AIKernel.NET
version: 0.0.2 / status: Refactor / edition: Draft / published: 2026-05-16 / updated: 2026-05-16

02. Signed Prompt Governance Spec

1. Purpose

Define a fail-closed governance contract that allows execution only for signed prompts. This spec also guarantees deterministic governance decisions and structurally prevents AI self-approval (hallucinated approval).

2. Scope

  • IPromptRepository
  • IPromptVerifier
  • IPromptSignatureProvider
  • ISignatureTrustStore
  • IPromptValidator

3. Normative Requirements

3.1 Deterministic PDP Requirement

  • SGS-PDP-001 Policy Decision Point (PDP) MUST be implemented only with deterministic code (algorithms).
  • SGS-PDP-002 Governance decisions (Allow / Deny / Indeterminate) MUST NOT involve LLM inference either directly or indirectly.
  • SGS-PDP-003 LLM-generated approval text or justification completion MUST NOT be used as decision evidence.

3.2 General Requirements

  • SGS-001 Artifacts without signatures MUST be rejected.
  • SGS-002 IPromptVerifier MUST verify hash integrity.
  • SGS-003 ISignatureTrustStore MUST evaluate signer trust and revocation.
  • SGS-004 IPromptValidator MUST validate expiry and scope.
  • SGS-005 Canonical Signing Payload: Signatures MUST be generated over a canonical semantic snapshot of ROM entity.id, version, policy, and prompt body.
  • SGS-006 Validation of Trust Chain: ISignatureTrustStore MUST prove that the signing key is approved by a valid issuer and not revoked at execution time.
  • SGS-007 Dynamic Scope Binding: IPromptValidator MUST verify immediately before execution that policy constraints (allowed_tools, max_token_budget, scopes) are within current runtime context (permissions and budget).

4. Fail-Closed

  • SGS-F000 Non-Deterministic Governance Rejection: If non-deterministic elements (for example LLM invocation) are detected in the PDP decision path, the system MUST immediately return Deny.
  • SGS-F001 Indeterminate decisions are treated as Deny.
  • SGS-F002 Verification infrastructure failures abort execution.
  • SGS-F003 Warning-only fallback execution mode is prohibited.
  • SGS-F004 Temporal Integrity Violation: Reject loading when created_at is in the future or expires_at has elapsed by even one second.
  • SGS-F005 Trusted Anchor Unreachability: If ISignatureTrustStore query times out or fails, treat as Indeterminate (effectively Deny) and block execution.

5. Anti-Pattern: Hallucinated Approval

Definition: The system incorrectly accepts LLM-generated text or reasoning steps as a valid approval decision.

Status: Forbidden anti-pattern.

Handling: If reasoning intervention is detected in PDP implementation, emit audit event GovernanceViolation.HallucinatedApproval and force execution block.

6. Acceptance Criteria

  • AC1: Unsigned artifacts are non-executable.
  • AC2: Implementations that embed LLM into governance logic are rejected at test phase.
  • AC3: Execution is allowed only with valid signature and scope.
  • AC4: TrustStore unreachability always resolves to Deny on the safe side.

7. Artifact Anatomy (ROM/YAML Structure)

Signed prompts are stored in IPromptRepository using the following structure.

---\n# Identity & Logic\nid: "logic.analyser.core"\nversion: "2.1.0"\ntype: "kernel.signed_prompt"\n\n# Policy & Constraints\npolicy:\n  trust_level_required: 0.9\n  allowed_providers: ["[[provider.secure_llm]]"]\n  scopes: ["read:financial_data", "write:audit_log"]\n\n# Governance & Signature\ngovernance:\n  issuer: "ai-kernel@tkysoftware.xsrv.jp"\n  signer_id: "gov-officer-01"\n  hash_alg: "SHA256"\n  hash: "sha256:7f8e9a1b..."\n  signature: "MEYCIQ... (ECDSA/RSA Signature)"\n---\n# Prompt Body (ROM Format)\n## Task: Analyze Financial Statements\n* [constraint]: Do not disclose PII.\n* [reference]: [[material.latest_report]]

8. Governance Workflow

IPromptVerifier validates prompt legitimacy in the following sequence.

  1. Format Validation
  2. Confirm required YAML fields (id, hash, signature).

  3. Integrity Check
  4. Canonicalize ROM body and verify hash integrity.

  5. Signature Authentication
  6. Use IPromptSignatureProvider to verify signature provenance.

  7. Trust Resolution
  8. Use ISignatureTrustStore to confirm signer trust and non-revoked key state.

  9. Policy Authorization
  10. Use deterministic PDP to validate policy against runtime constraints (budget/permissions/scopes).

  11. Unfreezing
  12. Only after all checks pass, expand into Orchestration and allow execution.


Changelog

  • v0.0.0 / v0.0.0.0: Initial draft
  • v0.0.1 (2026-05-06): Version upgrade aligned with documentation guidelines
Source: specs/02.SIGNED_PROMPT_GOVERNANCE_SPEC.md