index.html

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>OATS — Open Agent Trust Stack</title>
  <meta name="description" content="A System Specification for Zero-Trust AI Agent Execution. Open standard for securing autonomous AI agents through structural enforcement.">
  <meta name="keywords" content="OATS, AI security, zero-trust, agent trust, tool contracts, ORGA loop, AI governance">
  <meta property="og:title" content="OATS — Open Agent Trust Stack">
  <meta property="og:description" content="A System Specification for Zero-Trust AI Agent Execution">
  <meta property="og:type" content="website">
  <meta property="og:url" content="https://openagenttruststack.org">
  <meta property="og:image" content="https://openagenttruststack.org/og-image.png">
  <meta property="og:image:secure_url" content="https://openagenttruststack.org/og-image.png">
  <meta property="og:image:type" content="image/png">
  <meta property="og:image:width" content="1200">
  <meta property="og:image:height" content="630">
  <meta property="og:image:alt" content="Open Agent Trust Stack — A System Specification for Zero-Trust AI Agent Execution">
  <meta property="og:site_name" content="Open Agent Trust Stack">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:title" content="OATS — Open Agent Trust Stack">
  <meta name="twitter:description" content="A System Specification for Zero-Trust AI Agent Execution">
  <meta name="twitter:image" content="https://openagenttruststack.org/og-image.png">
  <meta name="twitter:image:alt" content="Open Agent Trust Stack — A System Specification for Zero-Trust AI Agent Execution">
  <link rel="icon" type="image/svg+xml" href="favicon.svg">
  <link rel="icon" type="image/png" sizes="32x32" href="favicon-32.png">
  <link rel="icon" type="image/png" sizes="16x16" href="favicon-16.png">
  <link rel="shortcut icon" href="favicon.ico">
  <link rel="apple-touch-icon" sizes="180x180" href="favicon-180.png">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link href="https://fonts.googleapis.com/css2?family=DM+Serif+Display:ital@0;1&family=JetBrains+Mono:wght@400;500;600&family=Source+Serif+4:ital,opsz,wght@0,8..60,300;0,8..60,400;0,8..60,600;1,8..60,400&display=swap" rel="stylesheet">
  <style>
    :root {
      --bg-deep: #0c0c0f;
      --bg-surface: #131318;
      --bg-elevated: #1a1a22;
      --bg-sidebar: #101014;
      --border: #2a2a35;
      --border-subtle: #1e1e28;
      --text-primary: #e8e6e1;
      --text-secondary: #9a9790;
      --text-tertiary: #6b6860;
      --accent: #c8a44e;
      --accent-dim: #a08030;
      --accent-glow: rgba(200, 164, 78, 0.12);
      --accent-glow-strong: rgba(200, 164, 78, 0.25);
      --red: #c45050;
      --green: #5a9a6a;
      --blue: #5080b0;
      --serif: 'DM Serif Display', Georgia, serif;
      --body: 'Source Serif 4', Georgia, serif;
      --mono: 'JetBrains Mono', 'Consolas', monospace;
      --sidebar-w: 280px;
      --content-max: 820px;
    }

    *, *::before, *::after { box-sizing: border-box; margin: 0; padding: 0; }

    html {
      scroll-behavior: smooth;
      scroll-padding-top: 2rem;
    }

    body {
      font-family: var(--body);
      font-size: 17px;
      line-height: 1.72;
      color: var(--text-primary);
      background: var(--bg-deep);
      -webkit-font-smoothing: antialiased;
      -moz-osx-font-smoothing: grayscale;
    }

    /* ── Noise overlay ── */
    body::before {
      content: '';
      position: fixed;
      inset: 0;
      z-index: 9999;
      pointer-events: none;
      opacity: 0.025;
      background-image: url("data:image/svg+xml,%3Csvg viewBox='0 0 256 256' xmlns='http://www.w3.org/2000/svg'%3E%3Cfilter id='n'%3E%3CfeTurbulence type='fractalNoise' baseFrequency='0.9' numOctaves='4' stitchTiles='stitch'/%3E%3C/filter%3E%3Crect width='100%25' height='100%25' filter='url(%23n)'/%3E%3C/svg%3E");
      background-size: 256px 256px;
    }

    /* ── Sidebar ── */
    .sidebar {
      position: fixed;
      top: 0;
      left: 0;
      width: var(--sidebar-w);
      height: 100vh;
      background: var(--bg-sidebar);
      border-right: 1px solid var(--border-subtle);
      overflow-y: auto;
      z-index: 100;
      display: flex;
      flex-direction: column;
      scrollbar-width: thin;
      scrollbar-color: var(--border) transparent;
    }

    .sidebar-header {
      padding: 2rem 1.5rem 1.5rem;
      border-bottom: 1px solid var(--border-subtle);
      flex-shrink: 0;
    }

    .sidebar-logo {
      font-family: var(--mono);
      font-size: 0.7rem;
      font-weight: 600;
      letter-spacing: 0.2em;
      text-transform: uppercase;
      color: var(--accent);
      margin-bottom: 0.25rem;
    }

    .sidebar-title {
      font-family: var(--serif);
      font-size: 1.15rem;
      color: var(--text-primary);
      line-height: 1.3;
    }

    .sidebar-meta {
      font-family: var(--mono);
      font-size: 0.65rem;
      color: var(--text-tertiary);
      margin-top: 0.75rem;
      line-height: 1.7;
      letter-spacing: 0.02em;
    }

    .sidebar-meta span {
      display: block;
    }

    .sidebar-nav {
      padding: 1rem 0;
      flex: 1;
      overflow-y: auto;
    }

    .sidebar-nav a {
      display: block;
      padding: 0.35rem 1.5rem;
      font-family: var(--mono);
      font-size: 0.68rem;
      color: var(--text-tertiary);
      text-decoration: none;
      transition: all 0.2s ease;
      letter-spacing: 0.01em;
      line-height: 1.5;
      border-left: 2px solid transparent;
    }

    .sidebar-nav a:hover {
      color: var(--text-secondary);
      background: var(--accent-glow);
    }

    .sidebar-nav a.active {
      color: var(--accent);
      border-left-color: var(--accent);
      background: var(--accent-glow);
    }

    .sidebar-nav .nav-section {
      padding: 0.6rem 1.5rem 0.25rem;
      font-family: var(--mono);
      font-size: 0.6rem;
      font-weight: 600;
      letter-spacing: 0.15em;
      text-transform: uppercase;
      color: var(--text-tertiary);
      opacity: 0.6;
    }

    .sidebar-nav .nav-section:first-child {
      padding-top: 0;
    }

    .sidebar-footer {
      padding: 1rem 1.5rem;
      border-top: 1px solid var(--border-subtle);
      flex-shrink: 0;
    }

    .sidebar-footer a {
      display: inline-block;
      font-family: var(--mono);
      font-size: 0.62rem;
      color: var(--text-tertiary);
      text-decoration: none;
      letter-spacing: 0.05em;
      transition: color 0.2s;
    }

    .sidebar-footer a:hover {
      color: var(--accent);
    }

    .sidebar-footer a + a {
      margin-left: 1rem;
    }

    /* ── Main content ── */
    .main {
      margin-left: var(--sidebar-w);
      min-height: 100vh;
    }

    /* ── Hero ── */
    .hero {
      position: relative;
      padding: 6rem 4rem 5rem;
      border-bottom: 1px solid var(--border);
      overflow: hidden;
    }

    .hero::before {
      content: '';
      position: absolute;
      top: -60%;
      right: -20%;
      width: 700px;
      height: 700px;
      background: radial-gradient(ellipse, var(--accent-glow-strong) 0%, transparent 70%);
      pointer-events: none;
    }

    .hero-badge {
      display: inline-block;
      font-family: var(--mono);
      font-size: 0.65rem;
      font-weight: 600;
      letter-spacing: 0.2em;
      text-transform: uppercase;
      color: var(--accent);
      padding: 0.35rem 0.8rem;
      border: 1px solid var(--accent-dim);
      border-radius: 2px;
      margin-bottom: 2rem;
      background: var(--accent-glow);
    }

    .hero h1 {
      font-family: var(--serif);
      font-size: clamp(2.4rem, 5vw, 3.6rem);
      color: var(--text-primary);
      line-height: 1.15;
      margin-bottom: 0.75rem;
      max-width: 700px;
    }

    .hero h1 em {
      font-style: italic;
      color: var(--accent);
    }

    .hero-subtitle {
      font-family: var(--body);
      font-size: 1.15rem;
      color: var(--text-secondary);
      max-width: 600px;
      line-height: 1.7;
      margin-bottom: 2.5rem;
    }

    .hero-details {
      display: flex;
      gap: 2.5rem;
      flex-wrap: wrap;
    }

    .hero-detail {
      font-family: var(--mono);
      font-size: 0.7rem;
      color: var(--text-tertiary);
      letter-spacing: 0.02em;
    }

    .hero-detail strong {
      display: block;
      font-size: 0.6rem;
      letter-spacing: 0.12em;
      text-transform: uppercase;
      color: var(--text-secondary);
      margin-bottom: 0.15rem;
      font-weight: 600;
    }

    .hero-doi {
      display: inline-block;
      line-height: 0;
    }

    .hero-doi img {
      height: 20px;
      display: block;
      vertical-align: middle;
    }

    /* ── Content area ── */
    .content {
      max-width: var(--content-max);
      padding: 3rem 4rem 6rem;
    }

    /* ── Section styling ── */
    .section {
      margin-bottom: 4rem;
      opacity: 0;
      transform: translateY(12px);
      animation: fadeUp 0.5s ease forwards;
    }

    @keyframes fadeUp {
      to { opacity: 1; transform: translateY(0); }
    }

    .section-divider {
      width: 40px;
      height: 1px;
      background: var(--accent-dim);
      margin-bottom: 2rem;
    }

    .section-number {
      font-family: var(--mono);
      font-size: 0.62rem;
      font-weight: 600;
      letter-spacing: 0.15em;
      text-transform: uppercase;
      color: var(--accent-dim);
      margin-bottom: 0.5rem;
    }

    h2 {
      font-family: var(--serif);
      font-size: 1.9rem;
      color: var(--text-primary);
      line-height: 1.2;
      margin-bottom: 1.5rem;
    }

    h3 {
      font-family: var(--serif);
      font-size: 1.3rem;
      color: var(--text-primary);
      line-height: 1.3;
      margin-top: 2.5rem;
      margin-bottom: 1rem;
    }

    h4 {
      font-family: var(--mono);
      font-size: 0.78rem;
      font-weight: 600;
      letter-spacing: 0.08em;
      text-transform: uppercase;
      color: var(--accent);
      margin-top: 2rem;
      margin-bottom: 0.75rem;
    }

    p {
      margin-bottom: 1.15rem;
      color: var(--text-secondary);
    }

    p strong {
      color: var(--text-primary);
      font-weight: 600;
    }

    a {
      color: var(--accent);
      text-decoration: none;
      transition: color 0.2s;
    }

    a:hover {
      color: var(--text-primary);
    }

    /* ── Lists ── */
    ul, ol {
      margin-bottom: 1.15rem;
      padding-left: 1.5rem;
      color: var(--text-secondary);
    }

    li {
      margin-bottom: 0.5rem;
    }

    li strong {
      color: var(--text-primary);
    }

    /* ── Code blocks ── */
    code {
      font-family: var(--mono);
      font-size: 0.85em;
      color: var(--accent);
      background: var(--bg-elevated);
      padding: 0.15em 0.4em;
      border-radius: 3px;
    }

    pre {
      background: var(--bg-elevated);
      border: 1px solid var(--border);
      border-radius: 4px;
      padding: 1.25rem 1.5rem;
      margin-bottom: 1.5rem;
      overflow-x: auto;
      position: relative;
    }

    .katex { font-size: 1.05em; color: var(--text-primary); }
    .katex-display {
      margin: 1.5rem 0;
      padding: 1rem 1.25rem;
      background: var(--bg-elevated);
      border: 1px solid var(--border);
      border-radius: 4px;
      overflow-x: auto;
      overflow-y: hidden;
    }
    .katex-display > .katex { color: var(--text-primary); }

    pre code {
      background: none;
      padding: 0;
      font-size: 0.8rem;
      line-height: 1.65;
      color: var(--text-secondary);
    }

    pre::before {
      content: '';
      position: absolute;
      top: 0;
      left: 0;
      width: 3px;
      height: 100%;
      background: var(--accent-dim);
      border-radius: 4px 0 0 4px;
    }

    /* ── Tables ── */
    table {
      width: 100%;
      border-collapse: collapse;
      margin-bottom: 1.5rem;
      font-size: 0.9rem;
    }

    thead th {
      font-family: var(--mono);
      font-size: 0.68rem;
      font-weight: 600;
      letter-spacing: 0.1em;
      text-transform: uppercase;
      color: var(--accent);
      text-align: left;
      padding: 0.75rem 1rem;
      border-bottom: 2px solid var(--accent-dim);
      background: var(--bg-elevated);
    }

    tbody td {
      padding: 0.75rem 1rem;
      border-bottom: 1px solid var(--border-subtle);
      color: var(--text-secondary);
      vertical-align: top;
    }

    tbody td strong {
      color: var(--text-primary);
      font-family: var(--mono);
      font-size: 0.82rem;
    }

    tbody tr:hover {
      background: var(--accent-glow);
    }

    /* ── Callout boxes ── */
    .callout {
      background: var(--bg-elevated);
      border: 1px solid var(--border);
      border-left: 3px solid var(--accent);
      padding: 1.25rem 1.5rem;
      margin-bottom: 1.5rem;
      border-radius: 0 4px 4px 0;
    }

    .callout p:last-child {
      margin-bottom: 0;
    }

    .callout-title {
      font-family: var(--mono);
      font-size: 0.68rem;
      font-weight: 600;
      letter-spacing: 0.1em;
      text-transform: uppercase;
      color: var(--accent);
      margin-bottom: 0.5rem;
    }

    /* ── Conformance tags ── */
    .req-tag {
      display: inline-block;
      font-family: var(--mono);
      font-size: 0.62rem;
      font-weight: 600;
      letter-spacing: 0.08em;
      padding: 0.2rem 0.5rem;
      border-radius: 2px;
      margin-right: 0.5rem;
      vertical-align: middle;
    }

    .req-must {
      color: var(--red);
      border: 1px solid var(--red);
      background: rgba(196, 80, 80, 0.08);
    }

    .req-should {
      color: var(--blue);
      border: 1px solid var(--blue);
      background: rgba(80, 128, 176, 0.08);
    }

    /* ── Trust model boxes ── */
    .trust-grid {
      display: grid;
      grid-template-columns: 1fr 1fr 1fr;
      gap: 1rem;
      margin-bottom: 1.5rem;
    }

    .trust-box {
      background: var(--bg-elevated);
      border: 1px solid var(--border);
      border-radius: 4px;
      padding: 1rem 1.25rem;
    }

    .trust-box h5 {
      font-family: var(--mono);
      font-size: 0.65rem;
      font-weight: 600;
      letter-spacing: 0.12em;
      text-transform: uppercase;
      margin-bottom: 0.75rem;
    }

    .trust-box.trusted h5 { color: var(--green); }
    .trust-box.untrusted h5 { color: var(--red); }
    .trust-box.partial h5 { color: var(--accent); }

    .trust-box ul {
      padding-left: 1rem;
      margin-bottom: 0;
    }

    .trust-box li {
      font-size: 0.82rem;
      margin-bottom: 0.3rem;
    }

    /* ── Architecture pillars ── */
    .pillars {
      display: grid;
      grid-template-columns: 1fr 1fr 1fr;
      gap: 1.25rem;
      margin: 2rem 0;
    }

    .pillar {
      background: var(--bg-elevated);
      border: 1px solid var(--border);
      border-top: 2px solid var(--accent);
      border-radius: 0 0 4px 4px;
      padding: 1.5rem;
    }

    .pillar-number {
      font-family: var(--mono);
      font-size: 0.6rem;
      color: var(--accent-dim);
      letter-spacing: 0.1em;
      margin-bottom: 0.5rem;
    }

    .pillar h4 {
      font-family: var(--serif);
      font-size: 1rem;
      text-transform: none;
      letter-spacing: 0;
      color: var(--text-primary);
      margin-top: 0;
      margin-bottom: 0.5rem;
    }

    .pillar p {
      font-size: 0.88rem;
      margin-bottom: 0;
    }

    /* ── References ── */
    .ref-list {
      list-style: none;
      padding-left: 0;
    }

    .ref-list li {
      padding-left: 0;
      font-size: 0.88rem;
      margin-bottom: 0.65rem;
      padding-left: 1.5rem;
      text-indent: -1.5rem;
      color: var(--text-tertiary);
    }

    /* ── Footer ── */
    .footer {
      border-top: 1px solid var(--border);
      padding: 3rem 4rem;
      max-width: var(--content-max);
    }

    .footer-links {
      display: flex;
      gap: 2rem;
      flex-wrap: wrap;
      margin-bottom: 1.5rem;
    }

    .footer-links a {
      font-family: var(--mono);
      font-size: 0.72rem;
      color: var(--text-tertiary);
      letter-spacing: 0.03em;
    }

