AlgoVoi open Decision chain (Apache-2.0): Passport + Mandate + Policy + Gate + Guardrail + Cancellation + Refund + Trust query + Execution + Orchestrator + Delegation + Revocation + Journey #3170
Replies: 3 comments
-
Keystone Control Panel (open, Apache-2.0)A browser-based settings panel for the keystone ecosystem, available on request. What it does Auto-detects installed algovoi keystone packages and shows their configuration in one place. Each installed step gets its own settings row (gate config) and a substrate tab for the low-level canonicalisation variables ( Login and pin gate Two-tier access. A session token unlocks the view. A separate Falcon-1024 licence key unlocks editing. The licence key check is fully offline: signature verified against a bundled issuer public key, no network call. Keys are issued per deployment and last 90 days via a persisted pin cookie. Rate limiting (5 attempts per 60 s) and httponly / samesite cookies are in place. HTTPS Ships with a Screenshot: login Screenshot: panel with guard step detected The panel shows 1 installed step ( Available on request. Bring any variable, Keystone supports it (alias mapping, now live) Keystone does not hard-code a fixed set of layers. Any ref you define can be declared an alias of a canonical Keystone layer, and it then appears in the chain at that layer's position and recomputes the same way. Two paths, neither needs a catalogue edit or a rebuild:
|
Beta Was this translation helpful? Give feedback.
-
Keystone Control Panel: bolt-on ecosystemThe control panel is not just a settings UI. Each keystone stage is a defined integration surface. Any vendor whose package emits conformant content-addressed refs plugs straight in. The panel detects it, surfaces its config, and validates it against the chain's Stage surfaces
Cross-party layer
How bolt-ons work The entry point is open. Any package that registers Conformance is about interoperability, not permission. A bolt-on that emits a valid content-addressed ref using the JCS + integer-ms substrate can be verified by any other step in the chain, by any org, offline. The substrate is the shared language. The conformance check just confirms the bolt-on speaks it, so downstream steps can trust what it produces. Self-hosted today. A discoverable registry of conformance-validated bolt-ons is the natural next layer once the ecosystem has volume. |
Beta Was this translation helpful? Give feedback.
-
|
How to build a Keystone bolt-on The keystone control panel auto-detects bolt-ons through one small contract, so you can add your own step and have it recognised without us changing anything. A bolt-on is a Python package that declares an entry point and returns a short descriptor.
[project.entry-points."algovoi.keystone.steps"]
my_step = "my_package.keystone:keystone_step"
def keystone_step():
return {
"package": "my-package", # your distribution name
"step": "my_step", # the decision-flow stage you cover
"ref": "my_ref", # the *_ref your package emits
"order": 50, # optional: where it sits in the flow
"posture": "what it does", # optional: one line
}
That is the whole contract. Publish your package and anyone with the panel installed sees your step. Two tiers: Keystone Enabled (your package produces a keystone ref at a step, as above) and Keystone Integration (a |
Beta Was this translation helpful? Give feedback.


Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
The AlgoVoi Keystone
The Keystone is the complete decision chain behind an agent payment, expressed as one recomputable sequence of content-addressed references. Each link answers one question and binds to the next, so the whole chain verifies end to end offline, with no issuer contact: just RFC 8785 JCS canonicalization and SHA-256. Open, Apache-2.0.
The agentic lifecycle: identity to settlement. The Keystone chain in full, each reference
sha256:over JCS (RFC 8785) of its predecessor:Recompute any input field and the reference at that step plus every downstream reference diverges. One agent, one authority, one policy, one decision, one execution -- the whole chain is verifiable end to end with no issuer contact, using only JCS (RFC 8785) and SHA-256.
