Skip to content

Mission-log completeness under agent–PS partition: a gap §14.16 and §12.7.4.1 don't close #49

Description

@ZeeshanKhanSA

v08's §14.16 (non-repudiation after key rotation) and §12.7.4.1 (freshness and replay) close the request-level cases well: archive-at-verification preserves "key K signed request R at time T," and the created-window replay cache rejects duplicate request tuples. Both operate on the signed HTTP request at the resource/verifier. I want to surface a residual case they don't reach, at the mission-governance layer, when the agent is partitioned from its PS — a long-running, intermittent, or workload/self-hosted (§16.9) agent acting across a network gap.

The setup: §7.5.2 keeps audit fire-and-forget ("the agent SHOULD NOT block on the response"), and approved_tools (§7.4, §8.2) let the agent act locally without reaching the PS per action. §8.3 keeps the asymmetry — the mission description is s256-immutable, but the mission log is a PS-maintained ordered record with no expected-sequence integrity of its own. Two cases follow:

  1. Suppression / tail-truncation. A partitioned agent performs approved_tools actions and never emits the corresponding audit records. §14.16's archive-at-verification doesn't help here: the agent made no request to any verifier while disconnected, so there's nothing to archive. The PS can't distinguish "agent did nothing during the gap" from "agent acted and didn't report it," because the log has no issued sequence the agent must account for. (This is the tail-truncation @jagmarques flagged in Non-repudiation and key rotation: audit trail considerations? #3 — an external witness catches mid-log edits but not a silently short tail.)
  2. Stale-mission replay. Distinct from §12.7.4.1's request replay. The agent re-presents an earlier validly-signed mission state as current after the surrounding context moved on — e.g. the mission was revoked per §8.5/§12.6 during the partition. s256 still verifies (the mission is immutable by design), and §12.7.4.1's cache is scoped to the created window (default 60s) and to duplicate request tuples, so neither signals that the mission state is stale at the multi-hour timescale of a partition.

The distinction I'd want explicit: §14.16 gives durable evidence of requests that were made and verified; §12.7.4.1 bounds replay of a single signed request within its window. Neither makes a gap in what the agent should have logged, or a replayed-stale mission state, detectable after reconnection. Closing those needs something at the agent↔PS contract level — a per-mission monotonic counter or pre-issued jti/nonce range the PS issues and the agent must consume in order, so a missing index is detectable rather than invisible. That's wire surface (what the PS hands the agent), not PS storage internals — which is why I think it's protocol-shaped rather than the kind of PS-implementation detail that closed PR #10.

So, concretely: (a) Is offline/deferred governance in scope — may an agent perform approved_tools actions while it can't reach the PS, or is the model strictly online? (b) If deferred governance is in scope, does the expected-sequence contract belong in the §8.5 companion spec for mission state transitions, or is mission-log completeness considered out of protocol scope entirely (as PR #10's chaining was)? Genuinely unsure where the line sits, which is why I'm asking. Happy to write the partition cases up as concrete sequences.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions