Skip to content

Commit f46d260

Browse files
authored
Integrate canonical v0.1.0 (#2)
1 parent e78aa2a commit f46d260

78 files changed

Lines changed: 4072 additions & 4928 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.

.gitignore

Lines changed: 2 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1,4 +1,6 @@
11
.idea/
22
.git/
33
book/
4+
site/
5+
references/
46
.DS_Store

SPEC_REVIEW_PRINCIPLES.md

Lines changed: 71 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,71 @@
1+
# ACS Spec Review Principles
2+
3+
These are the standing judgment calls behind ACS spec decisions. Load this into a coding agent's context when designing, reviewing, or critiquing changes to the schema, hooks, events, or written specification. It pairs with `STYLE.md`: STYLE governs how we write prose, this governs how we decide what goes in the spec.
4+
5+
Each principle is a heuristic, a smell test, and a worked example from a real v0.1.0 decision. Apply them; don't recite them.
6+
7+
## 1. Normative statements live at the altitude of their scope
8+
9+
A `MUST` belongs wherever its truth holds, not wherever it was first written.
10+
11+
- **Cross-cutting invariant** (true across pillars) → define it once, above the pillars, tagged NORMATIVE. *e.g. "`Intent.parsed` MUST NOT be modified by the LLM or by data crossing an untrusted channel."* Intent flows through all three pillars (Instrument fires decisions against it, Trace records it, Inspect catalogs what it authorized), so the invariant lives above them.
12+
- **Mechanism requirement** (true within one pillar's enforcement) → keep it in that pillar. *e.g. "the Guardian MUST verify approver identity," "a client declaring `provenance_producer: none` MUST be refused at handshake."*
13+
14+
**Smell test:** if a requirement is restated in two pillars, or buried in one pillar but relied on by another, it's at the wrong altitude. Hoist the invariant; leave the mechanics.
15+
16+
## 2. Every wire decision balances six constituencies
17+
18+
A change that optimizes one constituency at the others' expense is suspect. Name the trade before deciding.
19+
20+
1. **Expressiveness**: can the spec describe the real governance situation at all?
21+
2. **Framework implementers**: can they reach conformance cheaply? This guards the adoption floor.
22+
3. **Vendors and competitors**: is there room to build differentiated solutions on top? Don't absorb the value vendors should compete on.
23+
4. **Adopters and deployments**: is integration cost low?
24+
5. **Wire minimalism**: expressive enough *without* premature functionality or contract bloat that ossifies around guesses.
25+
6. **Security reality**: does it match where boundary crossing and trust-laundering actually occur?
26+
27+
**Smell test:** "more fields" or "more guidance" usually pays constituency 1 by taxing 2, 3, and 5. If you can't name who you're taxing, you haven't finished the analysis.
28+
29+
## 3. Put it on the wire only if it's lost otherwise
30+
31+
This operationalizes Principle 2. A field earns a place in the contract only if it does one of two things:
32+
33+
- **(a)** captures information lost or unreconstructable downstream, or
34+
- **(b)** marks a real trust-boundary crossing.
35+
36+
Everything else belongs in `policy_data`, a conformance profile, or vendor territory.
37+
38+
- **On the wire:** provenance that must travel across summarization, memory writes, and agent hops. Drop it and trust launders silently and unrecoverably.
39+
- **Not on the wire:** risk category, data classification, retention period, control mapping. These are reconstructable from policy plus logs; forcing them into the contract raises the floor (2.2) and commoditizes vendor value (2.3).
40+
41+
**Smell test:** "could a deployment reconstruct this after the fact from what it already logs?" If yes, keep it off the wire.
42+
43+
## 4. The wire is paradigm-neutral; new paradigms ride existing elements first
44+
45+
We name four control paradigms today (IBAC, FIDES, CaMeL, AARM) but these are points on a wider space. They represent different philosophical approaches to crafting effective controls, each grounded in existing standards and research. Others will need support over time, and the contract must accommodate them without being re-cut for each one.
46+
47+
The wire stays neutral. A new paradigm reaches the wire through the elements that already carry paradigm-specific intent:
48+
49+
- `reason_codes`: free vocabulary for machine-readable categorization.
50+
- `policy_data`: free-form payload, conventionally keyed by paradigm name (`{"ibac": {...}, "fides": {...}}`).
51+
- `policy_references`: one entry per paradigm when several reject the same action.
52+
- conformance profiles: when a paradigm needs a declarable capability tier.
53+
54+
A new paradigm earns a wire `MUST` only when it needs a signal none of these can already carry. That is Principle 3 applied to paradigms: if the needed information is expressible through existing conformant elements, it is not a spec change. It is a deployment or profile.
55+
56+
**Smell test:** "does this paradigm need a new wire field, or can it ride `policy_data`, `reason_codes`, or a profile?" If the latter, leave the wire alone. Prefer grounding the paradigm in an existing standard over inventing new surface.
57+
58+
## 5. Normative by default; mark the exceptions
59+
60+
Spec text is normative unless it says otherwise. Mark informative sections explicitly with "This section is non-normative", and treat examples and notes as informative by convention.
61+
62+
- **Non-normative prose carries no RFC 2119 keywords.** A capitalized MUST/SHOULD/MAY in informative text either creates an accidental requirement or teaches readers to ignore the keyword. Lowercase the word, or move the requirement to a normative section.
63+
- **On a mixed page** (a concept page holding invariants and teaching together), tag each invariant **(normative)** and let the surrounding prose read as informative and keyword-free.
64+
65+
This is the companion to Principle 1. That one fixes *where* a normative statement lives; this one fixes *how its force is marked*. Together they keep a hoisted invariant binding and keep explanatory prose from binding by accident.
66+
67+
**Smell test:** "Is this `MUST` sitting in text a reader would take as binding?" If the section is informative, either the requirement is in the wrong place (hoist it per Principle 1), or the keyword should not be capitalized. Convention follows W3C: default-normative, with informative sections marked explicitly.
68+
69+
---
70+
71+
*This file is meant to grow. Add a numbered section when a recurring judgment call earns the status of a principle.*