The agentic lifecycle extends through the full post-decision sequence: a settlement attestation binds to the exact
execution_refthe Keystone produced; a refund anchors to the same; an audit chain of frames links execution, settlement, and refund byprev_hashand caps them with onetrust_query_ref. Cancellation closes the mandate before execution on the authority-side mirror. Any party recomputes the full agentic lifecycle offline -- same JCS + SHA-256 discipline, no new primitive, no AlgoVoi software in the trust base. Agentic lifecycle -- composition proofs, byte-for-byte verifiable offline: https://docs.algovoi.co.uk/keystoneCross-party (multi-agent):
delegation -> revocation -> journey. The constructions are open source (delegation published; revocation and journey available on request); the cross-party proofs are the commercial Orchestrator.Verify the whole chain yourself, no package import, offline:
Each link below is its own open package: install it, pin it, verify it independently, or compose the whole chain. Every package is Apache-2.0 and pinned at
0.1.0; pinned adopters receive a free v0 verification key (pin, then key).1. Agent Passport,
passport_ref(identity)Who the agent is, as a content-addressed identity reference.
2. Payment Mandate,
mandate_ref(authority)What the agent may spend, bound to its passport.
3. Policy Binding,
policy_bound_ref(policy in force)Which policy snapshot the action runs under, version provable and rotation detectable.
4. Compliance Gate,
gate_ref(compliance verdict)The no-PII compliance verdict, bound to the policy it assessed.
Compliance binding and decision basis (commercial)
The open Compliance Gate above emits the verdict. Substrate 2 binds that receipt into the keystone as a screen stage, proving the screening that informed this exact decision, and adds the signed decision basis: which compliance standards drove the verdict, the jurisdiction check bound to its geo determination, no PII and recomputable offline. Commercial only. Details: https://docs.algovoi.co.uk/keystone
5. Spend Guardrail,
guardrail_ref(pre-payment decision)The ALLOW or DENY decision, bound to agent, mandate and policy.
6. Execution,
execution_ref(decision-bound execution evidence)What the agent actually did, bound to the exact decision that authorized it.
execution_refis the natural replacement foraction_ref, the keystone-bound successor on the same JCS (RFC 8785) and SHA-256 discipline;action_refstays fully backward compatible as the legacy primitive, unchanged in the substrate, so existing integrations keep verifying byte for byte with no forced migration. New work targetsexecution_ref;action_refkeeps working.7. Cancellation,
cancellation_ref(closes the authority)Closes the mandate before execution, bound to the exact mandate.
8. Refund,
refund_ref(after settlement)A refund anchored to the execution that committed, not merely to the decision.
9. Composite Trust Query,
trust_query_ref(one verdict over the chain)One recomputable trust verdict over the ordered chain of references. The same verdict serves as a settlement attestation: the settled chain is recomputable from the receipt alone, with no issuer contact.
Preconditions and transport, same pattern:
Substrate Guard,
profile_ref(input-bounds gate)The input-bounds profile every record is admitted under before canonicalization.
PEF Keystone (signed transport frames)
Wraps and pins a Keystone reference into hash-linked evidence frames.
