ArchitectureUpdated 2026-04-02

The Six-Layer Governance Stack

Architecture of the six governance layers: INTENT, BASIS, ENFORCE, COGNIGATE, PROOF, and TRUST ENGINE -- what each does and how they communicate.

The Six-Layer Governance Stack

Vorion processes every AI agent action through six governance layers. Each layer has a single responsibility, clear inputs and outputs, and communicates with other layers through the Trust Signal Bus.

This page explains what each layer does, where it runs, and how the layers compose into a complete governance pipeline.

Layer Overview

graph TD
    A[INTENT Layer] --> B[BASIS Layer]
    B --> C[ENFORCE Layer]
    C --> D[COGNIGATE Layer]
    D --> E[PROOF Layer]
    E --> F[TRUST ENGINE]
    F -.->|Trust Bus Signal| A
    F -.->|Trust Bus Signal| B
    F -.->|Trust Bus Signal| C
    F -.->|Trust Bus Signal| D
    F -.->|Trust Bus Signal| E

| Layer | Responsibility | Input | Output | |-------|---------------|-------|--------| | INTENT | Parse and classify agent actions | Raw goal / action request | Structured intent with risk level | | BASIS | Schema validation and compliance | Structured intent | Validated intent or rejection | | ENFORCE | Trust-based access control | Validated intent + trust posture | ALLOW / DENY / ESCALATE / DEGRADE | | COGNIGATE | Sandboxed execution | Allowed intent | Action result or failure | | PROOF | Immutable audit trail | Decision + outcome | Hash-chained, signed proof record | | TRUST ENGINE | Score and tier management | Proof events, canary results | Updated trust score + Bus signals |

Layer 1: INTENT

Purpose: Convert an agent's goal into a governance-evaluable structure.

The INTENT layer is the entry point. It takes a natural-language or structured action request and produces a parsed intent with:

Parsed action -- What the agent wants to do (read_database, send_email, write_external_api)
Risk level -- One of six levels from canonical.ts: READ (1), LOW (3), MEDIUM (5), HIGH (10), CRITICAL (15), LIFE_CRITICAL (30)
Required capabilities -- What permissions the agent needs
Confidence -- How certain the parser is about its classification

import { createIntentService } from '@vorionsys/atsf-core';

const intentService = createIntentService();
const intent = await intentService.submit({
  entityId: 'agent-001',
  goal: 'Read customer data from the sales database',
  context: { database: 'sales_db', table: 'customers' },
});
// intent.riskLevel === 'READ'
// intent.parsedAction === 'read_database'

Fail mode: If intent parsing fails, the action is blocked. An unparseable intent never reaches enforcement.

Layer 2: BASIS

Purpose: Validate the intent against the BASIS schema and compliance rules.

BASIS is the Baseline Authority for Safe and Interoperable Systems. At this layer, the system checks:

Agent has a valid CAR (Categorical Agentic Registry) record
Intent structure matches the expected schema
Risk classification is consistent with the action type
Required context fields are present
Agent lifecycle state allows operation (ACTIVE or AUDITED)

// Agent lifecycle states from canonical.ts
const AGENT_LIFECYCLE_STATES = {
  PROVISIONING: { canOperate: false, canGain: false, canLose: false },
  ACTIVE:       { canOperate: true,  canGain: true,  canLose: true },
  AUDITED:      { canOperate: true,  canGain: true,  canLose: true },
  DEGRADED:     { canOperate: true,  canGain: false, canLose: true },
  SUSPENDED:    { canOperate: false, canGain: false, canLose: true },
  TRIPPED:      { canOperate: false, canGain: false, canLose: false },
  RETIRED:      { canOperate: false, canGain: false, canLose: false },
  VANQUISHED:   { canOperate: false, canGain: false, canLose: false },
};

Only agents in ACTIVE or AUDITED state can operate. DEGRADED agents can operate but cannot gain trust. All other states block operations entirely.

Fail mode: Schema violations produce a structured rejection with error codes. No trust impact -- the action was never attempted.

Layer 3: ENFORCE

Purpose: Make the governance decision based on trust posture and policy.

ENFORCE is where the real governance happens. It reads the agent's Live Agent Anchor (real-time trust posture) and evaluates:

Trust threshold -- Does the agent's score meet the minimum for this risk level?
Capability check -- Does the agent have the required permissions?
Cooldown check -- Is the agent in a cooldown period for this risk level?
Risk accumulator -- Has the agent accumulated too much risk in 24 hours?
Circuit breaker -- Is the agent's circuit breaker tripped or degraded?
Observation ceiling -- Is the agent approaching its observation tier ceiling?
Operator policy -- Do any operator-defined rules override the default behavior?

Trust thresholds by risk level (from canonical.ts):

| Risk Level | Multiplier | Minimum Trust | Cooldown | |---------------|------------|---------------|----------| | READ | 1 | 0 | 0h | | LOW | 3 | 200 | 0h | | MEDIUM | 5 | 400 | 6h | | HIGH | 10 | 600 | 12h | | CRITICAL | 15 | 800 | 24h | | LIFE_CRITICAL | 30 | 951 | Human reinstatement |

Decisions:

ALLOW -- All checks pass. Proceed.
DENY -- Hard stop. Insufficient trust or policy violation.
ESCALATE -- Needs human approval. Action queued.
DEGRADE -- Partial access. Some capabilities granted.

Layer 4: COGNIGATE

Purpose: Execute the approved action within a governed sandbox.

