HEX16}
  • tier — TIER-1 (Human) · TIER-2 (Autonomous) · TIER-3 (Subordinate)
  • authority_budget — ceiling [0.0, 1.0]
  • pqc_public_key — ML-DSA-65 public key
  • content_hash — SHA-256 canonical hash

Tier determines registration tier and default authority ceiling.

Trust Lattice

The Trust Lattice is a directed acyclic graph where each node is an AIR and each edge is a signed DR. Properties:

  • Acyclic — no authority loops permitted
  • Single root per chain — must be TIER-1
  • Edge weight = authority_budget (non-increasing)
  • ATF Chain Completeness Score (CCS) measures verifiable depth
  • Offline-verifiable from any node upward to root
RFC-ATF-2 · v1.0.0 · Extension to RFC-ATF-1 · OMNIX QUANTUM LTD · May 2026

Runtime Governance Continuity

Extends RFC-ATF-1 into the full execution lifecycle of long-running agent workflows. Introduces the Runtime Continuity Record, the Continuity Eligibility Score, the Authority Fragmentation Guard, and the Escalation Protocol. Adds 8 RGC invariants.

+8 Invariants (14 total)CES FormulaAFGHALT ProtocolEscalation
SSRN: 6763978 ↗ Full Text on GitHub ↗

Continuity Eligibility Score (CES)

CES = T×0.30 + B×0.30 + D×0.20 + I×0.20
All components ∈ [0, 100]. Weights are protocol invariants (RGC-INV-001) — immutable at runtime.
StageThresholdEffect
NOMINAL≥ 75.0Standard operation
MONITORING≥ 50.0Elevated logging
WARNING≥ 25.0Reduced confidence
CRITICAL≥ 10.0Single-decision auth
HALT< 10.0All execution blocked

8 RGC Invariants

RGC-INV-001
CES Formula FixedCES = T×0.30 + B×0.30 + D×0.20 + I×0.20. Weights immutable.
RGC-INV-002
RCR Chain IntegrityEach RCR must reference predecessor_rcr_id forming a verified chain from TAR.
RGC-INV-003
HALT ProtocolCES < 10.0 → all execution blocked. Emergency evidence seal triggered.
RGC-INV-004
Escalation Event IntegrityCEEs must carry escalation_event_id and signed audit trail.
RGC-INV-005
AFG Budget CeilingSum of granted budgets across concurrent sub-agents ≤ chain root budget × AFG_LIMIT.
RGC-INV-006
Reauthorization IntegrityRC must reference originating CEE and be approved by TIER-1.
RGC-INV-007
CES Threshold ImmutabilityStage thresholds are protocol constants, not runtime configuration.
RGC-INV-008
TAR Anchor IntegrityEvery RCR must carry the TAR ID of the originating admission event.

Authority Fragmentation Guard (AFG)

Closes an attack vector that MAR alone cannot detect: authority amplification through concurrent sub-agents each receiving near-full delegations from the same chain root.

  • AFG_FRAGMENTATION_LIMIT default: 0.90
  • Never exceed 0.95 in production
  • Values > 1.0 are rejected by protocol
  • Enforced aggregate-level, not per-agent

Runtime Continuity Record (RCR)

A PQC-signed, TAR-anchored authority health artifact emitted at governed intervals. Key fields:

  • rcr_id — format: ATFRCR-{16HEX}
  • ces_score — computed CES value
  • continuity_status — NOMINAL/MONITORING/WARNING/CRITICAL/HALT
  • tar_id — anchor to admission TAR
  • predecessor_rcr_id — chain linkage
RFC-ATF-3 · v1.0.0 · Extension to RFC-ATF-1 and RFC-ATF-2 · OMNIX QUANTUM LTD · May 2026

Governance Policy Interoperability, Evidence Lifecycle & Forensic Verification

Three coordinated extensions: GPIL (cross-runtime governance compatibility at three interoperability levels), ELP (eight evidence classes, HOT/WARM/COLD retention tiers), and FVP (OEP forensic packages, two-plane verification, key identity fingerprinting). Adds 26 invariants bringing the total to 40.

+26 Invariants (40 total)GPILEAPOEPFVP
Full Text on GitHub ↗

GPIL — Three Interoperability Levels

Level 1 — Cryptographic (CI)
Binary: a receipt either passes ML-DSA-65 verification or it does not. Unconditional. Requires only the platform public key. Defined by ATF-INV-006.
Level 2 — Protocol (PI)
All ATF-RGC-Compliant runtimes share the identical CES formula, threshold values, and invariant table. Changing the formula means non-compliance.
Level 3 — Governance Policy (GPI)
Sovereign runtimes may configure policy parameters within protocol-bounded ranges. Two PI-compliant runtimes may reach different verdicts for the same receipt.

Evidence Lifecycle Pipeline

Three retention tiers with Merkle-chained block sealing:
HOT Tier
Active evidence in live database. Sub-second query access. Signature verification on every read. Max 90 days default.
WARM Tier
Merkle-sealed Parquet blocks. Read-optimized, near-line. Predecessor hash chaining. 90 days – 7 years.
COLD Tier
Immutable ML-DSA-65–signed blocks. Offline. Verifiable without platform. Emergency seal protocol. 7+ years.

26 New Invariants

GPIL × 3
INV-001: Layer hierarchy
INV-002: Param bounds
INV-003: CRGC integrity
ELR × 4
INV-001: Class assignment
INV-002: Tier ordering
INV-003: Seal integrity
INV-004: Transition audit
EAP × 7
INV-001–007: Archive pipeline, hash chain, emergency seal, tier ordering, entry hash determinism
OEP × 6
INV-001–006: Package integrity, self-containment, offline verifiability
FEA × 5
INV-001–005: Export RBAC, key isolation, caller key prohibition
FVP × 1
INV-007: Two-plane verification independence

OMNIX Evidence Package (OEP)

A cryptographically sealed, self-contained forensic ZIP package. Contains everything needed to verify a complete authority chain offline, years after the issuing system is decommissioned:

  • All receipts (DR + TAR + RCR chain)
  • COLD archive blocks with Merkle proofs
  • Platform public key at time of export
  • Forensic HTML report
  • ML-DSA-65 package signature over canonical manifest
  • Custody log with RBAC-controlled export record