OMNIX QUANTUM LTD Harold Nunes, Editor May 2026 Version 1.1

Runtime Legitimacy Infrastructure

The technical case for cryptographically verifiable AI agent authority governance — post-quantum secured, formally specified, independently auditable.

  • 40: Formal invariants across 8 families (RFC-ATF-1/2/3)
  • 66: Conformance test vectors, CI green (ci.yml → 66/66 pass)
  • 245+: Institutional test suite passing (pytest -v, May 2026)
  • 0: Platform access needed to verify (ATF-INV-006)
§ 1

The Runtime Legitimacy Problem

Modern AI and autonomous agent systems generate decisions at machine speed. These decisions may have regulatory, financial, or safety consequences. Every existing agent framework — LangChain, AutoGen, CrewAI, Microsoft Semantic Kernel — delegates authority implicitly, through environment variables, API keys, or runtime role assignments that are neither signed by the delegating principal nor verifiable by a third party.

This produces three structural failure categories:

Problem A — Opaque delegation. When an agent acts, there is no signed, auditable record linking that agent's authority to a human principal. Who authorized this agent? What scope? When did authorization expire?
Problem B — No runtime continuity guarantee. Autonomous sessions degrade — temporal windows close, authority budgets deplete, context drifts. There is no mechanism to detect when a session becomes illegitimate before the next decision executes.
Problem C — Evidence evaporation. Decision evidence exists only in live databases. After migration, decommissioning, or a security incident, the ability to independently verify past decisions is permanently lost.

OMNIX solves all three: explicit signed delegation (ATF), session legitimacy scoring (CES), and immutable evidence archive (EAP). Every component is formally specified, invariant-governed, and post-quantum hardened.

§ 2

Architecture Overview

OMNIX organizes governance into six layers. Authority propagates downward from a human root. Evidence flows upward, cryptographically signed at every layer.

| Layer | Name | Contents | Tags |
|---|---|---|---|
| L5 | Immutable Evidence | COLD archive blocks · OEP bundles · Forensic verification · Evidence lifecycle (HOT→WARM→COLD) | OEP, EAP, Archive, FVP |
| L4 | Execution Gate | Governance Receipt · Adaptive Veto Machine (AVM) · ATF compliance check before every decision | GRC, AVM, EIL |
| L3 | Runtime Continuity | Runtime Continuity Record · CES scoring · HALT protocol · Cross-domain trust bridges | RCR, CES, HALT, DTB |
| L2 | Temporal Admissibility | Temporal Admissibility Record · Session bounds · TTL enforcement · nanosecond-precise admission | TAR, TTL, Window |
| L1 | Delegation | Delegation Receipt · Scope assignment · MAR enforcement · Trust Lattice (DAG) | DR, MAR, Lattice |
| L0 | Human Authority Root | Agent Identity Receipt (AIR) · TIER-1 registration · Root key issuance · budget = 100.0 | AIR, AID, Root |

Design principle: Every artifact at every layer carries an ML-DSA-65 signature over a deterministic canonical hash. A third party can reconstruct and verify the complete chain from L5 back to L0 without any platform access — only receipts and the root public key are required.
§ 3

Agent Trust Fabric (ATF)

The Agent Trust Fabric is the formal delegation and identity layer. Specified in RFC-ATF-1 (May 2026, DOI: 10.5281/zenodo.20155016).

Agent Identity Record (AIR)

Every agent must have an AIR — a PQC-signed document binding a unique AID-{DOMAIN}-{16HEX} identifier to an authority budget and Dilithium-3 public key. Tier-1 principals (human operators) have budget = 100.0. Every delegation step can only reduce the budget.

Delegation Receipt (DR)

Every authority transfer produces a Delegation Receipt — a PQC-signed artifact recording the exact budget transferred, task scope, delegator identity, and chain root. DRs form a directed acyclic graph (the Trust Lattice) with chain_root_id tracing back to the human Tier-1 principal.

ATF-INV-001: Monotonic Authority Reduction (MAR)

budget_granted ≤ budget_delegator — enforced at every delegation step.

Authority can only decrease through the chain. No agent may possess or exercise authority exceeding what was explicitly delegated. This invariant is formally model-checked in TLA+ and verified by the conformance test suite (V-ATF-001-N tests the violation case).
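
The MAR check carried across a whole delegation chain, as an added example that is not part of the whitepaper or the OMNIX code base. Only budget_granted, budget_delegator, chain_root_id and pqc_signature are names from the page; the other fields, the canonical-JSON hashing and the sample AIDs are assumptions, and the signature is checked for presence only because ML-DSA-65 verification needs a PQC library.

```python
import hashlib
import json

TIER1_BUDGET = 100.0  # page: Tier-1 principals have budget = 100.0

def content_hash(receipt):
    """SHA-256 over canonical JSON of all fields except the hash and signature (assumed layout)."""
    body = {k: v for k, v in receipt.items() if k not in ("content_hash", "pqc_signature")}
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()

def make_dr(delegator, delegate, budget_delegator, budget_granted, root):
    """Build a constructed sample receipt; the signature is a placeholder, not ML-DSA-65."""
    dr = {"delegator_id": delegator, "delegate_id": delegate, "chain_root_id": root,
          "budget_delegator": budget_delegator, "budget_granted": budget_granted}
    dr["content_hash"] = content_hash(dr)
    dr["pqc_signature"] = "PLACEHOLDER-SIGNATURE"
    return dr

def verify_chain(receipts, root_id):
    """Walk DRs from the Tier-1 root outward; return violations (empty list = pass)."""
    errors, holder, held = [], root_id, TIER1_BUDGET
    for i, dr in enumerate(receipts):
        if not dr.get("pqc_signature"):  # presence only; real verification needs a PQC library
            errors.append(f"DR[{i}] ATF-INV-002: missing pqc_signature")
        if dr.get("content_hash") != content_hash(dr):
            errors.append(f"DR[{i}] ATF-INV-005: content hash mismatch")
        if dr["chain_root_id"] != root_id or dr["delegator_id"] != holder:
            errors.append(f"DR[{i}] ATF-INV-003: not linked to root or previous holder")
        if dr["budget_delegator"] > held:
            errors.append(f"DR[{i}] ATF-INV-001: delegator claims more budget than it holds")
        if dr["budget_granted"] > dr["budget_delegator"]:
            errors.append(f"DR[{i}] ATF-INV-001: budget_granted > budget_delegator")
        holder, held = dr["delegate_id"], min(dr["budget_granted"], held)
    return errors

# Constructed sample chain: human root -> agent A (80.0) -> agent B (50.0).
ROOT, A, B, C = ("AID-OPS-%016X" % n for n in range(1, 5))
GOOD = [make_dr(ROOT, A, 100.0, 80.0, ROOT), make_dr(A, B, 80.0, 50.0, ROOT)]
# B holds 50.0 but writes 90.0 into its own receipt so that granting 80.0 looks valid locally.
INFLATED = GOOD + [make_dr(B, C, 90.0, 80.0, ROOT)]
# A receipt edited after hashing: the grant is raised from 50.0 to 75.0.
TAMPERED = [GOOD[0], dict(GOOD[1], budget_granted=75.0)]

if __name__ == "__main__":
    for name, chain in (("good", GOOD), ("inflated", INFLATED), ("tampered", TAMPERED)):
        print(name, verify_chain(chain, ROOT) or "OK")
```

The INFLATED case passes a per-receipt budget_granted ≤ budget_delegator check and is caught only because the verifier carries the budget actually held down the chain.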

Registration Tiers

| Tier | Max Budget | Description |
|---|---|---|
| TIER-1 | 100.0 | Human operator, full authority, chain root |
| TIER-2 | 80.0 | Operational agent, direct delegation from human |
| TIER-3 | 50.0 | Supervised agent, default authority |
| TIER-4 | 20.0 | Read-only agent, minimal scope |

§ 4

Runtime Continuity & CES

Specified in RFC-ATF-2 (SSRN: 6763978). The Continuity Eligibility Score measures session legitimacy in real-time before every execution decision.

CES = T × 0.30 + B × 0.30 + D × 0.20 + I × 0.20

| Weight | Component | Field |
|---|---|---|
| 30% | Temporal | ces_temporal (T) |
| 30% | Budget | ces_budget (B) |
| 20% | Context Drift | ces_context (D) |
| 20% | Chain Integrity | ces_integrity (I) |

The CES formula is fixed by RGC-INV-001 — it cannot be changed by configuration or runtime parameters. This is a protocol invariant, not an operational setting.

Continuity Status Stages

| CES Range | Status | Action |
|---|---|---|
| ≥ 75 | NOMINAL | Continue execution normally |
| 50 – 74 | MONITORING | Increase sampling frequency |
| 25 – 49 | WARNING | Alert operator, reduce scope |
| 10 – 24 | CRITICAL | Require reauthorization |
| < 10 | HALT | Immediate cessation — RGC-INV-003 |

RGC-INV-003 (HALT Protocol): When CES < 10.0, execution MUST cease immediately. The agent cannot continue until reauthorization by the delegating principal. This is an invariant — not a configurable threshold.
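
A pre-execution gate over a chain of Runtime Continuity Records, as an added example that is not taken from the whitepaper or the OMNIX code base: it recomputes the CES from the fixed weights, rejects a forged score or a broken predecessor link, and stops at HALT. The ces_* component names are the page's; the 0-100 component scale, the prev_hash, ces and record_hash fields and the treatment of each status range as a lower bound are assumptions.

```python
import hashlib
import json

# Weights fixed by RGC-INV-001; component scores are assumed to be on a 0-100 scale.
WEIGHTS = {"ces_temporal": 0.30, "ces_budget": 0.30, "ces_context": 0.20, "ces_integrity": 0.20}
# Lower bound of each stage from the status table; anything under 10 is HALT.
STAGES = [(75.0, "NOMINAL"), (50.0, "MONITORING"), (25.0, "WARNING"), (10.0, "CRITICAL")]

def compute_ces(rec):
    return sum(rec[name] * weight for name, weight in WEIGHTS.items())

def status_for(ces):
    return next((name for floor, name in STAGES if ces >= floor), "HALT")

def record_hash(rec):
    body = {k: v for k, v in rec.items() if k != "record_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def make_rcr(prev, t, b, d, i, claimed_ces=None):
    """Build a constructed RCR linked to its predecessor; claimed_ces lets a test forge the score."""
    rec = {"prev_hash": prev["record_hash"] if prev else None,
           "ces_temporal": t, "ces_budget": b, "ces_context": d, "ces_integrity": i}
    rec["ces"] = compute_ces(rec) if claimed_ces is None else claimed_ces
    rec["record_hash"] = record_hash(rec)
    return rec

def gate(records):
    """Return (decision, index): the last record's status, or REJECT/HALT at the first failure."""
    prev_hash, status = None, "HALT"  # fail closed on an empty session
    for n, rec in enumerate(records):
        if rec["record_hash"] != record_hash(rec) or rec["prev_hash"] != prev_hash:
            return ("REJECT", n)  # RGC-INV-002: broken predecessor linkage or edited record
        if abs(rec["ces"] - compute_ces(rec)) > 1e-9:
            return ("REJECT", n)  # claimed score does not follow from the fixed formula
        status = status_for(rec["ces"])
        if status == "HALT":
            return ("HALT", n)    # RGC-INV-003: stop before the next decision
        prev_hash = rec["record_hash"]
    return (status, len(records) - 1)

# Constructed session: healthy, degrading, then below the HALT line.
r0 = make_rcr(None, 100, 100, 100, 100)
r1 = make_rcr(r0, 60, 70, 80, 90)
r2 = make_rcr(r1, 10, 5, 10, 10)
forged = make_rcr(r1, 10, 5, 10, 10, claimed_ces=80.0)  # same components, inflated score

if __name__ == "__main__":
    print(gate([r0]), gate([r0, r1]), gate([r0, r1, r2]), gate([r0, r1, forged]))
```
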
§ 5

Evidence Archive Pipeline (EAP)

Specified in RFC-ATF-3. The EAP provides forensic-grade chain of custody from genesis event to permanent cold storage, with cryptographic linkage between every tier.

  • HOT: Active evidence · Redis/DB · Real-time access · 90 days SLA
  • WARM: Recent evidence · Compressed store · Hours access · 1 year retention
  • COLD: Archived evidence · Merkle-chained · Days access · 7 year retention
  • ARCHIVE: Permanent store · OEP bundles · Regulator delivery · Indefinite

Each transition between tiers is governed by invariants (ELR-INV-001–004). Evidence classes include: Delegation Events, Runtime Snapshots, Execution Decisions, Policy Changes, and Security Events. Every ARCHIVE block carries a root Merkle hash covering all HOT evidence that entered it — EAP-INV-005 (Merkle Completeness).
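
An offline check of an archive block chain, as an added example that is not from the whitepaper or the OMNIX code base: it verifies cross-block hash continuity (EAP-INV-002), strictly increasing timestamps (EAP-INV-004) and that each block's Merkle root covers exactly the evidence presented for it (EAP-INV-005). The block fields, the genesis value and the Merkle construction (SHA-256 with leaf/node prefixes, odd node carried up) are assumptions, and block signatures (EAP-INV-003) are left out.

```python
import hashlib

GENESIS = "0" * 64  # assumed predecessor value for the first block

def merkle_root(items):
    """SHA-256 Merkle root with leaf/node domain separation; an odd node is carried up unchanged."""
    level = [hashlib.sha256(b"\x00" + item).digest() for item in items]
    if not level:
        return hashlib.sha256(b"").hexdigest()
    while len(level) > 1:
        nxt = [hashlib.sha256(b"\x01" + level[i] + level[i + 1]).digest()
               for i in range(0, len(level) - 1, 2)]
        if len(level) % 2:
            nxt.append(level[-1])
        level = nxt
    return level[0].hex()

def block_hash(prev, timestamp_ns, root):
    return hashlib.sha256(f"{prev}|{timestamp_ns}|{root}".encode()).hexdigest()

def seal_block(prev_block, timestamp_ns, evidence):
    prev = prev_block["block_hash"] if prev_block else GENESIS
    root = merkle_root(evidence)
    return {"prev_block_hash": prev, "timestamp_ns": timestamp_ns, "merkle_root": root,
            "block_hash": block_hash(prev, timestamp_ns, root)}

def verify_archive(blocks, evidence_by_block):
    """Return (block index, finding) pairs for every violation found."""
    errors, prev, last_ts = [], GENESIS, -1
    for n, (blk, evidence) in enumerate(zip(blocks, evidence_by_block)):
        if blk["prev_block_hash"] != prev:
            errors.append((n, "EAP-INV-002"))  # cross-block hash continuity
        if blk["timestamp_ns"] <= last_ts:
            errors.append((n, "EAP-INV-004"))  # timestamps strictly increasing
        if blk["merkle_root"] != merkle_root(evidence):
            errors.append((n, "EAP-INV-005"))  # root must cover all evidence
        if blk["block_hash"] != block_hash(blk["prev_block_hash"], blk["timestamp_ns"], blk["merkle_root"]):
            errors.append((n, "block_hash"))   # block edited after sealing
        prev, last_ts = blk["block_hash"], blk["timestamp_ns"]
    return errors

# Constructed evidence items and a three-block archive.
EVIDENCE = [[b"delegation:dr-1", b"decision:d-1", b"snapshot:s-1"],
            [b"decision:d-2"], [b"policy:p-1", b"security:e-1"]]
BLOCKS = []
for ts, items in zip((1000, 2000, 3000), EVIDENCE):
    BLOCKS.append(seal_block(BLOCKS[-1] if BLOCKS else None, ts, items))
```

Carrying an odd node up instead of duplicating it means appending a copy of the last evidence item changes the root, so a padded evidence set cannot stand in for the original.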

OMNIX Evidence Package (OEP)

The OEP is the terminal artifact of the EAP: a self-contained, cryptographically sealed bundle that enables full chain reconstruction years after the originating system is decommissioned. OEP packages are signed with the platform's ML-DSA-65 key and include the public key for verification. OEP-INV-001 through OEP-INV-006 govern package integrity, self-containment, and two-plane verification independence.

§ 6

Post-Quantum Cryptography

ATF is PQC-first by protocol invariant (ATF-INV-002). All receipts — DR, TAR, RCR, OEP — are signed with ML-DSA-65 (Dilithium-3), the NIST FIPS 204 post-quantum digital signature standard.

ML-DSA-65
NIST FIPS 204 · Dilithium-3
Security: NIST Level 3
Signature: 3,293 bytes
Public key: 1,952 bytes
Threat model: Harvest-now

Why PQC now?

"Harvest now, decrypt later" attacks mean that data signed today with classical algorithms (RSA, ECDSA) may be forged retroactively once quantum computers mature. ATF receipts are designed to be verifiable for years — potentially decades — after issuance. ML-DSA-65 provides 128-bit post-quantum security, ensuring chain integrity against future quantum adversaries.

Implementations claiming ATF-INV-002 compliance must use ML-DSA-65 or a NIST-approved PQC equivalent. Classical signature algorithms are explicitly rejected.

§ 7

40 Formal Invariants

Every invariant is formally specified in the RFC stack and covered by the conformance test suite. Invariants are grouped by family.

| ID | Family | Name | RFC / Layer |
|---|---|---|---|
| ATF-INV-001 | ATF | Monotonic Authority Reduction (MAR) | RFC-ATF-1 §7.1 |
| ATF-INV-002 | ATF | Receipt Signing — ML-DSA-65 required | RFC-ATF-1 §7.2 |
| ATF-INV-003 | ATF | Chain Root Traceability — TIER-1 human root | RFC-ATF-1 §7.3 |
| ATF-INV-004 | ATF | Budget Ceiling — granted ≤ delegator budget | RFC-ATF-1 §7.4 |
| ATF-INV-005 | ATF | Receipt Immutability — SHA-256 content hash | RFC-ATF-1 §7.5 |
| ATF-INV-006 | ATF | Independent Verifiability — no platform access needed | RFC-ATF-1 §7.6 |
| RGC-INV-001 | RGC | CES Formula Fixed — T×0.30+B×0.30+D×0.20+I×0.20 | RFC-ATF-2 §5.1 |
| RGC-INV-002 | RGC | RCR Chain Integrity — predecessor linkage | RFC-ATF-2 §5.2 |
| RGC-INV-003 | RGC | HALT Protocol — CES < 10.0 → immediate cessation | RFC-ATF-2 §5.3 |
| RGC-INV-004 | RGC | Escalation Event Integrity | RFC-ATF-2 §5.4 |
| RGC-INV-005 | RGC | Authority Fragmentation Guard (AFG) | RFC-ATF-2 §5.5 |
| RGC-INV-006 | RGC | Reauthorization Challenge Integrity | RFC-ATF-2 §5.6 |
| RGC-INV-007 | RGC | Threshold Immutability — thresholds not runtime-configurable | RFC-ATF-2 §5.7 |
| RGC-INV-008 | RGC | TAR Anchor — every RCR anchored to admission TAR | RFC-ATF-2 §5.8 |
| GPIL-INV-001 | GPIL | Cryptographic Interoperability — shared PQC primitives | RFC-ATF-3 §4.1 |
| GPIL-INV-002 | GPIL | Protocol Interoperability — wire format compatibility | RFC-ATF-3 §4.2 |
| GPIL-INV-003 | GPIL | Governance Policy Divergence Sovereignty | RFC-ATF-3 §4.3 |
| ELR-INV-001 | ELR | Evidence Class Assignment Immutability | RFC-ATF-3 §5.1 |
| ELR-INV-002 | ELR | Lifecycle Tier Ordering (HOT→WARM→COLD only) | RFC-ATF-3 §5.2 |
| ELR-INV-003 | ELR | Retention Threshold Immutability | RFC-ATF-3 §5.3 |
| ELR-INV-004 | ELR | Tier Transition Cryptographic Proof | RFC-ATF-3 §5.4 |
| EAP-INV-001 | EAP | Archive Append-Only — no deletion or modification | RFC-ATF-3 §6.1 |
| EAP-INV-002 | EAP | Cross-Block Hash Continuity | RFC-ATF-3 §6.2 |
| EAP-INV-003 | EAP | Block Signing — PQC signature on every archive block | RFC-ATF-3 §6.3 |
| EAP-INV-004 | EAP | Temporal Monotonicity — timestamps strictly increasing | RFC-ATF-3 §6.4 |
| EAP-INV-005 | EAP | Merkle Completeness — root covers all HOT evidence | RFC-ATF-3 §6.5 |
| EAP-INV-006 | EAP | Archive Block Finality — finalized blocks are immutable | RFC-ATF-3 §6.6 |
| EAP-INV-007 | EAP | Evidence Chain of Custody Completeness | RFC-ATF-3 §6.7 |
| OEP-INV-001 | OEP | Package Integrity — root signature covers all components | RFC-ATF-3 §7.1 |
| OEP-INV-002 | OEP | Self-Containment — all verification material included | RFC-ATF-3 §7.2 |
| OEP-INV-003 | OEP | Chain of Custody Completeness in OEP | RFC-ATF-3 §7.3 |
| OEP-INV-004 | OEP | Package Immutability after issuance | RFC-ATF-3 §7.4 |
| OEP-INV-005 | OEP | Temporal Admissibility of Bundled Evidence | RFC-ATF-3 §7.5 |
| OEP-INV-006 | OEP | Key Isolation — platform key not embedded in package | RFC-ATF-3 §7.6 |
| FEA-INV-001 | FEA | RBAC Export Gate — authenticated export only | RFC-ATF-3 §8.1 |
| FEA-INV-002 | FEA | Export Audit Trail — every export logged | RFC-ATF-3 §8.2 |
| FEA-INV-003 | FEA | Key Isolation in Export Operations | RFC-ATF-3 §8.3 |
| FEA-INV-004 | FEA | Export Scope Binding — OEP tied to authorization | RFC-ATF-3 §8.4 |
| FEA-INV-005 | FEA | Caller Key Isolation — platform keys not exported | RFC-ATF-3 §8.5 |
| FVP-INV-007 | FVP | Two-Plane Verification Independence | RFC-ATF-3 §9.1 |

§ 8

Regulatory Alignment

ATF is designed to meet the auditability and accountability requirements of the regulatory frameworks most relevant to regulated AI deployments.

EU AI Act
  • Art. 9 Risk management — MAR invariant provides bounded authority
  • Art. 13 Transparency — DR chain enables human-readable authority trace
  • Art. 17 Quality management — EAP provides forensic audit trail
  • Art. 61 Post-market monitoring — OEP enables long-term evidence retention
  • Annex IV Technical documentation — full receipt stack satisfies
NIST AI RMF
  • GOVERN 1.1 — ATF establishes formal authority boundaries
  • MAP 2.3 — Trust Lattice maps all agent relationships
  • MEASURE 2.5 — CES provides continuous runtime legitimacy metric
  • MANAGE 2.4 — HALT protocol enforces automated governance response
  • GOVERN 6.1 — GPIL enables cross-runtime policy alignment
UAE DFSA / ADGM
  • DFSA MKT 2.3 — AI trading decisions traceable to human principal
  • DFSA AMI — MAR invariant prevents unauthorized scope expansion
  • ADGM FinTech — OEP bundles satisfy long-term evidence requirements
  • UAE AI Strategy 2031 — ATF provides auditable foundation for AI deployment
§ 9

Verification Claims

Every technical claim in this whitepaper is backed by a specific test or formal specification. The following table maps claims to evidence.

| Claim | Evidence | Test / Spec |
|---|---|---|
| MAR invariant enforced at delegation | Conformance vector V-ATF-001-N rejects budget_granted > budget_delegator | test_conformance_vectors.py |
| CES formula is fixed (RGC-INV-001) | Tampered CES rejected by conformance verifier | V-RGC-002-N |
| HALT at CES < 10 (RGC-INV-003) | Unit test confirms cessation trigger | test_rcr_halt_protocol |
| Content hash verified offline | SHA-256 recomputation without platform access | test_atf_conformance.py |
| OEP package self-contained | OEP bundle verifier requires only public key | test_oep_package_verification |
| EAP tier ordering enforced (ELR-INV-002) | HOT→COLD transition tested; COLD→HOT rejected | test_eap_extended_audit.py |
| PQC signatures on all receipts | Missing pqc_signature field causes conformance failure | V-ATF-002-N |
| GPIL supports 3 interoperability levels | Policy registry and CRGC tests passing | test_governance_integrity.py |

Test coverage as of May 2026: 245+ passing tests across GPIL, OEP, EAP, and ATF conformance suites. CI: 34/34 conformance vectors green. All claims are independently reproducible by cloning the repository and running pytest tests/ -v.
§ 10

References

| Reference | Title | DOI / SSRN |
|---|---|---|
| [RFC-ATF-1] | Agent Trust Fabric Delegation Protocol, v1.0.0 | DOI: 10.5281/zenodo.20155016 · SSRN: 6757339 |
| [RFC-ATF-2] | Runtime Governance Continuity Protocol, v1.0.0 | SSRN: 6763978 |
| [RFC-ATF-3] | Evidence Lifecycle, Policy Interoperability & Forensic Verification | Zenodo: pending |
| [FIPS-204] | Module-Lattice-Based Digital Signature Standard (ML-DSA) | NIST FIPS 204 |
| [TLA+] | ATF Formal Specification, 5 model-checked properties | GitHub: atf-protocol-standard |
| [EU-AIA] | EU AI Act, Regulation (EU) 2024/1689 | OJ L, 2024 |
| [NIST-RMF] | NIST AI Risk Management Framework (AI RMF 1.0) | NIST AI 100-1 |

OMNIX QUANTUM LTD · Harold Nunes, Editor
United Arab Emirates / United Kingdom · standards@omnixquantum.com
Protocol website: costenho19.github.io/atf-protocol-standard
License: CC BY 4.0 · © 2026 OMNIX QUANTUM LTD