AlgoVoi open Decision chain (Apache-2.0): Passport + Mandate + Policy + Gate + Guardrail + Cancellation + Refund + Trust query + Execution + Orchestrator + Delegation + Revocation + Journey + SDK #289
Replies: 5 comments
-
Keystone Control Panel (open, Apache-2.0)A browser-based settings panel for the keystone ecosystem, available on request. What it does Auto-detects installed algovoi keystone packages and shows their configuration in one place. Each installed step gets its own settings row (gate config) and a substrate tab for the low-level canonicalisation variables ( Login and pin gate Two-tier access. A session token unlocks the view. A separate Falcon-1024 licence key unlocks editing. The licence key check is fully offline: signature verified against a bundled issuer public key, no network call. Keys are issued per deployment and last 90 days via a persisted pin cookie. Rate limiting (5 attempts per 60 s) and httponly / samesite cookies are in place. HTTPS Ships with a Screenshot: login Screenshot: panel with guard step detected The panel shows 1 installed step ( Available on request. Bring any variable, Keystone supports it (alias mapping, now live) Keystone does not hard-code a fixed set of layers. Any ref you define can be declared an alias of a canonical Keystone layer, and it then appears in the chain at that layer's position and recomputes the same way. Two paths, neither needs a catalogue edit or a rebuild:
|
Beta Was this translation helpful? Give feedback.
-
Keystone Control Panel: bolt-on ecosystemThe control panel is not just a settings UI. Each keystone stage is a defined integration surface. Any vendor whose package emits conformant content-addressed refs plugs straight in. The panel detects it, surfaces its config, and validates it against the chain's Stage surfaces
Cross-party layer
How bolt-ons work The entry point is open. Any package that registers Conformance is about interoperability, not permission. A bolt-on that emits a valid content-addressed ref using the JCS + integer-ms substrate can be verified by any other step in the chain, by any org, offline. The substrate is the shared language. The conformance check just confirms the bolt-on speaks it, so downstream steps can trust what it produces. Self-hosted today. A discoverable registry of conformance-validated bolt-ons is the natural next layer once the ecosystem has volume. |
Beta Was this translation helpful? Give feedback.
-
|
How to build a Keystone bolt-on The keystone control panel auto-detects bolt-ons through one small contract, so you can add your own step and have it recognised without us changing anything. A bolt-on is a Python package that declares an entry point and returns a short descriptor.
[project.entry-points."algovoi.keystone.steps"]
my_step = "my_package.keystone:keystone_step"
def keystone_step():
return {
"package": "my-package", # your distribution name
"step": "my_step", # the decision-flow stage you cover
"ref": "my_ref", # the *_ref your package emits
"order": 50, # optional: where it sits in the flow
"posture": "what it does", # optional: one line
}
That is the whole contract. Publish your package and anyone with the panel installed sees your step. Two tiers: Keystone Enabled (your package produces a keystone ref at a step, as above) and Keystone Integration (a |
Beta Was this translation helpful? Give feedback.
-
⚡ New (open, Apache-2.0):
|
Beta Was this translation helpful? Give feedback.
-
|
Direct agentic integration for the Passport step: present and verify, both sides of the wire The Passport in this chain now has a drop-in agentic path, offline and stock-tool verifiable. An agent presents its passport on an outbound x402 or A2A call: a Falcon-1024 (FIPS 206) credential binding the agent DID to scopes, a spend bound and an expiry. A relying party verifies a presented passport fully offline, against the issuer's published key, with a stock trust base (RFC 8785 JCS plus a FIPS 206 verifier) and no service in the trust path. Verification is fail closed: with no key resolved or no revocation confirmed the verdict is unverifiable, never a default trust, and the kid is bound to the key (sha256 of the public key) so a swapped key cannot validate. Two pieces, both live:
It composes with the rest of the chain on one primitive: a verified passport is a content-addressed keystone record (ref = sha256(RFC 8785 JCS(payload))), so it validates and journals in a tamper-evident chain alongside Mandate, Execution and the rest. The passport signature carries authenticity; the chain carries composition. Discoverable through the Keystone Control Panel. Reference: https://docs.algovoi.co.uk/keystone |
Beta Was this translation helpful? Give feedback.


Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
Latest (2026-07-09): 10 independent JCS implementations
The open conformance corpus is now cross-validated byte-identical across 10 independent JCS implementations in 10 languages. Elixir (
jcs0.2.0, pzingg) and Kotlin/JVM (erdtman/java-json-canonicalization1.1) join Python, Node.js, Go, Rust, Java, PHP, .NET and Ruby, executed directly across 11 of the 14 anchor sets, with an independent three-way byte diff on every set. Corpus: https://github.com/chopmob-cloud/algovoi-jcs-conformance-vectorsThe AlgoVoi Keystone
The Keystone is the complete decision chain behind an agent payment, expressed as one recomputable sequence of content-addressed references. Each link answers one question and binds to the next, so the whole chain verifies end to end offline, with no issuer contact: just RFC 8785 JCS canonicalization and SHA-256. Open, Apache-2.0.
The agentic lifecycle: identity to settlement. The Keystone chain in full, each reference
sha256:over JCS (RFC 8785) of its predecessor:Recompute any input field and the reference at that step plus every downstream reference diverges. One agent, one authority, one policy, one decision, one execution -- the whole chain is verifiable end to end with no issuer contact, using only JCS (RFC 8785) and SHA-256.
The agentic lifecycle extends through the full post-decision sequence: a settlement attestation binds to the exact
execution_refthe Keystone produced; a refund anchors to the same; an audit chain of frames links execution, settlement, and refund byprev_hashand caps them with onetrust_query_ref. Cancellation closes the mandate before execution on the authority-side mirror. Any party recomputes the full agentic lifecycle offline -- same JCS + SHA-256 discipline, no new primitive, no AlgoVoi software in the trust base. Agentic lifecycle -- composition proofs, byte-for-byte verifiable offline: https://docs.algovoi.co.uk/keystoneCross-party (multi-agent):
delegation -> revocation -> journey. The constructions are open source (delegation published; revocation and journey available on request); the cross-party proofs are the commercial Orchestrator.Verify the whole chain yourself, no package import, offline:
Each link below is its own open package: install it, pin it, verify it independently, or compose the whole chain. Every package is Apache-2.0 and pinned at
0.1.0; pinned adopters receive a free v0 verification key (pin, then key).1. Agent Passport,
passport_ref(identity)Who the agent is, as a content-addressed identity reference.
2. Payment Mandate,
mandate_ref(authority)What the agent may spend, bound to its passport.
3. Policy Binding,
policy_bound_ref(policy in force)Which policy snapshot the action runs under, version provable and rotation detectable.
4. Compliance Gate,
gate_ref(compliance verdict)The no-PII compliance verdict, bound to the policy it assessed.
Compliance binding and decision basis (commercial)
The open Compliance Gate above emits the verdict. Substrate 2 binds that receipt into the keystone as a screen stage, proving the screening that informed this exact decision, and adds the signed decision basis: which compliance standards drove the verdict, the jurisdiction check bound to its geo determination, no PII and recomputable offline. Commercial only. Details: https://docs.algovoi.co.uk/keystone
5. Spend Guardrail,
guardrail_ref(pre-payment decision)The ALLOW or DENY decision, bound to agent, mandate and policy.
6. Execution,
execution_ref(decision-bound execution evidence)What the agent actually did, bound to the exact decision that authorized it.
execution_refis the natural replacement foraction_ref, the keystone-bound successor on the same JCS (RFC 8785) and SHA-256 discipline;action_refstays fully backward compatible as the legacy primitive, unchanged in the substrate, so existing integrations keep verifying byte for byte with no forced migration. New work targetsexecution_ref;action_refkeeps working.7. Cancellation,
cancellation_ref(closes the authority)Closes the mandate before execution, bound to the exact mandate.
8. Refund,
refund_ref(after settlement)A refund anchored to the execution that committed, not merely to the decision.
9. Composite Trust Query,
trust_query_ref(one verdict over the chain)One recomputable trust verdict over the ordered chain of references. The same verdict serves as a settlement attestation: the settled chain is recomputable from the receipt alone, with no issuer contact.
Preconditions and transport, same pattern:
Substrate Guard,
profile_ref(input-bounds gate)The input-bounds profile every record is admitted under before canonicalization.
