Commit 0d65c9b

rfc(governance): signed decision receipts for ABCA via AgentCore Gateway
Follow-up to closed #39. Per @krokoko's review feedback, this lands as an RFC / design document rather than an integration guide.

Key properties:

- The signing identity is a separate Lambda (Receipt Signer), outside the agent runtime's trust boundary. A compromised agent container cannot forge, alter, or suppress receipts.
- Cedar policy evaluation stays native to AgentCore Gateway's built-in policy engine. This RFC does not reinvent Cedar evaluation; it adds a signed-receipt output alongside the existing CloudWatch log.
- Signing key lives in KMS (Ed25519), scoped to the Receipt Signer IAM role only, with explicit deny on the agent runtime role.
- Receipt chain is tamper-evident as a whole (hash-chained, JCS canonical, Ed25519 signed). Verifiable offline with @veritasacta/verify, no AWS credentials required.
- Receipt format is tool-agnostic (IETF draft-farley-acta-signed-receipts, four independent conformant implementations).
- CDK-managed infra: KMS key, S3 bucket with explicit denies, CloudTrail data events on kms:Sign for second-layer audit.

Sections:

1. Problem statement
2. What AgentCore Gateway already provides (policy engine native)
3. Goals and non-goals
4. Trust model (explicit entity + boundary table)
5. Receipt contract (wire format + three invariants)
6. Reference implementation: AgentCore Gateway + Receipt Signer Lambda
7. CDK infrastructure (KMS, S3, Lambda, CloudTrail)
8. Verification flow (no AWS credentials required)
9. Compromise analysis (5 scenarios walked through)
10. Open questions (7 ABCA-specific unknowns)
11. References
12. Conformant signing implementations

Appendix A: how this differs from the closed #39 guide

Explicitly acknowledges the critique @krokoko raised on #39 that led to this rewrite. Author disclosure at the top of the document.

This RFC references live AgentCore Gateway documentation at https://docs.aws.amazon.com/bedrock-agentcore/latest/devguide/policy-getting-started.html provided by @krokoko. The open questions in Section 10 are the places where AgentCore team guidance is needed before a reference-implementation PR can follow.
1 parent 396a245 commit 0d65c9b

1 file changed

Lines changed: 428 additions & 0 deletions
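
The commit message describes a receipt chain that is hash-chained, JCS canonical and Ed25519 signed, and verifiable offline. The sketch below is an added example, not code from this commit or from @veritasacta/verify; it shows how those three properties combine in an offline check. The field names `seq`, `prev`, `payload` and `sig`, the helper names, and the locally generated key (standing in for the KMS key) are assumptions.

```javascript
// Added illustration. Field names (seq, prev, payload, sig) are hypothetical,
// not the wire format of draft-farley-acta-signed-receipts.
const crypto = require('node:crypto');

// JCS-style canonical form: sorted keys, no whitespace. Enough for the strings
// and integers used here; full RFC 8785 also pins down number formatting.
function canonical(v) {
  if (Array.isArray(v)) return '[' + v.map(canonical).join(',') + ']';
  if (v && typeof v === 'object') {
    return '{' + Object.keys(v).sort()
      .map(k => JSON.stringify(k) + ':' + canonical(v[k])).join(',') + '}';
  }
  return JSON.stringify(v);
}
const sha256 = s => crypto.createHash('sha256').update(s).digest('hex');
const GENESIS = '0'.repeat(64);

// Signer side: a local Ed25519 key stands in for the KMS-held key.
function appendReceipt(chain, payload, privateKey) {
  const prev = chain.length ? sha256(canonical(chain[chain.length - 1])) : GENESIS;
  const body = { seq: chain.length, prev, payload };
  const sig = crypto.sign(null, Buffer.from(canonical(body)), privateKey);
  return [...chain, { ...body, sig: sig.toString('base64') }];
}

// Verifier side: needs only the public key and the receipts themselves.
function verifyChain(chain, publicKey) {
  let expectedPrev = GENESIS;
  for (let i = 0; i < chain.length; i++) {
    const { sig, ...body } = chain[i];
    if (body.seq !== i) return { ok: false, at: i, reason: 'sequence' };
    if (body.prev !== expectedPrev) return { ok: false, at: i, reason: 'link' };
    const good = crypto.verify(null, Buffer.from(canonical(body)), publicKey,
      Buffer.from(String(sig), 'base64'));
    if (!good) return { ok: false, at: i, reason: 'signature' };
    expectedPrev = sha256(canonical(chain[i]));
  }
  return { ok: true, at: -1, reason: 'none' };
}

// Constructed sample decisions, not real ABCA or AgentCore Gateway output.
function demoChain() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const decisions = [
    { tool: 'read_file', decision: 'allow' },
    { tool: 'delete_branch', decision: 'deny' },
    { tool: 'open_pr', decision: 'allow' },
  ];
  const chain = decisions.reduce((c, d) => appendReceipt(c, d, privateKey), []);
  return { publicKey, chain };
}
```

A check of this kind detects edited receipts and gaps in the sequence; detecting a truncated tail additionally needs the expected latest hash or receipt count from an independent source.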
