What AAA Is

AAA (Agent Authentication & Authorization) is the protocol layer that governs how agents identify themselves, prove their authority, and execute actions within the arifOS Federation.

AAA is not an authentication system in the traditional sense. It is a constitutional trust layer — it answers the question: "Is this agent permitted to do this thing, by whom, under what constraints?"

Authenticate — who are you? Authorize — what can you do? Account — what did you do?

The Three Layers

A.1 Identity Binding — Every agent session must be anchored to a sovereign actor. Sessions are not anonymous. A session without an actor_id is not a governed session.

A.2 Constitutional Fingerprint — Each session receives a constitution_hash + invariants_hash at boot. This proves the agent is running under the F1–F13 floors, not a stripped-down variant.

A.3 Tool Surface Declaration — Every agent must declare its tool surface before execution begins. The tool surface is what the agent can call, not what it will call.

A.4 Auditable Execution Trace — Every action that touches the filesystem, network, or secrets must be logged to VAULT999 with actor_id, session_id, and a constitutional chain reference.

Authorization Model

1. Session Init: Agent calls arif_session_init with actor_id. Receives constitution_hash, session_id, and next_allowed_tools.

2. Tool Request: Agent requests a tool. The arifOS kernel checks: is this tool in next_allowed_tools? Has the session been compromised?

3. Constitutional Floor Check: The tool call passes through F1–F13. F1 (Amanah) and F11 (Audit) are hard gates. Others are soft warnings unless F13 Sovereign overrides.

4. Verdict: APEX 888_JUDGE returns SEAL (approved), SABAR (conditional), HOLD (paused for human), or VOID (rejected).

5. Seal to Vault: SEAL verdicts are anchored to VAULT999. Irreversible actions require explicit human ack via ctx elicitation.
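The four layers (A.1–A.4) and the five authorization steps above describe one flow, so here it is as a single runnable sketch. This is an example written for this page, not arifOS's own implementation. The names arif_session_init, actor_id, session_id, constitution_hash, invariants_hash, next_allowed_tools, VAULT999, the floors F1 (Amanah), F11 (Audit) and F13 (Sovereign), and the verdicts SEAL / SABAR / HOLD / VOID come from the page; the hash inputs, the floor predicates, the verdict mapping (hard-gate failure to VOID, irreversible-without-ack to HOLD, soft warnings to SABAR) and the hash-chain format are assumptions made here.

```python
"""Added example for this page, not arifOS's own code. From the page:
arif_session_init, actor_id, session_id, constitution_hash, invariants_hash,
next_allowed_tools, VAULT999, floors F1 (Amanah), F11 (Audit), F13 (Sovereign),
verdicts SEAL/SABAR/HOLD/VOID. Assumed: hash inputs, floor predicates,
verdict mapping, chain format."""
import hashlib
import json
import uuid
from dataclasses import dataclass

CONSTITUTION_TEXT = "constructed placeholder for the F1-F13 constitution text"
INVARIANTS = ["F1:Amanah", "F11:Audit", "F13:Sovereign"]  # constructed list

def sha256(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()

class Vault999:
    """Append-only, hash-chained log standing in for VAULT999 (assumption)."""

    def __init__(self):
        self.entries = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["entry_hash"] if self.entries else sha256("genesis")
        record = dict(record, chain_prev=prev)  # constitutional chain reference
        record["entry_hash"] = sha256(json.dumps(record, sort_keys=True))
        self.entries.append(record)
        return record

    def verify(self) -> bool:
        prev = sha256("genesis")
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "entry_hash"}
            if e["chain_prev"] != prev or sha256(json.dumps(body, sort_keys=True)) != e["entry_hash"]:
                return False
            prev = e["entry_hash"]
        return True

@dataclass
class Session:
    actor_id: str
    session_id: str
    constitution_hash: str
    invariants_hash: str
    tool_surface: frozenset   # A.3: what the agent CAN call
    next_allowed_tools: set
    vault: Vault999
    compromised: bool = False

def arif_session_init(actor_id: str, tool_surface, vault: Vault999) -> Session:
    """Step 1. A.1: refuse a session with no actor_id; A.2: fingerprint at boot."""
    if not actor_id:
        raise PermissionError("ungoverned session: actor_id is required")
    sess = Session(actor_id, str(uuid.uuid4()), sha256(CONSTITUTION_TEXT),
                   sha256(json.dumps(INVARIANTS, sort_keys=True)),
                   frozenset(tool_surface), set(tool_surface), vault)
    vault.append({"event": "session_init", "actor_id": actor_id,  # boot is traced
                  "session_id": sess.session_id, "constitution_hash": sess.constitution_hash})
    return sess

# (floor, hard gate?, predicate). F1 and F11 are hard gates per the page; the
# predicates are constructed, and F5 is only an illustrative soft floor.
FLOORS = [
    # F1 Amanah: an agent with no VAULT999 trace has no authority.
    ("F1", True, lambda s, t, a: any(e.get("session_id") == s.session_id for e in s.vault.entries)),
    # F11 Audit: every call must state a reason that can be logged.
    ("F11", True, lambda s, t, a: bool(a.get("reason"))),
    ("F5", False, lambda s, t, a: not a.get("touches_secrets")),
]

def judge(sess, tool, args, human_ack, sovereign_veto):
    """Steps 3 and 4: floor check, then the APEX verdict (mapping assumed)."""
    if sovereign_veto:  # F13: Arif's veto supersedes everything
        return "VOID", "F13 Sovereign veto"
    warnings = []
    for name, hard, check in FLOORS:
        if not check(sess, tool, args):
            if hard:
                return "VOID", f"{name} hard gate failed"
            warnings.append(name)
    if args.get("irreversible") and not human_ack:
        return "HOLD", "irreversible action awaits explicit human ack"
    if warnings:
        return "SABAR", "soft warnings: " + ", ".join(warnings)
    return "SEAL", "approved"

def request_tool(sess, tool, args, human_ack=False, sovereign_veto=False) -> str:
    """Step 2: kernel checks, then judge, then step 5 / A.4: anchor to the vault."""
    if sess.compromised:
        verdict, reason = "VOID", "session compromised"
    elif tool not in sess.next_allowed_tools:
        verdict, reason = "VOID", f"{tool} not in next_allowed_tools"
    else:
        verdict, reason = judge(sess, tool, args, human_ack, sovereign_veto)
    sess.vault.append({"event": "tool_request", "actor_id": sess.actor_id,
                       "session_id": sess.session_id, "tool": tool,
                       "verdict": verdict, "reason": reason})
    return verdict
```

A typical run creates a Vault999, calls arif_session_init("arif", ["read_file", "write_file"], vault), then request_tool for each action: a plain read_file with a reason returns SEAL, an irreversible write_file without human_ack returns HOLD, and a tool outside next_allowed_tools returns VOID. Every decision, including rejections, lands in the chain so that vault.verify() can later prove the trace was not edited; the F1 predicate makes that trace the source of authority, which is why a session whose vault entries have been wiped loses the ability to act.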

Federation Agent Roles

Within the arifOS Federation, agents have distinct roles with bounded authority:

Failover Protocol

If OpenClaw goes dark: Hermes becomes the active executor for infra tasks, with a 15-minute timeout before Arif is notified.

If Hermes goes dark: OpenClaw becomes the active executor for human-life tasks and attempts the revival sequence.

If both go dark: Neither agent acts unilaterally. VAULT999 is written with failure state. Arif is notified.
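The three failover rules above are easiest to reason about as one pure decision function over heartbeat ages, so that the same inputs always produce the same executor assignment and the "neither acts unilaterally" case cannot be reached by accident. The code below is an example written for this page, not arifOS's own. The agent names (OpenClaw, Hermes, Arif), the 15-minute notification timeout, VAULT999 and the two task classes come from the page; heartbeat-based liveness, the 5-minute "dark" threshold and the returned field names are assumptions.

```python
"""Added example for this page, not arifOS's own code. Heartbeat liveness,
DARK_AFTER and the decision field names are assumptions; agent names, task
classes and the 15-minute timeout are taken from the page."""
from datetime import datetime, timedelta

DARK_AFTER = timedelta(minutes=5)           # assumed: 5 min without a heartbeat == dark
NOTIFY_ARIF_AFTER = timedelta(minutes=15)   # page: Hermes covers infra for 15 min first

def is_dark(last_heartbeat: datetime, now: datetime) -> bool:
    return now - last_heartbeat > DARK_AFTER

def failover_decision(now: datetime, openclaw_last: datetime, hermes_last: datetime) -> dict:
    """Map the two agents' heartbeat ages to executor roles and side effects."""
    openclaw_dark = is_dark(openclaw_last, now)
    hermes_dark = is_dark(hermes_last, now)
    # Normal operation: OpenClaw owns infra tasks, Hermes owns human-life tasks.
    decision = {"infra_executor": "OpenClaw", "human_life_executor": "Hermes",
                "notify_arif": False, "vault_write": None, "revive": None}
    if openclaw_dark and hermes_dark:
        # Neither agent acts unilaterally; record the failure state and escalate.
        decision.update(infra_executor=None, human_life_executor=None,
                        notify_arif=True, vault_write="failure_state")
    elif openclaw_dark:
        decision["infra_executor"] = "Hermes"
        # OpenClaw went dark once its heartbeat aged past DARK_AFTER; Arif is
        # notified only after Hermes has covered for NOTIFY_ARIF_AFTER.
        dark_since = openclaw_last + DARK_AFTER
        decision["notify_arif"] = now - dark_since >= NOTIFY_ARIF_AFTER
    elif hermes_dark:
        decision["human_life_executor"] = "OpenClaw"
        decision["revive"] = "Hermes"
    return decision
```

Because the function is pure, the three rules can be unit-tested against constructed timestamps without a live federation, and the VAULT999 write and Arif notification are returned as data for the caller to perform rather than executed inside the decision.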

Key Principles

F1 Amanah — Trust is earned through verified action, not claimed identity. An agent without a VAULT999 trace has no authority.

F13 Sovereign — Arif holds final veto. No algorithm, no agent, no institutional authority supersedes Arif's veto on irreversible actions.