Security Architecture

AGLedger produces one object: a signed record spanning the full lifecycle of a piece of automated work - the intent and authority at the start, the delegation handoffs in the middle, the result at the end, and the verdict when the work is gated. Each stage is captured the moment it is real and hash-chained to the one before. This whitepaper is the cryptographic ground truth behind that record: how it is signed, what the signature covers, where the trust boundaries fall, and how any third party confirms it without taking our word.

Version 1.0 · April 2026 · Classification: Public · [email protected]

AGLedger is change control for automated work: it gives every change a signed, tamper-evident record - what was intended, on whose authority, what happened, and who accepted it - deployed in your infrastructure and under your control. Under the hood it is a cryptographic notary, signing records, completions, and verdicts into a tamper-evident audit vault. This document is written for the security teams, compliance officers, and procurement decision-makers who must satisfy themselves that the evidence is sound before the product is bought.

One signing key per Server instance. A single instance vault key (VAULT_SIGNING_KEY, Ed25519) signs every entry in that Server’s chain. There is no per-principal and no per-agent key. The signature is the notary’s.

Attribution lives inside the signature. The accountable principal (principal_agent_id) and the acting credential are named inside the signed payload, so the signature covers the attribution. This is notary-attested, tamper-evident attribution - not principal-held non-repudiation.

Self-hosted by design. AGLedger runs in your infrastructure. No data leaves it unless you explicitly enable federation, and even then only signed bytes cross the boundary.

Zero content inspection. AGLedger records accountability metadata - who notarized what, who delivered, who accepted. It never inspects, stores, judges, or processes your business data, prompts, or model outputs.

Standards-based. COSE_Sign1 (RFC 9052, tag 18) over an in-toto v1 Statement payload, deterministic CBOR (RFC 8949 §4.2.1), Ed25519 + SHA-256, CWT Claims (RFC 8392 / RFC 9597), HMAC-SHA256, RFC 9421 HTTP Message Signatures, RFC 8785 JSON canonicalization (federation transport), RFC 9457 problem details. No bespoke constructions.

1. The signed record - what the signature covers

The most precise claim on this site lives here, so it is stated plainly. The agent reports with its key; the notary signs what it reported.The agent (or any caller) makes the API call that records a stage of the work. The Server - not the caller - assembles the entry, encodes it, and signs it with the instance vault key. The authority being recorded is the principal’s; the signature is the notary’s.

Because the attribution rides inside the signed payload, an attacker cannot re-point an entry at a different principal without invalidating the signature. The accountable principal (principal_agent_id - always an agent identity) and the acting credential are part of what the Ed25519 signature commits to. The protected header carries the actor identity as a CWT private claim ({ key_id, role, owner_id }); any delegation context rides in the in-toto Statement predicate ason_behalf_of. Both are covered by the signature.

Read the boundary carefully. What we deliver is notary-attested attribution: the Server attests, under its instance key, that a named principal acted with a named credential. This is not principal-held non-repudiation - the principal does not sign, and we do not represent that it did. To the most skeptical reader, the auditor, this is the honest claim: the chain proves what was reported, signed, and recorded, and that the attribution has not been altered since.

Agents are not required to hold signing keys. The default path needs no client-side cryptography from the agent at all - it authenticates and reports, and the notary does the signing. There is an optional, opt-in per-request attestation path (X-Agent-Signature /X-Agent-Signature-Content-Hash), a no-op by default, in which a cert-bound caller co-signs its own request; that co-signature is carried into the COSE_Sign1 envelope aspredicate.on_behalf_of.agent_signatureand is honored only when the caller authenticated with an ephemeral cert. Use it when you want caller-attested provenance on top of notary attribution; ignore it otherwise.

One key per Server instance - never per principal, never per agent. Across orgs, each Server signs its own portion with its own per-instance key.

2. Three readers of the same record

The same signed record is read later by three different parties, with three different trust postures. The cryptography is “wasted” on the first reader and indispensable to the last - which is exactly why an agent-recovery record is already an audit-grade record.