TAP Verifier (offline-verifiable agentic payment receipt)
Verifies an AlgoVoi TAP receipt with no AlgoVoi software: it re-derives the
receipt_idfrom the JCS preimage and checks the Ed25519 signature using public libraries only, with an optional Falcon-1024 post-quantum check. For the Trusted Agent Protocol post-authentication audit trail.CloudEvents adapter (keystone decision as a CloudEvents 1.0 event)
Emits an AlgoVoi keystone decision as a CloudEvents 1.0 event; the content-addressed
execution_refis the eventid, and a consumer recomputes it from the eventdatawith JCS (RFC 8785) and SHA-256, with no AlgoVoi software.W3C Verifiable Credential adapter (keystone decision as a credential)
Emits an AlgoVoi keystone decision as a W3C Verifiable Credential (Data Model 2.0) of its own
KeystoneExecutionCredentialtype; the content-addressedexecution_refis thecredentialSubjectid, recomputable from the subject before any signature suite is applied.MCP verifier (recompute a keystone execution_ref in any MCP client)
An open Model Context Protocol server exposing keystone verification as tools, so any MCP client recomputes and checks a keystone
execution_refoffline, with no AlgoVoi service.Webhook verifier (verify a keystone ref in a webhook)
Verifies an AlgoVoi webhook's HMAC signature and recomputes the keystone
execution_refcarried in the event from its fields with JCS (RFC 8785) and SHA-256, so a consumer proves both the signature and that the keystone reference is authentic, with no AlgoVoi software.LangChain run trace (keystone decision on a LangChain run)
Attaches a keystone decision to a LangChain run as metadata and a tag under
algovoi.keystone.*, so LangSmith or any tracer shows a content-addressedexecution_refa reviewer recomputes from the run alone, with no AlgoVoi software.CrewAI step trace (keystone decision on a CrewAI step)
Records a keystone decision once via a CrewAI step callback and passes the step output through unchanged, so a crew run carries a content-addressed
execution_refrecomputable from the recorded metadata alone, with no AlgoVoi software.AutoGen message trace (keystone decision on an AutoGen message)
Stamps a keystone decision into an AutoGen message's metadata, so a conversation carries a content-addressed
execution_refrecomputable from the message alone, with no AlgoVoi software.ADK agent trace (keystone decision in Google ADK agent state)
Stamps a keystone decision into Google ADK agent state via a before-agent callback, so an agent run carries a content-addressed
execution_refrecomputable from the state alone, with no AlgoVoi software.Orchestrator and composition proofs
The Keystone Orchestrator produces verifiable, end to end evidence that authority flowed correctly across organizational boundaries and was not exceeded, recomputable offline. The signed verdict is portable: it verifies off-the-shelf as a standard EdDSA JWS under any JOSE library and as a W3C Verifiable Credential under the Digital Bazaar eddsa-jcs-2022 suite, with no AlgoVoi software. Composition proofs are available on request. Docs: https://docs.algovoi.co.uk/keystone
Delegation: authority across parties (
delegation_ref)When authority is handed from one party to another, the Orchestrator proves it composed without anyone exceeding their grant. A treasury agent A, authorized for payments up to 1000 across GB and US, delegates a slice to a vendor agent B for a fixed window. B decides and executes deliberately narrower (a USDC transfer up to 500, GB). The Orchestrator composes A's authority, the delegation, B's decision and B's execution into one signed verdict: authority flowed correctly across the A to B boundary and nothing was exceeded, verifiable offline. If B instead executes for 2000, the verdict is BROKEN: a signed receipt would still look valid, the composed proof does not.
The open
delegation_refis the tamper-evident binding for each hand-off. The cross-party scope-consistency proof is the Orchestrator capability; composition proofs available on request.Revocation: pulling authority back (
revocation_ref)Authority can be withdrawn before it expires. When a grantor revokes a delegation, the Orchestrator proves that every downstream action which happened at or after the revocation no longer holds, even across several hops. A treasury agent A delegates to B, B sub-delegates to C, then A revokes the original grant. Any action C takes after that revocation composes to BROKEN, because C's authority derived from a grant A had already pulled, recomputable offline. An action that happened before the revocation stays valid: revocation is prospective and provable from the bytes, not a mutable status flag. The open
revocation_refis available on request (Apache-2.0); the cross-party cascade proof is the commercial Orchestrator capability.Journey: the whole multi-agent task as one proof (
journey_ref)One reference binds an entire multi-agent task end to end: every hop's execution and the delegations between them. Verifying a single
journey_refproves the whole A to B to C task at once: identity and authority continuity, scope never widened at any boundary, nothing acted under a revoked grant, and no hop omitted from the record. Drop a hop or widen scope anywhere and the journey composes to BROKEN. The openjourney_refis available on request (Apache-2.0); the end to end aggregation proof is the commercial Orchestrator capability.Journey adapters: bind the whole run in your framework (commercial)
The CrewAI, LangGraph, AutoGen, and A2A journey adapters each record a multi-agent run's hops and the delegations between them, then emit one
journey_refover the whole task: a crew, a graph, a group chat, or an agent-to-agent task verifies as a single proof.Commercial full Orchestrator (delegation proofs + PQC sign + CCC): in the on-prem bundle.
