TrigGuard
TRIGGUARD TG-01

TG-01 // DETERMINISTIC AUTHORIZATION PROTOCOL

0. ABSTRACT

TG-01 defines deterministic authorization between automation (including agents) and execution surfaces. It establishes a non-bypassable boundary: intent is evaluated against signed policy before commit, and execution is blocked unless a cryptographic Commit Permit is issued. No silent fallbacks.

1. THE EXECUTION HANDSHAKE

Latency budgets: under 5 ms p99 on the kernel hot path, and under 15 ms p99 for end-to-end finite-state evaluation under normal load. The handshake follows a three-step verification model:

1.1 Intent Submission (POST)

The agent or coordinator submits an ActionSchema to the Authorization Layer.

{
  "action": "system.filesystem.write",
  "params": {
    "path": "/etc/config",
    "content_hash": "sha256:e3b0c442..."
  },
  "context": { "trace_id": "trc_9921", "priority": "high" }
}

1.2 Deterministic Evaluation

The request is evaluated against a pre-compiled state machine. TG-01 is fail-closed: UNKNOWN, TIMEOUT, or incomplete context is a hard DENY—execution does not proceed and there is no silent PERMIT.

1.3 The Signed Receipt (SAR)

Upon a PERMIT decision, the system issues a Signed Authorization Receipt (SAR) using Ed25519.

  • Header: Algorithm and Version metadata.
  • Payload: Decision, Timestamp, Action Fingerprint, and the logic_ref of the policy version that produced the decision (see Appendix A, CC8.1).
  • Signature: EdDSA (Ed25519) signature, which the execution surface MUST verify before commit (see Section 2).
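The handshake of 1.1 to 1.3 carried end to end, together with the verification the execution surface performs under Section 2, as an added Go example that is not TrigGuard's own code: the intent is fingerprinted, evaluated fail-closed against a compiled policy under a deadline, turned into an Ed25519-signed receipt, and only then checked by the execution surface before commit. Everything beyond the page's own field names is an assumption of this example: the SAR payload keys (decision, ts, action_fp, logic_ref), the fingerprint as SHA-256 over the canonical action and params, the standard-library crypto/ed25519 implementation, the signing of DENY receipts as well as PERMIT receipts, and the constructed DemoPolicy, which permits filesystem writes under /etc/ only.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// ActionSchema is the 1.1 intent. JSON names follow the page; flat string maps are this example's assumption.
type ActionSchema struct {
	Action  string            `json:"action"`
	Params  map[string]string `json:"params"`
	Context map[string]string `json:"context"`
}

const Permit, Deny = "PERMIT", "DENY" // the execution surface treats anything but an explicit PERMIT as DENY

// Payload is the 1.3 receipt payload (decision, timestamp, action fingerprint) plus the
// logic_ref that Appendix A ties to a policy commit. The JSON names are assumed.
type Payload struct {
	Decision    string `json:"decision"`
	Timestamp   int64  `json:"ts"`
	Fingerprint string `json:"action_fp"`
	LogicRef    string `json:"logic_ref"`
}

// SAR is the Signed Authorization Receipt: header, payload, Ed25519 signature over the canonical payload.
type SAR struct {
	Header    map[string]string `json:"header"`
	Payload   Payload           `json:"payload"`
	Signature []byte            `json:"signature"`
}

// canon is the canonical encoding: encoding/json sorts map keys and emits struct fields in declaration order.
func canon(v interface{}) []byte { b, _ := json.Marshal(v); return b }

// Fingerprint binds a receipt to exactly what will execute: the action and its params. Leaving
// the context (trace_id, priority) out of the hash is this example's assumption.
func Fingerprint(a ActionSchema) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(canon(map[string]interface{}{"action": a.Action, "params": a.Params})))
}

// Policy is the pre-compiled rule set and the logic_ref it was built from. An action with no rule is UNKNOWN.
type Policy struct {
	LogicRef string
	Rules    map[string]func(ActionSchema) string
}

// Evaluate is step 1.2, fail-closed: incomplete context, an UNKNOWN action, or a rule that misses
// the deadline (TIMEOUT) is DENY, and only an explicit PERMIT from the rule passes.
func Evaluate(p Policy, a ActionSchema, deadline time.Duration) string {
	rule, known := p.Rules[a.Action]
	if a.Context["trace_id"] == "" || !known {
		return Deny
	}
	out := make(chan string, 1)
	go func() { out <- rule(a) }()
	select {
	case d := <-out:
		if d == Permit {
			return Permit
		}
	case <-time.After(deadline):
	}
	return Deny
}

// Issue builds and signs the SAR. Signing DENY receipts as well (for the CC7.1 audit trail) is assumed.
func Issue(priv ed25519.PrivateKey, p Policy, a ActionSchema, d string, now time.Time) SAR {
	payload := Payload{Decision: d, Timestamp: now.Unix(), Fingerprint: Fingerprint(a), LogicRef: p.LogicRef}
	return SAR{Header: map[string]string{"alg": "Ed25519", "ver": "TG-01"}, Payload: payload, Signature: ed25519.Sign(priv, canon(payload))}
}

// Commit is the execution surface's gate (Section 2): valid signature, explicit PERMIT, and a
// fingerprint that matches the action actually about to run. Any failure blocks the commit.
func Commit(pub ed25519.PublicKey, sar SAR, a ActionSchema) error {
	switch {
	case sar.Header["alg"] != "Ed25519" || !ed25519.Verify(pub, canon(sar.Payload), sar.Signature):
		return fmt.Errorf("receipt signature invalid")
	case sar.Payload.Decision != Permit:
		return fmt.Errorf("decision is %s, not PERMIT", sar.Payload.Decision)
	case sar.Payload.Fingerprint != Fingerprint(a):
		return fmt.Errorf("receipt does not cover this action")
	}
	return nil
}

// DemoPolicy is constructed for this example: writes under /etc/ with no traversal are PERMIT, all else DENY.
var DemoPolicy = Policy{LogicRef: "policy@1a2b3c", Rules: map[string]func(ActionSchema) string{
	"system.filesystem.write": func(a ActionSchema) string {
		if p := a.Params["path"]; strings.HasPrefix(p, "/etc/") && !strings.Contains(p, "..") {
			return Permit
		}
		return Deny
	},
}}
```

Calling sequence: the coordinator submits an ActionSchema, the authorization layer runs Evaluate with the 15 ms budget and hands the result to Issue, and the execution surface calls Commit with the receipt and the action it is about to perform. Evaluate returns DENY for a missing trace_id, an action with no rule, a rule that misses the deadline, and any rule result other than PERMIT; Commit refuses a receipt whose signature does not verify, whose decision is not PERMIT, or whose fingerprint does not match the presented action, so a permit issued for /etc/config cannot be replayed against another path.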

2. COMPLIANCE & SYSTEM PROPERTIES

  • DETERMINISM: Identical inputs across identical state environments MUST produce identical decisions.
  • IMMUTABILITY: Once a receipt is signed, it is a permanent record of authority; any change to the signed payload invalidates the signature.
  • NON-REPUDIATION: Every PERMIT is attributable to the signing key. The execution surface MUST verify the Ed25519 signature before the commit is performed and MUST NOT act on a receipt it cannot verify.

3. THREAT VECTORS ADDRESSED

  • TV-01: Unauthorized Privilege Escalation via Prompt Injection.
  • TV-02: State-drift during autonomous multi-step execution.
  • TV-03: Non-auditable system commits.

APPENDIX A // COMPLIANCE_MAPPING [SOC2_TSC]

Direct mapping of TG-01 Protocol features to the AICPA Trust Services Criteria (SOC2). Use as reference for internal control documentation.

SOC2 Control Area          TG-01 Protocol Feature             Implementation Evidence
-------------------------  ---------------------------------  ---------------------------------------------------------------------------
CC6.1 (Logical Access)     Non-bypassable Execution Boundary  Every system commit requires a signed Ed25519 permit.
CC7.2 (System Ops)         Deterministic Auth Engine          Fail-closed logic ensures no unauthorized default-allow states.
CC7.1 (System Monitoring)  Signed Authorization Receipts      Immutably signed JSON records for every PERMIT/DENY/SILENCE decision.
CC8.1 (Change Management)  Policy Versioning                  The logic_ref in the SAR traces decisions to specific policy commits.
A1.2 (Availability)        Local Sidecar Deployment           Line-rate authorization maintains system availability during network lag.

AUDITOR_NOTE: TrigGuard is a primary control point for automated execution. Proposed intent (from any runtime, including agents) is separated from execution authority: only policy-backed PERMIT with a valid receipt authorizes commit—supporting segregation of duties (SoD) in automated environments.

DOC_HASH: sha256:7a3f...e91b // TG-01-SPEC-1.0.4