ReaderReads it forTrust posture
AgentState recovery - “what was I told to do?” after a context wipe, hand-off, or restartTrusts itself; need not verify the signature
OperatorOversight - “what did my fleet intend and do?”; debugging, disputeSemi-adversarial - catching its own agents
AuditorProof - “show me, without my taking your word”Zero-trust - must verify the crypto offline

The remainder of this document is written to the auditor’s posture: every claim is something a third party can confirm against the published keys, with no AGLedger account and no network call. Offline verification has its own canonical page - see Verification.

3. Deployment model and trust boundaries

AGLedger is software you deploy, not a service you send data to.

One role: Server. Every install is the same binary - same surface area, same configuration shape. A Server is a sovereign domain: its own database, auth, agents, contracts, signing key, and chain. Whether the deployment participates in federation is a per-record / per-contract / global flag, not a deployment mode.

┌─────────────────────────────────────────────────┐ │ YOUR INFRASTRUCTURE │ │ │ │ ┌───────────┐ ┌──────────┐ ┌──────────┐ │ │ │ Your Apps │───▶│ AGLedger │───▶│ Postgres │ │ │ │ & Agents │ │ Server │ │ DB │ │ │ └───────────┘ └────┬─────┘ └──────────┘ │ │ │ │ │ Webhooks to │ │ your systems │ │ │ └─────────────────────────────────────────────────┘ │ (only if a record's share flag is on) ▼ ┌──────────────┐ │ Counterparty│ Federation: signed bytes │ AGLedger │ cross this boundary, nothing │ Server │ else. └──────────────┘

We do: Record accountability metadata in your infrastructure. We do not:Host your data, proxy your traffic, judge your work, or require outbound connectivity unless a record’s share flag is set.

Where the Server, database, and key material map to the box you actually run - topology, sizing, ownership, and the air-gapped install - is documented on the Deployment page. This section states only the trust boundary.

4. Data classification - zero content inspection

CategoryStorageSensitivity
Accountability metadataPostgreSQL (your DB)Business-sensitive
Audit vaultPostgreSQL (your DB)Integrity-critical
API credentialsPostgreSQL (your DB)Secret
Webhook secretsPostgreSQL (your DB)Secret

What AGLedger does not store or inspect

Model prompts, completions, or training data

Business document content - AGLedger validates structure, never value

PII beyond what customers include in record metadata (customer-controlled)

Payment card data or banking credentials

All data resides in the PostgreSQL instance you provision. No external data stores, no phone-home. AGLedger collects no usage data or other data from the software and operates no service that receives data from your deployment.

5. Data lifecycle

AGLedger does not impose data retention policies - the customer controls retention as the database operator.

The audit vault is cryptographically append-only by design. This creates a deliberate tension with deletion regulations (GDPR Article 17, CCPA). AGLedger’s position: Signed Statements contain accountability metadata - not business data. Record criteria and completion evidence are stored in separate tables that can be archived or purged.

In encrypted mode, the server stores only the encrypted envelope and an evidence hash. Destroying the encryption key renders content irrecoverable while preserving vault chain integrity - cryptographic erasure.

6. Cryptographic architecture

LayerStandardPurpose
Customer-facingHMAC-SHA256 / Argon2idAPI-key storage, password hashing
Webhook signingHMAC-SHA256 · Ed25519 RFC 9421Delivery integrity by default; Ed25519 for non-repudiable Settlement Signals, verifiable against the published Server keys
Instance-to-instanceRFC 9421 + Ed25519Federation authentication; each Server signs with its own per-instance key
Audit envelopeCOSE_Sign1 (RFC 9052, tag 18) + Ed25519 (EdDSA)Signed Statement envelope; the COSE_Sign1 bytes feed the SHA-256 hash chain
Payload formatin-toto v1 Statement, CBOR per RFC 8949 §4.2.1Deterministic CBOR encoding of the audit payload
Identity in headerCWT Claims, RFC 8392 (label 15) / RFC 9597Issuer / subject / actor named in the signed protected header
Data-at-restSHA-256 hash chain / AES-256-GCMAudit vault tamper evidence, secret storage
Client-sideAES-256-GCM / GCM-SIVEncrypted record evidence (server-blind)
FederationX25519 + AES-256-GCM (HKDF); RFC 8785 (JCS) for transport canonicalization and schema digestsCriteria relay with forward secrecy; canonical form on the wire

One vault signing key per Server instance. The Ed25519 vault key (VAULT_SIGNING_KEY) signs every chain entry on that Server. It is an instance key - never per principal, never per agent. The federation key is a separate per-instance key.

Named standards only. Every algorithm maps to an RFC, NIST publication, or IETF draft. No bespoke constructions.

Independent keys. Ed25519 (signing) and X25519 (encryption) keys are generated independently - never derived from each other.

Algorithm identifiers recorded. Every artifact includes alg fields, enabling algorithm migration without breaking verification.

Domain-separated key derivation. HKDF-SHA256 with purpose-specific labels ensures cryptographic independence.

7. Audit vault integrity - what the envelope holds

The audit vault is AGLedger’s core security primitive - a cryptographically signed, append-only ledger of every accountability event. Each entry surfaces to customers as a Signed Statement: a tagged COSE_Sign1 envelope (RFC 9052, tag 18) over an in-toto v1 Statement payload, deterministically CBOR-encoded per RFC 8949 §4.2.1. The accountable principal and acting credential are named inside that payload, so the Ed25519 signature covers the attribution - not just the event.

Entry N (Signed Statement): chain_position: N event_type: RECORD_STATE_CHANGE envelope: 18([ // COSE_Sign1, RFC 9052 tag 18 <<{ 1: -8, 4: <kid>, // protected: alg=EdDSA, kid, 15: { iss, sub, iat, // CWT_Claims (RFC 8392/9597), -65539: { // actor identity (signed): 1: key_id, // key id 2: role, // role 3: owner_id } } }>>,// owner / principal { ... }, // unprotected headers <<in-toto-v1-Statement>>, // payload, CBOR per RFC 8949 §4.2.1 // subject, predicateType, // predicate (incl. on_behalf_of) <Ed25519 signature> // over Sig_structure (RFC 9052 §4.4) ]) hash: SHA-256(COSE_Sign1 bytes) previous_hash: Entry[N-1].hash (genesis: null) hash_alg: "SHA-256" signature_alg: "Ed25519" signing_key_id: <vault key fingerprint>

Identity and chain-linkage live in the signed protected header; delegation context (on_behalf_of) lives in the in-toto predicate. Both are inside the bytes the signature commits to, so neither can be altered without the signature failing.

TamperingMechanismDetection
InsertionHash chain breaks previous_hash linkLINK_BROKEN
DeletionSequential chain_position gapPOSITION_GAP
ModificationRecomputed hash mismatchHASH_MISMATCH
Payload editVisible payload jsonb diverges from signed bytespayload_drift
ForgeryEd25519 signature fails against registered keySIGNATURE_INVALID

Enforcement layers

Database: UPDATE and DELETE are revoked on the audit vault tables. Partition-level TRUNCATE is blocked by trigger. A privileged operator who edits the human-readable payload jsonb is caught at verification as chainIntegrityReason: 'payload_drift' - the signed envelope, not the visible copy, is the source of truth.

Application: Vault writes occur inside the same transaction as the state change - the entry exists if and only if the state change committed.

Cryptographic: SHA-256 hash chain with Ed25519 signatures provides tamper evidence independent of database access controls.

Operational: Signed checkpoints every 6 hours. Optional external anchoring to S3-compatible storage with COMPLIANCE mode object lock.

Confirming all of this offline - signatures genuine, chain unbroken, payload undrifted - is the dedicated subject of the Verification page, including export formats and the failing-case transcript. AGLedger publishes the vault signing keys at two unauthenticated endpoints so any party can do it with no account and no connection to us:

GET /v1/verification-keys

GET /.well-known/agledger-vault-keys.json

Both active and retired keys are returned, enabling full historical chain verification across rotations. Accountability systems should not require blind trust.

8. Key management and rotation

The vault signing key is the trust root of the chain, so its handling is explicit. It is supplied to the Server asVAULT_SIGNING_KEY- required in production, and customer-held: AGLedger LLC never possesses it. The customer protects the private key with their own secrets manager (see the shared-responsibility model, §15).

