MandateZ Protocol Specification
Version: 0.1.0 Status: Draft Date: 2026-03-21 Authors: MandateZ ContributorsAbstract
MandateZ is an open protocol for cryptographic identity, authorization, and audit logging of autonomous AI agents. It defines a vendor-neutral standard for proving which agent performed an action, enforcing what agents are permitted to do, and producing tamper-proof compliance audit trails. This specification defines the wire format, cryptographic operations, policy evaluation semantics, and human oversight behavior that any conforming implementation MUST support.1. Terminology
- Agent: An autonomous software entity (LLM-based or otherwise) that performs actions on behalf of an owner.
- Owner: The individual or organization that controls one or more agents.
- Event: A signed record of a single agent action.
- Policy: An ordered set of rules that determine whether an action is allowed, blocked, or flagged.
- Oversight Gate: A mechanism that pauses execution and requests human approval before proceeding.
- Transport: The system that receives and stores signed events.
2. Agent Identity
2.1 Agent ID Format
An agent identifier MUST conform to the following format:- The prefix
ag_is fixed and MUST be present. <nanoid>is a 21-character string drawn from the alphabetA-Za-z0-9_-(URL-safe base64).- This provides 126 bits of entropy, sufficient for collision resistance at scale.
^ag_[A-Za-z0-9_-]{21}$
2.2 Cryptographic Keypair
Each agent MUST possess an Ed25519 keypair:- Public key: 32 bytes, encoded as standard base64 (RFC 4648 Section 4).
- Private key: 64 bytes (32-byte seed + 32-byte public key), encoded as standard base64.
- The public key MUST be derivable from the private key (bytes 32-63 of the 64-byte secret key).
2.3 Identity Generation
A conforming implementation MUST:- Generate an Ed25519 keypair using a cryptographically secure random number generator.
- Assign a unique
agent_idusing the format defined in Section 2.1. - Return the
agent_id, base64-encodedpublic_key, and base64-encodedprivate_key.
3. Agent Event Schema
3.1 Event Structure
Every agent action produces exactly one event. An event is a JSON object with the following fields:3.2 Action Types
Implementations MUST NOT extend this enum without a protocol version bump.
3.3 Outcomes
4. Event Signing
4.1 Canonicalization
Before signing, the event MUST be canonicalized as follows:- Construct a JSON object containing all event fields except
signature. - Serialize to a JSON string with keys sorted alphabetically at the top level.
- Encode the resulting string as UTF-8 bytes.
4.2 Signing
- Compute the Ed25519 detached signature over the canonical message bytes using the agent’s private key.
- Base64-encode the 64-byte signature (standard base64, RFC 4648 Section 4).
- Set the
signaturefield of the event to this value. - Set the
public_keyfield to the agent’s base64-encoded public key.
4.3 Verification
To verify an event:- Remove the
signaturefield from the event. - Canonicalize the remaining fields per Section 4.1.
- Base64-decode the
signatureandpublic_keyfields. - Verify the Ed25519 detached signature against the canonical message bytes and the public key.
- Return
trueif valid,falseotherwise.
false (not throw an exception) on any error,
including malformed base64, incorrect key length, or tampered data.
4.4 Event Construction
When creating a new event, the implementation MUST:- Generate a new UUID v4 for
event_id. - Set
timestampto the current UTC time in ISO 8601 format. - Derive
public_keyfrom the agent’s private key. - Canonicalize, sign, and attach the signature.
- Validate the complete event against the schema before returning.
5. Policy Engine
5.1 Policy Structure
A policy is an ordered collection of rules belonging to an owner:5.2 Rule Fields
5.3 Resource Pattern Matching
Resource patterns support three forms:
Path segments are delimited by
/.
5.4 Evaluation Semantics
- Rules MUST be evaluated in declaration order.
- The first rule that matches both the
action_typeandresourcewins. - If no rule matches, the default outcome is
allowed. - Effect mapping:
allow->allowed,block->blocked,flag->flagged. - Multiple policies are evaluated in the order they were added. First match across all policies wins.
6. Human Oversight Gate
6.1 Configuration
The oversight gate is configured with:6.2 Gate Behavior
When an action’saction_type is in require_human_approval:
- Fire alerts to all configured channels. Channel failures MUST be collected, not thrown — one failing channel MUST NOT prevent others from firing.
- Wait for human decision by racing an approval callback against the timeout.
- Resolve outcome:
- If a human approves:
allowed - If a human rejects:
blocked - If timeout expires: apply
timeout_action(block->blocked,allow->allowed)
- If a human approves:
- If no approval callback is provided,
timeout_actionMUST be applied immediately.
6.3 Alert Channels
An alert channel is any system that implements thesend(alert) interface:
- Slack: POST to a webhook URL with mrkdwn-formatted text.
- Webhook: POST the alert as JSON to an arbitrary URL.
6.4 Integration with Policy
The oversight gate operates after policy evaluation:- If the policy engine returns
blocked, the oversight gate is skipped. - If the policy engine returns
allowedorflagged, and the action type requires approval, the oversight gate fires. - The oversight gate’s outcome overrides the policy outcome.
7. Transport Contract
7.1 Requirements
A conforming transport MUST:- Accept a fully signed, schema-validated
AgentEvent. - Persist the event durably.
- Return the event on success or throw/return an error on failure.
- MUST NOT modify the event payload (including signature).
7.2 Supabase Reference Transport
The reference transport inserts events into a PostgreSQL table via Supabase:
Row Level Security MUST be enabled so each owner sees only their own events.
7.3 Alternative Transports
Implementations MAY provide transports for other storage backends (S3, Kafka, filesystem, etc.) as long as they satisfy the contract in Section 7.1.8. Client Integration Flow
The fulltrack() flow for a conforming client:
9. Security Considerations
- Private keys MUST be stored securely and MUST NOT be transmitted or logged.
- Event signatures provide tamper detection, not encryption. Event payloads are plaintext.
- The
metadatafield MAY contain sensitive data. Implementations SHOULD apply appropriate access controls. - Transport channels (Supabase, webhooks) SHOULD use TLS.
- Slack webhook URLs are bearer tokens and MUST be treated as secrets.
10. Versioning
This specification follows Semantic Versioning:- Major: Breaking changes to the event schema, signing algorithm, or policy semantics.
- Minor: New action types, outcome types, or optional fields.
- Patch: Clarifications and editorial fixes.
Appendix A: Example Event
Appendix B: Example Policy
Appendix C: Reference Implementations
- TypeScript/Node.js:
@mandatez/sdk— github.com/mandatez/core
This specification is open for public contribution. File issues and pull requests at github.com/mandatez/core.