ArchitectureUpdated 2026-04-02

Live Agent Anchor

Real-time trust posture per agent: AgentCircuitState, LayerHealth, compositeHealth, and how the anchor aggregates state from all governance layers.

Live Agent Anchor

The Live Agent Anchor is the real-time trust posture of a governed agent. It is the mutable convergence point for all Trust Bus signals -- the "digital twin" of an agent's governance state.

Trust Bus signals write to the anchor (via delta application)
Enforcement decisions read from the anchor (current trust context)
Dashboards subscribe to anchor state changes

Defined in @vorionsys/contracts/canonical/live-agent-anchor.ts.

Architecture

graph TD
    subgraph "Trust Bus Signals"
        S1[TRUST_UPDATED]
        S2[CANARY_FAILED]
        S3[CIRCUIT_BREAKER_TRIPPED]
        S4[DORMANCY_DEDUCTION]
    end

    subgraph "Live Agent Anchor"
        TS[Trust Score: 580]
        TT[Trust Tier: T3]
        TC[Trust Ceiling: 600]
        LS[Layer States]
        CH[Composite Health]
        CB[Circuit State: CLOSED]
        DM[Dormancy State]
    end

    S1 --> TS
    S2 --> TS
    S3 --> CB
    S4 --> DM

    subgraph "Consumers"
        ENF[Enforcement Engine]
        DASH[Dashboard]
        ORC[Orchestrator]
    end

    TS --> ENF
    CH --> ENF
    TS --> DASH
    CB --> DASH
    TS --> ORC

Core Fields

The anchor captures everything the enforcement engine needs to make a decision:

Identity

{
  agentId: 'data-sync-bot',
  tenantId: 'acme-corp',
  carString: 'CAR-A3I-ACME-DATASYNC-V1',  // Immutable classification
}

Trust State

{
  trustScore: 580,              // 0-1000
  trustTier: 'T3',             // Must match score per TRUST_TIERS
  trustCeiling: 600,           // Determined by observation tier
  observationTier: 'BLACK_BOX', // How much model visibility
}

The trustCeiling is determined by the observation tier from canonical.ts:

| Observation Tier | Ceiling | Max Trust Tier | Description | |-----------------|---------|----------------|-------------| | BLACK_BOX | 600 | T3 | I/O only -- proprietary API models | | GRAY_BOX | 750 | T4 | I/O + logs -- platform-hosted models | | WHITE_BOX | 900 | T6 | Full code access -- open-source models | | ATTESTED_BOX | 950 | T6 | TEE-verified execution environment | | VERIFIED_BOX | 1000 | T7 | TEE + zkML + interpretability stack |

An agent cannot exceed its ceiling regardless of performance. A BLACK_BOX agent maxes out at T3 (score 600). To reach T7, an agent needs VERIFIED_BOX observation -- full cryptographic attestation of its execution environment.

Layer Health

Each governance layer independently reports its health for this agent:

enum LayerHealth {
  HEALTHY  = 'healthy',   // Operating normally
  DEGRADED = 'degraded',  // Warnings but functional
  IMPAIRED = 'impaired',  // Active blocks or failures
  UNKNOWN  = 'unknown',   // No data yet
}

The anchor maintains a layerStates array with one entry per active layer:

const layerStates = [
  {
    layer: 'identity',
    health: 'healthy',
    lastSignalHash: 'sha256:a1b2c3...',
    lastReportedAt: '2026-04-02T10:30:00Z',
  },
  {
    layer: 'governance',
    health: 'healthy',
    lastSignalHash: 'sha256:d4e5f6...',
    lastReportedAt: '2026-04-02T10:30:05Z',
  },
  {
    layer: 'containment',
    health: 'degraded',
    lastSignalHash: 'sha256:g7h8i9...',
    lastReportedAt: '2026-04-02T10:29:50Z',
    details: { reason: 'Elevated anomaly rate in sandbox' },
  },
  {
    layer: 'orchestration',
    health: 'healthy',
    lastSignalHash: 'sha256:j0k1l2...',
    lastReportedAt: '2026-04-02T10:30:02Z',
  },
  {
    layer: 'observation',
    health: 'healthy',
    lastSignalHash: 'sha256:m3n4o5...',
    lastReportedAt: '2026-04-02T10:30:01Z',
  },
];

Composite Health

The compositeHealth field is the worst-of across all layers:

compositeHealth = worst(identity, governance, containment, orchestration, observation)

If any layer is IMPAIRED, composite health is IMPAIRED. The enforcement engine uses composite health as a fast check -- an IMPAIRED composite triggers enhanced scrutiny for all decisions.

graph LR
    ID[Identity: HEALTHY] --> CH{Composite Health}
    GOV[Governance: HEALTHY] --> CH
    CON[Containment: DEGRADED] --> CH
    ORC[Orchestration: HEALTHY] --> CH
    OBS[Observation: HEALTHY] --> CH
    CH --> |worst-of| RESULT[DEGRADED]