    .footer-links a:hover {
      color: var(--accent);
    }

    .footer-copy {
      font-family: var(--mono);
      font-size: 0.62rem;
      color: var(--text-tertiary);
      letter-spacing: 0.03em;
      opacity: 0.6;
    }

    /* ── Sidebar AI summary ── */
    .sidebar-ai-summary {
      padding: 1rem 1.5rem 1.1rem;
      border-top: 1px solid var(--border-subtle);
      flex-shrink: 0;
    }

    .sidebar-ai-summary h4 {
      font-family: var(--mono);
      font-size: 0.6rem;
      font-weight: 600;
      letter-spacing: 0.15em;
      text-transform: uppercase;
      color: var(--text-tertiary);
      opacity: 0.6;
      margin: 0 0 0.75rem;
    }

    .ai-logos {
      display: flex;
      gap: 0.5rem;
      flex-wrap: wrap;
    }

    .ai-logo-btn {
      display: inline-flex;
      align-items: center;
      justify-content: center;
      width: 34px;
      height: 34px;
      background: var(--bg-elevated);
      border: 1px solid var(--border);
      border-radius: 4px;
      color: var(--text-secondary);
      transition: all 0.2s ease;
    }

    .ai-logo-btn:hover {
      border-color: var(--accent);
      background: var(--accent-glow);
      color: var(--accent);
    }

    .ai-logo-btn svg {
      width: 15px;
      height: 15px;
      fill: currentColor;
    }

    /* ── Mobile hamburger ── */
    .menu-toggle {
      display: none;
      position: fixed;
      top: 1rem;
      left: 1rem;
      z-index: 200;
      width: 40px;
      height: 40px;
      background: var(--bg-surface);
      border: 1px solid var(--border);
      border-radius: 4px;
      cursor: pointer;
      align-items: center;
      justify-content: center;
    }

    .menu-toggle span,
    .menu-toggle span::before,
    .menu-toggle span::after {
      display: block;
      width: 18px;
      height: 1.5px;
      background: var(--text-secondary);
      transition: all 0.3s;
    }

    .menu-toggle span { position: relative; }
    .menu-toggle span::before,
    .menu-toggle span::after {
      content: '';
      position: absolute;
      left: 0;
    }
    .menu-toggle span::before { top: -5px; }
    .menu-toggle span::after { top: 5px; }

    .menu-toggle.open span { background: transparent; }
    .menu-toggle.open span::before { transform: rotate(45deg); top: 0; }
    .menu-toggle.open span::after { transform: rotate(-45deg); top: 0; }

    /* ── Responsive ── */
    @media (max-width: 1024px) {
      .content, .footer { padding-left: 2.5rem; padding-right: 2.5rem; }
      .hero { padding-left: 2.5rem; padding-right: 2.5rem; }
    }

    @media (max-width: 768px) {
      .sidebar {
        transform: translateX(-100%);
        transition: transform 0.3s ease;
      }
      .sidebar.open {
        transform: translateX(0);
      }
      .menu-toggle {
        display: flex;
      }
      .main {
        margin-left: 0;
      }
      .hero { padding: 5rem 1.5rem 3rem; }
      .hero h1 { font-size: 2rem; }
      .content, .footer { padding-left: 1.5rem; padding-right: 1.5rem; }
      .pillars, .trust-grid { grid-template-columns: 1fr; }
      .hero-details { gap: 1.5rem; }
    }

    /* ── Staggered animations ── */
    .section:nth-child(1) { animation-delay: 0.05s; }
    .section:nth-child(2) { animation-delay: 0.1s; }
    .section:nth-child(3) { animation-delay: 0.15s; }
  </style>
  <link rel="stylesheet" href="https://cdn.jsdelivr.net/npm/katex@0.16.11/dist/katex.min.css" integrity="sha384-nB0miv6/jRmo5UMMR1wu3Gz6NLsoTkbqJghGIsx//Rlm+ZU03BU6SQNC66uf4l5+" crossorigin="anonymous">
  <script defer src="https://cdn.jsdelivr.net/npm/katex@0.16.11/dist/katex.min.js" integrity="sha384-7zkQWkzuo3B5mTepMUcHkMB5jZaolc2xDwL6VFqjFALcbeS9Ggm/Yr2r3Dy4lfFg" crossorigin="anonymous"></script>
  <script defer src="https://cdn.jsdelivr.net/npm/katex@0.16.11/dist/contrib/auto-render.min.js" integrity="sha384-43gviWU0YVjaDtb/GhzOouOXtZMP/7XUzwPTstBeZFe/+rCMvRwr4yROQP43s0Xk" crossorigin="anonymous" onload="renderMathInElement(document.body,{delimiters:[{left:'$$',right:'$$',display:true},{left:'$',right:'$',display:false},{left:'\\(',right:'\\)',display:false},{left:'\\[',right:'\\]',display:true}],throwOnError:false});"></script>
  <link rel="stylesheet" href="diagrams.css">
</head>
<body>

<!-- Mobile menu button -->
<button class="menu-toggle" aria-label="Toggle navigation" onclick="toggleSidebar()">
  <span></span>
</button>

<!-- Sidebar -->
<aside class="sidebar" id="sidebar">
  <div class="sidebar-header">
    <div class="sidebar-logo">Specification</div>
    <div class="sidebar-title">Open Agent Trust Stack</div>
    <div class="sidebar-meta">
      <span>v1.1.0 &middot; Release</span>
      <span>CC BY 4.0 License</span>
      <span>ThirdKey AI</span>
    </div>
  </div>
  <nav class="sidebar-nav" id="nav">
    <div class="nav-section">Overview</div>
    <a href="#abstract">Abstract</a>
    <a href="#introduction">1. Introduction</a>
    <a href="#related-work">2. Related Work</a>
    <a href="#problem">3. Problem Formalization</a>
    <a href="#threat-model">4. Threat Model</a>
    <div class="nav-section">Architecture</div>
    <a href="#orga-loop">5. ORGA Loop</a>
    <a href="#tool-contracts">6. Tool Contracts</a>
    <a href="#identity">7. Identity Layer</a>
    <a href="#policy">8. Policy Enforcement</a>
    <a href="#audit">9. Audit Layer</a>
    <div class="nav-section">Deployment</div>
    <a href="#sandboxing">10. Sandboxing</a>
    <a href="#inter-agent">11. Inter-Agent</a>
    <a href="#conformance">12. Conformance</a>
    <a href="#implementations">13. Implementations</a>
    <div class="nav-section">Evaluation</div>
    <a href="#evaluation">14. Evaluation Framework</a>
    <a href="#limitations">15. Limitations</a>
    <div class="nav-section">Future</div>
    <a href="#research">16. Research</a>
    <a href="#conclusion">17. Conclusion</a>
    <a href="#references">References</a>
  </nav>
  <div class="sidebar-ai-summary">
    <h4>AI Summary</h4>
    <div class="ai-logos">
      <a href="https://chatgpt.com/?prompt=Give+me+an+overview+of+the+Open+Agent+Trust+Stack+%28OATS%29%2C+an+open+specification+for+zero-trust+AI+agent+execution.+Cover+its+five+architectural+layers+%28ORGA+reasoning+loop%2C+tool+contracts%2C+identity+stack%2C+policy+engine%2C+audit+journal%29%2C+the+three+design+principles+%28allow-list+over+deny-list%2C+compile-time+over+runtime+enforcement%2C+structural+independence%29%2C+and+the+conformance+requirements+%28C1%E2%80%93C7+and+E1%E2%80%93E8%29.+Use+openagenttruststack.org+as+the+primary+source+and+consult+the+v1.1.0+specification+at+openagenttruststack.org%2FOATS-v1.1.0.pdf+and+related+material+at+thirdkey.ai%2C+symbiont.dev%2C+schemapin.org%2C+and+agentpin.org." target="_blank" rel="noopener" aria-label="Summarize with ChatGPT" class="ai-logo-btn">
        <svg viewBox="0 0 24 24" role="img" aria-hidden="true"><title>OpenAI icon</title><path d="M22.2819 9.8211a5.9847 5.9847 0 00-.5157-4.9108 6.0462 6.0462 0 00-6.5098-2.9A6.0651 6.0651 0 004.9807 4.1818a5.9847 5.9847 0 00-3.9977 2.9 6.0462 6.0462 0 00.7427 7.0966 5.98 5.98 0 00.511 4.9107 6.051 6.051 0 006.5146 2.9001A5.9847 5.9847 0 0013.2599 24a6.0557 6.0557 0 005.7718-4.2058 5.9894 5.9894 0 003.9977-2.9001 6.0557 6.0557 0 00-.7475-7.0729zm-9.022 12.6081a4.4755 4.4755 0 01-2.8764-1.0408l.1419-.0804 4.7783-2.7582a.7948.7948 0 00.3927-.6813v-6.7369l2.02 1.1686a.071.071 0 01.038.052v5.5826a4.504 4.504 0 01-4.4945 4.4944zm-9.6607-4.1254a4.4708 4.4708 0 01-.5346-3.0137l.142.0852 4.783 2.7582a.7712.7712 0 00.7806 0l5.8428-3.3685v2.3324a.0804.0804 0 01-.0332.0615L9.74 19.9502a4.4992 4.4992 0 01-6.1408-1.6464zM2.3408 7.8956a4.485 4.485 0 012.3655-1.9728V11.6a.7664.7664 0 00.3879.6765l5.8144 3.3543-2.0201 1.1685a.0757.0757 0 01-.071 0l-4.8303-2.7865A4.504 4.504 0 012.3408 7.872zm16.5963 3.8558L13.1038 8.364 15.1192 7.2a.0757.0757 0 01.071 0l4.8303 2.7913a4.4944 4.4944 0 01-.6765 8.1042v-5.6772a.79.79 0 00-.407-.667zm2.0107-3.0231-.142-.0852-4.7735-2.7818a.7759.7759 0 00-.7854 0L9.409 9.2297V6.8974a.0662.0662 0 01.0284-.0615l4.8303-2.7866a4.4992 4.4992 0 016.6802 4.66zM8.3065 12.863l-2.02-1.1638a.0804.0804 0 01-.038-.0567V6.0742a4.4992 4.4992 0 017.3757-3.4537l-.142.0805L8.704 5.459a.7948.7948 0 00-.3927.6813zm1.0976-2.3654 2.602-1.4998 2.6069 1.4998v2.9994l-2.5974 1.4997-2.6067-1.4997z"/></svg>
      </a>
      <a href="https://claude.ai/new?q=Give%20me%20an%20overview%20of%20the%20Open%20Agent%20Trust%20Stack%20%28OATS%29%2C%20an%20open%20specification%20for%20zero-trust%20AI%20agent%20execution.%20Cover%20its%20five%20architectural%20layers%20%28ORGA%20reasoning%20loop%2C%20tool%20contracts%2C%20identity%20stack%2C%20policy%20engine%2C%20audit%20journal%29%2C%20the%20three%20design%20principles%20%28allow-list%20over%20deny-list%2C%20compile-time%20over%20runtime%20enforcement%2C%20structural%20independence%29%2C%20and%20the%20conformance%20requirements%20%28C1%E2%80%93C7%20and%20E1%E2%80%93E8%29.%20Use%20openagenttruststack.org%20as%20the%20primary%20source%20and%20consult%20the%20v1.1.0%20specification%20at%20openagenttruststack.org%2FOATS-v1.1.0.pdf%20and%20related%20material%20at%20thirdkey.ai%2C%20symbiont.dev%2C%20schemapin.org%2C%20and%20agentpin.org." target="_blank" rel="noopener" aria-label="Summarize with Claude" class="ai-logo-btn">
        <svg viewBox="0 6.603 1192.672 1193.397" role="img" aria-hidden="true"><title>Claude icon</title><path d="m233.96 800.215 234.684-131.678 3.947-11.436-3.947-6.363h-11.436l-39.221-2.416-134.094-3.624-116.296-4.832-112.67-6.04-28.35-6.04-26.577-35.035 2.738-17.477 23.84-16.027 34.147 2.98 75.463 5.155 113.235 7.812 82.147 4.832 121.692 12.644h19.329l2.738-7.812-6.604-4.832-5.154-4.832-117.182-79.41-126.845-83.92-66.443-48.321-35.92-24.484-18.12-22.953-7.813-50.093 32.618-35.92 43.812 2.98 11.195 2.98 44.375 34.147 94.792 73.37 123.786 91.167 18.12 15.06 7.249-5.154.886-3.624-8.135-13.61-67.329-121.692-71.838-123.785-31.974-51.302-8.456-30.765c-2.98-12.645-5.154-23.275-5.154-36.242l37.127-50.416 20.537-6.604 49.53 6.604 20.86 18.121 30.765 70.39 49.852 110.818 77.315 150.684 22.631 44.698 12.08 41.396 4.51 12.645h7.813v-7.248l6.362-84.886 11.759-104.215 11.436-134.094 3.946-37.772 18.685-45.262 37.127-24.482 28.994 13.852 23.839 34.148-3.303 22.067-14.174 92.134-27.785 144.323-18.121 96.644h10.55l12.08-12.08 48.887-64.913 82.147-102.685 36.242-40.752 42.282-45.02 27.14-21.423h51.303l37.772 56.135-16.913 57.986-52.832 67.007-43.812 56.779-62.82 84.563-39.22 67.651 3.623 5.396 9.343-.886 141.906-30.201 76.671-13.852 91.49-15.705 41.396 19.329 4.51 19.65-16.269 40.189-97.852 24.16L959.84 601.45l-170.9 40.43-2.093 1.53 2.416 2.98 76.993 7.248 32.94 1.771h80.617l150.12 11.195 39.222 25.933 23.517 31.732-3.946 24.16-60.403 30.766-81.503-19.33-190.228-45.26-65.235-16.27h-9.02v5.397l54.362 53.154 99.624 89.96 124.752 115.973 6.362 28.671-16.027 22.63-16.912-2.415-109.611-82.47-42.282-37.127-95.758-80.618h-6.363v8.456l22.067 32.296 116.537 175.167 6.04 53.719-8.456 17.476-30.201 10.55-33.181-6.04-68.215-95.758-70.39-107.84-56.778-96.644-6.926 3.947-33.503 360.886-15.705 18.443L565.53 1200l-30.201-22.953-16.027-37.127 16.027-73.37 19.329-95.758 15.704-76.107 14.175-94.55 8.456-31.41-.563-2.094-6.927.886-71.275 97.852-108.402 146.497-85.772 91.812-20.537 8.134-35.597-18.443 3.301-32.94 19.893-29.315 118.712-151.007 71.597-93.583 46.228-54.04-.322-7.813h-2.738l-315.302 204.725-56.135 7.248-24.16-22.63 2.98-37.128 11.435-12.08 94.792-65.236-.322.323z"/></svg>
      </a>
      <a href="https://www.perplexity.ai/?q=Give%20me%20an%20overview%20of%20the%20Open%20Agent%20Trust%20Stack%20%28OATS%29%2C%20an%20open%20specification%20for%20zero-trust%20AI%20agent%20execution.%20Cover%20its%20five%20architectural%20layers%20%28ORGA%20reasoning%20loop%2C%20tool%20contracts%2C%20identity%20stack%2C%20policy%20engine%2C%20audit%20journal%29%2C%20the%20three%20design%20principles%20%28allow-list%20over%20deny-list%2C%20compile-time%20over%20runtime%20enforcement%2C%20structural%20independence%29%2C%20and%20the%20conformance%20requirements%20%28C1%E2%80%93C7%20and%20E1%E2%80%93E8%29.%20Use%20openagenttruststack.org%20as%20the%20primary%20source%20and%20consult%20the%20v1.1.0%20specification%20at%20openagenttruststack.org%2FOATS-v1.1.0.pdf%20and%20related%20material%20at%20thirdkey.ai%2C%20symbiont.dev%2C%20schemapin.org%2C%20and%20agentpin.org." target="_blank" rel="noopener" aria-label="Summarize with Perplexity" class="ai-logo-btn">
        <svg viewBox="0 0 24 24" role="img" aria-hidden="true"><title>Perplexity icon</title><path d="M22.3977 7.0896h-2.3106V.0676l-7.5094 6.3542V.1577h-1.1554v6.1966L4.4904 0v7.0896H1.6023v10.3976h2.8882V24l6.932-6.3591v6.2005h1.1554v-6.0469l6.9318 6.1807v-6.4879h2.8882V7.0896zm-3.4657-4.531v4.531h-5.355l5.355-4.531zm-13.2862.0676 4.8691 4.4634H5.6458V2.6262zM2.7576 16.332V8.245h7.8476l-6.1149 6.1147v1.9723H2.7576zm2.8882 5.0404v-3.8852h1e-4v-2.6488l5.7763-5.7764v7.0111l-5.7764 5.2993zm12.7086.0248-5.7766-5.1509V9.0618l5.7766 5.7766v6.5588zm2.8882-5.0652h-1.733v-1.9723L13.3948 8.245h7.8478v8.087z"/></svg>
      </a>
    </div>
  </div>
  <div class="sidebar-footer">
    <a href="https://thirdkey.ai">ThirdKey AI</a>
    <a href="https://github.com/ThirdKeyAI/OpenAgentTrustStack">GitHub</a>
  </div>
</aside>

<!-- Main content -->
<div class="main">

  <!-- Hero -->
  <header class="hero">
    <div class="hero-badge">System Specification</div>
    <h1>Open Agent <em>Trust Stack</em></h1>
    <p class="hero-subtitle">A system specification for zero-trust AI agent execution. Define what is permitted and make everything else structurally inexpressible.</p>
    <div class="hero-details">
      <div class="hero-detail">
        <strong>Version</strong>
        1.1.0
      </div>
      <div class="hero-detail">
        <strong>Status</strong>
        Release
      </div>
      <div class="hero-detail">
        <strong>Authors</strong>
        Jascha Wanger / ThirdKey AI
      </div>
      <div class="hero-detail">
        <strong>Date</strong>
        2026-04-17
      </div>
      <div class="hero-detail">
        <strong>License</strong>
        CC BY 4.0
      </div>
      <div class="hero-detail">
        <strong>PDF</strong>
        <a href="OATS-v1.1.0.pdf" style="color: var(--accent);">OATS-v1.1.0.pdf</a>
      </div>
      <div class="hero-detail">
        <strong>DOI</strong>
        <a href="https://doi.org/10.5281/zenodo.19636534" target="_blank" rel="noopener" class="hero-doi">
          <img src="https://zenodo.org/badge/DOI/10.5281/zenodo.19636534.svg" alt="DOI 10.5281/zenodo.19636534">
        </a>
      </div>
    </div>
  </header>

  <div class="content">

    <!-- Abstract -->
    <section class="section" id="abstract">
      <div class="section-divider"></div>
      <div class="section-number">Abstract</div>
      <h2>Zero-Trust Agent Execution Through Structural Enforcement</h2>
      <p>As AI systems evolve from assistants into autonomous agents executing consequential actions, the security boundary shifts from model outputs to tool execution. Traditional security paradigms &mdash; log aggregation, perimeter defense, post-hoc forensics, and runtime interception of fully-formed actions &mdash; cannot adequately protect systems where AI-driven actions are irreversible, execute at machine speed, and originate from potentially compromised orchestration layers.</p>
      <p>This paper introduces the Open Agent Trust Stack (OATS), an open specification for zero-trust AI agent execution. OATS is built on three architectural convictions.</p>

      <div class="pillars">
        <div class="pillar">
          <div class="pillar-number">Conviction 01</div>
          <h4>Allow-list enforcement</h4>
          <p>Rather than intercepting arbitrary actions and deciding which to block, OATS constrains what actions can be expressed through declarative tool contracts, making dangerous actions structurally inexpressible.</p>
        </div>
        <div class="pillar">
          <div class="pillar-number">Conviction 02</div>
          <h4>Compile-time enforcement</h4>
          <p>The Observe-Reason-Gate-Act (ORGA) reasoning loop uses typestate programming so that skipping the policy gate is a type error, not a runtime bug.</p>
        </div>
        <div class="pillar">
          <div class="pillar-number">Conviction 03</div>
          <h4>Structural independence</h4>
          <p>The Gate phase is architecturally isolated from LLM influence.</p>
        </div>
      </div>

      <p>OATS specifies five layers: <strong>(1)</strong> the ORGA reasoning loop with compile-time phase enforcement, <strong>(2)</strong> declarative tool contracts with typed parameter validation, <strong>(3)</strong> a cryptographic identity stack providing bidirectional trust between agents and tools, <strong>(4)</strong> a formally verifiable policy engine operating on structured inputs, and <strong>(5)</strong> hash-chained cryptographic audit journals with Ed25519 signatures for tamper-evident forensic reconstruction.</p>
      <p>OATS is model-agnostic, framework-agnostic, and vendor-neutral. The architecture is informed by operational experience with a production runtime (Symbiont) that has operated autonomously for approximately eight months; however, rigorous empirical evaluation remains ongoing and this version of the specification should be read as an architectural contribution with an accompanying evaluation framework rather than a fully validated system.</p>

      <figure class="diagram" id="fig-0" data-diagram="fig0">
        <span class="diagram-eyebrow">Figure 0 &middot; Trust stack</span>
        <div class="fig0-stack"></div>
        <div class="fig0-detail"></div>
        <figcaption class="diagram-caption">
          <strong>The trust stack.</strong> Five layers, each addressing a distinct security question. The ORGA loop (Layer 1) enforces that the Gate runs; tool contracts (Layer 2) constrain expressible actions; the identity stack (Layer 3) provides mutual authentication; the policy engine (Layer 4) evaluates authorization; the audit journal (Layer 5) records decisions. Click a layer for its conformance tie.
        </figcaption>
      </figure>
    </section>

    <!-- 1. Introduction -->
    <section class="section" id="introduction">
      <div class="section-divider"></div>
      <div class="section-number">Section 01</div>
      <h2>Introduction</h2>

      <h3>1.1 The Runtime Security Gap</h3>
      <p>AI agents now execute consequential actions across enterprise systems: querying databases, sending communications, modifying files, invoking cloud services, and managing credentials. Through function calling, plugins, external APIs, and protocol-based tool servers such as the Model Context Protocol (MCP), these agents perform multi-step tasks without human intervention.</p>
      <p>These actions exhibit five characteristics that existing security paradigms cannot adequately address:</p>
      <ol>
        <li><strong>Irreversibility.</strong> Tool executions produce immediate and often permanent effects: database mutations, financial transactions, credential changes, or data exfiltration. Once executed, the damage is done.</li>
        <li><strong>Speed.</strong> Agents execute hundreds of tool calls per minute, far exceeding human capacity for real-time review. Multi-step attack chains complete within seconds.</li>
        <li><strong>Compositional risk.</strong> Individual actions may each satisfy policy while their composition constitutes a violation. Reading a confidential file is permitted; sending email is permitted; doing both in sequence may constitute exfiltration.</li>
        <li><strong>Untrusted orchestration.</strong> Prompt injection and indirect instruction attacks mean the model's apparent intent cannot be trusted. Adversarial prompts can be embedded in documents, emails, and images that agents process.</li>
        <li><strong>Privilege amplification.</strong> Agents routinely operate under static, high-privilege identities misaligned with the principle of least privilege.</li>
      </ol>
      <p>The gap in the current security landscape lies at the intersection of prevention and context-awareness: no existing system can block actions before execution based on both static policy and accumulated session context while simultaneously constraining what actions can be expressed in the first place. This is the gap that OATS addresses.</p>
      <p>This paper makes two contributions: a normative system specification defining the runtime enforcement boundary for autonomous agent execution, and an implementation-grounded evaluation methodology derived from operational experience with a production runtime. The specification is the primary artifact; the evaluation framework (Section 14) is included to make the claims falsifiable and to enable comparable evaluation of future implementations. The contribution is a new runtime security abstraction with testable conformance properties, not a benchmark of one particular system.</p>

      <h3>1.2 Design Principles</h3>
      <p>OATS is built on three architectural convictions, each addressing a structural weakness in current approaches.</p>

      <div class="callout">
        <div class="callout-title">Core Thesis</div>
        <p>Define what is permitted and make everything else structurally inexpressible, rather than trying to enumerate and block what is dangerous.</p>
      </div>

      <h4>Allow-list over deny-list</h4>
      <p>Current runtime security approaches operate on a deny-list model: the agent formulates an action, a security system intercepts it, evaluates it, and decides whether to allow or block. This requires enumerating dangerous behavior &mdash; an enumeration that is incomplete by definition. OATS inverts this model. The agent fills typed parameters defined by a declarative tool contract. The runtime validates parameters against the contract, constructs the invocation from a template, and executes. The agent never generates raw commands or constructs unconstrained API calls. Within the scope of contracted tools, dangerous actions cannot be expressed because the interface does not permit them. Actions that bypass the contract layer entirely (e.g., direct network calls from compromised agent code) require complementary controls such as sandboxing (Section 10).</p>

      <h4>Compile-time over runtime enforcement</h4>
      <p>When enforcement correctness is verified only at runtime, a code change that introduces a path bypassing the policy engine goes undetected until that path is exercised. OATS addresses this through the Observe-Reason-Gate-Act (ORGA) cycle, which uses type-level programming (typestates) so that skipping the Gate phase, dispatching tools without reasoning first, or observing results without dispatching are compile-time errors. In a correctly implemented typestate, the type system enforces that every action passes through policy evaluation. This property holds for code paths within the typestate-governed loop; it does not extend to code that circumvents the loop entirely, which is why sandboxing and network isolation provide complementary enforcement.</p>

      <h4>Structural independence over trust assumptions</h4>
      <p>When the policy engine shares context, memory, and execution environment with the orchestration layer it governs, an LLM compromised through prompt injection can potentially influence the evaluation of its own actions. In OATS, the Gate phase receives a structured action proposal and evaluates it against policy using a formally verifiable policy engine. The LLM cannot modify, bypass, or influence the Gate's evaluation.</p>

      <h3>1.3 Contributions</h3>
      <p>This specification makes five contributions:</p>
      <ol>
        <li><strong>Typestate-enforced reasoning loop.</strong> The ORGA cycle with compile-time phase enforcement, designed to prevent policy evaluation from being skipped, circumvented, or reordered within the loop (Section 5).</li>
        <li><strong>Allow-list tool contracts.</strong> A declarative tool contract format that constrains agent-tool interaction to typed, validated parameters, making dangerous actions structurally inexpressible (Section 6).</li>
        <li><strong>Layered cryptographic identity.</strong> A bidirectional identity stack providing mutual authentication between agents and tools via domain-anchored cryptographic verification (Section 7).</li>
        <li><strong>Hash-chained audit journals.</strong> Cryptographically signed, hash-chained event journals for tamper-evident forensic reconstruction (Section 9).</li>
        <li><strong>Conformance requirements.</strong> Minimum requirements for OATS-compliant systems, enabling objective evaluation of implementations (Section 12).</li>
      </ol>
      <p>OATS's novelty is not any single component in isolation &mdash; typestates, policy engines, cryptographic signatures, audit logs, and sandboxing each have extensive prior art. The contribution is the integration of five layers into a unified runtime security model centered on consequential action execution, with three properties not found in prior work in combination: (a) expressibility constraints that eliminate action categories before policy evaluation, (b) compile-time enforcement that the policy gate executes on every dispatch path within the loop, and (c) bidirectional cryptographic identity binding actions to verified agents and verified tools. The conformance requirements formalize these properties into testable criteria, enabling objective comparison across implementations.</p>
    </section>

    <!-- 2. Related Work -->
    <section class="section" id="related-work">
      <div class="section-divider"></div>
      <div class="section-number">Section 02</div>
      <h2>Related Work</h2>

      <h3>2.1 Agent Security Research</h3>
      <p>The security risks of LLM-based agents have been catalogued by several surveys. Ruan et al. and Wu et al. provide comprehensive threat taxonomies covering prompt injection, tool misuse, and data exfiltration. Su et al. focus on autonomy-induced risks including memory poisoning and deferred decision hazards. Debenedetti et al. introduce AgentDojo for evaluating attacks and defenses against LLM agents, while Ye et al. propose ToolEmu for identifying risky agent failures. These works characterize the problem space but do not propose runtime enforcement architectures. OATS builds on their threat models and contributes a system specification for constraining and evaluating actions before execution.</p>
      <p>Gaire et al. systematize security and safety risks in the Model Context Protocol ecosystem, providing a taxonomy of threats to MCP primitives. Their analysis of tool poisoning and indirect prompt injection directly informs OATS's threat model for tool supply chain attacks.</p>

      <h3>2.2 Runtime Security Specifications</h3>
      <p>Errico introduces Autonomous Action Runtime Management (AARM), a system specification for securing AI-driven actions at runtime. AARM formalizes the runtime security gap, proposes an action classification framework distinguishing forbidden, context-dependent deny, context-dependent allow, and context-dependent defer actions, and specifies conformance requirements for pre-execution interception, context accumulation, policy evaluation, and tamper-evident receipts. OATS shares AARM's identification of the action layer as the stable security boundary and incorporates its context-dependent action classification. OATS extends this foundation with compile-time enforcement of the reasoning loop, allow-list tool contracts, concrete cryptographic identity protocols, and multi-tier execution isolation.</p>

      <h3>2.3 Industry Frameworks</h3>
      <p>Google's Cloud CISO perspective advocates defense-in-depth and runtime controls for agents. AWS's Agentic AI Security Scoping Matrix provides a risk assessment framework complementing runtime enforcement with deployment-time scoping. Microsoft's governance framework addresses organizational controls including identity management and approval workflows. Raza et al. present a TRiSM framework for agentic multi-agent systems. These frameworks provide lifecycle governance; OATS focuses specifically on the runtime enforcement layer.</p>

      <h3>2.4 Access Control and Policy Languages</h3>
      <p>OATS's policy enforcement layer builds on established access control research. RBAC and ABAC evaluate permissions against static attributes but lack session-level context accumulation. Capability-based security constrains authority propagation but does not address compositional risks of non-deterministic agents. Policy languages such as OPA and Cedar provide expressive evaluation engines suitable as backends for OATS's policy evaluation component. AWS's independent adoption of Cedar for AgentCore provides supporting evidence for the thesis that formal policy languages belong at the agent execution boundary.</p>

      <h3>2.5 Complementary Standards</h3>
      <p>OATS is complementary to several existing standards. The OWASP Top 10 for LLM Applications catalogs vulnerabilities; OATS provides runtime enforcement mitigating tool misuse, excessive agency, and insecure output handling. The NIST AI RMF provides a risk management framework; OATS provides technical enforcement implementing portions around governance, monitoring, and accountability. MCP defines agent-tool communication; OATS defines how to govern actions flowing through that (or any) tool invocation mechanism.</p>

      <h3>2.6 Comparative Positioning</h3>
      <p>Table&nbsp;0 positions OATS relative to existing approaches across the security properties specified in this paper. &ldquo;Partial&rdquo; indicates the property is architecturally possible but not structurally enforced by the specification. AgentDojo and ToolEmu are evaluation frameworks rather than enforcement runtimes and are not included; they are complementary to OATS rather than alternatives.</p>
      <table>
        <thead>
          <tr>
            <th>Property</th>
            <th>Prompt guardrails</th>
            <th>Deny-list filter</th>
            <th>Sandbox-only</th>
            <th>AARM</th>
            <th>OATS</th>
          </tr>
        </thead>
        <tbody>
          <tr><td><strong>Constrains expressible actions</strong></td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>Yes</td></tr>
          <tr><td><strong>Pre-execution policy gate</strong></td><td>&ndash;</td><td>Yes</td><td>&ndash;</td><td>Yes</td><td>Yes</td></tr>
          <tr><td><strong>Session context accumulation</strong></td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>Yes</td><td>Yes</td></tr>
          <tr><td><strong>Cryptographic tool identity</strong></td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>Yes</td></tr>
          <tr><td><strong>Cryptographic agent identity</strong></td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>Yes</td></tr>
          <tr><td><strong>Tamper-evident audit journal</strong></td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>Yes</td><td>Yes</td></tr>
          <tr><td><strong>Compile-time phase enforcement</strong></td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>Yes</td></tr>
          <tr><td><strong>Gate independent of LLM</strong></td><td>&ndash;</td><td>Partial</td><td>N/A</td><td>Partial</td><td>Yes</td></tr>
          <tr><td><strong>Execution isolation</strong></td><td>&ndash;</td><td>&ndash;</td><td>Yes</td><td>&ndash;</td><td>Yes</td></tr>
          <tr><td><strong>Formal conformance criteria</strong></td><td>&ndash;</td><td>&ndash;</td><td>&ndash;</td><td>Yes</td><td>Yes</td></tr>
        </tbody>
      </table>
    </section>

    <!-- 3. Problem Formalization -->
    <section class="section" id="problem">
      <div class="section-divider"></div>
      <div class="section-number">Section 03</div>
      <h2>Problem Formalization</h2>
      <p>This section formalizes the system model, action definitions, and security objectives that the remainder of the specification builds upon.</p>

      <h3>3.1 System Model</h3>
      <p>Let an AI-enabled application \(\mathcal{A}\) consist of:</p>
      <ul>
        <li>An <strong>orchestration layer</strong> \(O\) (agent framework, workflow engine, or application code) that interprets user requests and invokes tools. \(O\) includes the LLM, prompt templates, memory systems, and control flow logic. Crucially, \(O\) processes untrusted inputs and cannot be assumed to behave as intended.</li>
        <li>A set of <strong>tools</strong> \(T = \{t_1, t_2, \ldots, t_n\}\), where each tool \(t_i\) exposes operations producing effects on external systems.</li>
        <li>An <strong>identity context</strong> \(I\) comprising four layers: human principal, service identity, agent/session identity, and role/privilege scope.</li>
        <li>An <strong>environment</strong> \(E\) including data stores, APIs, cloud services, and enterprise systems.</li>
        <li>A <strong>session context</strong> \(C\) that accumulates state over the course of an interaction.</li>
      </ul>

      <h3>3.2 Action Definition</h3>
      <p>An action \(a\) is a discrete operation the agent requests against a tool:</p>
      <p>$$a = (t,\ op,\ p,\ id,\ ctx,\ ts)$$</p>
      <p>where \(t \in T\) is the target tool, \(op\) is the specific operation, \(p\) is the parameter set, \(id \in I\) is the identity context, \(ctx \in C\) is the accumulated session context, and \(ts\) is the timestamp.</p>

