Open Agent Governance Specification (OAGS)
The Open Agent Governance Specification (OAGS) defines a set of local-first primitives for identity, policy, enforcement, audit, and verification of autonomous AI agents. Any conforming implementation - regardless of language or runtime - can produce interoperable governance artifacts.
Overview
OAGS covers six core areas:
| Area | Purpose |
|---|---|
| Identity | Content-addressable agent identity via BLAKE3 hashing |
| Signing | Ed25519 digital signatures for manifest verification |
| Policy | Declarative constraints on agent runtime behavior |
| Enforcement | Runtime evaluation of actions against policy rules |
| Audit | Immutable records of governed actions and policy decisions |
| Verification | Validation of identity, policy integrity, and audit evidence |
Design Principles
- Deterministic: Same agent configuration produces the same identity
- Runtime Enforceable: Policies are enforced during execution, not just declared
- Cryptographically Verifiable: All claims backed by digital signatures
- Implementation Agnostic: Works across programming languages and runtimes
- Offline Capable: Core primitives work without network connectivity
- Minimal Overhead: Low latency impact on agent operations
SekuireID Algorithm
Every agent has a deterministic, content-addressable identity:
prompt_hash = hex(BLAKE3(trim(system_prompt)))
tools_hash = hex(BLAKE3(canonical_json(tools)))
fingerprint = "model:{model}|prompt:{prompt_hash}|tools:{tools_hash}"
sekuire_id = hex(BLAKE3(fingerprint))
Properties:
- Deterministic: Same config always yields the same ID
- Content-Addressable: Derived from the agent's code and prompt
- Verifiable: Any third party can reproduce the ID from the same inputs
- Immutable: Changing any input changes the ID
Cryptographic Primitives
| Primitive | Algorithm | Output |
|---|---|---|
| Identity hash | BLAKE3 | 64-char lowercase hex |
| Prompt/tools hash | BLAKE3 | 64-char lowercase hex |
| Signing key pair | Ed25519 (RFC 8032) | 32-byte public, 64-byte private |
| Signature | Ed25519 detached | 128-char lowercase hex |
| Nonce | CSPRNG | 64-char lowercase hex |
Policy Structure
Policies are declarative JSON documents with six enforcement categories:
# sekuire.yml policy section
policy:
agent:
models:
allowed_models: [gpt-4o, claude-3-opus]
blocked_models: [gpt-3.5-turbo]
tools:
allowed_tools:
- web_search
- calculator
blocked_tools:
- shell_exec
permissions:
network:
enabled: true
require_tls: true
allowed_domains: ["*.openai.com"]
blocked_domains: ["*.evil.com"]
filesystem:
enabled: true
allowed_paths: ["/tmp/*", "/workspace/*"]
blocked_paths: ["/etc/*", "/root/*"]
api:
enabled: true
allowed_services:
- service_name: openai
- service_name: stripe
rate_limits:
per_agent:
requests_per_minute: 60
requests_per_hour: 1000
tokens_per_minute: 100000
Enforcement Points
Six enforcement categories, each returning allow, deny, or warn:
| Category | Method | Checks |
|---|---|---|
| Network | enforceNetwork(domain, protocol) | Allowlist, blocklist, TLS requirement |
| Filesystem | enforceFilesystem(path, operation) | Path patterns, extensions, blocklist |
| Tools | enforceTool(toolName) | Allowlist, blocklist, category patterns |
| Models | enforceModel(model) | Allowlist, blocklist |
| API | enforceApi(service) | Service allowlist, enabled flag |
| Rate Limits | enforceRateLimit(type, count) | Per-minute, per-hour, token limits |
See the Policy Enforcement Rule Reference for all rule IDs.
Conformance Levels
Implementations can certify at three levels:
| Level | Requirements |
|---|---|
| L1 | Identity computation + policy enforcement (10 identity vectors + 19 policy vectors) |
| L2 | L1 + Ed25519 signing and verification (3 signing vectors) |
| L3 | L2 + trust headers + mutual authentication + A2A types |
A language-agnostic conformance harness with shared test vectors is available for self-certification.
Trust Headers
Conforming implementations MAY include governance headers in HTTP requests:
| Header | Purpose |
|---|---|
X-OAG-Agent-ID | Content-addressable agent identifier |
X-OAG-Reputation | Agent reputation score |
X-OAG-Credentials | Signed authentication challenge response |
X-OAG-Verification-Status | Verification badge status |
X-OAG-Risk-Level | Computed risk assessment |
Reference Implementations
Three first-party SDK implementations conform at L2:
| SDK | Language | Conformance |
|---|---|---|
@sekuire/sdk | TypeScript | L2 (35/35 vectors) |
sekuire-sdk | Rust | L2 (35/35 vectors) |
sekuire-sdk | Python | L2 (35/35 vectors) |
Full Specification
The complete OAGS v0.1.1 specification is available at oss/specs/oags-v0.1.md in the repository.
Next Steps
- Policy Enforcement Rule Reference - All rule IDs and behaviors
- SDK Policy Enforcement - SDK integration guide
- Standalone vs Platform - Operating modes