docs/acs.md

Lines changed: 12 additions & 12 deletions
Original file line numberDiff line numberDiff line change
@@ -1,21 +1,21 @@
11
# Agent Control Standard
22

3-
The Agent Control Standard (ACS) provides specification for building [trustworthy agents](./README.md).
4-
Agents that implement ACS can be deployed with higher trust.
5-
They are instrumentable, traceable and inspectable.
6-
They are an open book
3+
The Agent Control Standard (ACS) is a wire-format specification that lets a separate **Guardian Agent** permit, deny, or modify what an AI agent does in real time, over an authenticated channel and with a verifiable audit trail.
74

8-
They have a dynamic bill-of-material, a clear audit trail and hard inline-controls.
5+
Agents that implement ACS-Core run every step through a Guardian over an authenticated channel and honor its decisions in real time. With the Trace, Inspect, and Crypto profiles they also emit OpenTelemetry spans and OCSF events, expose a dynamic Agent Bill of Materials (models, MCP servers, A2A peers, tools, knowledge sources, memory stores), and gain cryptographic non-repudiation of the audit chain. ACS-Core authenticates the channel and binds the agent to the Guardian's decisions; it does not by itself make a deployment secure or its policies strict, and tamper-evidence against a compromised Guardian is the Crypto and Audit profiles, not Core.
96

10-
Trustworthiness of agents builds upon the foundation of existing standards (MCP and A2A), but provides value regardless.
11-
It build upon cybersecurity and observability standards including OpenTelemetry, OCSF, CycloneDX, SPDX and SWID.
7+
ACS extends existing standards rather than reinventing them: JSON-RPC 2.0 for the wire format, OpenTelemetry and OCSF for observability, CycloneDX / SPDX / SWID for the AgBOM, MCP and A2A intact for tool and peer communication.
128

13-
ACS makes agents trustworthy.
9+
## What v0.1.0 ships
1410

15-
!!! info "Work in progress"
16-
This page is currently under development.
17-
18-
**Want to contribute?** Check out the [GitHub issue](https://github.com/Agent-Control-Standard/ACS/issues/53) and join the discussion!
11+
- **ACS-Core** (mandatory baseline) — capability-negotiation handshake, JSON-RPC envelope, 16 native lifecycle hooks (`sessionStart`/`End`, `agentTrigger`, `userMessage`, `agentResponse`, `turnStart`/`End`, `toolCallRequest`/`Result`, `knowledgeRetrieval`, `memoryContextRetrieval`, `memoryStore`, `preCompact`/`postCompact`, `subagentStart`/`Stop`), wrapped MCP, five dispositions (`allow`, `deny`, `modify`, `ask`, `defer`), SessionContext with rolling SHA-256 chain hash, optional Intent with immutability rule, replay protection, and `system/ping` liveness.
12+
- **ACS-Trace** profile — OpenTelemetry semconv mapping + OCSF event-class mapping, with decisions emitted as span events on the parent step span.
13+
- **ACS-Inspect** / **ACS-Inspect-Dynamic** profiles — canonical AgBOM with `agbom/snapshot` and `agbom/changed`, deterministic CycloneDX / SPDX / SWID derivations.
14+
- **ACS-Provenance** profile — field-level `Provenance` objects with `origin`, `source_id`, `derived_from`, and an OPTIONAL wire-format `trust` enum that obeys the monotonicity rule.
15+
- **ACS-Crypto** profile — crypto-agile signature registry: HMAC-SHA256 baseline, ML-DSA-65 / SLH-DSA-128s for PQC, hybrid composites for transitional deployments.
16+
- **ACS-Audit** profile — `request_hash` on every ContextEntry so the chain commits to request content, not just step metadata.
17+
18+
See [Conformance Profiles](./spec/conformance.md) for what each profile requires.
1919

2020
## Trustworthy agents are
2121

docs/concepts/README.md

Lines changed: 33 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,33 @@
1+
# Concepts
2+
3+
These pages define the foundational concepts ACS uses across every pillar: agents, identity, the session lifecycle, intent, provenance, capability, and trust basis. They are the single source of truth. Each pillar's specification references down into these definitions rather than restating them.
4+
5+
This split exists because these concepts are horizontal. Intent, for example, flows through all three pillars: Instrument fires decisions against it, Trace records it as a span attribute, and Inspect catalogs what it authorized. Defining it inside any one pillar would subordinate a concept the other two depend on.
6+
7+
## The altitude rule
8+
9+
A normative statement lives at the altitude of its scope.
10+
11+
- **Cross-cutting invariants** (true across pillars) are defined here and tagged **(normative)**. They belong above the pillars because that is where they are true. *e.g. "`Intent.parsed` MUST NOT be modified by the LLM or by data crossing an untrusted channel."*
12+
- **Mechanism requirements** (true within one pillar's enforcement) stay in that pillar. *e.g. "the Guardian MUST verify approver identity," "a client declaring `provenance_producer: none` MUST be refused at handshake."*
13+
14+
When you add a concept, hoist the invariant and leave the mechanics. If a requirement is restated in two pillars, or buried in one but relied on by another, it is at the wrong altitude.
15+
16+
## Pages
17+
18+
| Concept | Covers |
19+
|---|---|
20+
| [Agents](./agents.md) | Observed Agent, Guardian Agent, Approver |
21+
| [Identity](./identity.md) | Principal, agent identity, descriptor types |
22+
| [Session lifecycle](./session-lifecycle.md) | Session, turn, step, subagent |
23+
| [Intent](./intent.md) | Intent as a governance concept and its immutability invariant |
24+
| [Provenance](./provenance.md) | Origin, source, lineage, channels |
25+
| [Capability](./capability.md) | Capability and authorization scope |
26+
| [Skill](./skill.md) | Skill as composed, loadable behavior and a trust boundary |
27+
| [Trust basis](./trust.md) | The spectrum from asserted to attested |
28+
29+
## Convention
30+
31+
Every page carries the canonical definition, any cross-cutting invariants tagged **(normative)**, and a **Referenced by** footer pointing into the pillars that consume the concept. The graph is navigable in both directions.
32+
33+
> **Migration note.** These pages are being established as the source of truth. The pillar specifications still carry some of these definitions inline; those will be updated to reference these pages rather than restate them. Until that pass lands, treat these pages as canonical where they disagree with a pillar's inline copy.