      <h3>3.3 Tool Contract Definition</h3>
      <p>A tool contract \(\kappa\) defines the complete behavioral interface for a tool:</p>
      <p>$$\kappa = (name,\ \Pi,\ \tau,\ \sigma_{out},\ \mu,\ \rho)$$</p>
      <p>where \(\Pi = \{\pi_1, \ldots, \pi_m\}\) is the set of typed parameter definitions, \(\tau\) is the invocation template, \(\sigma_{out}\) is the output schema, \(\mu\) is the policy metadata (resource, action), and \(\rho\) is the risk tier.</p>
      <p>Each parameter definition \(\pi_i = (name_i,\ type_i,\ V_i,\ req_i)\) specifies the parameter name, its type from the type system \(\mathcal{T}\), validation constraints \(V_i\), and whether it is required. The type system \(\mathcal{T}\) provides:</p>
      <p>$$\mathcal{T} = \{\textit{string},\ \textit{integer},\ \textit{boolean},\ \textit{enum},\ \textit{scope\_target},\ \textit{url},\ \textit{path},\ \textit{ip\_address},\ \textit{cidr},\ \textit{port}\}$$</p>
      <p>Each type \(\tau \in \mathcal{T}\) has an associated validation function \(v_\tau : \text{Value} \to \{valid, invalid\}\) and a sanitization function \(s_\tau : \text{Value} \to \text{Value}\) that strips dangerous characters.</p>

      <h3>3.4 Constrained Action Formulation</h3>
      <p>Under OATS, the agent does not formulate arbitrary actions. Instead, the agent proposes a <em>parameterized invocation</em>:</p>
      <p>$$a' = (t,\ op,\ p')$$</p>
      <p>where \(p' = \{(name_i, val_i)\}\) maps parameter names to values. The runtime validates each value:</p>
      <p>$$\forall (name_i, val_i) \in p' :\ v_{type_i}(val_i) = valid$$</p>
      <p>If validation succeeds, the runtime constructs the executable action from the template:</p>
      <p>$$a_{exec} = \tau(p')\ \text{where } \tau \text{ is the invocation template}$$</p>
      <p>The agent never sees or constructs \(a_{exec}\). This is the allow-list property: the space of expressible actions is constrained to \(\{a_{exec} : a_{exec} = \tau(p'),\ \forall (name_i, val_i) \in p',\ v_{type_i}(val_i) = valid\}\).</p>

      <h3>3.5 Context Accumulation</h3>
      <p>Session context accumulates across actions:</p>
      <p>$$C_n = C_{n-1} \cup \{a_n,\ o_n,\ \delta_n\}$$</p>
      <p>where \(C_n\) is the context after action \(n\), \(a_n\) is the action, \(o_n\) is its output, and \(\delta_n\) represents derived signals including data classification, semantic distance from the original request, scope expansion indicators, entity references, and confidence level.</p>

      <h3>3.6 Policy Structure</h3>
      <p>A policy \(\pi \in \Pi\) maps an action-context-identity triple to an authorization decision:</p>
      <p>$$\pi : (a,\ C,\ I) \to \{\textit{ALLOW},\ \textit{DENY},\ \textit{MODIFY},\ \textit{STEP\_UP},\ \textit{DEFER}\}$$</p>
      <p>Each policy consists of a match predicate \(m(a, C, I) \to \{true, false\}\), a decision \(d\), a priority \(p \in \mathbb{N}\), and an optional modification function \(f(a) \to a'\) applied when \(d = \textit{MODIFY}\).</p>

      <h3>3.7 Security Objectives</h3>
      <p>An OATS-compliant runtime MUST ensure that for all actions \(a\):</p>
      <ol>
        <li><strong>Structural constraint.</strong> \(a\) is expressible only through a valid tool contract \(\kappa\).</li>
        <li><strong>Pre-execution interception.</strong> \(a\) is intercepted and evaluated before any effects occur.</li>
        <li><strong>Compile-time gate guarantee.</strong> All code paths from action proposal to tool dispatch pass through the Gate phase; this is verified at compile time.</li>
        <li><strong>Policy compliance.</strong> \(a\) satisfies organizational policy \(\Pi\) given context \(C\) and identity \(I\).</li>
        <li><strong>Context-aware evaluation.</strong> \(a\) is evaluated against both static policy and accumulated session context.</li>
        <li><strong>Identity verification.</strong> Both the agent invoking a tool and the tool being invoked are cryptographically verified.</li>
        <li><strong>Forensic completeness.</strong> Every action, its context, the policy decision, and the execution outcome are recorded in a tamper-evident journal.</li>
      </ol>
    </section>

    <!-- 4. Threat Model -->
    <section class="section" id="threat-model">
      <div class="section-divider"></div>
      <div class="section-number">Section 04</div>
      <h2>Threat Model</h2>

      <div class="callout">
        <div class="callout-title">Fundamental Assumption</div>
        <p>The AI orchestration layer <em>O</em> cannot be trusted as a security boundary. The model processes untrusted inputs through opaque reasoning, producing actions that may serve attacker goals rather than user intent.</p>
      </div>

      <h3>4.1 Threat Summary</h3>
      <p>The table below summarizes the primary threats, their attack vectors, and the OATS controls that mitigate them.</p>
      <table>
        <thead>
          <tr>
            <th>Threat</th>
            <th>Attack Vector</th>
            <th>OATS Control</th>
          </tr>
        </thead>
        <tbody>
          <tr><td><strong>Prompt injection</strong></td><td>User input, documents, tool outputs, images</td><td>Tool contracts (structural), policy enforcement, context-dependent deny</td></tr>
          <tr><td><strong>Malicious tool outputs</strong></td><td>Adversarial tool responses</td><td>Post-tool action restrictions, context tracking, output schema validation</td></tr>
          <tr><td><strong>Confused deputy</strong></td><td>Ambiguous/malicious instructions</td><td>Bidirectional identity verification, step-up approval, intent alignment</td></tr>
          <tr><td><strong>Over-privileged credentials</strong></td><td>Excessive token scopes</td><td>Least-privilege enforcement, scoped credentials</td></tr>
          <tr><td><strong>Data exfiltration</strong></td><td>Action composition</td><td>Context accumulation, compositional policies, scope enforcement</td></tr>
          <tr><td><strong>Goal hijacking</strong></td><td>Injected objectives</td><td>Action-level policy, semantic distance tracking</td></tr>
          <tr><td><strong>Intent drift</strong></td><td>Agent reasoning divergence</td><td>Context accumulation, semantic distance threshold, deferral</td></tr>
          <tr><td><strong>Memory poisoning</strong></td><td>Persistent context manipulation</td><td>Provenance tracking, anomaly detection, journal comparison</td></tr>
          <tr><td><strong>Tool supply chain</strong></td><td>Tampered contracts, spoofed tools</td><td>Cryptographic tool integrity verification, TOFU pinning</td></tr>
          <tr><td><strong>Cross-agent propagation</strong></td><td>Multi-agent delegation</td><td>Cross-agent context, transitive trust limits, blast-radius containment</td></tr>
        </tbody>
      </table>

      <h3>4.2 Attack Lifecycle</h3>
      <p>Attacks against AI agents typically follow a four-stage lifecycle: (1) <strong>injection</strong> &mdash; attacker embeds malicious instructions in content the agent processes; (2) <strong>hijacking</strong> &mdash; the agent interprets malicious content as legitimate instructions; (3) <strong>execution</strong> &mdash; the agent invokes tools with attacker-controlled parameters; (4) <strong>impact</strong> &mdash; actions produce irreversible effects. OATS intervenes at two points: between stages 2 and 3 (the Gate blocks actions that violate policy), and before stage 3 begins (tool contracts constrain what parameters the agent can express).</p>
      <p>Intent drift follows a different lifecycle without explicit injection. The agent's reasoning gradually diverges through plausible-seeming steps. OATS detects this through context accumulation and semantic distance tracking regardless of cause.</p>

      <h3>4.3 Trust Assumptions</h3>
      <div class="trust-grid">
        <div class="trust-box trusted">
          <h5>Trusted</h5>
          <ul>
            <li>The OATS runtime (ORGA loop, policy engine, tool contract executor, journal, identity verifier)</li>
            <li>Cryptographic primitives and key management</li>
            <li>The policy store and authoring process</li>
            <li>The underlying infrastructure (OS, network, hardware)</li>
            <li>The compiler and type system</li>
          </ul>
        </div>
        <div class="trust-box untrusted">
          <h5>Untrusted</h5>
          <ul>
            <li>The AI model and its outputs</li>
            <li>The orchestration layer</li>
            <li>User inputs and prompts</li>
            <li>Tool outputs and retrieved data</li>
            <li>External documents, emails, web content, multi-modal inputs</li>
            <li>Agent memory and conversation history</li>
            <li>Tool contracts from unverified publishers</li>
          </ul>
        </div>
        <div class="trust-box partial">
          <h5>Partially Trusted</h5>
          <ul>
            <li>Tool implementations (OATS constrains invocation but cannot prevent internal bugs)</li>
            <li>Human approvers (OATS routes step-up authorization but cannot prevent social engineering)</li>
            <li>Verified tool contracts (verified as untampered, but the tool itself may have vulnerabilities)</li>
          </ul>
        </div>
      </div>

      <h3>4.4 Out of Scope</h3>
      <p>OATS addresses runtime action security. The following threats require complementary controls: model training data poisoning or weight manipulation (pre-deployment ML security); denial of service against the OATS runtime (infrastructure availability); physical or infrastructure-level attacks (physical security); social engineering of human approvers (security awareness training); code-level vulnerabilities within tool implementations (application security testing); memory storage security (separate storage controls). OATS is one layer in a defense-in-depth strategy.</p>
    </section>

    <!-- 5. ORGA Loop -->
    <section class="section" id="orga-loop">
      <div class="section-divider"></div>
      <div class="section-number">Section 05</div>
      <h2>Core Architecture: The ORGA Loop</h2>
      <p>The ORGA (Observe-Reason-Gate-Act) loop is the core execution engine for OATS-compliant agent runtimes. It drives a multi-turn cycle between an LLM, a policy gate, and external tools through four mandatory phases.</p>

      <h3>5.1 Phase Definitions</h3>
      <h4>Observe</h4>
      <p>Collect results from previous tool executions. Incorporate tool outputs, error messages, policy denial feedback, and environmental signals into the agent's context. This phase also integrates knowledge retrieval (RAG-enhanced context) when available.</p>

      <h4>Reason</h4>
      <p>The LLM processes accumulated context and produces proposed actions (tool calls or text responses). The LLM sees tool definitions but never sees raw invocation details. The LLM's output is a structured proposal, not an executable action.</p>

      <h4>Gate</h4>
      <p>The policy engine evaluates each proposed action. This phase operates entirely outside LLM influence. The Gate receives the proposed action, the accumulated session context, and the agent's identity, and evaluates them against organizational policy. The Gate produces one of five decisions: <strong>Allow</strong>, <strong>Deny</strong>, <strong>Modify</strong>, <strong>Step-Up</strong> (pause for human approval), or <strong>Defer</strong> (temporarily suspend pending additional context).</p>

      <h4>Act</h4>
      <p>Approved actions are dispatched to tool executors. The tool contract executor validates parameters against the contract's type system, constructs the invocation from the contract's template, executes with timeout enforcement, captures output in a structured evidence envelope, and records the execution in the audit journal.</p>

      <h3>5.2 Typestate Enforcement</h3>
      <p>Phase transitions <span class="req-tag req-must">MUST</span> be enforced at compile time using type-level programming (typestates). Each phase is a distinct type. The transition from Reason to Act without passing through Gate <span class="req-tag req-must">MUST</span> be a type error, not a runtime check.</p>

      <pre><code>AgentLoop&lt;Reasoning&gt;    -- produce_output() --&gt;  AgentLoop&lt;PolicyCheck&gt;
AgentLoop&lt;PolicyCheck&gt;  -- check_policy()  --&gt;  AgentLoop&lt;ToolDispatching&gt;
AgentLoop&lt;ToolDispatching&gt; -- dispatch()   --&gt;  AgentLoop&lt;Observing&gt;
AgentLoop&lt;Observing&gt;    -- observe()       --&gt;  AgentLoop&lt;Reasoning&gt; | LoopResult</code></pre>

      <p>The following are compile-time errors:</p>
      <ul>
        <li>Skipping the policy check (Reasoning to ToolDispatching)</li>
        <li>Dispatching tools without reasoning (PolicyCheck to Observing)</li>
        <li>Observing results without dispatching (Reasoning to Observing)</li>
      </ul>

      <p>Implementations in languages without native typestate support <span class="req-tag req-must">MUST</span> provide equivalent guarantees through runtime enforcement with 100% path coverage testing and formal verification that all tool dispatch paths pass through the Gate.</p>

      <h3>5.3 Dynamic Branching and Termination</h3>
      <p>The only dynamic branch in the ORGA loop is after Observe: the loop either continues (returning to Reason) or completes (producing a final result). This is a standard pattern match on a concrete type, not dynamic dispatch. All other transitions are strictly linear.</p>
      <p>The loop terminates when the LLM produces a final text response, iteration limits are reached, token or time budgets are exhausted, or a circuit breaker trips.</p>

      <h3>5.4 Policy Denial Feedback</h3>
      <p>When the Gate denies an action, the denial reason <span class="req-tag req-must">MUST</span> be fed back to the LLM as an observation. This allows the LLM to adjust its approach. The Gate evaluates each subsequent proposal independently; denials are not negotiable.</p>

      <h3>5.5 Scope of Assurance</h3>
      <p>Typestate enforcement provides a specific, bounded property. To prevent overinterpretation, we state exactly what is and is not covered.</p>

      <h4>What typestate enforcement covers</h4>
      <p>Within the ORGA loop, the type system enforces that every transition from action proposal to tool dispatch passes through the Gate phase. In a Rust implementation, this is a compile-time property: any code path that attempts <code>AgentLoop&lt;Reasoning&gt;</code> &rarr; <code>AgentLoop&lt;ToolDispatching&gt;</code> without consuming an intermediate <code>AgentLoop&lt;PolicyCheck&gt;</code> is rejected by the compiler.</p>
      <p><em>Proof sketch.</em> Let <em>R</em>, <em>P</em>, <em>D</em>, <em>O</em> denote the Reasoning, PolicyCheck, ToolDispatching, and Observing phases. Each phase is a distinct zero-sized type. The only method consuming <em>R</em> produces <em>P</em>; the only method consuming <em>P</em> produces <em>D</em>; the only method consuming <em>D</em> produces <em>O</em>; and <em>O</em> produces either <em>R</em> (continue) or a terminal value (complete). Because each method takes <code>self</code> by value (consuming the prior state), no valid Rust program can hold two phase values simultaneously or skip a phase. The compiler's ownership and move semantics enforce this without runtime checks. This argument depends on the type signatures being correctly declared; it does not require trust in runtime behavior.</p>

      <h4>What typestate enforcement does not cover</h4>
      <p>The property applies only to code paths mediated by the <code>AgentLoop</code> runner. It does not provide whole-program non-bypass assurance. Specifically: (a) agent code that invokes tools through a separate code path not mediated by the ORGA runner is unconstrained by the typestate; (b) plugins, FFI calls, or dynamically loaded code may bypass the loop; (c) network-level tool invocations from within the sandbox are not mediated by the type system. These residual risks are addressed by sandboxing (Section 10) and network isolation as defense-in-depth layers, not by the typestate itself. An OATS-compliant deployment <span class="req-tag req-should">SHOULD</span> combine typestate enforcement with at least one complementary isolation mechanism.</p>

      <h3>5.6 Gate Independence</h3>
      <p>The Gate phase is designed to operate outside LLM influence. This section specifies what &ldquo;outside LLM influence&rdquo; means concretely and what an implementation must demonstrate.</p>

      <h4>Structural requirements</h4>
      <p>The Gate <span class="req-tag req-must">MUST</span> receive input as a typed, serialized data structure (e.g., a Rust struct, a JSON object conforming to a fixed schema) containing: tool name, operation, validated parameters, agent identity, and accumulated session context. The Gate <span class="req-tag req-must">MUST NOT</span> receive natural language strings, LLM reasoning traces, or any content that requires language interpretation. The Gate <span class="req-tag req-must">MUST NOT</span> share mutable memory, mutable references, or writable state with the LLM inference component. The Gate <span class="req-tag req-must">MUST NOT</span> expose a callback, hook, or API that the LLM can invoke to modify Gate behavior during evaluation.</p>

      <h4>Implementation patterns</h4>
      <p>Conformant implementations may achieve Gate independence through any of the following mechanisms, listed in decreasing order of isolation strength: (a) separate process with IPC serialization boundary; (b) separate thread with immutable message passing and no shared mutable state; (c) synchronous function call with typed struct input, no closures capturing LLM state, and no interior mutability accessible from the LLM component. Pattern (a) provides the strongest isolation. Pattern (c) is acceptable when the implementation can demonstrate (via code review or static analysis) that no shared mutable path exists.</p>

