|
| 1 | +# AgentPlane Trust Gate |
| 2 | + |
| 3 | +Status: v0.1 local gate |
| 4 | + |
| 5 | +`sourceos-syncd` now emits AgentPlane-compatible trust decisions from State Integrity Reports. The local gate gives agents a deterministic way to decide whether a state substrate is safe to use before reading, writing, traversing memory, or acting against a lane. |
| 6 | + |
| 7 | +## Purpose |
| 8 | + |
| 9 | +Agents should not treat every local substrate as trustworthy. Before action, an agent should know: |
| 10 | + |
| 11 | +- whether the State Integrity Report contract is valid; |
| 12 | +- whether the requested lane exists; |
| 13 | +- whether the report diagnosis is healthy, degraded, unsafe, stale, or unknown; |
| 14 | +- whether degraded mode was explicitly allowed; |
| 15 | +- whether signed evidence is required and present; |
| 16 | +- whether policy counts indicate restricted state. |
| 17 | + |
| 18 | +## Decision contract |
| 19 | + |
| 20 | +Schema: |
| 21 | + |
| 22 | +```text |
| 23 | +sourceos.agent-trust-decision/v1alpha1 |
| 24 | +``` |
| 25 | + |
| 26 | +Canonical schema file: |
| 27 | + |
| 28 | +```text |
| 29 | +schemas/sourceos.agent-trust-decision.v1alpha1.schema.json |
| 30 | +``` |
| 31 | + |
| 32 | +Decision shape: |
| 33 | + |
| 34 | +```json |
| 35 | +{ |
| 36 | + "schema": "sourceos.agent-trust-decision/v1alpha1", |
| 37 | + "decision_id": "trust-example", |
| 38 | + "generated_at": "2026-05-05T00:00:00Z", |
| 39 | + "engine": "agentplane-local-trust-gate", |
| 40 | + "subject": "agentplane", |
| 41 | + "action": "read", |
| 42 | + "lane": "normal", |
| 43 | + "status": "allowed", |
| 44 | + "reason": "state_integrity_allows_agent_action", |
| 45 | + "report_digest": "sha256:...", |
| 46 | + "report_status": "healthy", |
| 47 | + "allow_degraded": false, |
| 48 | + "require_attestation": false, |
| 49 | + "evidence": {} |
| 50 | +} |
| 51 | +``` |
| 52 | + |
| 53 | +## Status values |
| 54 | + |
| 55 | +- `allowed`: report is healthy enough for the requested lane/action. |
| 56 | +- `degraded_allowed`: report is degraded, but the caller explicitly allowed degraded mode. |
| 57 | +- `blocked`: lane/action should not proceed. |
| 58 | +- `unknown`: reserved for future remote AgentPlane states. |
| 59 | + |
| 60 | +## CLI |
| 61 | + |
| 62 | +Evaluate a report: |
| 63 | + |
| 64 | +```bash |
| 65 | +sourceos-syncd trust evaluate \ |
| 66 | + --file /tmp/sourceos-syncd.snapshot.json \ |
| 67 | + --subject agentplane \ |
| 68 | + --action read \ |
| 69 | + --lane normal |
| 70 | +``` |
| 71 | + |
| 72 | +Allow degraded mode explicitly: |
| 73 | + |
| 74 | +```bash |
| 75 | +sourceos-syncd trust evaluate \ |
| 76 | + --file /tmp/sourceos-syncd.snapshot.json \ |
| 77 | + --subject agentplane \ |
| 78 | + --action read \ |
| 79 | + --lane normal \ |
| 80 | + --allow-degraded |
| 81 | +``` |
| 82 | + |
| 83 | +Require signed attestation: |
| 84 | + |
| 85 | +```bash |
| 86 | +sourceos-syncd trust evaluate \ |
| 87 | + --file /tmp/sourceos-syncd.snapshot.json \ |
| 88 | + --subject agentplane \ |
| 89 | + --action read \ |
| 90 | + --lane normal \ |
| 91 | + --require-attestation |
| 92 | +``` |
| 93 | + |
| 94 | +Validate a decision artifact: |
| 95 | + |
| 96 | +```bash |
| 97 | +sourceos-syncd trust validate \ |
| 98 | + --file examples/trust/normal-read.allowed.json |
| 99 | +``` |
| 100 | + |
| 101 | +## Local gate rules |
| 102 | + |
| 103 | +The local gate blocks when: |
| 104 | + |
| 105 | +- the report contract is invalid; |
| 106 | +- the requested lane is absent; |
| 107 | +- signed attestation is required but missing; |
| 108 | +- the report status is unsafe, stale, or unknown; |
| 109 | +- the report is degraded and degraded mode was not explicitly allowed; |
| 110 | +- the requested lane is secure or repair and policy counts indicate restrictions. |
| 111 | + |
| 112 | +The local gate allows when: |
| 113 | + |
| 114 | +- the report contract is valid; |
| 115 | +- the requested lane exists; |
| 116 | +- the report is healthy; |
| 117 | +- attestation requirements are satisfied; |
| 118 | +- policy counts do not indicate lane restriction. |
| 119 | + |
| 120 | +## Evidence relationship |
| 121 | + |
| 122 | +A trust decision is itself an evidence candidate. It can be wrapped with: |
| 123 | + |
| 124 | +```bash |
| 125 | +sourceos-syncd evidence wrap \ |
| 126 | + --file /tmp/trust-decision.json \ |
| 127 | + --type agent-trust-decision \ |
| 128 | + --subject agentplane |
| 129 | +``` |
| 130 | + |
| 131 | +This gives AgentPlane and Delivery Excellence a chain: |
| 132 | + |
| 133 | +```text |
| 134 | +State Integrity Report -> Agent Trust Decision -> Lampstand Evidence Envelope |
| 135 | +``` |
| 136 | + |
| 137 | +## Replacement path for AgentPlane |
| 138 | + |
| 139 | +The local gate should later become an AgentPlane consumer contract: |
| 140 | + |
| 141 | +1. AgentPlane asks for trust evaluation before acting. |
| 142 | +2. SourceOS provides a State Integrity Report digest and diagnosis. |
| 143 | +3. PolicyFabric provides lane/action authorization. |
| 144 | +4. Lampstand provides evidence and attestation state. |
| 145 | +5. AgentPlane records which report and decision it relied on. |
| 146 | + |
| 147 | +## Current limits |
| 148 | + |
| 149 | +The local gate is not yet a distributed authorization system. It does not yet perform remote identity checks, capability credential validation, or signed evidence lookup. Those belong in AgentPlane, PolicyFabric, and Lampstand integration work. |
0 commit comments