Signed Prompt Governance Workflow
Defines the fail-closed verification sequence and governance structure for prompts, constraints, and pipeline configurations.
1. Goal
In LLM applications, prompts effectively carry code-level execution authority. AIKernel treats prompts as signed artifacts, not plain text, to provide:
- Strict execution authorization: only approved and signed prompt artifacts are executable.
- Tamper detection: prompt or constraint modifications during storage/transfer are blocked immediately.
- Enterprise auditability: who approved which intent and when is provable through cryptographic trust chains.
2. Actors and Responsibilities
2.1 IPromptRepository
- Responsibility: store and serve signed prompt artifacts (Markdown + YAML metadata).
- Note: integrates with Git or secure DBs for versioned artifact loading.
2.2 IPromptSignatureProvider
- Responsibility: generate and verify digital signatures using PKI-like trust infrastructure.
2.3 IPromptHashCalculator
- Responsibility: compute canonical hashes from prompt text, constraints, and pipeline structure.
2.4 IPromptVerifier
- Responsibility: verify artifact integrity and tamper absence.
2.5 IPromptValidator
- Responsibility: validate signer authorization, expiry window, and execution scope policy.
2.6 ISignatureTrustStore
- Responsibility: resolve trust-anchor state (trusted signer list, key revocation, certificate validity) and provide it to
IPromptVerifier/IPromptValidator.
3. Verification Sequence (Detailed)
sequenceDiagram\n participant App as Application / KernelHost\n participant Rep as IPromptRepository\n participant Ver as IPromptVerifier\n participant Val as IPromptValidator\n participant Exec as ExecutionPipeline\n\n App->>Rep: Load Artifact (ID: "OrderProcessing")\n Rep-->>App: Return Signed Artifact (Content + Hash + Sig)\n \n App->>Ver: VerifyIntegrity(Artifact)\n Note over Ver: Compute Hash and Check Signature\n Ver-->>App: Integrity OK / Fail\n \n App->>Val: ValidatePolicy(Artifact, CurrentContext)\n Note over Val: Check Signer Trust and Expiry and Scope\n Val-->>App: Policy OK / Fail\n\n alt Success\n App->>Exec: Unfreeze and Execute\n else Failure\n App->>App: Abort and Emit Audit Log (Security Event)\n end
4. Rejection Triggers
Execution is denied if any of the following is true.
- Missing Signature: artifact lacks
signaturefield. - Hash Mismatch: recomputed prompt hash differs from signed hash.
- Untrusted Signer: signer certificate is not in trusted signer registry.
- Scope Violation: signed scope (for example Read-Only) conflicts with requested operation (for example Delete).
- Expiration:
expires_athas passed.
5. Fail-Closed Rule
AIKernel governance follows "when in doubt, stop."
- Indeterminate State: auth server outage or verifier exception yields
Deny. - No Fallback: no warning-and-continue mode is allowed.
- Signature Mandatory for Production: unsigned prompt loading is disabled in production environments.
6. Artifact Example (Markdown and YAML)
---\nversion: 1.0.2\nid: "task-analyzer"\nsigner: "governance-team-01"\nhash_alg: "SHA256"\nhash: "a1b2c3d4..."\nsignature: "MEUCIQ..."\npolicy:\n max_token_budget: 4000\n allowed_tools: ["search", "calculator"]\n---\n# Task Analyzer\n...prompt body...
Changelog
- v0.0.0 / v0.0.0.0: Initial draft
- v0.0.1 (2026-05-06): Version upgrade aligned with documentation guidelines
Source:
architecture/14.SIGNED_PROMPT_GOVERNANCE_WORKFLOW.md