docs/concepts/agents.md

Lines changed: 38 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,38 @@
1+
# Agents
2+
3+
ACS governs the relationship between two agents and, when human or service approval is needed, a third party.
4+
5+
## Observed Agent
6+
7+
The AI agent under governance. It implements the ACS wire contract, emits hooks at each decision point in its lifecycle, and enforces the dispositions it receives. The Observed Agent is the subject of every AgBOM snapshot and the origin of every Trace event.
8+
9+
The Observed Agent emits; it does not adjudicate its own actions. That separation is the core of the model.
10+
11+
## Guardian Agent
12+
13+
The policy authority. It receives hooks from the Observed Agent, evaluates them against deployment policy, and returns a disposition: `allow`, `deny`, `modify`, `ask`, or `defer`. It consumes AgBOM for inventory-dependent policy and emits Trace events for the decisions it makes.
14+
15+
> **Decision logging (normative).** A Guardian MUST log every decision with its reasoning, the evaluator's model identifier, and confidence when available.
16+
17+
## Approver
18+
19+
A party the Guardian consults when a request falls outside standing policy and an `ask` disposition is raised. An Approver MAY be human, agent, or service. It receives an ACS-shaped request and returns an ACS-shaped decision.
20+
21+
> **Approver authentication (normative).** Approver authentication is REQUIRED. The Guardian MUST verify the Approver's identity against policy before honoring the returned decision.
22+
23+
The Approver's grant MAY extend `Intent.parsed` through an `intent_extension` (see [Intent](./intent.md)). In v0.1 this is single-hop: Approvers MUST NOT themselves return `ask`.
24+
25+
*Example.* An agent requests a wire transfer outside its standing Intent. The Guardian raises `ask`; a human Approver authenticates and returns `allow` with an `intent_extension` scoped to that single request.
26+
27+
## Trust between agents
28+
29+
What the Observed Agent puts on the wire is asserted by the Observed Agent. The Guardian decides whether to rely on it. How much weight a given fact carries depends on its [trust basis](./trust.md), not on the fact that it arrived.
30+
31+
---
32+
33+
**Referenced by**
34+
35+
- **Instrument**, [specification](../spec/instrument/specification.md): the Observed Agent emits hooks; the Guardian returns dispositions; Approvers participate via the ASK flow (§9).
36+
- **Trace**, [events](../spec/trace/events.md): every event names the evaluator; Guardian decisions become spans and OCSF findings.
37+
- **Inspect**, [AgBOM](../spec/inspect/README.md): the AgBOM is the Observed Agent's component graph.
38+
- See also [Identity](./identity.md) for how each party's identity is established.