Flow-point hardening (open)
Three recomputable securing refs now deepen the Keystone where a bare ref proved a fact was recorded but not that it was recorded correctly or freshly: a decision-audit binding (a decision to the exact passport, mandate, policy-binding and compliance screen it consumed), an admission guard-context binding, and an integer-millisecond freshness window. Public conformance vectors recompute with SHA-256 and RFC 8785 only.
pip install --extra-index-url https://pip.algovoi.co.uk/simple/ algovoi-keystone-secure-litePEF Keystone (signed transport frames)
Wraps and pins a Keystone reference into hash-linked evidence frames.
TAP Verifier (offline-verifiable agentic payment receipt)
Verifies an AlgoVoi TAP receipt with no AlgoVoi software: it re-derives the
receipt_idfrom the JCS preimage and checks the Ed25519 signature using public libraries only, with an optional Falcon-1024 post-quantum check. For the Trusted Agent Protocol post-authentication audit trail.CloudEvents adapter (keystone decision as a CloudEvents 1.0 event)
Emits an AlgoVoi keystone decision as a CloudEvents 1.0 event; the content-addressed
execution_refis the eventid, and a consumer recomputes it from the eventdatawith JCS (RFC 8785) and SHA-256, with no AlgoVoi software.W3C Verifiable Credential adapter (keystone decision as a credential)
Emits an AlgoVoi keystone decision as a W3C Verifiable Credential (Data Model 2.0) of its own
KeystoneExecutionCredentialtype; the content-addressedexecution_refis thecredentialSubjectid, recomputable from the subject before any signature suite is applied.MCP verifier (recompute a keystone execution_ref in any MCP client)
An open Model Context Protocol server exposing keystone verification as tools, so any MCP client recomputes and checks a keystone
execution_refoffline, with no AlgoVoi service.Webhook verifier (verify a keystone ref in a webhook)
Verifies an AlgoVoi webhook's HMAC signature and recomputes the keystone
execution_refcarried in the event from its fields with JCS (RFC 8785) and SHA-256, so a consumer proves both the signature and that the keystone reference is authentic, with no AlgoVoi software.LangChain run trace (keystone decision on a LangChain run)
Attaches a keystone decision to a LangChain run as metadata and a tag under
algovoi.keystone.*, so LangSmith or any tracer shows a content-addressedexecution_refa reviewer recomputes from the run alone, with no AlgoVoi software.CrewAI step trace (keystone decision on a CrewAI step)
Records a keystone decision once via a CrewAI step callback and passes the step output through unchanged, so a crew run carries a content-addressed
execution_refrecomputable from the recorded metadata alone, with no AlgoVoi software.AutoGen message trace (keystone decision on an AutoGen message)
Stamps a keystone decision into an AutoGen message's metadata, so a conversation carries a content-addressed
execution_refrecomputable from the message alone, with no AlgoVoi software.ADK agent trace (keystone decision in Google ADK agent state)
Stamps a keystone decision into Google ADK agent state via a before-agent callback, so an agent run carries a content-addressed
execution_refrecomputable from the state alone, with no AlgoVoi software.Orchestrator and composition proofs
The Keystone Orchestrator produces verifiable, end to end evidence that authority flowed correctly across organizational boundaries and was not exceeded, recomputable offline. The signed verdict is portable: it verifies off-the-shelf as a standard EdDSA JWS under any JOSE library and as a W3C Verifiable Credential under the Digital Bazaar eddsa-jcs-2022 suite, with no AlgoVoi software. Composition proofs are available on request. Docs: https://docs.algovoi.co.uk/keystone
Delegation: authority across parties (
delegation_ref)When authority is handed from one party to another, the Orchestrator proves it composed without anyone exceeding their grant. A treasury agent A, authorized for payments up to 1000 across GB and US, delegates a slice to a vendor agent B for a fixed window. B decides and executes deliberately narrower (a USDC transfer up to 500, GB). The Orchestrator composes A's authority, the delegation, B's decision and B's execution into one signed verdict: authority flowed correctly across the A to B boundary and nothing was exceeded, verifiable offline. If B instead executes for 2000, the verdict is BROKEN: a signed receipt would still look valid, the composed proof does not.
