Cryptographic runtime governance for AI infrastructure.
AGA generates sealed, cryptographically signed Policy Artifacts that bind subject identity to authorized behavior and enforce that binding continuously at runtime. A two-process Portal architecture holds all cryptographic keys while the governed agent holds none -- the agent cannot self-authorize, bypass enforcement, or forge receipts.
Seal. Enforce. Prove.
- Seal: Attest subject state, compute sealed hash (SHA-256, no delimiters), sign with Ed25519 over RFC 8785 canonical JSON
- Enforce: Portal measures runtime state against sealed reference, executes enforcement on drift (7 graduated actions including phantom execution for forensic capture)
- Prove: Evidence Bundles with Merkle inclusion proofs enable offline verification by any third party using only standard cryptographic libraries
git clone https://github.com/attestedintelligence/AGA.git
cd AGA
npm install
npm test # 112+ tests covering all 20 patent claims
npm run demo # 10-phase interactive demonstrationThe independent-verifier/ directory contains a standalone verifier that
imports zero modules from the AGA codebase. It uses only
@noble/ed25519 and @noble/hashes to independently verify Evidence
Bundles, proving that AGA's tamper-evident properties are real cryptographic
guarantees, not implementation artifacts.
cd independent-verifier
npm install
npm test # Verifies bundles from all 3 deployment scenarios+---------------------------------------------------+
| POLICY ARTIFACT (sealed) |
| Subject ID + Sealed Hash + Enforcement Params |
| + Disclosure Policy + Ed25519 Signature |
+-------------------------+-------------------------+
|
v
+---------------------------------------------------+
| PORTAL (holds all keys) |
| Parse artifact -> Measure -> Compare -> Enforce |
| 6-state machine: INIT -> VERIFY -> MONITOR -> |
| DRIFT -> QUARANTINE/TERMINATE |
| |
| Agent holds NO keys. Cannot self-authorize. |
+-------------------------+-------------------------+
|
v
+---------------------------------------------------+
| CONTINUITY CHAIN (append-only) |
| Structural metadata linking (payload excluded) |
| -> Privacy-preserving third-party verification |
| -> Merkle checkpoint anchoring |
| -> Evidence Bundles for offline audit |
+---------------------------------------------------+
| Scenario | Measurement Cadence | Enforcement | Key Feature |
|---|---|---|---|
| SCADA Process | 100ms | QUARANTINE + actuator disconnect | Phantom execution forensics |
| Autonomous Vehicle | 1000ms | SAFE_STATE (return-to-home) | Safe-state transition |
| AI Agent | 1000ms | QUARANTINE | Behavioral drift detection + delegation |
| Primitive | Usage | Library |
|---|---|---|
| Ed25519 | Artifact/receipt/event signatures | @noble/ed25519 |
| SHA-256 | Sealed hash, leaf hash, payload hash | @noble/hashes |
| BLAKE2b-256 | Alternative hash, domain separation | @noble/hashes |
| RFC 8785 (JCS) | Canonical JSON for deterministic signing | Manual |
| Merkle Trees | Checkpoint anchoring, inclusion proofs | Manual |
| Framework | AGA Implementation |
|---|---|
| SP 800-53 SI (Integrity) | Portal continuous measurement with signed receipts |
| AI RMF Measure function | Continuous hash comparison with cryptographic receipts |
| SP 800-218A (SSDF) PS.3 | Runtime verification; RV.1: Forensic capture |
| SP 800-207 (Zero Trust) | Portal as PEP, artifact as PDP payload |
Full measurement cycle: <5ms (seal + measure + compare + receipt + chain append)
This software implements technology described in USPTO Application No. 19/433,835.