IETF drafts
Internet-Drafts for the underlying constructions (the canonicalization substrate, the receipt and execution references, and the audit chain of frames) are available on request.
Benchmark, clean-box reproduction
Reproduced on a clean box, a fresh container with one vCPU, installing only from the public PyPI and npm registries:
Security testing (last run 2026-07-01)
Canonicalization fuzz (2026-06-22): adversarial differential testing across 9 independent JCS implementations. 20,000 safe-domain inputs: 0 divergences. 373 adversarial (out-of-domain) inputs: the substrate's own canonicalizer fail-closed on 373/373 -- zero in-domain breaks. Public attestation in the conformance-vectors repository.
Cross-implementation parity (corpus v0.31.0): conformance vectors validated byte-identical across 8 independent implementations in 8 languages -- Python, Node.js, Go, Rust, Java, PHP, .NET, Ruby. Node equals Python on every reference.
Keystone conformance (2026-07-01): 16/16 conformance tests -- determinism, byte-for-byte recompute, tamper divergence (any field change diverges every downstream reference), severity weighting, and chain binding. Fresh-venv clean install verified against corpus v0.31.0; 7-tier keystone recompute byte-for-byte.
Input-bounds gate (
algovoi-substrate-guard, Apache-2.0): runs before canonicalization and admits only inputs within the proven safe domain (safe-integer range, Unicode scalar validity). 15/15 public test vectors. On PyPI and npm.Substrate 2 (Commercial)
Everything above is open (Apache-2.0). Substrate 2 is the commercial core built on the same canonical evidence, with two simple parts.
The control plane: where the pieces connect. Think of it as the switchboard. Every service (payments, compliance, records, evidence) plugs into one hub that keeps the single list of trusted keys and issuers, lets each service register itself, and shows one live view of the whole system's health.
The keystone: the record of what actually happened. A payment is checked for authorization, a decision is made, it executes, and it settles on chain. The keystone stitches those steps into one tamper-evident thread: each step is a short fingerprint locked to the one before it, so the whole story, from "allowed to spend" to "settled," re-checks offline with no AlgoVoi software. The same record exports as a signed JSON receipt, a W3C Verifiable Credential, a JOSE token, or a zero-knowledge proof, each pointing back to the same payment.
The control plane connects the apps; the keystone is the thread that runs through a payment. Details: https://docs.algovoi.co.uk/substrate-2
Keystone config panel
The keystone is an evolving ecosystem: each step has configurable parameters that shift as the platform grows.
algovoi-keystone-controlsurfaces those parameters in a browser UI, auto-detects which algovoi packages are installed, and lets operators edit them via a pin-gated HTTPS panel. Open (Apache-2.0).Docs: https://docs.algovoi.co.uk/keystone
Keystone connectors -- drop-in adapters that bind a data-layer operation to the keystone decision that authorised it, emitting a content-addressed
execution_ref(verifiable offline withkeystone-verify. Open Apache-2.0, available on request):algovoi-keystone-odbc-- wraps any ODBC / DB-API cursor; every execute (insert / update / delete) is bound to itsdecision_ref, so a write can be proven consistent with the decision that allowed it.algovoi-keystone-sqlalchemy-- onebind_session()call registers anafter_flushlistener; each flushed ORM change is bound to the keystone, no model or query changes.algovoi-keystone-kafka-- wraps any producer (kafka-python / confluent-kafka / aiokafka); each produced message carries anexecution_ref, with failed sends recorded asFAILED.algovoi-keystone-openlineage-- attaches a keystone run facet to each OpenLineage RunEvent, so the lineage standard's own events carry theexecution_ref; outcome derived fromeventType.algovoi-keystone-asgi-- one ASGI / WSGI middleware (FastAPI / Starlette / Flask / Django) binds every state-changing HTTP request to itsdecision_ref; outcome from the response