AIKernel.NET
version: 0.0.2 / status: Refactor / edition: Draft / published: 2026-05-16 / updated: 2026-05-16

Signed Prompt Governance Workflow

Defines the fail-closed verification sequence and governance structure for prompts, constraints, and pipeline configurations.

1. Goal

In LLM applications, prompts effectively carry code-level execution authority. AIKernel treats prompts as signed artifacts, not plain text, to provide:

  • Strict execution authorization: only approved and signed prompt artifacts are executable.
  • Tamper detection: prompt or constraint modifications during storage/transfer are blocked immediately.
  • Enterprise auditability: who approved which intent and when is provable through cryptographic trust chains.

2. Actors and Responsibilities

2.1 IPromptRepository

  • Responsibility: store and serve signed prompt artifacts (Markdown + YAML metadata).
  • Note: integrates with Git or secure DBs for versioned artifact loading.

2.2 IPromptSignatureProvider

  • Responsibility: generate and verify digital signatures using PKI-like trust infrastructure.

2.3 IPromptHashCalculator

  • Responsibility: compute canonical hashes from prompt text, constraints, and pipeline structure.

2.4 IPromptVerifier

  • Responsibility: verify artifact integrity and tamper absence.

2.5 IPromptValidator

  • Responsibility: validate signer authorization, expiry window, and execution scope policy.

2.6 ISignatureTrustStore

  • Responsibility: resolve trust-anchor state (trusted signer list, key revocation, certificate validity) and provide it to IPromptVerifier / IPromptValidator.

3. Verification Sequence (Detailed)

sequenceDiagram\n    participant App as Application / KernelHost\n    participant Rep as IPromptRepository\n    participant Ver as IPromptVerifier\n    participant Val as IPromptValidator\n    participant Exec as ExecutionPipeline\n\n    App->>Rep: Load Artifact (ID: "OrderProcessing")\n    Rep-->>App: Return Signed Artifact (Content + Hash + Sig)\n    \n    App->>Ver: VerifyIntegrity(Artifact)\n    Note over Ver: Compute Hash and Check Signature\n    Ver-->>App: Integrity OK / Fail\n    \n    App->>Val: ValidatePolicy(Artifact, CurrentContext)\n    Note over Val: Check Signer Trust and Expiry and Scope\n    Val-->>App: Policy OK / Fail\n\n    alt Success\n        App->>Exec: Unfreeze and Execute\n    else Failure\n        App->>App: Abort and Emit Audit Log (Security Event)\n    end

4. Rejection Triggers

Execution is denied if any of the following is true.

  1. Missing Signature: artifact lacks signature field.
  2. Hash Mismatch: recomputed prompt hash differs from signed hash.
  3. Untrusted Signer: signer certificate is not in trusted signer registry.
  4. Scope Violation: signed scope (for example Read-Only) conflicts with requested operation (for example Delete).
  5. Expiration: expires_at has passed.

5. Fail-Closed Rule

AIKernel governance follows "when in doubt, stop."

  • Indeterminate State: auth server outage or verifier exception yields Deny.
  • No Fallback: no warning-and-continue mode is allowed.
  • Signature Mandatory for Production: unsigned prompt loading is disabled in production environments.

6. Artifact Example (Markdown and YAML)

---\nversion: 1.0.2\nid: "task-analyzer"\nsigner: "governance-team-01"\nhash_alg: "SHA256"\nhash: "a1b2c3d4..."\nsignature: "MEUCIQ..."\npolicy:\n  max_token_budget: 4000\n  allowed_tools: ["search", "calculator"]\n---\n# Task Analyzer\n...prompt body...

Changelog

  • v0.0.0 / v0.0.0.0: Initial draft
  • v0.0.1 (2026-05-06): Version upgrade aligned with documentation guidelines
Source: architecture/14.SIGNED_PROMPT_GOVERNANCE_WORKFLOW.md