Zero-downtime rotation

Rotation uses an overlap window. The current key is moved to VAULT_SIGNING_KEY_PREVIOUS and the new key set as VAULT_SIGNING_KEY, keeping prior entries verifiable through the transition.

A rolling restart picks up the change; the rotation is then activated in the key registry (POST /v1/admin/vault/signing-keys/rotate), which retires the old key and activates the new one.

New entries sign with the new key; historical entries remain valid because verification resolves retired keys from the registry. The chain stays continuous - no re-signing.

Once every instance runs the new key, VAULT_SIGNING_KEY_PREVIOUS is removed on the next deploy.

Key loss does not invalidate history.Verification uses the public key recorded in the database, not the private key from the environment. Losing the private key stops you signing new entries; it does not retroactively break the existing chain. The registry supports unlimited rotation, and a post-quantum key (for example ML-DSA) can be activated alongside Ed25519 - see §17.

9. Authentication and access control

Two authentication paths, same protocol on the wire. Enterprise installs lead with OIDC-bound ephemeral signing certificates - agents exchange a JWT from the customer’s own identity provider (Auth0, Okta, Azure AD, Keycloak, GCP WIF, K8s SA tokens) for a short-lived (≤10 min) AGLedger cert via POST /v1/auth/oidc/cert and present it as the Bearer credential. No agent holds a long-lived key; blast radius on credential compromise is ten minutes.

Long-lived API keys remain fully supported for development, the quickstart, and single-operator installs. Keys are never stored in plaintext - the server computes HMAC-SHA256 and looks up the resulting hash. Both credential types produce the same chain envelope, and the actor identity each carries is named inside the signed payload (§1, §7); verifiers see who acted either way.

Trust anchors are configured per-org via POST /v1/admin/trusted-issuers - one row per IdP per purpose with an applies_to discriminator (agent / principal / admin / any). JWKS endpoints are auto-discovered via OIDC well-known. See the Authentication guide for the full exchange flow and IdP recipes.

RoleCapabilitiesTypical user
PlatformSystem administration, enterprise provisioning, vault managementAGLedger operator
AdminConfiguration, oversight, compliance exports, key managementOrg administrator
AgentRecord lifecycle operations scoped to authorized actionsAI agent, RPA bot, service

Each API key carries a scope list. Anti-escalation prevents creating keys with broader scopes than the creating key.

All queries filter by org - cross-tenant data access is not possible through the API.

Additional controls: per-key IP allowlisting, Argon2id portal passwords (NIST SP 800-63B), and the optional per-request agent signature (X-Agent-Signature header, §1) for caller-attested provenance on top of cert auth. Agents are not required to hold signing keys; this path is opt-in and a no-op when unused.

10. Federation and privacy boundary

Across organizations, federation is peer-to-peer signed-message transport. Each Server signs its own portion with its own per-instance key; there is no shared key and no central coordinator.

What crosses federation boundaries

Server identity + public keys

Agent IDs

Record ID, contract type

State transitions (state, timestamp, signature)

Gate verdict (accept/reject)

Settlement Signal (SETTLE/HOLD/RELEASE)

Criteria commitment (SHA-256 hash, not content)

What never crosses

Record criteria (actual acceptance terms)

Completion evidence (work product)

Audit vault entries

Prompts, context, or business logic

API keys or auth credentials

Webhook URLs or delivery payloads

Each Server remains sovereign. It records the signed bytes a peer sent and verifies them against the peer’s published public key. It never holds the peer’s underlying business data, and there is no central coordinator that does either. Cross-org transport mechanics live on the Federation page.

11. Application security

Schema-first validation

Every endpoint declares request and response JSON Schemas enforced by the framework. Unknown fields rejected. No implicit type coercion. 1 MiB global request limit, 65 KiB record limit, 20-level JSON depth cap.

SQL injection prevention

All queries use parameterized SQL with positional parameters. Sort and filter columns validated against explicit whitelists.

SSRF protection

8-layer defense: private IP ranges, loopback, cloud metadata endpoints, alternative IP encodings, DNS re-resolution (TOCTOU), hostname suffixes, embedded credentials, HTTPS-only.