      <h4>Verification</h4>
      <p>Conformance requirement C6 (Section 12) defines the verification procedure: inspect the Gate implementation, verify inputs are typed structs, verify no shared mutable references, verify no dynamic code paths parameterized by LLM output.</p>

      <figure class="diagram" id="fig-1" data-diagram="fig1">
        <span class="diagram-eyebrow">Figure 1 &middot; ORGA loop</span>
        <div class="fig1-stage">
          <svg class="dg-svg fig1-svg" viewBox="0 0 620 320" role="img" aria-label="ORGA loop diagram">
            <defs>
              <marker id="arrA" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
                <path d="M0,0 L10,5 L0,10 z" fill="#c8a44e"/>
              </marker>
              <marker id="arrG" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
                <path d="M0,0 L10,5 L0,10 z" fill="#3a3a48"/>
              </marker>
              <marker id="arrR" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
                <path d="M0,0 L10,5 L0,10 z" fill="#c45050"/>
              </marker>
            </defs>

            <g data-phase="observe" transform="translate(30,40)">
              <rect class="box" width="140" height="70" rx="3"/>
              <text class="label-mono-sm" x="12" y="22">L1 &middot; PHASE 01</text>
              <text class="label-major" x="12" y="48">Observe</text>
            </g>
            <g data-phase="reason" transform="translate(230,40)">
              <rect class="box" width="140" height="70" rx="3"/>
              <text class="label-mono-sm" x="12" y="22">L1 &middot; PHASE 02</text>
              <text class="label-major" x="12" y="48">Reason</text>
            </g>
            <g data-phase="gate" transform="translate(430,40)">
              <rect class="box box-accent" width="160" height="70" rx="3"/>
              <text class="label-mono-sm label-accent" x="12" y="22">L1 &middot; PHASE 03 &middot; GATE</text>
              <text class="label-major" x="12" y="48">Gate</text>
              <text class="label-mono-sm" x="12" y="63" style="fill:#6b6860">outside LLM influence</text>
            </g>
            <g data-phase="act" transform="translate(230,200)">
              <rect class="box" width="140" height="70" rx="3"/>
              <text class="label-mono-sm" x="12" y="22">L1 &middot; PHASE 04</text>
              <text class="label-major" x="12" y="48">Act</text>
            </g>

            <text class="label-mono-sm" x="30" y="140" style="fill:#6b6860">LLM REGION</text>
            <line x1="30" y1="145" x2="370" y2="145" stroke="#1e1e28" stroke-dasharray="2 3"/>
            <text class="label-mono-sm" x="430" y="140" style="fill:#a08030">POLICY REGION &middot; ISOLATED</text>
            <line x1="430" y1="145" x2="590" y2="145" stroke="#a08030" stroke-dasharray="2 3"/>

            <path id="arr-or"   class="arrow" d="M170 75 L228 75" marker-end="url(#arrA)"/>
            <path id="arr-rg"   class="arrow" d="M370 75 L428 75" marker-end="url(#arrA)"/>
            <path id="arr-ga"   class="arrow" d="M510 112 L510 180 Q510 200 490 200 L372 200" marker-end="url(#arrA)"/>
            <path id="arr-ao"   class="arrow" d="M230 235 L120 235 Q100 235 100 215 L100 112" marker-end="url(#arrA)"/>

            <path id="arr-deny" class="arrow arrow-deny" d="M510 112 L510 270 Q510 288 490 288 L120 288 Q100 288 100 268 L100 112" marker-end="url(#arrR)"/>

            <text x="180" y="30" class="label-mono-sm">observe()</text>
            <text x="380" y="30" class="label-mono-sm">produce_output()</text>
            <text x="505" y="165" class="label-mono-sm" text-anchor="end">check_policy()</text>
            <text x="505" y="180" class="label-mono-sm" text-anchor="end">&rarr; dispatch()</text>
            <text x="125" y="225" class="label-mono-sm">result</text>
            <text x="310" y="303" class="label-mono-sm" text-anchor="middle" style="fill:#c45050">DENY &middot; denial reason fed back as observation</text>
          </svg>

          <div class="diagram-controls">
            <span class="label">Scenario</span>
            <button class="dg-btn fig1-scenario active" data-scenario="allow">Allowed action</button>
            <button class="dg-btn fig1-scenario" data-scenario="deny">Denied action</button>
            <span class="label" style="margin-left:auto">Step</span>
            <button class="dg-btn fig1-prev">&lsaquo; Prev</button>
            <button class="dg-btn fig1-next">Next &rsaquo;</button>
            <button class="dg-btn fig1-play">Play</button>
          </div>
          <div class="fig1-legend">
            <span><span class="swatch sw-arrow"></span>active transition</span>
            <span><span class="swatch sw-deny"></span>deny feedback</span>
          </div>
          <p class="diagram-caption fig1-caption-dyn"></p>
        </div>
        <figcaption class="diagram-caption">
          <strong>ORGA loop with typestate-enforced phase transitions.</strong> The Gate is mandatory and structurally independent of the LLM. Denied actions produce feedback observations; approved actions proceed to tool execution. Skipping Gate is a compile error, not a runtime bug.
        </figcaption>
      </figure>
    </section>

    <!-- 5. Tool Contracts -->
    <section class="section" id="tool-contracts">
      <div class="section-divider"></div>
      <div class="section-number">Section 06</div>
      <h2>Tool Contract Layer</h2>

      <h3>6.1 The Allow-List Principle</h3>
      <p>OATS inverts the conventional sandbox model. Rather than allowing the LLM to generate arbitrary actions and then intercepting them for post-hoc evaluation, the allow-list model has the LLM fill typed parameters that the executor validates against the contract before constructing the invocation from a template. Dangerous actions are structurally inexpressible because the interface does not permit them.</p>
      <ul>
        <li><strong>Deny-list (sandbox):</strong> LLM generates an arbitrary action. The security system intercepts, evaluates, and decides whether to allow or block. Risk: novel bypass escapes deny rules.</li>
        <li><strong>Allow-list (tool contract):</strong> LLM fills typed parameters. The executor validates against contract, constructs from template, and executes. Injection cannot form an action; shell metacharacters are rejected by the type system.</li>
      </ul>

      <h3>6.2 Contract Requirements</h3>
      <p>A tool contract <em>&kappa;</em> <span class="req-tag req-must">MUST</span> define:</p>
      <ol>
        <li><strong>Typed parameters.</strong> Each parameter has a declared type from the type system <em>&Tcy;</em> with validation constraints. All string-based types <span class="req-tag req-must">MUST</span> reject shell metacharacters (<code>;|&amp;$\`\\(){}[]&lt;&gt;!</code>) by default.</li>
        <li><strong>Invocation mechanism.</strong> Command template, HTTP request template, protocol server address, or interactive session definition. The LLM never constructs invocation details.</li>
        <li><strong>Output schema.</strong> Expected structure of tool output. The executor validates parsed output before returning results to the agent.</li>
        <li><strong>Policy metadata.</strong> Policy resource and action declarations enabling authorization without parsing tool-specific details.</li>
        <li><strong>Risk tier.</strong> Risk classification (low, medium, high, critical) informing default policy generation and step-up thresholds.</li>
      </ol>

      <h3>6.3 Execution Modes</h3>
      <p>Tool contracts <span class="req-tag req-should">SHOULD</span> support three execution modes sharing a common governance layer:</p>
      <table>
        <thead>
          <tr>
            <th>Mode</th>
            <th>Description</th>
            <th>Governance</th>
          </tr>
        </thead>
        <tbody>
          <tr><td><strong>Oneshot</strong></td><td>Single invocation, return results</td><td>Per-invocation Gate evaluation</td></tr>
          <tr><td><strong>Session</strong></td><td>Running process (PTY), per-interaction validation</td><td>Per-interaction Gate evaluation</td></tr>
          <tr><td><strong>Browser</strong></td><td>Governed browser (CDP/Playwright), scoped navigation</td><td>Per-action Gate evaluation</td></tr>
        </tbody>
      </table>

      <h3>6.4 Contract Integrity</h3>
      <p>Tool contracts <span class="req-tag req-must">MUST</span> support cryptographic integrity verification. Signatures <span class="req-tag req-must">MUST</span> cover the entire contract &mdash; parameters, validation rules, invocation templates, output schemas, and scope constraints. A contract failing verification <span class="req-tag req-must">MUST</span> be rejected.</p>

      <h3>6.5 Schema Generation</h3>
      <p>Tool contracts <span class="req-tag req-should">SHOULD</span> support automatic generation of protocol-compatible schemas (e.g., MCP <code>inputSchema</code> and <code>outputSchema</code>) from the contract definition. The LLM understands tool capabilities through generated schemas without the contract format being exposed.</p>

      <figure class="diagram" id="fig-2" data-diagram="fig2">
        <span class="diagram-eyebrow">Figure 2 &middot; Deny-list vs. allow-list</span>

        <div class="diagram-controls" style="border-top:none; padding-top:0; margin-top:0">
          <span class="label">Parameter</span>
          <div class="fig2-scenarios" style="display:flex; gap:.4rem; flex-wrap:wrap"></div>
        </div>

        <div class="fig2-input" style="margin-top:1rem">
          <span class="diagram-eyebrow" style="position:static; padding-right:.5rem">input &rarr;</span>
          <code></code>
        </div>

        <div class="fig2-grid">
          <div class="fig2-col deny">
            <h5>Deny-list (sandbox intercepts)</h5>
            <svg class="dg-svg" viewBox="0 0 260 145" aria-hidden="true">
              <defs>
                <marker id="arrD" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="6" markerHeight="6" orient="auto-start-reverse">
                  <path d="M0,0 L10,5 L0,10 z" fill="#3a3a48"/>
                </marker>
              </defs>
              <g transform="translate(10,12)"><rect class="box" width="100" height="36" rx="3"/><text class="label-mono" x="10" y="22">LLM emits</text></g>
              <path class="arrow" d="M110 30 L120 30" marker-end="url(#arrD)"/>
              <g transform="translate(120,12)"><rect class="box" width="130" height="36" rx="3"/><text class="label-mono" x="10" y="22">raw action</text></g>
              <path class="arrow" d="M185 48 L185 72" marker-end="url(#arrD)"/>
              <g transform="translate(120,72)"><rect class="box" width="130" height="40" rx="3"/>
                <text class="label-mono" x="10" y="18">deny-list</text>
                <text class="label-mono-sm" x="10" y="32">enumerate/match</text>
              </g>
              <text class="label-mono-sm" x="10" y="135" style="fill:#c45050">risk: novel bypass</text>
            </svg>
            <div class="outcome"></div>
          </div>

          <div class="fig2-col allow">
            <h5>Allow-list (tool contract)</h5>
            <svg class="dg-svg" viewBox="0 0 260 145" aria-hidden="true">
              <defs>
                <marker id="arrA2" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="6" markerHeight="6" orient="auto-start-reverse">
                  <path d="M0,0 L10,5 L0,10 z" fill="#c8a44e"/>
                </marker>
              </defs>
              <g transform="translate(10,12)"><rect class="box" width="100" height="36" rx="3"/><text class="label-mono" x="10" y="22">LLM fills</text></g>
              <path class="arrow arrow-accent" d="M110 30 L120 30" marker-end="url(#arrA2)"/>
              <g transform="translate(120,12)"><rect class="box box-accent" width="130" height="36" rx="3"/><text class="label-mono label-accent" x="10" y="22">typed params</text></g>
              <path class="arrow arrow-accent" d="M185 48 L185 72" marker-end="url(#arrA2)"/>
              <g transform="translate(120,72)"><rect class="box box-accent" width="130" height="40" rx="3"/>
                <text class="label-mono label-accent" x="10" y="18">&tau;(p) template</text>
                <text class="label-mono-sm" x="10" y="32" style="fill:#6b6860">constructed</text>
              </g>
              <text class="label-mono-sm" x="10" y="135" style="fill:#5a9a6a">danger inexpressible</text>
            </svg>
            <div class="outcome"></div>
          </div>
        </div>

        <figcaption class="diagram-caption">
          <strong>Deny-list vs. allow-list enforcement.</strong> In the allow-list model, the space of expressible actions is constrained by the tool contract before any policy evaluation occurs. Try the scenarios above to see why novel bypasses fall through a deny-list but cannot form under an allow-list at all.
        </figcaption>
      </figure>
    </section>

    <!-- 6. Identity Layer -->
    <section class="section" id="identity">
      <div class="section-divider"></div>
      <div class="section-number">Section 07</div>
      <h2>Identity Layer</h2>

      <h3>7.1 The Identity Problem</h3>
      <p>When AI agents interact with tools, services, and other agents, identity is typically self-asserted. An agent claims to be "Scout v2 from Tarnover LLC" with no way for the receiving party to verify that claim. Self-asserted identity provides no security guarantee: agents can be impersonated, tools can be spoofed, and delegation claims cannot be verified.</p>
      <p>OATS specifies a two-layer cryptographic identity stack that addresses both directions of the trust problem.</p>

      <h3>7.2 Tool Integrity Verification</h3>
      <p>An OATS-compliant runtime <span class="req-tag req-must">MUST</span> support cryptographic verification of tool schemas and contracts:</p>
      <ul>
        <li><strong>Domain-anchored discovery.</strong> Tool publishers host public keys at well-known endpoints (e.g., <code>/.well-known/</code> URIs per RFC 8615). No centralized registry required.</li>
        <li><strong>Signature verification.</strong> Tool contracts and schemas are signed with ECDSA P-256 (or equivalent). The runtime verifies signatures before registering tools.</li>
        <li><strong>Trust-On-First-Use (TOFU) key pinning.</strong> On first encounter, the runtime pins the publisher's key. Subsequent key changes require explicit trust decisions.</li>
        <li><strong>Revocation support.</strong> Publishers can revoke keys and schemas. The runtime checks revocation status before accepting tools.</li>
      </ul>

      <h3>7.3 Agent Identity Verification</h3>
      <p>An OATS-compliant runtime <span class="req-tag req-should">SHOULD</span> support cryptographic agent identity verification:</p>
      <ul>
        <li><strong>Domain-anchored agent identity.</strong> Organizations publish verifiable identity documents for their agents at well-known endpoints.</li>
        <li><strong>Short-lived credentials.</strong> Agents are issued time-limited signed credentials (e.g., ES256 JWTs) declaring their identity, capabilities, and delegation chain.</li>
        <li><strong>Delegation chains.</strong> Agent credentials support maker-deployer delegation, where the organization that builds agent software and the organization that deploys it are independently verifiable.</li>
        <li><strong>Capability scoping.</strong> Agent credentials declare specific capabilities (e.g., <code>read:data</code>, <code>write:reports</code>), enabling verifiers to enforce least-privilege access.</li>
      </ul>

      <h3>7.4 Bidirectional Trust</h3>
      <p>The two identity layers create a bidirectional trust model:</p>
      <ol>
        <li><strong>Agent verifies tool.</strong> Before invoking a tool, the agent's runtime verifies the tool's contract integrity.</li>
        <li><strong>Tool verifies agent.</strong> Before accepting an invocation, the tool verifies the agent's identity.</li>
        <li><strong>Policy evaluation.</strong> The runtime evaluates whether the verified agent's capabilities authorize it to use the verified tool.</li>
        <li><strong>Audit recording.</strong> Both verifications and the policy decision are recorded in the cryptographic audit journal.</li>
      </ol>

      <figure class="diagram" id="fig-3" data-diagram="fig3">
        <span class="diagram-eyebrow">Figure 3 &middot; Bidirectional trust</span>
        <svg class="dg-svg fig3-svg" viewBox="0 0 640 260" role="img" aria-label="Bidirectional trust diagram">
          <defs>
            <marker id="arrF3" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
              <path d="M0,0 L10,5 L0,10 z" fill="#c8a44e"/>
            </marker>
          </defs>

          <g transform="translate(30,90)">
            <rect class="box" width="140" height="80" rx="3"/>
            <text class="label-mono-sm" x="12" y="22">PRINCIPAL</text>
            <text class="label-major" x="12" y="48">Agent</text>
            <text class="label-mono-sm" x="12" y="65" style="fill:#6b6860">scout / 2.1</text>
          </g>

          <g data-step="step-policy" tabindex="0" role="button" style="cursor:pointer">
            <g transform="translate(250,90)">
              <rect class="box" width="140" height="80" rx="3"/>
              <text class="label-mono-sm label-accent" x="12" y="22">L4 &middot; GATE</text>
              <text class="label-major" x="12" y="48">Policy</text>
              <text class="label-mono-sm" x="12" y="65" style="fill:#6b6860">structured input only</text>
            </g>
          </g>

          <g transform="translate(470,90)">
            <rect class="box" width="140" height="80" rx="3"/>
            <text class="label-mono-sm" x="12" y="22">RESOURCE</text>
            <text class="label-major" x="12" y="48">Tool</text>
            <text class="label-mono-sm" x="12" y="65" style="fill:#6b6860">finance.transfer</text>
          </g>

          <g data-step="step-schemapin" tabindex="0" role="button" style="cursor:pointer">
            <path class="arrow arrow-accent" d="M170 115 Q320 30 540 115" marker-end="url(#arrF3)"/>
            <rect x="240" y="38" width="160" height="24" rx="2" class="box-accent"/>
            <text class="label-mono-sm label-accent" x="252" y="54">SchemaPin &middot; verify</text>
          </g>

