Protocol Specification
ACP is an open specification. All 38 documents are publicly available on GitHub under an open specification license. The specification is organized into five conformance levels — implementations may adopt any level incrementally.
L1 — Core Identity · Capability · Delegation · Handshake
The minimum viable governance layer. L1 establishes cryptographic identity, scoped capability tokens, and a verifiable delegation chain from human principal to agent.
| Spec | Package | Description |
|---|---|---|
| ACP-AGENT-1.0 | pkg/agent | Agent identity, Ed25519 key pairs, institutional binding |
| ACP-CT-1.0 | pkg/ct | Capability tokens — scoped, time-bounded, signed by issuing institution |
| ACP-HP-1.0 | pkg/hp | Handshake protocol, AuthorizationDecision (permit / deny / escalate) |
| ACP-DCMA-1.1 | pkg/delegation | Delegated chain multi-agent — max depth 7 hops, no-escalation, transitive revocation |

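
The three chain rules listed for ACP-DCMA-1.1 above (max depth 7 hops, no-escalation, transitive revocation), as an added Go example that is not code from the ACP repository. The `Hop` type, its field names, the error values and `VerifyChain` are hypothetical, and the signature on each hop is assumed to have been verified already.

```go
package main

import (
	"errors"
	"fmt"
)

const MaxDepth = 7 // hop limit stated for ACP-DCMA-1.1

// Hop is a hypothetical delegation record (assumed fields, not ACP's wire format).
type Hop struct {
	ID, Delegator, Delegatee string
	Caps                     map[string]bool
}

var (
	ErrDepth      = errors.New("chain exceeds max depth")
	ErrBroken     = errors.New("delegator is not the previous delegatee")
	ErrEscalation = errors.New("hop grants a capability its parent lacks")
	ErrRevoked    = errors.New("hop revoked, descendants invalid")
)

// VerifyChain walks from the human principal to the last agent and returns that agent's capabilities.
func VerifyChain(principal string, rootCaps map[string]bool, chain []Hop, revoked map[string]bool) (map[string]bool, error) {
	if len(chain) > MaxDepth {
		return nil, ErrDepth
	}
	holder, caps := principal, rootCaps
	for i, h := range chain {
		if h.Delegator != holder {
			return nil, fmt.Errorf("hop %d: %w", i, ErrBroken)
		}
		if revoked[h.ID] { // transitive: every later hop fails with it
			return nil, fmt.Errorf("hop %d: %w", i, ErrRevoked)
		}
		for c := range h.Caps { // no-escalation: Caps must be a subset of the parent's
			if !caps[c] {
				return nil, fmt.Errorf("hop %d %q: %w", i, c, ErrEscalation)
			}
		}
		holder, caps = h.Delegatee, h.Caps
	}
	return caps, nil
}

func main() { // constructed sample: alice grants read+write, agent-1 narrows to read
	root := map[string]bool{"read": true, "write": true}
	chain := []Hop{{"d1", "alice", "agent-1", root}, {"d2", "agent-1", "agent-2", map[string]bool{"read": true}}}
	fmt.Println(VerifyChain("alice", root, chain, nil))
	fmt.Println(VerifyChain("alice", root, chain, map[string]bool{"d1": true}))
}
```

Revoking the first hop (`d1`) rejects the whole chain even though `d2` itself was never revoked, which is the transitive behaviour the table describes.
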
L2 — Security Risk · Policy
Adds a risk scoring engine and atomic policy snapshots. Every admission check is evaluated against the currently active policy — no stale parameters, no policy drift.
| Spec | Package | Description |
|---|---|---|
| ACP-RISK-1.0 | pkg/risk | Risk scoring, approve / escalate / deny decisions |
| ACP-PSN-1.0 | pkg/psn | Policy snapshots — atomic transitions, exactly one ACTIVE snapshot at all times |

L3 — Full Ledger · Execution · Liability · History
Adds an immutable audit trail, cryptographic execution tokens, and liability attribution. Every admitted action produces verifiable proof of what was authorized, by whom, and under which policy.
| Spec | Package | Description |
|---|---|---|
| ACP-LEDGER-1.3 | pkg/ledger | SHA-256 hash-chained event ledger, 12 error codes, Ed25519 signatures |
| ACP-EXEC-1.0 | pkg/exec | Execution tokens, double-spend prevention, 7 error codes |
| ACP-LIA-1.0 | pkg/lia | Liability attribution — maps outcomes to responsible institution |
| ACP-HIST-1.0 | pkg/hist | History queries — paginated access to ledger events with filters |

L4 — Extended Notify · Discovery · Bulk · Cross-Org · Payments
Production-grade operational extensions for multi-institution deployments.
| Spec | Package | Description |
|---|---|---|
| ACP-NOTIFY-1.0 | pkg/notify | Signed event notifications with subscription management and secret rotation |
| ACP-DISC-1.0 | pkg/disc | Service discovery with TTL, capability filter, and pagination |
| ACP-BULK-1.0 | pkg/bulk | Bulk operation validation — up to 100 requests per batch |
| ACP-CROSS-ORG-1.1 | pkg/crossorg | Fault-tolerant bilateral cross-organization protocol — interaction_id (UUIDv7), retry with backoff, derived status model, pending_review SLA (24h), CROSS_ORG_ACK as first-class ledger event |
| ACP-PAY-1.0 | pkg/pay | Payment governance — verification, double-spend detection, signed PaymentVerifiedEvent |

Compliance Test Suite
ACP ships 138 single-shot test vectors (73 signed L1–L4 + 65 unsigned RISK-2.0) plus 5 stateful sequence scenarios executed by the ACR-1.0 compliance runner. Any implementation claiming conformance must pass all vectors for the levels it claims to support.
[Summary cards, values not recovered: (POS + NEG) · (POS + NEG) · ACR-1.0 runner · RFC 8037 test key A]
Formal Verification
The ACP execution model is formally verified with TLC model checking. Two TLA+ modules are included: the base model (ACP.tla, v1.17) and the extended model (ACP_Extended.tla, v1.27) with cooldown temporal state, denial accumulation, delegation chain integrity, failure condition preservation, and non-degenerate admissibility enforcement. Two-agent safety was verified at the correct ledger bound (LEDGER_BOUND=11) across 4.29 billion distinct states with zero violations.
[Summary cards, values not recovered: (extended model) · incl. liveness · 2-agent · 0 violations · Java 21 · 15 workers]
Run: java -jar tla/tla2tools.jar -deadlock -config tla/ACP_Extended.cfg tla/ACP_Extended.tla
Technical Paper
The formal specification paper is available with a permanent DOI and on arXiv.