Expression engine sandboxing

jsep AST parser (not eval). 50 AST nodes, depth 10, 1,000 operations max. No access to global scope, prototype chain, or Node.js APIs.

Rate limiting

Tiered by role, PostgreSQL-backed for multi-replica consistency: agent keys 500 requests/min, admin keys (and their org's agents) 1,000/min, tunable via RATE_LIMIT_AGENT / RATE_LIMIT_ADMIN. Keyed by API key when authenticated, falling back to IP. Errors are returned as RFC 9457 problem details.

12. Infrastructure hardening

Container security

Distroless base image (no shell)

Non-root user (UID 65534)

Read-only filesystem + tmpfs for /tmp

512 MiB memory, 1.0 CPU limits

Liveness + readiness health probes

File-based secrets injection

Database hardening

Three PostgreSQL roles (app, monitor, DDL)

UPDATE / DELETE revoked, TRUNCATE blocked on the audit vault

sslmode=verify-full required in production

Advisory-locked, checksummed migrations

Node.js 24 LTS, pinned dependencies

13. Threat model

ThreatControls
Audit trail tamperingHash chain + Ed25519 signatures + DB triggers (UPDATE/DELETE revoked, TRUNCATE blocked) + external checkpoints; payload edits surface as payload_drift
Attribution forgeryPrincipal and acting credential are inside the signed payload; re-pointing an entry invalidates the Ed25519 signature
Cross-tenant accessAll queries filter by org; scoped API keys; principal enforcement
API key compromiseHMAC-hashed storage; IP allowlisting; expiration; scope limits blast radius; ephemeral certs cap exposure at ten minutes
Webhook SSRF8-layer validation including DNS re-resolution; HTTPS-only
Federation MITMTLS + RFC 9421 Ed25519 signatures; per-request signing on critical operations
Signing key compromiseKey registry supports immediate rotation; external anchors verify pre-compromise entries
Denial of serviceTiered rate limiting; size caps; depth limits; handler timeouts

Explicitly out of scope

Compromised principals. If the entity creating records is malicious, AGLedger faithfully records what they reported. We attest accountability, not truthfulness - the chain proves what was said and signed, not that it was correct.

Content-level threats. AGLedger validates structure, not business content. Zero content inspection is a deliberate boundary, not a gap.

Infrastructure compromise. OS, network, and physical security are the customer’s responsibility.

14. Compliance mapping

AGLedger captures signed records, delegation chains, and cross-org evidence transport regardless of regulation; as a downstream effect these map cleanly to the obligations below. Detailed crosswalks for each framework live on their dedicated pages.

SOC 2Not a certification - AGLedger is self-hosted software, not a service organization. Enterprise customers can request a SOC 2 alignment report mapping AGLedger’s controls to the Trust Service Criteria.
ISO 27001Annex A controls A.8, A.9, A.10, A.12
NIST 800-53AC, AU, IA, SC, SI families

15. Privacy, data protection, and shared responsibility

AGLedger is self-hosted software. In the typical deployment, AGLedger LLC is neither a data processor nor a data controller - we provide software the customer operates in their own infrastructure.

GDPR: Data minimization by design. Encrypted mode enables cryptographic erasure (Article 17). No international transfers when sharing is off.

CCPA: No sale or sharing of personal information. No access to customer data in the self-hosted model.

Sub-processors: Zero sub-processors for customer data in the standard deployment.

Data sovereignty: Residency follows the customer’s database placement. AGLedger collects no usage data from the software; license validation is an offline Ed25519 check; federation is peer-to-peer between customer-operated Servers. No AGLedger LLC system sits in the data path.

AGLedger provides

Application security (validation, SSRF, SQLi prevention)

Cryptographic integrity (hash chain, signatures, agility)

Access control (RBAC, scoping, rate limiting)

Secret handling (HMAC, AES-256-GCM, log redaction)

Container hardening (distroless, non-root, read-only)

Database role separation (three-role model)

Customer provides

Infrastructure security (network, OS, physical)

Database encryption at rest

TLS certificate management

Vault signing key protection (secrets manager)

Backup and disaster recovery

Monitoring, alerting, and SIEM integration

16. Continuity, assurance, and releases

Business continuity

As self-hosted software, RPO and RTO depend on the customer’s infrastructure and backup strategy. AGLedger provides the tooling: backup.sh, restore.sh, support-bundle.sh, and health probes for orchestrator-level recovery.