The open
delegation_refis the tamper-evident binding for each hand-off. The cross-party scope-consistency proof is the Orchestrator capability; composition proofs available on request.Revocation: pulling authority back (
revocation_ref)Authority can be withdrawn before it expires. When a grantor revokes a delegation, the Orchestrator proves that every downstream action which happened at or after the revocation no longer holds, even across several hops. A treasury agent A delegates to B, B sub-delegates to C, then A revokes the original grant. Any action C takes after that revocation composes to BROKEN, because C's authority derived from a grant A had already pulled, recomputable offline. An action that happened before the revocation stays valid: revocation is prospective and provable from the bytes, not a mutable status flag. The open
revocation_refis available on request (Apache-2.0); the cross-party cascade proof is the commercial Orchestrator capability.Journey: the whole multi-agent task as one proof (
journey_ref)One reference binds an entire multi-agent task end to end: every hop's execution and the delegations between them. Verifying a single
journey_refproves the whole A to B to C task at once: identity and authority continuity, scope never widened at any boundary, nothing acted under a revoked grant, and no hop omitted from the record. Drop a hop or widen scope anywhere and the journey composes to BROKEN. The openjourney_refis available on request (Apache-2.0); the end to end aggregation proof is the commercial Orchestrator capability.Journey adapters: bind the whole run in your framework (commercial)
The CrewAI, LangGraph, AutoGen, and A2A journey adapters each record a multi-agent run's hops and the delegations between them, then emit one
journey_refover the whole task: a crew, a graph, a group chat, or an agent-to-agent task verifies as a single proof.Commercial full Orchestrator (delegation proofs + PQC sign + CCC): in the on-prem bundle.
IETF drafts
Internet-Drafts for the underlying constructions (the canonicalization substrate, the receipt and execution references, and the audit chain of frames) are available on request.
Benchmark, clean-box reproduction
Reproduced on a clean box, a fresh container with one vCPU, installing only from the public PyPI and npm registries:
All 22 packages (11 PyPI, 11 npm) install and import on a clean box.
Full conformance corpus v0.26.0: 31 vector sets plus every composition keystone reproduce byte for byte, Node equals Python.
Single core soak, zero drift: 19,171 keystone recomputations per second on Python and 40,296 per second on Node, with zero drift across roughly 1.78 million recomputations.
Security testing (last run 2026-07-01)
Canonicalization fuzz (2026-06-22): adversarial differential testing across 9 independent JCS implementations. 20,000 safe-domain inputs: 0 divergences. 373 adversarial (out-of-domain) inputs: the substrate's own canonicalizer fail-closed on 373/373 -- zero in-domain breaks. Public attestation in the conformance-vectors repository.
Cross-implementation parity (corpus v0.31.0): conformance vectors validated byte-identical across 8 independent implementations in 8 languages -- Python, Node.js, Go, Rust, Java, PHP, .NET, Ruby. Node equals Python on every reference.
Keystone conformance (2026-07-01): 16/16 conformance tests -- determinism, byte-for-byte recompute, tamper divergence (any field change diverges every downstream reference), severity weighting, and chain binding. Fresh-venv clean install verified against corpus v0.31.0; 7-tier keystone recompute byte-for-byte.
Input-bounds gate (
algovoi-substrate-guard, Apache-2.0): runs before canonicalization and admits only inputs within the proven safe domain (safe-integer range, Unicode scalar validity). 15/15 public test vectors. On PyPI and npm.Substrate 2 (Commercial)
Everything above is open (Apache-2.0). Substrate 2 is the commercial core built on the same canonical evidence, with two simple parts.
The control plane: where the pieces connect. Think of it as the switchboard. Every service (payments, compliance, records, evidence) plugs into one hub that keeps the single list of trusted keys and issuers, lets each service register itself, and shows one live view of the whole system's health.
The keystone: the record of what actually happened. A payment is checked for authorization, a decision is made, it executes, and it settles on chain. The keystone stitches those steps into one tamper-evident thread: each step is a short fingerprint locked to the one before it, so the whole story, from "allowed to spend" to "settled," re-checks offline with no AlgoVoi software. The same record exports as a signed JSON receipt, a W3C Verifiable Credential, a JOSE token, or a zero-knowledge proof, each pointing back to the same payment.
