02. Signed Prompt Governance Spec
1. Purpose
Define a fail-closed governance contract that allows execution only for signed prompts. This spec also guarantees deterministic governance decisions and structurally prevents AI self-approval (hallucinated approval).
2. Scope
IPromptRepositoryIPromptVerifierIPromptSignatureProviderISignatureTrustStoreIPromptValidator
3. Normative Requirements
3.1 Deterministic PDP Requirement
SGS-PDP-001Policy Decision Point (PDP) MUST be implemented only with deterministic code (algorithms).SGS-PDP-002Governance decisions (Allow/Deny/Indeterminate) MUST NOT involve LLM inference either directly or indirectly.SGS-PDP-003LLM-generated approval text or justification completion MUST NOT be used as decision evidence.
3.2 General Requirements
SGS-001Artifacts without signatures MUST be rejected.SGS-002IPromptVerifierMUST verify hash integrity.SGS-003ISignatureTrustStoreMUST evaluate signer trust and revocation.SGS-004IPromptValidatorMUST validate expiry and scope.SGS-005Canonical Signing Payload: Signatures MUST be generated over a canonical semantic snapshot of ROMentity.id,version,policy, and prompt body.SGS-006Validation of Trust Chain:ISignatureTrustStoreMUST prove that the signing key is approved by a valid issuer and not revoked at execution time.SGS-007Dynamic Scope Binding:IPromptValidatorMUST verify immediately before execution that policy constraints (allowed_tools,max_token_budget, scopes) are within current runtime context (permissions and budget).
4. Fail-Closed
SGS-F000Non-Deterministic Governance Rejection: If non-deterministic elements (for example LLM invocation) are detected in the PDP decision path, the system MUST immediately returnDeny.SGS-F001Indeterminate decisions are treated asDeny.SGS-F002Verification infrastructure failures abort execution.SGS-F003Warning-only fallback execution mode is prohibited.SGS-F004Temporal Integrity Violation: Reject loading whencreated_atis in the future orexpires_athas elapsed by even one second.SGS-F005Trusted Anchor Unreachability: IfISignatureTrustStorequery times out or fails, treat asIndeterminate(effectivelyDeny) and block execution.
5. Anti-Pattern: Hallucinated Approval
Definition: The system incorrectly accepts LLM-generated text or reasoning steps as a valid approval decision.
Status: Forbidden anti-pattern.
Handling: If reasoning intervention is detected in PDP implementation, emit audit event GovernanceViolation.HallucinatedApproval and force execution block.
6. Acceptance Criteria
- AC1: Unsigned artifacts are non-executable.
- AC2: Implementations that embed LLM into governance logic are rejected at test phase.
- AC3: Execution is allowed only with valid signature and scope.
- AC4: TrustStore unreachability always resolves to
Denyon the safe side.
7. Artifact Anatomy (ROM/YAML Structure)
Signed prompts are stored in IPromptRepository using the following structure.
---\n# Identity & Logic\nid: "logic.analyser.core"\nversion: "2.1.0"\ntype: "kernel.signed_prompt"\n\n# Policy & Constraints\npolicy:\n trust_level_required: 0.9\n allowed_providers: ["[[provider.secure_llm]]"]\n scopes: ["read:financial_data", "write:audit_log"]\n\n# Governance & Signature\ngovernance:\n issuer: "ai-kernel@tkysoftware.xsrv.jp"\n signer_id: "gov-officer-01"\n hash_alg: "SHA256"\n hash: "sha256:7f8e9a1b..."\n signature: "MEYCIQ... (ECDSA/RSA Signature)"\n---\n# Prompt Body (ROM Format)\n## Task: Analyze Financial Statements\n* [constraint]: Do not disclose PII.\n* [reference]: [[material.latest_report]]
8. Governance Workflow
IPromptVerifier validates prompt legitimacy in the following sequence.
- Format Validation
- Integrity Check
- Signature Authentication
- Trust Resolution
- Policy Authorization
- Unfreezing
Confirm required YAML fields (id, hash, signature).
Canonicalize ROM body and verify hash integrity.
Use IPromptSignatureProvider to verify signature provenance.
Use ISignatureTrustStore to confirm signer trust and non-revoked key state.
Use deterministic PDP to validate policy against runtime constraints (budget/permissions/scopes).
Only after all checks pass, expand into Orchestration and allow execution.
Changelog
- v0.0.0 / v0.0.0.0: Initial draft
- v0.0.1 (2026-05-06): Version upgrade aligned with documentation guidelines
specs/02.SIGNED_PROMPT_GOVERNANCE_SPEC.md