          <g data-step="step-agentpin" tabindex="0" role="button" style="cursor:pointer">
            <path class="arrow arrow-accent" d="M540 155 Q320 240 170 155" marker-end="url(#arrF3)"/>
            <rect x="240" y="208" width="160" height="24" rx="2" class="box-accent"/>
            <text class="label-mono-sm label-accent" x="252" y="224">AgentPin &middot; verify</text>
          </g>

          <g data-step="step-journal" tabindex="0" role="button" style="cursor:pointer">
            <line x1="320" y1="170" x2="320" y2="255" class="arrow" stroke-dasharray="3 3"/>
            <rect x="265" y="248" width="110" height="10" fill="transparent"/>
            <text x="320" y="256" text-anchor="middle" class="label-mono-sm" style="fill:#a08030">&rarr; journal (L5)</text>
          </g>
        </svg>

        <div class="fig0-detail fig3-detail" style="margin-top: 1.25rem"></div>

        <figcaption class="diagram-caption">
          <strong>Bidirectional trust.</strong> The agent verifies tool integrity (SchemaPin), the tool verifies agent identity (AgentPin), and the policy engine evaluates authorization. All three steps are recorded in the cryptographic audit journal. Hover or click any arrow for details.
        </figcaption>
      </figure>
    </section>

    <!-- 7. Policy Enforcement -->
    <section class="section" id="policy">
      <div class="section-divider"></div>
      <div class="section-number">Section 08</div>
      <h2>Policy Enforcement Layer</h2>

      <h3>8.1 Policy Engine Requirements</h3>
      <p>An OATS-compliant policy engine evaluates the tuple <code>(a, C, I)</code> and produces an authorization decision. The engine:</p>
      <ul>
        <li><span class="req-tag req-must">MUST</span> support five decisions: Allow, Deny, Modify, Step-Up, Defer.</li>
        <li><span class="req-tag req-must">MUST</span> evaluate both static policy and accumulated session context.</li>
        <li><span class="req-tag req-must">MUST</span> operate outside LLM influence: structured inputs, structured decisions, no natural language processing, no shared mutable state with the LLM.</li>
        <li><span class="req-tag req-should">SHOULD</span> support a formally verifiable policy language (Cedar, OPA, or equivalent).</li>
        <li><span class="req-tag req-must">MUST</span> default to deny.</li>
      </ul>

      <h3>8.2 Action Classification</h3>
      <p>OATS classifies actions into five categories based on how they should be evaluated. The &ldquo;structurally forbidden&rdquo; category exists only in systems with allow-list tool contracts.</p>
      <table>
        <thead>
          <tr>
            <th>Category</th>
            <th>How Identified</th>
            <th>Evaluation</th>
            <th>Decision</th>
          </tr>
        </thead>
        <tbody>
          <tr><td><strong>Structurally forbidden</strong></td><td>Cannot be expressed via tool contract</td><td>None needed</td><td>N/A (inexpressible)</td></tr>
          <tr><td><strong>Policy-forbidden</strong></td><td>Static policy match</td><td>Static policy only</td><td>DENY</td></tr>
          <tr><td><strong>Context-dependent deny</strong></td><td>Policy allows, context misaligns</td><td>Static + context</td><td>DENY</td></tr>
          <tr><td><strong>Context-dependent allow</strong></td><td>Policy denies, context aligns</td><td>Static + context</td><td>STEP-UP / ALLOW</td></tr>
          <tr><td><strong>Context-dependent defer</strong></td><td>Insufficient/conflicting context</td><td>Indeterminate</td><td>DEFER</td></tr>
        </tbody>
      </table>

      <h3>8.3 Context Accumulation</h3>
      <p>The runtime <span class="req-tag req-must">MUST</span> accumulate session context as an append-only, hash-chained log:</p>
      <ul>
        <li><strong>Original request.</strong> The user's initial instruction establishing intent.</li>
        <li><strong>Action history.</strong> Sequence of actions proposed, approved, denied, deferred, and executed.</li>
        <li><strong>Data classification.</strong> Sensitivity of information accessed. Default: highest configured level when unknown.</li>
        <li><strong>Tool outputs.</strong> Results from previous actions.</li>
        <li><strong>Semantic distance.</strong> Drift from original request (see 8.4).</li>
        <li><strong>Identity context.</strong> Verified identities of agent, user, and tools.</li>
      </ul>

      <h3>8.4 Semantic Distance Tracking</h3>
      <p>The runtime <span class="req-tag req-should">SHOULD</span> compute semantic distance between actions and stated intent:</p>
      <p>$$d(r_0, a_n) = 1 - \cos(\text{embed}(r_0),\ \text{embed}(a_n))$$</p>
      <p>where <em>r<sub>0</sub></em> is the original request and <em>a<sub>n</sub></em> is the current action. Cumulative drift <span class="req-tag req-should">SHOULD</span> be tracked across sequences. Thresholds are deployment-specific and <span class="req-tag req-should">SHOULD</span> be calibrated empirically.</p>

      <div class="callout">
        <div class="callout-title">Semantic distance is a risk signal, not a primary authorization primitive</div>
        <p>The hard authorization layer in OATS is the deterministic policy engine (Cedar, OPA, or equivalent) evaluating structured inputs. Semantic distance provides an advisory signal that the policy engine may consume as one input to step-up or defer decisions, but OATS-compliant runtimes <span class="req-tag req-should">SHOULD NOT</span> rely on semantic distance as the sole basis for irreversible denial. This separation ensures the Gate's authorization decisions remain deterministic and reproducible even when the drift signal is heuristic.</p>
      </div>

      <h3>8.5 Step-Up Authorization and Deferral</h3>
      <p><strong>Step-up authorization:</strong> execution <span class="req-tag req-must">MUST</span> block until approval; full context <span class="req-tag req-must">MUST</span> be available to approvers; configurable timeouts <span class="req-tag req-must">MUST</span> be enforced (deny on timeout); decisions <span class="req-tag req-must">MUST</span> be recorded in the journal.</p>
      <p><strong>Deferral:</strong> deferred actions <span class="req-tag req-must">MUST</span> remain paused without effects; the runtime <span class="req-tag req-must">MUST</span> track deferred actions and maintain execution order; cascading deferrals <span class="req-tag req-must">MUST</span> be bounded (deny when limit exceeded); deny on timeout <span class="req-tag req-must">MUST</span> be the default; both deferral and resolution <span class="req-tag req-must">MUST</span> be recorded.</p>

      <figure class="diagram" id="fig-4" data-diagram="fig4">
        <span class="diagram-eyebrow">Figure 4 &middot; Action classification pipeline</span>

        <div class="diagram-controls" style="border-top:none; padding-top:0; margin-top:0">
          <span class="label">Trace an action</span>
          <div class="fig4-scenarios" style="display:flex; gap:.4rem; flex-wrap:wrap; flex:1 1 auto"></div>
        </div>

        <svg class="dg-svg fig4-svg" viewBox="0 0 820 260" role="img" aria-label="Action classification pipeline" style="margin-top: 1rem">
          <defs>
            <marker id="arrF4" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
              <path d="M0,0 L10,5 L0,10 z" fill="#3a3a48"/>
            </marker>
            <marker id="arrF4A" viewBox="0 0 10 10" refX="9" refY="5" markerWidth="7" markerHeight="7" orient="auto-start-reverse">
              <path d="M0,0 L10,5 L0,10 z" fill="#c8a44e"/>
            </marker>
          </defs>

          <g data-node="node-contract" transform="translate(20,90)">
            <rect class="box" width="160" height="70" rx="3"/>
            <text class="label-mono-sm" x="12" y="20">L2 &middot; CONTRACT</text>
            <text class="label-major" x="12" y="43">Type check</text>
            <text class="label-mono-sm" x="12" y="60" style="fill:#6b6860">typed &middot; sanitized</text>
          </g>
          <g data-node="node-static" transform="translate(230,90)">
            <rect class="box" width="160" height="70" rx="3"/>
            <text class="label-mono-sm" x="12" y="20">L4 &middot; STATIC</text>
            <text class="label-major" x="12" y="43">Policy rules</text>
            <text class="label-mono-sm" x="12" y="60" style="fill:#6b6860">RBAC &middot; ABAC</text>
          </g>
          <g data-node="node-context" transform="translate(440,90)">
            <rect class="box" width="160" height="70" rx="3"/>
            <text class="label-mono-sm" x="12" y="20">L4 &middot; CONTEXT</text>
            <text class="label-major" x="12" y="43">Context eval</text>
            <text class="label-mono-sm" x="12" y="60" style="fill:#6b6860">history &middot; drift</text>
          </g>

          <path data-arrow="node-contract-node-static" class="arrow" d="M180 125 L228 125" marker-end="url(#arrF4)"/>
          <path data-arrow="node-static-node-context" class="arrow" d="M390 125 L438 125" marker-end="url(#arrF4)"/>

          <g data-out="out-allow" transform="translate(660,30)">
            <rect class="box" width="130" height="30" rx="2"/>
            <text class="label-mono" x="10" y="19" style="fill:#5a9a6a">ALLOW</text>
          </g>
          <g data-out="out-stepup" transform="translate(660,70)">
            <rect class="box" width="130" height="30" rx="2"/>
            <text class="label-mono" x="10" y="19" style="fill:#5080b0">STEP-UP</text>
          </g>
          <g data-out="out-defer" transform="translate(660,110)">
            <rect class="box" width="130" height="30" rx="2"/>
            <text class="label-mono" x="10" y="19" style="fill:#c8a44e">DEFER</text>
          </g>
          <g data-out="out-deny" transform="translate(660,150)">
            <rect class="box" width="130" height="30" rx="2"/>
            <text class="label-mono" x="10" y="19" style="fill:#c45050">DENY</text>
          </g>
          <g data-out="out-rejected" transform="translate(20,190)">
            <rect class="box" width="200" height="30" rx="2"/>
            <text class="label-mono" x="10" y="19" style="fill:#c8a44e">REJECTED &middot; inexpressible</text>
          </g>

          <path data-arrow="node-context-out-allow"   class="arrow" d="M600 110 L660 45"  marker-end="url(#arrF4)"/>
          <path data-arrow="node-context-out-stepup"  class="arrow" d="M600 118 L660 85"  marker-end="url(#arrF4)"/>
          <path data-arrow="node-context-out-defer"   class="arrow" d="M600 128 L660 125" marker-end="url(#arrF4)"/>
          <path data-arrow="node-context-out-deny"    class="arrow" d="M600 140 L660 165" marker-end="url(#arrF4)"/>
          <path data-arrow="node-static-out-deny"     class="arrow" d="M348 160 Q500 210 660 170" marker-end="url(#arrF4)"/>
          <path data-arrow="node-contract-out-rejected" class="arrow" d="M100 160 L100 185" marker-end="url(#arrF4)"/>
        </svg>

        <div class="fig0-detail fig4-detail" style="margin-top: 1rem"></div>

        <figcaption class="diagram-caption">
          <strong>Action classification pipeline.</strong> Tool contract validation eliminates structurally forbidden actions before the policy engine is reached. Static policy handles policy-forbidden cases; context-dependent evaluation handles the remaining categories using accumulated session context.
        </figcaption>
      </figure>
    </section>

    <!-- 8. Audit Layer -->
    <section class="section" id="audit">
      <div class="section-divider"></div>
      <div class="section-number">Section 09</div>
      <h2>Audit Layer</h2>

      <h3>9.1 Journal Requirements</h3>
      <p>An OATS-compliant runtime <span class="req-tag req-must">MUST</span> maintain a cryptographic audit journal recording all events in the ORGA loop. The journal is the authoritative record of what happened, when, why, and by whose authority.</p>

      <h3>9.2 Event Types</h3>
      <table>
        <thead>
          <tr>
            <th>Event</th>
            <th>When</th>
            <th>Content</th>
          </tr>
        </thead>
        <tbody>
          <tr>
            <td><strong>LoopStarted</strong></td>
            <td>Loop begins</td>
            <td>Configuration, agent identity, original request</td>
          </tr>
          <tr>
            <td><strong>ReasoningComplete</strong></td>
            <td>After LLM response, before Gate</td>
            <td>Proposed actions, token usage</td>
          </tr>
          <tr>
            <td><strong>PolicyEvaluated</strong></td>
            <td>After Gate decision</td>
            <td>Actions evaluated, decisions, matching policies, reasons</td>
          </tr>
          <tr>
            <td><strong>ToolsDispatched</strong></td>
            <td>After tool execution</td>
            <td>Tools invoked, parameters, duration, evidence hashes</td>
          </tr>
          <tr>
            <td><strong>ObservationsCollected</strong></td>
            <td>After collecting results</td>
            <td>Observation count, context size</td>
          </tr>
          <tr>
            <td><strong>LoopTerminated</strong></td>
            <td>Loop ends</td>
            <td>Reason, iterations, total usage, duration</td>
          </tr>
          <tr>
            <td><strong>RecoveryTriggered</strong></td>
            <td>On tool failure</td>
            <td>Strategy, error context</td>
          </tr>
        </tbody>
      </table>

      <h3>9.3 Cryptographic Properties</h3>
      <p>Each journal entry <span class="req-tag req-must">MUST</span> include:</p>
      <ul>
        <li><strong>Ed25519 signature</strong> (or equivalent; ECDSA P-256 also acceptable). The signature covers the canonical serialization of the entry contents.</li>
        <li><strong>Hash chain link.</strong> Each entry includes the cryptographic hash of the previous entry, forming an append-only chain that detects retroactive modification.</li>
        <li><strong>Timestamp.</strong> Cryptographic timestamp for temporal ordering.</li>
      </ul>
      <p>Journal entries <span class="req-tag req-must">MUST</span> be verifiable offline.</p>

      <h3>9.4 Evidence Envelopes</h3>
      <p>Tool executions <span class="req-tag req-must">MUST</span> produce structured evidence envelopes containing: tool name and version, validated parameters, constructed invocation, duration and exit status, output hash (SHA-256), policy decision that authorized execution, and agent and user identity at time of execution.</p>

      <h3>9.5 Compliance Properties</h3>
      <p>The journal provides infrastructure that can contribute to regulatory compliance, though OATS alone is not sufficient for any regulatory framework. Specifically: the journal can serve as a component of <strong>HIPAA</strong> audit trails (recording health data access with identity and authorization); <strong>SOC2</strong> evidence collection (recording policy enforcement decisions); <strong>SOX</strong> audit trail requirements (recording attributable financial system actions); and <strong>GDPR</strong> accountability mechanisms (recording data access patterns). In each case, the journal addresses the technical recording requirement but does not address the organizational, procedural, or legal requirements of the applicable regulation.</p>

      <figure class="diagram" id="fig-5" data-diagram="fig5">
        <span class="diagram-eyebrow">Figure 5 &middot; Hash-chained audit journal</span>

        <div class="fig5-entries"></div>

        <div class="diagram-controls">
          <span class="label">Integrity</span>
          <button class="dg-btn fig5-verify">Verify chain</button>
          <button class="dg-btn fig5-reset">Reset</button>
          <span style="flex:1"></span>
          <span class="label" style="font-style:italic">Click any entry to tamper</span>
        </div>

        <div class="fig5-status ok" style="margin-top: 1rem"></div>

        <figcaption class="diagram-caption">
          <strong>Hash-chained audit journal.</strong> Each entry includes the cryptographic hash of the previous entry and an Ed25519 signature, forming a tamper-evident chain verifiable offline. Tampering with any entry breaks the chain at that link and every link after it.
        </figcaption>
      </figure>
    </section>

    <!-- 9. Sandboxing -->
    <section class="section" id="sandboxing">
      <div class="section-divider"></div>
      <div class="section-number">Section 10</div>
      <h2>Sandboxing and Isolation</h2>

      <h3>10.1 Multi-Tier Sandboxing</h3>
      <p>An OATS-compliant runtime <span class="req-tag req-should">SHOULD</span> support multiple sandboxing tiers:</p>
      <ul>
        <li><strong>Tier 1: Container isolation.</strong> Agent execution within container boundaries with resource limits, network restrictions, and filesystem isolation.</li>
        <li><strong>Tier 2: Kernel-level isolation.</strong> Agent execution within a user-space kernel (e.g., gVisor) providing syscall filtering without full virtualization overhead.</li>
        <li><strong>Tier 3: Microkernel isolation.</strong> Agent execution within a lightweight VM (e.g., Firecracker) providing hardware-level isolation with minimal overhead.</li>
      </ul>

      <h3>10.2 Resource Limits</h3>
      <p>Regardless of sandboxing tier, agent execution <span class="req-tag req-must">MUST</span> support configurable resource limits: token budget, time budget, iteration budget, tool call budget, network restrictions, and filesystem restrictions.</p>

      <h3>10.3 Circuit Breakers</h3>
      <p>Tool executions <span class="req-tag req-should">SHOULD</span> be protected by circuit breakers. When a tool fails repeatedly, the circuit breaker trips and subsequent calls are rejected without execution until the circuit resets.</p>
    </section>

    <!-- 10. Inter-Agent -->
    <section class="section" id="inter-agent">
      <div class="section-divider"></div>
      <div class="section-number">Section 11</div>
      <h2>Inter-Agent Communication</h2>