The control plane connects the apps; the keystone is the thread that runs through a payment.
Run it yourself. A self-hosted Payment Rails bundle installs the control plane and keystone on your own infrastructure and speaks all four protocols (x402, MPP, AP2, A2A) across seven chains. It starts on SQLite for a five minute install and upgrades to PostgreSQL by import. The encrypted bundle verifies its licence and installs fully offline. Details: https://docs.algovoi.co.uk/payment-rails-sqlite
Details: https://docs.algovoi.co.uk/substrate-2
Keystone config panel
The keystone is an evolving ecosystem: each step has configurable parameters that shift as the platform grows.
algovoi-keystone-controlsurfaces those parameters in a browser UI, auto-detects which algovoi packages are installed, and lets operators edit them via a pin-gated HTTPS panel. Open (Apache-2.0).Docs: https://docs.algovoi.co.uk/keystone
Keystone connectors -- drop-in adapters that bind a data-layer operation to the keystone decision that authorised it, emitting a content-addressed
execution_ref(verifiable offline withkeystone-verify. Open Apache-2.0, available on request):algovoi-keystone-odbc-- wraps any ODBC / DB-API cursor; every execute (insert / update / delete) is bound to itsdecision_ref, so a write can be proven consistent with the decision that allowed it.algovoi-keystone-sqlalchemy-- onebind_session()call registers anafter_flushlistener; each flushed ORM change is bound to the keystone, no model or query changes.algovoi-keystone-kafka-- wraps any producer (kafka-python / confluent-kafka / aiokafka); each produced message carries anexecution_ref, with failed sends recorded asFAILED.algovoi-keystone-openlineage-- attaches a keystone run facet to each OpenLineage RunEvent, so the lineage standard's own events carry theexecution_ref; outcome derived fromeventType.algovoi-keystone-asgi-- one ASGI / WSGI middleware (FastAPI / Starlette / Flask / Django) binds every state-changing HTTP request to itsdecision_ref; outcome from the response status.algovoi-keystone-grpc-- a gRPC server interceptor binds each unary call to itsdecision_ref; outcome COMMITTED, or FAILED if the handler raises. Streaming passes through.algovoi-keystone-s3-- wraps any boto3 S3 client so every object write (put / delete) carries anexecution_refkeyed tobucket/key; reads pass through untouched.algovoi-keystone-redis-- wraps any redis-py client so every write command (set / delete / hset / expire / ...) carries anexecution_refkeyed to the key; reads pass through.algovoi-keystone-mongo-- wraps any pymongo collection so every write (insert / update / delete / replace) carries anexecution_refkeyed todb.collection; reads pass through.algovoi-keystone-amqp-- wraps any pika channel so every AMQP / RabbitMQ publish carries anexecution_refkeyed toexchange/routing_key; consumers and declares pass through.algovoi-keystone-elasticsearch-- wraps any elasticsearch-py client so every write (index / update / delete / bulk) carries anexecution_refkeyed toindex/doc_id; searches pass through.algovoi-keystone-nats-- wraps any nats-py connection so every publish carries anexecution_refkeyed to the subject; subscribes and requests pass through.algovoi-keystone-gcs-- wraps any Google Cloud Storage blob so every object write (upload / delete) carries anexecution_refkeyed tobucket/name; reads pass through.algovoi-keystone-azure-blob-- wraps any azure-storage-blob container client so every object write (upload / delete) carries anexecution_refkeyed tocontainer/blob; reads pass through.algovoi-keystone-azure-servicebus-- wraps any azure-servicebus sender so every send (send_messages / schedule_messages) carries anexecution_refkeyed to the queue or topic; receivers pass through.algovoi-keystone-httpx-- wraps any httpx.Client / requests.Session so every outbound state-changing call (POST / PUT / PATCH / DELETE) carries anexecution_refkeyed tohost/path; reads pass through.algovoi-keystone-celery-- wraps a Celery task or app so every dispatch (apply_async / delay / send_task) carries anexecution_refkeyed to the task name; a dispatch that raises is recorded FAILED.algovoi-keystone-sqs-- wraps any boto3 SQS client so every send (send_message / send_message_batch) carries anexecution_refkeyed to the queue name; receives pass through.algovoi-keystone-sns-- wraps any boto3 SNS client so every publish