status.algovoi-keystone-grpc-- a gRPC server interceptor binds each unary call to itsdecision_ref; outcome COMMITTED, or FAILED if the handler raises. Streaming passes through.algovoi-keystone-s3-- wraps any boto3 S3 client so every object write (put / delete) carries anexecution_refkeyed tobucket/key; reads pass through untouched.algovoi-keystone-redis-- wraps any redis-py client so every write command (set / delete / hset / expire / ...) carries anexecution_refkeyed to the key; reads pass through.algovoi-keystone-mongo-- wraps any pymongo collection so every write (insert / update / delete / replace) carries anexecution_refkeyed todb.collection; reads pass through.algovoi-keystone-amqp-- wraps any pika channel so every AMQP / RabbitMQ publish carries anexecution_refkeyed toexchange/routing_key; consumers and declares pass through.algovoi-keystone-elasticsearch-- wraps any elasticsearch-py client so every write (index / update / delete / bulk) carries anexecution_refkeyed toindex/doc_id; searches pass through.algovoi-keystone-nats-- wraps any nats-py connection so every publish carries anexecution_refkeyed to the subject; subscribes and requests pass through.algovoi-keystone-gcs-- wraps any Google Cloud Storage blob so every object write (upload / delete) carries anexecution_refkeyed tobucket/name; reads pass through.Companion verifier --
algovoi-keystone-validateingests a batch of theseexecution_refrecords, recomputes each offline, checks they bind to the expected decision, and logs what failed and why (integrity vs operational errors). Open Apache-2.0, available on request.How to verify (no trust required) -- every reference is content-addressed:
ref = "sha256:" + SHA-256(RFC 8785 JCS(object)). You can reproduce any published reference with a third-party RFC 8785 implementation and standard SHA-256, with no AlgoVoi software involved:That reference is byte-identical to the published corpus value for this identity object, computed with a different canonicalizer than the one inside the package -- so a match proves the substrate is faithfully the open standard, not something you take on trust. Change any field and the reference diverges. RFC 8785 implementations exist in Go, JavaScript, Rust, and Java; any reproduces the same bytes. The conformance corpus is keyed under the
jcs-rfc8785-v1profile. The one-command verifier that recomputes the full chain byte-for-byte against the Ed25519-signed conformance corpus (fully offline, trusts no emitter) is open Apache-2.0, available on request.Install (from the AlgoVoi index):
The full open Keystone fleet is on the same index: https://pip.algovoi.co.uk/simple/
The Keystone control panel is published on PyPI:
The tested packages themselves are served from the AlgoVoi index to preserve their integrity and security.
x402 payment receipts (verifiable offline)
The keystone execution stage produces an x402 payment receipt: a signed record binding the payment evidence to the exact authorization that approved it, verifiable offline with JCS (RFC 8785) and SHA-256 using any conforming canonicalizer. Three reference pages on the receipt construction and its properties:
Live proof: the Keystone across six chains
The Keystone trust chain now has a live, end to end proof. We compose the full chain (passport, mandate, policy, signed decision, execution, and a single trust query), bind it to a real on-chain settlement, and verify every reference and signature offline. It has been tested across six public testnets: Base Sepolia, Arc, Tempo, Algorand, Stellar, and Solana. On Algorand, Stellar and Solana the decision is written into the transaction itself (the note, memo and reference), so it is visible directly on the block explorer.
The same chain also composes across four agent-payment protocols (x402, MPP, AP2, A2A), which converge on one settlement reference. A downloadable proof pack and an independent verifier (SHA-256, RFC 8785, Ed25519 only) are included.
Walkthrough, the live transactions, and a recompute it yourself guide: https://docs.algovoi.co.uk/keystone-proof
Beta Was this translation helpful? Give feedback.
All reactions