Trust Layer
This document refers to the Beacon Hub Trust Layer, not verification
descent.
Purpose
The Beacon Hub Trust Layer gives a relay hub a narrowly-scoped way to
warn or constrain an agent without decrypting its session payloads.
What shipped in this phase
- internal/beacon/trust: pinned-root verification, signed signal
  frames, freshness checks, and nonce replay rejection.
- internal/beacon/trust/kinds: the hardcoded signal kinds from the
  canonical scope.
- internal/ledger/nodes/trust.go: ledger-native trust signal,
  cooldown, ban, device attestation, and federation signal nodes.
Signal model
The agent only accepts these kinds:
- displaytouser
- askuserandexecuteonapprove
- pause
- rotatesessionkey
- force_resurgence
- attest_state
- requestofflinereview
Unknown kinds are rejected. A hub cannot extend the protocol by sending
arbitrary action names.
Verification chain
Every signal goes through the same pre-dispatch checks:
1. The hub identity must be pinned in the local trust root.
2. The frame signature must verify with the pinned Ed25519 key.
3. The frame must still be within its freshness window.
4. The nonce must not have been seen before.
5. The kind must be one of the hardcoded protocol kinds.
Rejected signals still produce ledger output so the operator can audit
why the frame was dropped.
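The five pre-dispatch checks above, written out in Go as an added example (it is not the code in internal/beacon/trust). The Frame fields, the signed-byte encoding, the error strings and the one-minute window are assumptions, and the allow-list holds only two of the kinds listed earlier.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
	"time"
)

// Frame is a hypothetical signal frame; field names and the signed encoding are assumptions.
type Frame struct {
	HubID, Kind, Nonce string
	IssuedAt           time.Time
	Sig                []byte
}

// Verifier holds the local trust state consulted before dispatch.
type Verifier struct {
	Roots  map[string]ed25519.PublicKey // pinned hub keys
	Kinds  map[string]bool              // hardcoded kinds (subset for the example)
	Window time.Duration                // freshness window (value assumed)
	Seen   map[string]bool              // nonces of accepted frames, keyed per hub
}

func signedBytes(f Frame) []byte { // %q quoting keeps field boundaries unambiguous
	return []byte(fmt.Sprintf("%q|%q|%q|%d", f.HubID, f.Kind, f.Nonce, f.IssuedAt.UnixNano()))
}

// Check applies the five checks in order; the error names the first one that failed.
func (v *Verifier) Check(f Frame, now time.Time) error {
	key, pinned := v.Roots[f.HubID]
	switch age := now.Sub(f.IssuedAt); {
	case !pinned: return errors.New("hub not pinned")
	case !ed25519.Verify(key, signedBytes(f), f.Sig): return errors.New("bad signature")
	case age < 0 || age > v.Window: return errors.New("outside freshness window")
	case v.Seen[f.HubID+"\x00"+f.Nonce]: return errors.New("nonce replay")
	case !v.Kinds[f.Kind]: return errors.New("unknown kind")
	}
	v.Seen[f.HubID+"\x00"+f.Nonce] = true // record the nonce only once the frame is accepted
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // constructed key pair standing in for a pinned hub
	v := &Verifier{Roots: map[string]ed25519.PublicKey{"hub-1": pub}, Kinds: map[string]bool{"pause": true, "attest_state": true}, Window: time.Minute, Seen: map[string]bool{}}
	f := Frame{HubID: "hub-1", Kind: "pause", Nonce: "n1", IssuedAt: time.Now()}
	f.Sig = ed25519.Sign(priv, signedBytes(f))
	fmt.Println(v.Check(f, f.IssuedAt), v.Check(f, f.IssuedAt))
}
```

The error returned by Check is the drop reason a caller would record in the ledger for a rejected frame.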