ATF Architecture & Enforcement Model

This document defines the execution path from agent intent to a deterministic approval or denial, and then to receipt generation.

Threat Model (zero-trust agents)

ATF assumes that model-generated intent can be malformed, policy-violating, stale, or adversarially influenced. Enforcement does not rely on model confidence.

  • Agent may request unsupported protocol calls.
  • Agent may exceed notional limits or slippage bounds.
  • Request may be replayed if permit freshness is not enforced.
  • Post-facto logs are insufficient for real-time loss prevention.

Permit Schema Overview

Permit payloads encode the minimum execution authority required for one intent domain.

{
  "permit_id": "permit_01J9QJ...",
  "subject": "agent:desk-7",
  "scope": "swap.execute",
  "policy_id": "policy_mainnet_v1",
  "constraints": {
    "max_notional_usd": 10000,
    "max_slippage_bps": 40,
    "protocol_allowlist": ["jupiter", "orca", "raydium", "solend", "marginfi", "kamino"]
  },
  "issued_at": "2026-02-23T18:40:00Z",
  "expires_at": "2026-02-23T18:41:00Z",
  "nonce": "8f16e8f4-5a0d-4a72-ae0c-3dc67f8ed8f1",
  "signature": "ed25519:..."
}

Deterministic Invariant Evaluation

Invariants are evaluated with deterministic inputs and fail-closed semantics. Any failed check returns a denied decision.

const decision = evaluateInvariants({
  policy,
  permit,
  intent,
  marketSnapshot,
});

if (!decision.allowed) {
  return { status: "denied", reason: decision.reason };
}

An allowed decision records the outcome of every invariant check:

{
  "status": "allowed",
  "invariant_checks": [
    { "name": "protocol_allowlist", "ok": true },
    { "name": "max_notional", "ok": true },
    { "name": "max_slippage", "ok": true }
  ]
}

Replay Protection + TTL

Replay protection combines single-use nonce tracking with strict permit expiration. A reused nonce or expired permit is denied before protocol submission. The nonce lookup and the mark-as-used step must execute as one atomic operation against the store; if they are separate round trips, two concurrent requests carrying the same nonce can both pass the check.

// expires_at is an ISO-8601 string in the permit; compare it as a timestamp, not as a string.
if (now > Date.parse(permit.expires_at)) deny("permit_expired");
// has() and markUsed() must be a single insert-if-absent against the nonce store.
if (nonceStore.has(permit.nonce)) deny("nonce_replay_detected");
nonceStore.markUsed(permit.nonce);

Receipt Hash Generation

Receipts are normalized, hashed, and persisted with decision metadata so audit systems can verify integrity. The normalization step must be deterministic (fixed key order, fixed encoding); otherwise the same receipt can produce different hashes and an auditor cannot reproduce the value.

const canonicalReceipt = canonicalize({
  policy_id,
  permit_id,
  intent_hash,
  decision,
  invariant_checks,
  timestamp,
});

const receipt_hash = sha256(canonicalReceipt);

Optional On-chain Anchoring (future path)

Future versions may anchor batched receipt hashes on-chain for external timestamping and third-party verification. This path is optional and not required for current deterministic enforcement.

Demo Policy

Public simulator constraints are documented at:

/demo-policy