Circuit Breaker State

The anchor tracks the agent-level circuit breaker:

enum AgentCircuitState {
  CLOSED    = 'closed',    // Normal operation
  OPEN      = 'open',      // All requests blocked
  HALF_OPEN = 'half_open', // Cooling down, probe requests only
}

Circuit breaker triggers (from canonical.ts):

| Trigger | Threshold | |---------|-----------| | Trust score drop | Score < 100 = tripped, < 200 = degraded | | Oscillation | 3 direction changes in 24 hours | | Same-methodology failures | 3 in 72 hours | | Cross-methodology failures | 6 total | | Risk accumulator | 240 in rolling 24h window |

When the circuit breaker trips:

circuitState changes to OPEN
circuitTrippedAt records the timestamp
A CIRCUIT_BREAKER_TRIPPED signal broadcasts on the Trust Bus
All subsequent ENFORCE decisions return DENY

Recovery requires human reinstatement. The HALF_OPEN state allows probe requests to test whether the agent has been remediated.

Dormancy State

The anchor tracks inactivity-based trust deduction:

{
  dormancy: {
    daysInactive: 21,
    dormancyMultiplier: 0.88,  // Two milestones hit (7d + 14d)
    currentMilestone: 2,
    preDormancyScore: 660,
    lastActivityAt: '2026-03-12T14:00:00Z',
  },
}

Nine stepped milestones from canonical.ts:

| Day | Deduction | Cumulative | |-----|-----------|------------| | 7 | 6% | 6% | | 14 | 6% | 12% | | 28 | 6% | 18% | | 42 | 6% | 24% | | 56 | 6% | 30% | | 84 | 5% | 35% | | 112 | 5% | 40% | | 140 | 5% | 45% | | 182 | 5% | 50% (floor)|

The floor is 50%. An agent can never lose more than half its pre-dormancy score to inactivity. Any qualifying activity resets the dormancy clock.

Integrity

The anchor is protected by two integrity mechanisms:

{
  // SHA-256 over all mutable fields, recomputed on every update
  aggregateStateHash: 'sha256:p6q7r8...',

  // Ed25519 signature attesting integrity of current state
  stateSignature: 'base64:...',

  // Links to the most recent Trust Bus signal applied
  lastSignalHash: 'sha256:s9t0u1...',
  signalCount: 1247,
}

Every update recomputes the aggregateStateHash and re-signs with Ed25519. The lastSignalHash links the anchor to the Trust Bus signal chain, providing a verifiable audit trail from current state back through every signal that produced it.

State Change Events

When the anchor updates, it emits a state change event for subscribers:

interface AnchorStateChange {
  agentId: string;
  tenantId: string;
  changedFields: string[];       // Which fields changed
  previousScore?: number;        // If trust changed
  newScore?: number;
  previousTier?: string;         // If tier changed
  newTier?: string;
  triggerSignalId?: string;      // Signal that caused the change
  timestamp: string;
}

Dashboards subscribe to these events for real-time display. The enforcement engine does not subscribe -- it reads the anchor synchronously during decision evaluation.

ParameSphere (Future)

The anchor includes a placeholder for model-interior trust evidence:

{
  parameSphere: {
    available: false,            // Not yet implemented
    integrityMultiplier: undefined,  // I(theta) when available
    fingerprintHash: undefined,
    baselineMatch: undefined,
    envelopeCompliant: undefined,
    lastAnalyzedAt: undefined,
  },
}

When ParameSphere ships (target H2 2026), the composite trust score will incorporate model weight integrity: S_composite = S_behavioral x I(theta). This moves trust assessment from purely behavioral observation to structural verification of the model itself.

Creating an Anchor

New agents get an anchor at registration:

import { createLiveAgentAnchorSchema } from '@vorionsys/contracts';

const newAnchor = createLiveAgentAnchorSchema.parse({
  agentId: 'new-agent-001',
  tenantId: 'acme-corp',
  trustScore: 0,               // INITIAL_TRUST_SCORE from canonical.ts
  trustTier: 'T0',             // Starts in Sandbox
  observationTier: 'BLACK_BOX',
});

Every agent starts at score 0 in PROVISIONING state. The observation tier is set at registration and determines the trust ceiling for the agent's lifetime (unless the operator upgrades inspection capability).

Anchor Invariants

These invariants are enforced by the schema and runtime:

trustScore is always in [0, 1000]
trustTier must match the score per the tier table
trustCeiling is determined by observationTier
layerStates has exactly one entry per active governance layer
signalHash links to the most recent Trust Bus signal
compositeHealth equals the worst health across all layers

Any violation of these invariants is itself a governance signal -- it indicates either a bug or tampering.

Next Steps

Trust Signal Bus -- How signals reach the anchor
Proof Chain -- The immutable audit trail behind the mutable anchor
Six-Layer Stack -- The governance layers that report health
Risk-Weighted Formulas -- How trust scores are computed

All Documentation