docs/concepts/capability.md

Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
# Capability
2+
3+
A capability is an abstract permission to do something (`filesystem.delete`, `network.egress`, `process.execute`) independent of the specific tool that exercises it. Capabilities are the vocabulary in which authorization is expressed: [Intent](./intent.md) is a set of them, and a [tool](../spec/inspect/README.md) declares the one it needs.
4+
5+
Expressing authorization in capabilities rather than tool names lets policy reason about *what an action does* rather than *which binary does it*. Two different tools that both egress data are subject to the same `network.egress` policy.
6+
7+
*Example.* A `file.write` tool and a `git.commit` tool both exercise `filesystem.write`. Policy written against the capability governs both, without enumerating tools.
8+
9+
## Capability and Intent
10+
11+
`Intent.parsed` is a capability set: the capabilities authorized for the session. A decision-eligible step that requests a capability outside that set is the central check of intent-based control: the Guardian compares the requested capability against the authorized set and the closest match.
12+
13+
Capabilities enter the authorized set in exactly one way after Intent is fixed: an Approver's `intent_extension` through the ASK flow. See [Intent](./intent.md).
14+
15+
## Capability in the inventory
16+
17+
The Inspect pillar catalogs capability from the supply side: each `tool` component declares its abstract `capability`, and an `agent_capability` component groups the tools, MCP servers, and peers that compose a higher-level ability. The AgBOM is what the agent *can* do; Intent is the subset it is *authorized* to do for the session.
18+
19+
## Capability and identity
20+
21+
A capability is only meaningful against the [identity](./identity.md) it is granted to. Least privilege is the intersection of what the agent may do and what the principal it acts for may do; ACS supplies the capability vocabulary that makes that intersection expressible.
22+
23+
---
24+
25+
**Referenced by**
26+
27+
- **Instrument**, [specification](../spec/instrument/specification.md): the requested-capability check against `Intent.parsed`, exposed in `policy_data` on a mismatch.
28+
- **Inspect**, [AgBOM](../spec/inspect/README.md): `tool.capability` and the `agent_capability` component type.
29+
- See also [Intent](./intent.md), [Identity](./identity.md), and [Agents](./agents.md).

docs/concepts/identity.md

Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
# Identity
2+
3+
Identity answers who a party is: the Observed Agent, the Guardian, the Approver, and the principal on whose behalf the agent acts. It is an upstream dependency of authorization: a [capability](./capability.md) decision is only as meaningful as the identity it is bound to.
4+
5+
> **Workstream ownership.** The identity descriptor schema is owned by the Identity workstream. This page defines the cross-cutting concept and its boundary with the pillars; the descriptor shapes and any future identity profile live with that workstream.
6+
7+
## Principals and descriptors
8+
9+
A principal is the authenticated party initiating or acting within a session. ACS does not invent an identity format. Identity descriptors carry a `type` discriminator that names the scheme (for example `posix_uid`, `windows_sid`, `oauth_subject`, `cert_subject`), and the descriptor shape follows that scheme.
10+
11+
*Example.* A POSIX deployment carries `{ "type": "posix_uid", "uid": 1000 }`; an OAuth deployment carries `{ "type": "oauth_subject", "sub": "..." }`. ACS reads the discriminator and stays agnostic to the rest.
12+
13+
Three identities are distinct and MUST NOT be conflated:
14+
15+
- **Observed Agent identity**: which agent is under governance.
16+
- **Guardian identity**: which policy authority is deciding.
17+
- **Policy-author identity**: who authored the policy that produced a decision.
18+
19+
## Authentication is deployment-defined
20+
21+
> **No mandated mechanism (normative).** ACS mandates no authentication mechanism. The mechanism in use is declared at handshake. Trust schemes (for example SPIFFE, OIDC, DID, organizational PKI, or quorum signing) are deployment-defined and stay off the core wire contract.
22+
23+
This keeps the adoption floor low: a deployment binds ACS to whatever identity infrastructure it already runs. The future Policy Attestation profile will bind policy-author identity to verifiable signatures using the ACS-Crypto registry, without pulling the trust scheme onto the wire.
24+
25+
## Identity and trust basis
26+
27+
An identity descriptor is itself a fact with a [trust basis](./trust.md). An asserted identity is weaker than one bound by a verified credential or signature. Policy that gates high-impact actions should require an identity at an appropriate rung of that spectrum.
28+
29+
---
30+
31+
**Referenced by**
32+
33+
- **Instrument**, [specification](../spec/instrument/specification.md): `user_identity` at session start; Approver identity verification (§9); identity declared at handshake.
34+
- **Trace**, [extend OCSF](../spec/trace/extend_ocsf.md): agent vs human actors distinguished in emitted events.
35+
- **Inspect**, [AgBOM](../spec/inspect/README.md): peer identity on `a2a_peer` components.
36+
- See also [Agents](./agents.md), [Capability](./capability.md), and [Trust basis](./trust.md).

0 commit comments

Comments
 (0)