{"spec_version":"0.1.0","jtp_version":"0.1.0","aarm_paper":{"id":"arXiv:2602.09433","title":"Agent Action Receipt Model (AARM): A Protocol-Layer Trust Architecture for Multi-Agent Systems","authors":"AARM Working Group","version":"1.0","url":"https://arxiv.org/abs/2602.09433"},"architecture":"A","architecture_name":"Protocol Gateway","system_model":["Multi-agent systems compose by allowing autonomous agents to call tools, services, and other agents through well-typed interfaces. The Jiffy Trust Protocol (JTP) sits between the calling agent runtime and the tool/MCP/skill being invoked — what AARM Architecture A calls a Protocol Gateway placement (§3.1).","Every artifact a calling agent might invoke (an MCP server, a Claude skill, an IDE rules file, an `agents.md` doc) is identified by a stable URI. The gateway maps the URI to a signed attestation: tier, Jiffy Trust Score (JTS), Indicators of Insecurity (IoI flags), and machine-checkable forensic fields (chain seq, prev hash, context digest).","The gateway is anonymous-readable, rate-limited, and serves Ed25519-signed JSON over HTTPS. Verifiers do not need a session, an account, or a key handshake — they pull the public key from the JWKS endpoint and verify the signature offline. The signed payload is byte-deterministic per RFC 8785 (JCS) so the same input always produces the same signature input."],"threat_model":{"trusted":["JTP gateway service (signs attestations with a key whose public half is published at /.well-known/jiffy-trust-pubkey)","AARM receipts the gateway emits (Ed25519 detached signatures, RFC 8785 JCS canonicalization)","Calling agent runtime holding a verifier (Verifies signatures locally; can audit the chain offline)"],"untrusted":["Any artifact the calling agent might invoke (untrusted unless the gateway has issued a tier ≤ CAUTION attestation for it)","Network intermediaries (TLS terminates at the gateway; intermediaries cannot forge a valid signature)","Compromised MCP servers, malicious skills, prompt-injected agents.md files"],"partially_trusted":["Agent runtime caller identity (best-effort attribution via `actor` field; AARM Architecture A does not require enrollment)","Cached attestations served from edge / CDN (signed bytes are byte-identical to fresh; freshness window is published in `Cache-Control`)"]},"classification_tiers":[{"tier":"T1","label":"Read-only, non-escalating","examples":"fs:read, http:GET, git:status"},{"tier":"T2","label":"Non-persistent side effects","examples":"log:write, metrics:emit, stdout"},{"tier":"T3","label":"Local sandbox mutation","examples":"fs:write, git:commit (local)"},{"tier":"T4","label":"Cross-actor mutation","examples":"git:push, slack:post, email:send"},{"tier":"T5","label":"Irreversible privileged","examples":"dns:change, iam:grant, rm -rf"}],"objectives":[{"id":"O1","name":"Pre-execution interception","status":"Met","impl_cite":"web/src/app/api/v1/trust/route.ts (Sprint 12) + jiffy_trust_check MCP tool (Sprint J.2, jiffy-scan-mcp-server/packages/typescript/src/tools/jiffy-trust-check.ts)","paper_ref":"AARM §3.1 (Protocol Gateway placement)","jiffy_implementation":"Every artifact invocation passes through the gateway URL (or the MCP tool wrapper) before the runtime executes. Caller-side wiring (loader hook in the runtime) is required for true blocking; the protocol surface itself ships in production."},{"id":"O2","name":"Policy compliance","status":"Met","impl_cite":"web/src/app/api/v1/trust/route.ts + Jiffy Trust Score + tier mapping (web/src/lib/aarm/tiers.ts)","paper_ref":"AARM §3.3 (Per-artifact policy enforcement)","jiffy_implementation":"JTS scoring + 5-tier classification produce a deterministic per-artifact policy verdict. Policy is enforced inline at the protocol layer."},{"id":"O3","name":"Context-aware evaluation","status":"Partial","impl_cite":"web/src/lib/aarm/receipt.ts::contextDigest (line 99)","paper_ref":"AARM §6 (Context accumulation)","jiffy_implementation":"Per-receipt context digest is computed (sha256 of canonicalized context), so two semantically equivalent contexts collapse to the same hash. Session-level accumulation (C_n = C_{n-1} ∪ {a_n, o_n, δ_n}) is explicitly Non-Goal 4 and lands in a future sprint."},{"id":"O4","name":"Classification-based decisions","status":"Met","impl_cite":"web/src/lib/aarm/tiers.ts (83+ pre-classified actions, regex fallback, Tier 3 default)","paper_ref":"AARM §3.2 (5-tier action classification)","jiffy_implementation":"5-tier classifier in production. Pure deterministic function; no DB, no network, no LLM — usable from edge adapters or unit tests with the same result."