The audit vault’s hash chain is self-verifying. After restoring from any backup, run the vault integrity check to confirm chain continuity.

Signing key loss does not invalidate historical entries - verification uses the public key stored in the database, not the private key from the environment.

Security assurance

AssessmentStatus
SOC 2 alignmentInternal readiness assessment completed March 2026 - 19 findings, code-level controls rated Strong to Excellent. AGLedger is self-hosted software, not a service organization - your deployment runs under your existing certifications. Enterprise customers can review our source code and request a SOC 2 alignment report detailing how AGLedger’s controls map to the Trust Service Criteria.
Vulnerability managementActive - 7-day release target for critical / high severity

Release and update process

Semantic versioning. Checksummed, advisory-locked, transactional database migrations.

Breaking changes: 90-day advance notice with migration guides.

Security patches distributed as new versions; customers notified via advisory with CVE references. Release artifacts are keyless-signed (OIDC → Sigstore → Rekor) and verifiable with stock tooling against the public transparency log.

Security fixes are always free - regardless of support contract status.

17. Algorithm agility and post-quantum readiness

All algorithms are current NIST-approved. NIST finalized post-quantum standards in August 2024 (ML-KEM / FIPS 203, ML-DSA / FIPS 204, SLH-DSA / FIPS 205).

Algorithm identifiers on all artifacts - verification reads these fields rather than assuming a fixed algorithm.

Signing key registry - supports unlimited rotation. A new ML-DSA key can coexist alongside Ed25519.

No re-signing required - new entries use the new algorithm; old entries remain valid. The chain is continuous.

COSE_Sign1 alignment is live - the vault envelope is a tagged COSE_Sign1 (RFC 9052, tag 18) over an in-toto v1 Statement payload, deterministically CBOR-encoded per RFC 8949 §4.2.1. This aligns the on-disk format with the IETF SCITT (Supply Chain Integrity, Transparency, and Trust) working group’s transparency-service vocabulary. Opt-in SCITT Receipts - cryptographic inclusion proofs (RFC 9162 Merkle proofs) anchoring Signed Statements into a Transparency Service - are available via ?receipts=true on audit-export or via POST /v1/scitt/entries.

Hybrid (classical + PQC) signatures expected 2027–2028. AGLedger’s architecture requires no customer action today.

18. Incident response

Vulnerabilities: [email protected]

Acknowledgment within 24 hours. Assessment within 72 hours.

Critical / high severity patch within 7 days.

If vault integrity verification detects tampering, the failure is logged with full context (chain position, expected vs. actual hash, signing key ID). Failed entries are flagged but never modified - the evidence of tampering is itself part of the audit record.

Related capabilities

Verification →

Confirm the chain offline - signatures genuine, links unbroken, payload undrifted - against published keys, with no account and no connection to us.

Deployment →

Where the security architecture actually lives - how Server, database, and key material map to the box you run, including the air-gapped install.

Gate →

Signed-verdict mechanics - how Ed25519 over COSE_Sign1 makes a captured accept or reject tamper-evident. The principal renders the verdict; the chain holds the proof.

Federation →

Cross-org transport security - per-message signing and key discovery between Servers, each signing its own portion.

Schemas →

Predicate profiles tie schema identity to a signing key so verifiers can prove a predicate-bearing record is authentic.

Why receipts must be signed →

The threat model behind detached signatures and why an unsigned audit entry is not evidence.

Read the announcement blog post for a summary of key highlights. See the how it works page for the full lifecycle, or install it yourself.

Version 1.0 - April 2026

AGLedger is a product of AGLedger LLC. This document describes the security architecture of AGLedger software. It is not a guarantee of security and should be evaluated alongside your organization’s specific risk assessment.

Contact: [email protected]