carries anexecution_refkeyed to the topic; reads pass through.algovoi-keystone-pubsub-- wraps any google-cloud-pubsub PublisherClient so every publish carries anexecution_refkeyed to the topic; other calls pass through.algovoi-keystone-dynamodb-- wraps any boto3 DynamoDB client so every write (put / update / delete / batch) carries anexecution_refkeyed to the table; reads pass through.algovoi-keystone-pinecone-- wraps any Pinecone Index so every vector write (upsert / delete / update) carries anexecution_refkeyed toindex/namespace; reads pass through.algovoi-keystone-qdrant-- wraps any QdrantClient so every vector write (upsert / delete / payload) carries anexecution_refkeyed to the collection; reads pass through.Companion verifier --
algovoi-keystone-validateingests a batch of theseexecution_refrecords, recomputes each offline, checks they bind to the expected decision, and logs what failed and why (integrity vs operational errors). Open Apache-2.0, available on request.How to verify (no trust required) -- every reference is content-addressed:
ref = "sha256:" + SHA-256(RFC 8785 JCS(object)). You can reproduce any published reference with a third-party RFC 8785 implementation and standard SHA-256, with no AlgoVoi software involved:That reference is byte-identical to the published corpus value for this identity object, computed with a different canonicalizer than the one inside the package -- so a match proves the substrate is faithfully the open standard, not something you take on trust. Change any field and the reference diverges. RFC 8785 implementations exist in Go, JavaScript, Rust, and Java; any reproduces the same bytes. The conformance corpus is keyed under the
jcs-rfc8785-v1profile. The one-command verifier that recomputes the full chain byte-for-byte against the Ed25519-signed conformance corpus (fully offline, trusts no emitter) is open Apache-2.0, available on request.Install (from the AlgoVoi index):
The full open Keystone fleet is on the same index: https://pip.algovoi.co.uk/simple/
The Keystone control panel is published on PyPI:
The tested packages themselves are served from the AlgoVoi index to preserve their integrity and security.
x402 payment receipts (verifiable offline)
The keystone execution stage produces an x402 payment receipt: a signed record binding the payment evidence to the exact authorization that approved it, verifiable offline with JCS (RFC 8785) and SHA-256 using any conforming canonicalizer. Three reference pages on the receipt construction and its properties:
Verifiable x402 receipt -- the receipt format, preimage construction, and signature scheme. Any verifier with an RFC 8785 implementation and standard Ed25519 library recomputes the receipt identifier and checks the signature with no AlgoVoi software. Details: https://docs.algovoi.co.uk/verifiable-x402-receipt
Offline-verifiable receipts -- the full offline verification method, including the step-by-step preimage derivation, the Ed25519 signature check, and the optional Falcon-1024 post-quantum layer. Details: https://docs.algovoi.co.uk/offline-verifiable-receipts
No-PII compliance receipt -- the compliance gate verdict feeds the receipt directly, so a recipient verifies that no personal data was included in the payment evidence by recomputing the gate reference from the receipt alone. Details: https://docs.algovoi.co.uk/no-pii-compliance-receipt
Live proof: the Keystone across six chains
The Keystone trust chain now has a live, end to end proof. We compose the full chain (passport, mandate, policy, signed decision, execution, and a single trust query), bind it to a real on-chain settlement, and verify every reference and signature offline. It has been tested across six public testnets: Base Sepolia, Arc, Tempo, Algorand, Stellar, and Solana. On Algorand, Stellar and Solana the decision is written into the transaction itself (the note, memo and reference), so it is visible directly on the block explorer.
The same chain also composes across four agent-payment protocols (x402, MPP, AP2, A2A), which converge on one settlement reference. A downloadable proof pack and an independent verifier (SHA-256, RFC 8785, Ed25519 only) are included.
Walkthrough, the live transactions, and a recompute it yourself guide: https://docs.algovoi.co.uk/keystone-proof
Beta Was this translation helpful? Give feedback.
All reactions