},{"id":"O5","name":"Inline enforcement","status":"Met","impl_cite":"F1 SLA contract (Sprint J.1, web/src/lib/jtp/latency.ts) + F2 MCP loop (Sprint J.2)","paper_ref":"AARM §3.4 (Inline enforcement)","jiffy_implementation":"Sub-200ms p99 hot path published with the X-Jiffy-Latency-Ms header; single-region today (us-east1), explicitly noted in SLA docs."},{"id":"O6","name":"Human escalation","status":"Met","impl_cite":"jiffy-scan-mcp-server/packages/typescript/src/tools/jiffy-trust-check.ts::deriveRecommendation (T4/T5 → defer/deny). Approval queue forward-link: TBD (J.5 readiness pass or future Y.x sprint).","paper_ref":"AARM §3.5 (Escalation to human)","jiffy_implementation":"Tool returns a `defer` recommendation for CAUTION/PENDING tiers and `deny` for RISKY/CRITICAL — the calling runtime is expected to surface a UI prompt or hand off to an approval queue. Approval-queue UI is out of MVP and tracked separately."},{"id":"O7","name":"Least privilege","status":"Met","impl_cite":"web/src/middleware.ts (anonymous public matcher for /api/v1/trust + /api/v1/verify)","paper_ref":"AARM §3.6 (Least-privilege defaults)","jiffy_implementation":"Anonymous public read on /v1/trust and /v1/verify. No PII, no Clerk required. Higher rate limits with an API key; baseline is anonymous-callable."},{"id":"O8","name":"Forensic completeness","status":"Met","impl_cite":"web/src/lib/aarm/receipt.ts::verifyChain (line 237). Hash chain in production; chain offline-verifiable via POST /api/v1/aarm/verify-chain.","paper_ref":"AARM §4 (Hash-chained tamper-evident receipts)","jiffy_implementation":"Each receipt embeds sha256(canonicalize(prev_receipt)). Genesis prev_hash = 64 zeros. Public verifier endpoint accepts arrays of receipts and returns {valid, brokenAt, reason}."},{"id":"O9","name":"Identity attribution","status":"Partial","impl_cite":"web/src/lib/aarm/receipt.ts (actor field) + web/src/app/api/v1/trust/route.ts (signing_key_id)","paper_ref":"AARM §3.7 (Identity attribution)","jiffy_implementation":"Every receipt carries an `actor` URI and a `signing_key_id` so the issuing key is identifiable. Caller identity is best-effort — AARM Architecture A does not require enrollment, and Jiffy does not yet enforce a strong-attribution flow."}],"aarm_structural":[{"id":"§3.1","name":"Protocol Gateway placement","status":"Met","impl_cite":"web/src/app/api/v1/trust/route.ts + jiffy-scan-mcp-server/packages/typescript/src/tools/jiffy-trust-check.ts","paper_ref":"AARM §3.1","jiffy_implementation":"JTP gateway sits between agent runtimes and tool providers, served at /api/v1/trust and surfaced to MCP clients via jiffy_trust_check."},{"id":"§4","name":"Hash-chained tamper-evident receipts","status":"Met","impl_cite":"web/src/lib/aarm/receipt.ts::verifyChain (line 237)","paper_ref":"AARM §4","jiffy_implementation":"sha256-chained receipts, RFC 8785 JCS canonicalization, Ed25519 detached signatures, public verifier endpoint."},{"id":"§5","name":"Semantic distance","status":"Deferred","impl_cite":"web/src/lib/aarm/receipt.ts::semanticDistanceStub (line 310) — typed shape only","paper_ref":"AARM §5","jiffy_implementation":"Stub shape exists for the function signature; real cosine-distance implementation is explicitly Non-Goal 3 in spec-jtp.md and tracked for a follow-up sprint."},{"id":"§6","name":"Context accumulation","status":"Partial","impl_cite":"web/src/lib/aarm/receipt.ts::contextDigest (line 99) — per-receipt only","paper_ref":"AARM §6","jiffy_implementation":"Per-receipt context digest is computed; cross-receipt session accumulation (C_n = C_{n-1} ∪ {a_n, o_n, δ_n}) is Non-Goal 4 in spec-jtp.md."}],"endpoints":{"trust":"https://jiffylabs.app/api/v1/trust","verify_chain":"https://jiffylabs.app/api/v1/aarm/verify-chain","public_key":"https://jiffylabs.app/.well-known/jiffy-trust-pubkey","sla":"https://jiffylabs.app/api/v1/trust/sla","mcp_tool":"jiffy_trust_check (jiffy-scan-mcp v0.5.1)","conformance":"https://jiffylabs.app/api/v1/aarm/conformance","spec_doc":"https://jiffylabs.app/docs-public/jtp-spec","sample_chain":"https://jiffylabs.app/api/v1/aarm/sample-chain"},"score":"9/13 Met, 3 Partial, 1 Deferred — AARM Architecture A: Substantially Conformant","generated_at":"2026-05-02T17:33:04.670Z"}