Cognigate is the execution runtime. When ENFORCE returns ALLOW, Cognigate runs the action with:

Timeout enforcement -- Actions must complete within SLA
Resource limits -- Bounded CPU, memory, network
Output validation -- Results are checked for anomalies
Behavioral monitoring -- Execution pattern compared against baseline

For higher observation tiers (WHITE_BOX, ATTESTED_BOX), Cognigate can also monitor model internals during execution through the Phantom Runtime isolation layer.

Cognigate runs as a centralized service providing cross-agent governance, intent parsing, policy enforcement, and the proof chain. The local ATSF engine handles edge and offline deployments.

Layer 5: PROOF

Purpose: Create an immutable, tamper-evident record of every decision.

Every governance decision -- ALLOW, DENY, ESCALATE, or DEGRADE -- produces a proof record. Proofs form a hash-chained audit trail:

SHA-256 hash chain -- Each proof references the previous proof's hash
SHA3-256 integrity anchor -- Dual-hash for defense in depth
Ed25519 signature -- Cryptographic non-repudiation
Deterministic serialization -- Sorted keys ensure consistent hashing

import { createProofService } from '@vorionsys/atsf-core';

const proofService = createProofService();
const proof = await proofService.create({
  intent,
  decision: 'ALLOW',
  outcome: 'SUCCESS',
  inputs: {},
  outputs: { recordsUpdated: 42 },
});

// Verify chain integrity at any time
const verification = await proofService.verify(proof.id);
// verification.valid === true

Proofs are the system's memory. They can never be modified -- only appended to.

Layer 6: TRUST ENGINE

Purpose: Compute trust scores, manage tiers, and emit Trust Bus signals.

The Trust Engine processes proof events and canary probe results to maintain each agent's trust score on a 0-1000 scale across 8 tiers (T0-T7).

Core formulas (from canonical.ts):

Gain (on success):

gain = 0.05 x ln(1 + C - S) x cube_root(R)

Loss (on failure):

loss = -P(T) x R x 0.05 x ln(1 + C/2)

Where P(T) = 3 + T (penalty ratio: 3x at T0, 10x at T7).

The Trust Engine also manages:

16 trust factors across 5 groups (Foundation, Security, Agency, Maturity, Evolution)
Canary probes -- 9 categories mapped to 7 trust factors
Dormancy deduction -- 9 stepped milestones, 50% floor
Circuit breaker -- Tripped at score < 100, degraded at < 200
Hysteresis -- Graduated [25, 25, 20, 20, 15, 10, 10, 10] per tier

On every trust update, the engine emits a Trust Bus signal that propagates to all other governance layers.

How Layers Communicate

Layers communicate through two mechanisms:

1. Pipeline (synchronous)

The six layers execute in sequence for each action: INTENT -> BASIS -> ENFORCE -> COGNIGATE -> PROOF -> TRUST ENGINE. Each layer passes its output to the next.

2. Trust Signal Bus (asynchronous)

The Trust Bus carries governance signals between layers outside the action pipeline. When the Trust Engine updates a score, when a canary probe fires, or when a circuit breaker trips, the signal propagates to all subscribed layers.

// Five governance layers on the Trust Bus
enum GovernanceLayer {
  IDENTITY      = 'identity',      // CAR Registry, Paramesphere
  GOVERNANCE    = 'governance',    // CogniGate, Policy Engine
  CONTAINMENT   = 'containment',   // Phantom Runtime
  ORCHESTRATION = 'orchestration', // A3I Orchestrator, Council
  OBSERVATION   = 'observation',   // Observer, dashboards
}

The Bus has four priority levels: CRITICAL (<20ms), HIGH (<50ms), NORMAL (<50ms), and LOW (best-effort). Circuit breaker signals always travel at CRITICAL priority.

Layer Independence

Each layer is independently deployable and testable:

| Layer | Package / Service | Can Run Locally | |--------------|-------------------------------|-----------------| | INTENT | @vorionsys/atsf-core | Yes | | BASIS | @vorionsys/basis | Yes | | ENFORCE | @vorionsys/atsf-core | Yes | | COGNIGATE | Cognigate cloud service | Via SDK | | PROOF | @vorionsys/proof-plane | Yes | | TRUST ENGINE | @vorionsys/atsf-core | Yes |

The local packages (atsf-core, basis, proof-plane) enable edge deployment without cloud connectivity. Cognigate provides centralized coordination for multi-agent and cross-tenant governance.

Security Pipeline Within Layers

Within each layer, security checks run through a typed pipeline (L0-L46) with six tiers:

| Tier | Layers | Purpose | |---------------------|---------|-----------------------------------| | Input Validation | L0-L5 | Input sanitization | | Intent Analysis | L6-L15 | Intent parsing and risk assessment| | Trust Evaluation | L16-L25 | Trust scoring and capability checks| | Policy Enforcement | L26-L35 | Rule evaluation and decision | | Output Validation | L36-L42 | Response sanitization | | Audit Compliance | L43-L46 | Proof generation and compliance |

Each security layer has explicit fail modes: block, degrade, escalate, warn, or log_only. Required layers cannot be skipped.

Next Steps

Intent to Proof Flow -- Trace a single action through all six layers
Trust Signal Bus -- Cross-layer signal propagation
Live Agent Anchor -- Real-time trust posture aggregation
Governance Pipeline -- The CAR > INTENT > ENFORCE > PROOF pipeline

All Documentation