TG-01
Deterministic Authorization Protocol
Reference Specification
Protocol series TG-01 Family TrigGuard Authorization Protocol
0. ABSTRACT
TG-01 defines deterministic authorization between automation (including agents) and execution surfaces. It establishes a non-bypassable boundary: intent is evaluated against signed policy before commit, and execution is blocked unless a cryptographic Commit Permit is issued. No silent fallbacks.
1. THE EXECUTION HANDSHAKE
Latency is scoped: <5ms p99 kernel hot path; <15ms p99 end-to-end finite-state evaluation under normal load. Measured envelope (kernel p99 0.018 ms, sequential pipeline p99 1.28 ms, 10 VU concurrent p99 4.59 ms) is published with raw artifacts under /benchmarks. The handshake follows a 3-step verification model:
1.1 Intent Submission (POST)
The agent or coordinator submits an ActionSchema to the Authorization Layer.
{
"action": "system.filesystem.write",
"params": {
"path": "/etc/config",
"content_hash": "sha256:e3b0c442..."
},
"context": { "trace_id": "trc_9921", "priority": "high" }
}1.2 Deterministic Evaluation
The request is evaluated against a pre-compiled state machine. TG-01 is fail-closed: UNKNOWN, TIMEOUT, or incomplete context is a hard DENY, execution does not proceed and there is no silent PERMIT.
1.3 The Signed Receipt (SAR)
Upon a PERMIT decision, the system issues a Signed Authorization Receipt (SAR) using Ed25519 over a canonicalized JSON payload.
- Header: Algorithm and Version metadata.
- Payload: Decision, Timestamp, Execution surface, Action Fingerprint, optional
payload_hashanchor (hex SHA-256 of the canonical signed payload). - Signature: Ed25519 cryptographic proof, base64-encoded, over the canonical payload.
2. COMPLIANCE & SYSTEM PROPERTIES
- DETERMINISM: Identical inputs across identical state environments MUST produce identical decisions.
- IMMUTABILITY: Once a receipt is signed, the signed payload is a permanent record of authority. Validator judgments live in separate validation artifacts and never mutate the receipt.
- OFFLINE VERIFIABILITY: Receipts MUST be verifiable using only the receipt, the issuer's public key, and the protocol specification — with no live service dependency.
- NON-REPUDIATION: The execution surface MUST verify the Ed25519 signature against the issuer's published public key before the commit is performed.
3. THREAT VECTORS ADDRESSED
- TV-01: Unauthorized Privilege Escalation via Prompt Injection.
- TV-02: State-drift during autonomous multi-step execution.
- TV-03: Non-auditable system commits.
APPENDIX A · COMPLIANCE MAPPING [SOC2 TSC]
Direct mapping of TG-01 Protocol features to the AICPA Trust Services Criteria (SOC2). Use as reference for internal control documentation.
| SOC2 Control Area | TG-01 Protocol Feature | Implementation Evidence |
|---|---|---|
| CC6.1 (Logical Access) | Non-bypassable Execution Boundary | Every system commit requires a valid Ed25519-signed permit, verified against the issuer's published public key. |
| CC7.2 (System Ops) | Deterministic Auth Engine | Fail-Closed logic ensures no unauthorized Default-Allow states. |
| CC7.1 (System Monitoring) | Signed Authorization Receipts | Immutably signed JSON records for every PERMIT/DENY/SILENCE decision. |
| CC8.1 (Change Management) | Policy Versioning | The logic_ref in the SAR traces decisions to specific policy commits. |
| A1.2 (Availability) | Local Sidecar Deployment | Line-rate authorization maintains system availability during network lag. |
AUDITOR_NOTE: TrigGuard is a primary control point for automated execution. Proposed intent (from any runtime, including agents) is separated from execution authority: only policy-backed PERMIT with a valid receipt authorizes commit, supporting segregation of duties (SoD) in automated environments.
DOC_HASH: sha256:7a3f...e91b · TG-01-SPEC-1.0.4