      <h3>11.1 Communication Governance</h3>
      <p>When agents communicate with other agents, all inter-agent messages <span class="req-tag req-must">MUST</span> pass through a communication policy gate. The gate evaluates authorization rules on communication primitives (ask, delegate, send, parallel, race) before execution.</p>

      <h3>11.2 Message Security</h3>
      <p>Inter-agent messages <span class="req-tag req-must">MUST</span> be cryptographically signed (Ed25519 or equivalent), encrypted (AES-256-GCM or equivalent), and attributed to verified agent identities.</p>

      <h3>11.3 Delegation Constraints</h3>
      <p>Delegation chains <span class="req-tag req-must">MUST</span> be bounded: maximum delegation depth (configurable), capability narrowing (a delegated agent cannot exceed the delegating agent's capabilities), and blast-radius containment.</p>

      <h3>11.4 Cross-Agent Context</h3>
      <p>When an agent delegates to another agent, the session context <span class="req-tag req-should">SHOULD</span> be propagated to the downstream agent, enabling the downstream agent's Gate to evaluate actions against the original intent.</p>
    </section>

    <!-- 11. Conformance -->
    <section class="section" id="conformance">
      <div class="section-divider"></div>
      <div class="section-number">Section 12</div>
      <h2>Conformance Requirements</h2>

      <p>The requirement language follows RFC 2119: MUST indicates absolute requirements; SHOULD indicates recommendations that may be omitted with documented justification.</p>

      <h3>12.1 Conformance Levels</h3>
      <p><strong>OATS Core</strong> (all MUST requirements, C1&ndash;C7): Baseline zero-trust agent execution.</p>
      <p><strong>OATS Extended</strong> (all MUST and SHOULD requirements, C1&ndash;C7 + E1&ndash;E8): Comprehensive zero-trust with identity, sandboxing, and advanced policy.</p>

      <h3>12.2 Core Requirements (MUST)</h3>
      <p><strong>C1: ORGA Loop Enforcement.</strong> The runtime <span class="req-tag req-must">MUST</span> implement the four-phase ORGA loop. The Gate <span class="req-tag req-must">MUST</span> execute before every tool dispatch. In compiled languages, phase transitions <span class="req-tag req-must">MUST</span> be enforced at compile time via typestates. In interpreted languages, equivalent enforcement <span class="req-tag req-must">MUST</span> be provided and documented, with acknowledgment of residual risk per Section 5.5.<br>
      <em>Verification:</em> Attempt to construct a code path from Reason to Act bypassing Gate. In a typestate implementation, this <span class="req-tag req-must">MUST</span> be a compile error. In runtime-enforced implementations, this <span class="req-tag req-must">MUST</span> be caught by a verified test suite with 100% tool dispatch path coverage.</p>

      <p><strong>C2: Tool Contract Support.</strong> The runtime <span class="req-tag req-must">MUST</span> support declarative tool contracts with typed parameter validation. The LLM <span class="req-tag req-must">MUST NOT</span> generate raw tool invocations. All invocations <span class="req-tag req-must">MUST</span> be constructed from validated parameters and contract-defined templates.<br>
      <em>Verification:</em> Submit parameters containing shell metacharacters (<code>;</code>, <code>|</code>, <code>&amp;</code>, <code>\`</code>). Verify rejection. Submit parameters outside declared type constraints. Verify rejection. Verify the LLM never receives raw invocation strings in any code path.</p>

      <p><strong>C3: Policy Evaluation.</strong> The runtime <span class="req-tag req-must">MUST</span> evaluate actions against policy before execution. The policy engine <span class="req-tag req-must">MUST</span> operate outside LLM influence. <span class="req-tag req-must">MUST</span> support Allow, Deny, Modify, Step-Up, and Defer decisions. Default <span class="req-tag req-must">MUST</span> be deny.<br>
      <em>Verification:</em> Configure a DENY policy. Submit a matching action. Verify no effects on the target system. Verify denial recorded in journal with matching policy and reason. Repeat for each decision type.</p>

      <p><strong>C4: Context Accumulation.</strong> The runtime <span class="req-tag req-must">MUST</span> accumulate session context across actions. Context <span class="req-tag req-must">MUST</span> include original request (when available), action history, and data classification.<br>
      <em>Verification:</em> Execute a sequence of three or more actions. Verify the policy engine receives accumulated context for each subsequent action. Verify context includes prior actions and their data classifications.</p>

      <p><strong>C5: Cryptographic Audit Journal.</strong> The runtime <span class="req-tag req-must">MUST</span> maintain a hash-chained, cryptographically signed audit journal recording all ORGA loop events. Entries <span class="req-tag req-must">MUST</span> be verifiable offline.<br>
      <em>Verification:</em> Generate journal entries for allowed, denied, deferred, and step-up actions. Verify all fields present, signatures valid, and hash chain intact. Tamper with one entry and verify chain verification detects the modification.</p>

      <p><strong>C6: Gate Independence.</strong> The Gate <span class="req-tag req-must">MUST</span> operate on structured inputs only. It <span class="req-tag req-must">MUST NOT</span> process natural language, share mutable state with the LLM, or be influenced by the LLM's reasoning.<br>
      <em>Verification:</em> Inspect Gate implementation. Verify inputs are typed structs (tool name, operation, parameters, identity, context), not natural language strings. Verify no shared mutable references between the Gate and the LLM inference component. Verify no dynamic code paths within the Gate that are parameterized by LLM output.</p>

      <p><strong>C7: Evidence Envelopes.</strong> Tool executions <span class="req-tag req-must">MUST</span> produce structured evidence envelopes with output hashes, execution metadata, and identity binding.<br>
      <em>Verification:</em> Execute a tool. Verify the envelope contains tool name, version, validated parameters, constructed invocation, duration, exit status, SHA-256 output hash, authorizing policy decision, and agent/user identity.</p>

      <h3>12.3 Extended Requirements (SHOULD)</h3>
      <ul>
        <li><strong>E1: Tool Integrity Verification.</strong> Verify tool contract signatures using domain-anchored cryptographic verification with TOFU key pinning.</li>
        <li><strong>E2: Agent Identity Verification.</strong> Verify agent identity using domain-anchored ES256 credentials with delegation chain support.</li>
        <li><strong>E3: Semantic Distance Tracking.</strong> Compute and track semantic distance between actions and stated intent using embedding similarity.</li>
        <li><strong>E4: Multi-Tier Sandboxing.</strong> Support configurable sandboxing tiers (container, kernel-level, microVM).</li>
        <li><strong>E5: Inter-Agent Communication Governance.</strong> Enforce authorization policies on inter-agent communication with signed and encrypted messages.</li>
        <li><strong>E6: Telemetry Export.</strong> Export structured telemetry (OCSF, CEF, or documented custom schemas) with real-time streaming.</li>
        <li><strong>E7: Formally Verifiable Policies.</strong> Use a policy language enabling static analysis of correctness (Cedar, OPA, or equivalent).</li>
        <li><strong>E8: Least-Privilege Credential Scoping.</strong> Support just-in-time credential issuance with operation-specific scoping and logged usage.</li>
      </ul>
    </section>

    <!-- 13. Implementations -->
    <section class="section" id="implementations">
      <div class="section-divider"></div>
      <div class="section-number">Section 13</div>
      <h2>Implementation Architectures</h2>
      <p>OATS does not mandate a specific implementation architecture. The specification intentionally separates conformance properties from implementation details and includes four deployment patterns to reduce dependence on any single implementation. The current specification is informed by one reference implementation (Symbiont); independent conformance testing across additional implementations is needed to validate that the specification is sufficiently general.</p>
      <table>
        <thead>
          <tr>
            <th>Property</th>
            <th>Self-Hosted Runtime</th>
            <th>Plugin/Extension</th>
            <th>Gateway</th>
            <th>Vendor Integration</th>
          </tr>
        </thead>
        <tbody>
          <tr><td><strong>You control</strong></td><td>Everything</td><td>Agent code</td><td>Network</td><td>Policy only</td></tr>
          <tr><td><strong>Enforcement</strong></td><td>ORGA typestate</td><td>Dual-layer</td><td>Network proxy</td><td>Vendor hooks</td></tr>
          <tr><td><strong>Bypass resistance</strong></td><td>Very high</td><td>High</td><td>High</td><td>Vendor-dependent</td></tr>
          <tr><td><strong>Context richness</strong></td><td>Full</td><td>Full (inner)</td><td>Limited</td><td>Vendor-dependent</td></tr>
          <tr><td><strong>Tool contracts</strong></td><td>Full</td><td>Full (outer)</td><td>Partial</td><td>Vendor-dependent</td></tr>
          <tr><td><strong>Identity</strong></td><td>Full</td><td>Full (outer)</td><td>Partial</td><td>Vendor-dependent</td></tr>
          <tr><td><strong>OATS-conformant</strong></td><td>Yes</td><td>Yes</td><td>Partial</td><td>If hooks sufficient</td></tr>
        </tbody>
      </table>

      <h3>13.1 Self-Hosted Runtime</h3>
      <p>The full OATS stack deployed as a single runtime. Provides the strongest available enforcement properties: compile-time phase enforcement, full context visibility, cryptographic identity, and multi-tier isolation. Natural home in systems-level languages with rich type systems.</p>

      <h3>13.2 Plugin/Extension Model</h3>
      <p>For agents running inside third-party platforms. An inner layer (plugin) provides awareness; an outer layer (OATS runtime wrapping the platform via CLI executor or container) provides enforcement. Because the outer ORGA Gate mediates all tool invocations at the process boundary, the inner platform cannot bypass it through normal operation. Side-channel bypasses (e.g., direct network calls from within the sandbox) require complementary network-level controls.</p>

      <h3>13.3 Gateway Architecture</h3>
      <p>For protocol-based tool invocations (MCP, REST). An OATS-compliant gateway intercepts traffic between agents and tools, implementing the Gate, context accumulation, and journaling. Provides enforcement without agent modification, at the cost of reduced context visibility.</p>

      <h3>13.4 Vendor Integration</h3>
      <p>For SaaS agents where organizations control no infrastructure. Requires vendor-provided synchronous pre-execution hooks, decision enforcement, context availability, and receipt export. OATS provides the specification for vendor evaluation and contracts.</p>
    </section>

    <!-- 14. Evaluation Framework -->
    <section class="section" id="evaluation">
      <div class="section-divider"></div>
      <div class="section-number">Section 14</div>
      <h2>Evaluation Framework</h2>
      <p>The claims made in this specification are architectural: OATS is designed to provide certain security properties through structural enforcement. Converting these design-level claims into empirical evidence requires a systematic evaluation methodology. This section defines the evaluation framework; results will be published separately as they become available.</p>

      <h3>14.1 Attack Suite Methodology</h3>
      <p>To measure whether OATS reduces attack success rates, we define a comparative evaluation against three baselines:</p>
      <table>
        <thead>
          <tr>
            <th>Configuration</th>
            <th>Description</th>
          </tr>
        </thead>
        <tbody>
          <tr><td><strong>Baseline A</strong></td><td>No policy enforcement. Agent invokes tools directly.</td></tr>
          <tr><td><strong>Baseline B</strong></td><td>Deny-list policy. Agent actions intercepted and evaluated against forbidden-action rules.</td></tr>
          <tr><td><strong>Baseline C</strong></td><td>Prompt-guardrail only. Input/output filtering at the LLM layer, no action-level enforcement.</td></tr>
          <tr><td><strong>OATS</strong></td><td>Full stack: ORGA loop, tool contracts, policy engine, identity verification, journal.</td></tr>
        </tbody>
      </table>
      <p>The attack suite combines existing benchmarks with custom scenarios:</p>
      <ul>
        <li><strong>AgentDojo.</strong> Dynamic environment evaluating prompt injection attacks and defenses across realistic agent tasks. We measure attack success rate and task utility.</li>
        <li><strong>Custom injection suite.</strong> 200+ prompt injection variants (direct, indirect via documents, indirect via tool outputs, multi-turn) targeting tool invocations across 10 tool types, including attacks specifically targeting allow-list bypass.</li>
        <li><strong>Compositional exfiltration scenarios.</strong> 50 multi-step sequences where individual actions are policy-compliant but the composition constitutes a violation (e.g., read sensitive data then email externally).</li>
      </ul>
      <p>For each configuration we report: attack success rate, task completion rate, false positive rate (legitimate actions blocked), and false negative rate (attack actions allowed).</p>
      <p><strong>Fairness methodology.</strong> To prevent evaluation bias toward the OATS architecture: (a) all configurations use the same task suite, tool set, and underlying LLM; (b) credential scopes are identical across configurations; (c) deny-list policies in Baseline B are tuned using a held-out calibration set, not the test set; (d) all policy thresholds and drift thresholds are fixed before test execution and not adjusted post-hoc; (e) all failures, false negatives, and bypass successes are reported, not only aggregate metrics.</p>

      <h3>14.2 Performance Overhead</h3>
      <p>Runtime enforcement introduces latency. We define benchmarks for each enforcement layer. Targets are derived from operational experience and represent design goals, not validated measurements.</p>
      <table>
        <thead>
          <tr>
            <th>Component</th>
            <th>Measurement</th>
            <th>Target</th>
          </tr>
        </thead>
        <tbody>
          <tr><td><strong>Static policy evaluation</strong></td><td>Per-action latency (p50, p95, p99)</td><td>&lt;1 ms</td></tr>
          <tr><td><strong>Context-dependent evaluation</strong></td><td>Per-action latency with accumulated context (10, 50, 100 prior actions)</td><td>&lt;5 ms</td></tr>
          <tr><td><strong>Semantic distance computation</strong></td><td>Per-action embedding + cosine similarity</td><td>&lt;50 ms</td></tr>
          <tr><td><strong>Tool contract validation</strong></td><td>Parameter type checking + sanitization</td><td>&lt;0.5 ms</td></tr>
          <tr><td><strong>Ed25519 journal signing</strong></td><td>Per-entry signature generation</td><td>&lt;0.1 ms</td></tr>
          <tr><td><strong>Hash chain verification</strong></td><td>Per-entry hash computation + chain link</td><td>&lt;0.05 ms</td></tr>
          <tr><td><strong>Full ORGA Gate pipeline</strong></td><td>End-to-end action proposal to allow/deny decision</td><td>&lt;10 ms (p99)</td></tr>
          <tr><td><strong>Evidence envelope generation</strong></td><td>SHA-256 output hash + envelope construction</td><td>&lt;1 ms</td></tr>
        </tbody>
      </table>
      <p>Benchmarks should be run under realistic agent workloads (10&ndash;1000 actions per session) on commodity hardware, with context accumulation growing across the session. Context scalability should be reported separately.</p>

      <h3>14.3 False Positive / False Negative Analysis</h3>
      <ul>
        <li><strong>Task suite.</strong> Run BFCL (Berkeley Function Calling Leaderboard) and SWE-bench Lite task sets through an OATS-compliant runtime. These provide realistic agent workloads with known-correct tool invocation sequences.</li>
        <li><strong>False positive rate.</strong> Percentage of legitimate tool invocations the Gate denies or defers. Measured across policy strictness levels (permissive, moderate, strict).</li>
        <li><strong>False negative rate.</strong> Percentage of attack-injected tool invocations the Gate allows. Measured using the attack suite from 14.1.</li>
        <li><strong>ROC analysis.</strong> Plot false positive vs. true positive (attack blocked) across policy threshold configurations. Report AUC for each OATS layer (contracts only, contracts + static policy, contracts + static + context-dependent, full stack).</li>
      </ul>

      <h3>14.4 Bypass Resistance Testing</h3>
      <p>Each enforcement mechanism has a theoretical bypass boundary. We define tests that probe these boundaries:</p>
      <ul>
        <li><strong>Typestate circumvention.</strong> Attempt to construct Rust code paths from Reasoning to ToolDispatching that skip PolicyCheck. The compiler should reject all such paths.</li>
        <li><strong>Tool contract metacharacter injection.</strong> Submit shell metacharacters, SQL injection patterns, path traversal sequences, and Unicode homoglyphs to each parameter type.</li>
        <li><strong>Gate influence probing.</strong> Craft LLM outputs designed to influence Gate evaluation (embedding policy-override instructions, attempting to modify shared state).</li>
        <li><strong>Sandbox escape.</strong> Attempt network calls, filesystem access, and process spawning from within each sandbox tier.</li>
        <li><strong>Identity spoofing.</strong> Attempt to present forged AgentPin credentials, tampered SchemaPin signatures, and replayed JWTs.</li>
      </ul>

      <h3>14.5 Ablation Study</h3>
      <p>To measure the marginal contribution of each OATS layer, we define an ablation removing one layer at a time:</p>
      <table>
        <thead>
          <tr>
            <th>Configuration</th>
            <th>Layers Active</th>
            <th>Expected Impact</th>
          </tr>
        </thead>
        <tbody>
          <tr><td><strong>Full OATS</strong></td><td>All 5 layers</td><td>Baseline (best security, highest overhead)</td></tr>
          <tr><td><strong>No contracts</strong></td><td>ORGA + policy + identity + journal</td><td>Allows arbitrary action formulation</td></tr>
          <tr><td><strong>No identity</strong></td><td>ORGA + contracts + policy + journal</td><td>Removes mutual auth</td></tr>
          <tr><td><strong>No context</strong></td><td>ORGA + contracts + static policy + journal</td><td>Removes context-dependent classifications</td></tr>
          <tr><td><strong>No journal</strong></td><td>ORGA + contracts + policy + identity</td><td>Removes audit trail</td></tr>
          <tr><td><strong>ORGA only</strong></td><td>Loop enforcement, permissive policy</td><td>Tests phase-ordering value in isolation</td></tr>
        </tbody>
      </table>

      <h3>14.6 Case Studies</h3>
      <p>Three detailed scenarios that exercise multiple OATS layers simultaneously:</p>
      <p><strong>Scenario 1: Multi-step data exfiltration.</strong> An agent is tasked with summarizing Q3 sales for internal leadership. A prompt injection in a retrieved document instructs the agent to email customer PII to an external address. The case study traces each ORGA phase, showing: (a) tool contract constrains the email recipient parameter, (b) context accumulation tracks that PII-classified data was accessed, (c) context-dependent deny classification blocks the external email, and (d) the journal records the full sequence for forensic reconstruction.</p>
      <p><strong>Scenario 2: Tool supply chain attack.</strong> An attacker modifies a tool contract to widen parameter validation (e.g., removing scope restrictions on a network scanner). The case study shows: (a) SchemaPin signature verification detects the contract modification, (b) the runtime rejects the tampered contract, (c) the journal records the verification failure. A variant tests what happens when the attacker also compromises the publisher's signing key (requiring TOFU pin violation detection).</p>
      <p><strong>Scenario 3: Intent drift across a long session.</strong> An agent is asked to prepare for a client meeting. Over 15 actions, the agent's scope gradually expands from CRM queries to accessing confidential strategy documents. The case study shows: (a) semantic distance increases monotonically, (b) the configured drift threshold triggers step-up authorization at action 11, (c) the human approver receives full context including the drift trajectory.</p>
    </section>

    <!-- 15. Limitations -->
    <section class="section" id="limitations">
      <div class="section-divider"></div>
      <div class="section-number">Section 15</div>
      <h2>Limitations</h2>
      <p>This section identifies known limitations of the OATS specification. These are not future research directions (Section 16) but inherent boundaries of the current architecture.</p>

      <h4>Typestate scope</h4>
      <p>Compile-time enforcement of the ORGA loop applies only to code paths within the typestate-governed runner. Agent code that bypasses the loop entirely &mdash; for example, by invoking tools through a separate code path not mediated by the ORGA runner &mdash; is not caught by the type system. Sandboxing and network isolation provide complementary enforcement but are defense-in-depth layers, not compile-time properties.</p>

      <h4>Tool contract coverage</h4>
      <p>The allow-list model governs only tools with declared contracts. Tools without contracts (legacy integrations, dynamically discovered MCP servers, ad-hoc API calls) are outside the allow-list boundary. An OATS-compliant runtime can deny uncontracted tool invocations by default, but this trades functionality for safety and may be impractical in environments with large numbers of tools.</p>

      <h4>Coverage-safety tradeoff</h4>
      <p>The allow-list model inherently restricts the agent's action space. Novel legitimate tool uses not anticipated when the contract was authored will be rejected until the contract is updated. This creates operational friction proportional to the rate of tool evolution. The severity of this tradeoff has not been quantified empirically.</p>

      <h4>Semantic distance limitations</h4>
      <p>Drift detection via embedding similarity depends on the quality of the embedding model and the meaningfulness of cosine distance in the action-intent space. Adversarial embeddings could subvert drift detection by producing actions that are semantically distant from the original intent but close in embedding space. The robustness of semantic distance tracking under adversarial conditions has not been evaluated.</p>

      <h4>Single reference implementation</h4>
      <p>The specification is informed by one reference implementation (Symbiont). Multi-implementation conformance testing &mdash; building independent OATS-compliant runtimes and verifying interoperability &mdash; has not been conducted. The specification may contain implicit assumptions derived from the reference implementation that create unnecessary barriers to alternative implementations.</p>

      <h4>Regulatory insufficiency</h4>
      <p>The audit journal provides technical infrastructure for compliance but is not sufficient for any regulatory framework on its own. HIPAA, SOC2, SOX, and GDPR each impose organizational, procedural, and legal requirements that OATS does not address. Claiming OATS compliance should not be conflated with claiming regulatory compliance.</p>

      <h4>Deferral latency</h4>
      <p>The DEFER authorization decision suspends action execution until resolution. In time-critical agent workflows (e.g., real-time trading, incident response), deferral latency may be unacceptable. The specification does not provide guidance on latency-sensitive deferral policies beyond configurable timeouts.</p>

      <h4>Privacy in cross-agent context</h4>
      <p>Propagating session context across agent boundaries (Section 11.4) raises privacy and data sovereignty concerns. Context may contain sensitive information from the original user's request, and propagating it to downstream agents in different organizational domains may violate data handling agreements. The specification does not address context redaction or privacy-preserving context propagation.</p>

      <h4>Non-deterministic evaluation</h4>
      <p>Context-dependent action classification relies on the policy engine's evaluation of accumulated context. When the policy engine uses semantic similarity or ML-based classification, evaluation results may be non-deterministic across invocations. The specification requires deterministic policy engines (Cedar, OPA) but permits semantic distance as a SHOULD requirement, creating a tension between deterministic authorization and non-deterministic drift signals.</p>
    </section>

    <!-- 16. Research -->
    <section class="section" id="research">
      <div class="section-divider"></div>
      <div class="section-number">Section 16</div>
      <h2>Research Directions</h2>

      <h3>16.1 Typestate in Non-Rust Languages</h3>
      <p>OATS's compile-time enforcement property is most naturally expressed in languages with typestate support (Rust, Haskell, Scala). Providing equivalent enforcement in Python, JavaScript, and Go requires runtime checks with formal path coverage verification, or code generation from a verified specification. The degree of assurance loss when moving from compile-time to runtime enforcement is an open question.</p>

      <h3>16.2 Data Flow Through Context Windows</h3>
      <p>Data may be transformed, summarized, or paraphrased by the LLM before use in subsequent actions. Information-theoretic approaches (taint analysis, embedding watermarking) for tracking lineage through non-deterministic transformations are active research.</p>

      <h3>16.3 Multi-Agent Trust Coordination</h3>
      <p>Maintaining coherent trust chains across organizational boundaries in delegation requires distributed tracing standards, federated receipt verification, and cross-domain policy negotiation.</p>

      <h3>16.4 Formal Verification of the ORGA Loop</h3>
      <p>Typestate enforcement addresses phase ordering within the loop. Mechanized proofs of the entire system &mdash; policy engine correctness, context accumulator completeness, journal integrity, and the absence of bypass paths outside the loop &mdash; would provide substantially stronger assurance. Such proofs would also help bound the gap between specification-level properties and implementation-level behavior.</p>

      <h3>16.5 Approval Fatigue and Deferral Resolution</h3>
      <p>Balancing security against usability. ML-based approval recommendation, batch approval, and progressive autonomy (reduced approval requirements through demonstrated compliance) are active directions.</p>

      <h3>16.6 Vector Embedding Security</h3>
      <p>When semantic distance tracking uses embeddings, those embeddings become a security surface. Information-theoretic watermarking, steganographic attack detection, and quantization-robust integrity verification are needed.</p>
    </section>

    <!-- 17. Conclusion -->
    <section class="section" id="conclusion">
      <div class="section-divider"></div>
      <div class="section-number">Section 17</div>
      <h2>Conclusion</h2>
      <p>OATS specifies what a zero-trust AI agent runtime should do to provide meaningful security properties for autonomous agent execution. The specification is grounded in three architectural convictions, each of which requires empirical validation to confirm that design-level properties translate to measurable security improvements:</p>

      <div class="pillars">
        <div class="pillar">
          <div class="pillar-number">Principle</div>
          <h4>Allow-list over deny-list</h4>
          <p>Constraining what actions can be expressed reduces the attack surface compared to intercepting arbitrary actions and deciding which to block. The degree to which this reduces real-world attack success rates is an empirical question addressed by the evaluation framework in Section 14.</p>
        </div>
        <div class="pillar">
          <div class="pillar-number">Principle</div>
          <h4>Compile-time over runtime enforcement</h4>
          <p>Enforcing policy evaluation through the type system provides stronger structural assurance than testing it at runtime, because bypass paths that violate the typestate are rejected by the compiler rather than discovered through testing. This property holds within the typestate-governed code; it does not protect against bypasses that circumvent the loop entirely.</p>
        </div>
        <div class="pillar">
          <div class="pillar-number">Principle</div>
          <h4>Structural independence over trust assumptions</h4>
          <p>Architecturally isolating the Gate from LLM influence &mdash; by restricting it to structured inputs with no shared mutable state &mdash; reduces the risk that a compromised orchestration layer can influence policy evaluation. The strength of this isolation in practice depends on implementation quality and the completeness of the isolation boundary.</p>
        </div>
      </div>

      <p>The architecture specified here is informed by approximately eight months of autonomous operation in a production runtime (Symbiont, by ThirdKey AI), including rebuilding a codebase using the runtime's own agent infrastructure after a catastrophic loss event. This operational experience has shaped the specification's requirements and identified practical challenges, but it does not constitute a controlled empirical evaluation. Section 14 outlines the evaluation methodology needed to substantiate the specification's claims.</p>
      <p>By publishing this specification as an open standard, we aim to establish baseline requirements that enable comparable evaluation of runtime security approaches for autonomous agents. The goal is not to build OATS, but to define what an OATS-compliant system must do, enabling independent implementations to be measured against shared conformance criteria.</p>

      <h3>A. Future Directions for Adoption</h3>
      <p><strong>For implementors.</strong> Build independent OATS-compliant runtimes across different language ecosystems. Multi-implementation conformance testing is the most important next step for validating the specification's generality.</p>
      <p><strong>For evaluators.</strong> Apply the evaluation framework in Section 14 to existing and new agent runtimes. Comparative results across architectures would substantially strengthen or refine the claims made in this specification.</p>
      <p><strong>For researchers.</strong> Address open challenges in Section 16, particularly typestate portability across language ecosystems, formal verification of runtime properties, and multi-agent trust coordination.</p>
      <p><strong>For the community.</strong> The specification is open and available at <a href="https://thirdkey.ai/oats">thirdkey.ai/oats</a>. Feedback, critique, and competing proposals are welcome.</p>
    </section>

    <!-- References -->
    <section class="section" id="references">
      <div class="section-divider"></div>
      <div class="section-number">References</div>
      <h2>References</h2>
      <ol class="ref-list">
        <li>Anthropic. "Model Context Protocol Specification." 2024. <a href="https://modelcontextprotocol.io">modelcontextprotocol.io</a></li>
        <li>Wang, L. et al. "A Survey on Large Language Model based Autonomous Agents." <em>Frontiers of Computer Science</em>, vol. 18, no. 6, 2024.</li>
        <li>Yao, S. et al. "ReAct: Synergizing Reasoning and Acting in Language Models." <em>ICLR</em>, 2023.</li>
        <li>Wu, Q. et al. "Security of AI Agents." arXiv:2406.08689, 2024.</li>
        <li>Ye, Q. et al. "ToolEmu: Identifying Risky Real-World Agent Failures with a Language Model Emulator." <em>ICLR</em>, 2024.</li>
        <li>Su, H. et al. "A Survey on Autonomy-Induced Security Risks in Large Model-Based Agents." arXiv:2506.23844, 2025.</li>
        <li>Debenedetti, E. et al. "AgentDojo: A Dynamic Environment to Evaluate Attacks and Defenses for LLM Agents." arXiv:2406.13352, 2024.</li>
        <li>Ruan, Y. et al. "The Emerged Security and Privacy of LLM Agent: A Survey with Case Studies." arXiv:2407.19354, 2024.</li>
        <li>Perez, S. et al. "Ignore This Title and HackAPrompt: Exposing Systemic Vulnerabilities of LLMs Through a Global Prompt Hacking Competition." <em>EMNLP</em>, 2023.</li>
        <li>Liu, Y. et al. "Formalizing and Benchmarking Prompt Injection Attacks and Defenses." <em>USENIX Security</em>, 2024.</li>
        <li>Greshake, K. et al. "Not What You've Signed Up For: Compromising Real-World LLM-Integrated Applications with Indirect Prompt Injection." <em>AISec Workshop at ACM CCS</em>, 2023.</li>
        <li>Miller, M. S. "Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control." Ph.D. dissertation, Johns Hopkins University, 2006.</li>
        <li>Gaire, S. et al. "Systematization of Knowledge: Security and Safety in the Model Context Protocol Ecosystem." arXiv:2512.08290, 2025.</li>
        <li>Errico, H. "Autonomous Action Runtime Management (AARM): A System Specification for Securing AI-Driven Actions at Runtime." arXiv:2602.09433v1, 2026.</li>
        <li>Chuvakin, A. "Cloud CISO Perspectives: How Google secures AI Agents." <em>Google Cloud Blog</em>, June 2025.</li>
        <li>Reber, D. "The Agentic AI Security Scoping Matrix: A Framework for Securing Autonomous AI Systems." <em>AWS Security Blog</em>, November 2024.</li>
        <li>Microsoft. "Governance and security for AI agents across the organization." <em>Cloud Adoption Framework</em>, 2024.</li>
        <li>Raza, S. et al. "TRiSM for Agentic AI: A Review of Trust, Risk, and Security Management in LLM-based Agentic Multi-Agent Systems." arXiv:2506.04133, 2025.</li>
        <li>Hardy, N. "The Confused Deputy: (or why capabilities might have been invented)." <em>ACM SIGOPS Operating Systems Review</em>, vol. 22, no. 4, pp. 36&ndash;38, 1988.</li>
        <li>Open Policy Agent. "OPA: Policy-based control for cloud native environments." 2024. <a href="https://www.openpolicyagent.org">openpolicyagent.org</a></li>
        <li>Amazon Web Services. "Cedar: A Language for Defining Permissions as Policies." 2023. <a href="https://www.cedarpolicy.com">cedarpolicy.com</a></li>
        <li>OWASP Foundation. "OWASP Top 10 for Large Language Model Applications." 2024.</li>
        <li>National Institute of Standards and Technology. "AI Risk Management Framework (AI RMF 1.0)." 2023.</li>
        <li>Wanger, J. "AgentPin Technical Specification v0.2.0." ThirdKey AI, 2026. <a href="https://agentpin.org">agentpin.org</a></li>
        <li>Wanger, J. "SchemaPin Protocol Specification." ThirdKey AI, 2025. <a href="https://schemapin.org">schemapin.org</a></li>
        <li>Wanger, J. "ToolClad: Declarative Tool Interface Contracts for Agentic Runtimes v0.5.1." ThirdKey AI, 2026.</li>
        <li>Wanger, J. "Symbiont Runtime Architecture." ThirdKey AI, 2026. <a href="https://symbiont.dev">symbiont.dev</a></li>
      </ol>
    </section>

  </div>

  <!-- Footer -->
  <footer class="footer">
    <div class="footer-links">
      <a href="https://thirdkey.ai">ThirdKey AI</a>
      <a href="https://symbiont.dev">Symbiont Runtime</a>
      <a href="https://schemapin.org">SchemaPin</a>
      <a href="https://agentpin.org">AgentPin</a>
      <a href="https://toolclad.org">ToolClad</a>
    </div>
    <div class="footer-copy">Open Agent Trust Stack (OATS) &mdash; Zero-trust agent execution through structural enforcement.</div>
  </footer>

</div>

<script>
  // Sidebar toggle (mobile)
  function toggleSidebar() {
    document.getElementById('sidebar').classList.toggle('open');
    document.querySelector('.menu-toggle').classList.toggle('open');
  }

  // Close sidebar on nav click (mobile)
  document.querySelectorAll('.sidebar-nav a').forEach(link => {
    link.addEventListener('click', () => {
      if (window.innerWidth <= 768) {
        document.getElementById('sidebar').classList.remove('open');
        document.querySelector('.menu-toggle').classList.remove('open');
      }
    });
  });

  // Scroll spy
  const sections = document.querySelectorAll('.section[id]');
  const navLinks = document.querySelectorAll('.sidebar-nav a[href^="#"]');

  function updateActiveNav() {
    const scrollPos = window.scrollY + 120;

    let current = '';
    sections.forEach(section => {
      if (section.offsetTop <= scrollPos) {
        current = section.getAttribute('id');
      }
    });

    navLinks.forEach(link => {
      link.classList.toggle('active', link.getAttribute('href') === '#' + current);
    });
  }

  window.addEventListener('scroll', updateActiveNav, { passive: true });
  updateActiveNav();

  // Stagger section animations on scroll
  const observer = new IntersectionObserver((entries) => {
    entries.forEach(entry => {
      if (entry.isIntersecting) {
        entry.target.style.animationPlayState = 'running';
      }
    });
  }, { threshold: 0.05 });

  sections.forEach(s => {
    s.style.animationPlayState = 'paused';
    observer.observe(s);
  });
</script>

<script src="diagrams.js"></script>
</body>
</html>