Technical Documentation · v1-enforced-irreversible

Governance Execution Interface

The enforcement kernel. No token, no execution.


Overview

The GEI is a cryptographic enforcement primitive. It sits between policy decision and tool execution. Before any agent action runs, the GEI evaluates the request against the governing policy, signs a token binding the decision to the exact parameters, and logs the decision to a tamper-evident ledger. If any step fails, execution does not proceed.

The kernel is deterministic. Given identical inputs — same request, same policy, same timestamp — it produces byte-identical decisions, tokens, and ledger entries. This is not a design preference. It is a requirement for forensic replay.


Architecture

The GEI separates into two principals with asymmetric authority:

GEI Issuer

The authority. Holds the signing key. Evaluates policy. Signs governance tokens. Cannot execute tools.

Broker (Verifier)

Holds public keys only. Cannot sign. Cannot issue. Validates tokens before permitting execution. Can be deployed independently — in a different process, on a different machine, in a different cloud.

This separation is structural. The signing key never leaves the trust boundary. The broker can run anywhere the fleet runs.


Execution Model

1. Agent requests tool execution

2. GEI evaluates request against active policy bundle

3. Decision logged to tamper-evident ledger (before execution)

4. If allowed: GEI signs token binding decision to parameters

5. Agent presents token to broker

6. Broker validates the token cryptographically

7. If valid: tool executes

8. If any step fails: execution does not proceed. No fallback.

HARD INVARIANT: Decision before execution. If the ledger write fails, the tool does not run.


Key Properties

Cryptographic parameter binding.

The token is bound to the exact parameters via cryptographic hash. Modifying parameters after authorization invalidates the token.

Replay prevention.

Each token includes a one-time-use nonce. Replaying a valid token is denied.

Tamper-evident audit chain.

The decision ledger is append-only and hash-chained. Any modification — deletion, insertion, reordering — is detectable.

Scope isolation.

A token for one tool cannot authorize a different tool. A token for one tenant cannot authorize a different tenant.

Fail-closed.

Unknown key, malformed payload, unavailable nonce store, ledger write failure — all result in deny. No exceptions.

Deterministic replay.

Given a trace identifier, the complete governed action can be forensically reconstructed and its cryptographic integrity verified.

Policy version binding.

Every token references the specific policy version that authorized the action. The full decision provenance is preserved.
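As an added illustration of the execution model and the properties above (not AmplefAI's code; the real token structure and serialization live in the restricted specification), the Python below models an Issuer that appends the hash-chained ledger entry before signing an Ed25519 token bound to tenant, tool, parameter hash, nonce and policy version, and a Broker that holds only the public key and fails closed. The in-memory ledger, the canonical-JSON encoding, the field names, the Ed25519 choice and the `cryptography` package are assumptions made for this example.

```python
import hashlib, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def canonical(obj) -> bytes:  # deterministic serialization: same input, byte-identical output
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

class Ledger:  # append-only, hash-chained decision log (constructed in-memory stand-in)
    def __init__(self):
        self.entries = []
    def append(self, decision: dict) -> None:
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        link = hashlib.sha256(prev.encode() + canonical(decision)).hexdigest()
        self.entries.append({"prev": prev, "decision": decision, "hash": link})
    def verify_chain(self) -> bool:  # deterministic replay: rebuild the chain and compare
        replay = Ledger()
        for e in self.entries:  # any edit, deletion, insertion or reordering changes some hash
            replay.append(e["decision"])
        return replay.entries == self.entries

class Issuer:  # holds the signing key, evaluates policy, signs tokens; never executes tools
    def __init__(self, policy: dict, policy_version: str, ledger: Ledger):
        self._key = Ed25519PrivateKey.generate()  # constructed for the demo; real keys stay in an HSM/TEE
        self.public_key = self._key.public_key()
        self.policy, self.policy_version, self.ledger = policy, policy_version, ledger
    def authorize(self, tenant: str, tool: str, params: dict, nonce: str):
        decision = {"tenant": tenant, "tool": tool, "nonce": nonce, "policy_version": self.policy_version,
                    "params_hash": hashlib.sha256(canonical(params)).hexdigest(),
                    "allowed": tool in self.policy.get(tenant, ())}
        self.ledger.append(decision)  # logged BEFORE any token exists; a failed write raises, nothing is signed
        if not decision["allowed"]:
            return None
        body = canonical(decision)
        return {"body": body.decode(), "sig": self._key.sign(body).hex()}

class Broker:  # holds the issuer's public key only; cannot sign or issue
    def __init__(self, public_key):
        self.public_key, self.used_nonces = public_key, set()
    def permit(self, token, tenant: str, tool: str, params: dict) -> bool:
        try:
            body = token["body"].encode()
            self.public_key.verify(bytes.fromhex(token["sig"]), body)  # raises on wrong key or tampering
            c = json.loads(body)
            ok = (c["tenant"] == tenant and c["tool"] == tool                               # scope isolation
                  and c["params_hash"] == hashlib.sha256(canonical(params)).hexdigest()    # parameter binding
                  and c["nonce"] not in self.used_nonces and c["allowed"] is True)         # replay prevention
        except (InvalidSignature, KeyError, TypeError, ValueError, AttributeError):
            return False  # fail closed: no token, malformed payload, or unknown key
        if ok: self.used_nonces.add(c["nonce"])  # consume the one-time nonce only on a permitted run
        return ok
```

A denied decision still produces a ledger entry, so the audit chain records every request, not only the ones that ran.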


Frozen State

The kernel is frozen at v1-enforced-irreversible. This means:

  • No new features are added to the kernel.
  • No existing invariants are relaxed.
  • The token structure and serialization format are locked.
  • The trusted computing base is minimal and closed.

Policy evaluation, the DSL, integration adapters, and tooling are built around the kernel — not inside it.


Validated Environments

The GEI kernel has been validated with full test coverage across token signing and verification, replay prevention, ledger integrity, forensic reconstruction, adversarial inputs, and end-to-end governed execution — both locally and inside Azure Confidential Compute (AMD SEV-SNP) with vTPM attestation.


Full Technical Specification

The complete GEI specification — including token structure, serialization rules, verification sequence, ledger schema, and invariant definitions — is available to qualified partners and investors.

AmplefAI · Because the system being governed cannot govern itself.