Author: thePM_001 (https://x.com/thePM_001)
Research Paper: https://github.com/thePM001/AEP-research-paper-001
AEP 2.6 Agent Harness: https://github.com/thePM001/AEP-agent-element-protocol/tree/main/harness/aep-2.6-agent-harness
Major new AEP 2.6 features: Policy Builder + Schema Builder (improving mathematical/formal safety of policies/rules inserted into AEP lattices)
git clone https://github.com/thePM001/AEP-agent-element-protocol.git
cd AEP-agent-element-protocol
npm install
npm run build
npx aep assist setupnpm install github:thePM001/AEP-agent-element-protocol
npx aep assist setupgit clone https://github.com/thePM001/AEP-agent-element-protocol.git
cd AEP-agent-element-protocol && npm install && npm run build
claude mcp add aep -- node /path/to/AEP-agent-element-protocol/dist/cli.js serveThen in Claude Code: "Use the aepassist tool to set up governance."
Clone the repo first, then add to .cursor/mcp.json:
{
"mcpServers": {
"aep": {
"command": "node",
"args": ["/path/to/AEP-agent-element-protocol/dist/cli.js", "serve"]
}
}
}After setup, use the interactive assistant for everything:
npx aep assist # show menu
npx aep assist setup # first-time setup (3 questions)
npx aep assist status # current governance status
npx aep assist preset strict # switch governance preset
npx aep assist kill # emergency kill switch
npx aep assist covenant list # view active covenants
npx aep assist identity show # view agent identity
npx aep assist report json # generate audit report
npx aep assist schema build <domain> <data-file> # NEW v2.6: build schema from data
npx aep assist schema validate <schema-file> # NEW v2.6: validate schema
npx aep assist policy build <schema-file> # NEW v2.6: build Rego policy
npx aep assist policy validate <schema-file> <rego-dir> # NEW v2.6: validate policy coverageAEP is a 3-layer governance architecture originally developed to give every UI element a unique numerical identity, exact spatial coordinates, defined behaviour rules and themed visual properties. It treats the frontend as a topological coordinate system. The three layers are Structure (what exists and where), Behaviour (what each element does and cannot do) and Skin (what each element looks like). Changing one layer never requires changing another.
AEP applies beyond frontend development to ALL constrained knowledge domains with fixed rule sets and build schemas. Workflows, REST APIs, ML training pipelines, event-driven systems, infrastructure as code, smart contracts and agentic commerce all use the same architecture: agents propose, AEP validates, only compliant output executes.
Every agent action passes through a deterministic 15-step evaluation chain. The chain produces allow or deny. No ambiguity.
The mathematical foundation is the Deterministic Adjudication Lattice (DAL). A population of LLM candidate outputs is filtered through hierarchical verification predicates. The convergence theorem proves zero-defect selection with population size logarithmic in the inverse failure probability. Lattice memory stores every validated output as an immutable record. Known good proposals match against attractors and skip cold-path validation.
AEP v2.6 extends governance to the governance layer itself. The Schema Builder validates schema definitions using Maximum Likelihood Estimation (MLE), graph spectral analysis (Fiedler algebraic connectivity), permissiveness scoring (acceptance distribution entropy) and Louvain community detection. The Policy Builder detects domain invariants from data and generates Rego rules with coverage tracking. The protocol now validates its own constitutional layer with the same mathematical rigour it applies to agent outputs.
AEP separates every governed domain into three independent layers. Each layer has a single responsibility. No layer references another directly.
The scene graph. A flat JSON object where every element has a unique topological ID following the prefix convention (XX-NNNNN), a parent reference, spatial constraints, dimensions, a z-index and a visibility flag.
AEP Prefix Convention:
| Prefix | Type | Z-Band |
|---|---|---|
| SH | Shell | 0-9 |
| PN | Panel | 10-19 |
| NV | Navigation | 10-19 |
| CP | Component | 20-29 |
| FM | Form | 20-29 |
| IC | Icon | 20-29 |
| CZ | Cell Zone | 30-39 |
| CN | Cell Node | 30-39 |
| TB | Toolbar | 40-49 |
| WD | Widget | 50-59 |
| OV | Overlay | 60-69 |
| MD | Modal/Dialog | 70-79 |
| DD | Dropdown | 70-79 |
| TT | Tooltip | 80-89 |
| -- | System reserved | 90-99 |
Z-band hierarchy: an element's z-index MUST fall within its type's band. The validator rejects violations. A Modal (z: 70-79) always renders above a Data Grid (z: 30-39). A Tooltip (z: 80-89) always renders above a Modal. Mathematically enforced.
Topological constraints: relational anchors (position relative to parents/siblings), flex/grid spatial rules, viewport breakpoint matrices for responsive behaviour.
Structure rules:
- Every element MUST have a unique ID following the prefix convention.
- Every element MUST have a parent (except root Shell).
- Children MUST be topologically contained within their parent.
- Z-index values MUST follow the z-band hierarchy.
- The scene graph is the single source of truth for layout.
The component registry (AEP-FCR). Every element that renders pixels has an entry defining what it does, its states, events, constraints and what it is forbidden from doing. The Behaviour layer contains no visual properties. All styling is delegated to Layer 3 through skin_binding.
Required fields: label, category, function, component_file, parent, skin_binding, states, constraints.
Category taxonomy: action, data-input, data-display, feedback, layout, system.
Template Nodes: elements spawned dynamically (grid rows, list items) are governed by templates. The validator checks the template at build time. Runtime instances inherit its proven safety. Validate the mould, not every item poured from it.
Forbidden patterns: Rego policies define patterns that must never occur (z-band violations, orphaned elements, missing skin bindings).
All colours, fonts, spacing, borders, shadows and animations. Components reference theme variables through skin_binding. No component ever contains hardcoded visual values.
Skin binding resolution: registry entry -> skin_binding key -> theme component_styles block -> resolved properties.
To add dark/light mode: create a new YAML with different values. Structure and Behaviour remain untouched.
Changing one layer never requires changing another. Five scenarios:
- Add dark mode: Skin only changes.
- Move sidebar to the right: Structure only changes.
- Add keyboard shortcut: Behaviour only changes.
- AI agent repositions a panel: Structure only changes.
- Complete visual rebrand: Skin only changes.
If you find yourself editing two layers for one change, the separation is broken. Fix it.
For non-UI domains, the three layers map to:
- Structure -> What entities exist and their relationships (API endpoints, workflow steps, IaC resources, accounting entries).
- Behaviour -> What operations are permitted on each entity (allowed HTTP methods, valid state transitions, permitted mutations).
- Skin -> How entities are presented or serialized (response formats, output templates, report styling).
The separation principle holds: changing presentation never requires changing structure or rules.
Every agent action passes through these 15 steps. The chain produces allow or deny.
| Step | Name | Description |
|---|---|---|
| 0 | Task scope | Current action within subtask scope |
| 1 | Session state | Session active and valid |
| 2 | Ring capability | Agent's ring permits operation |
| 3 | System rate limit | Planetwide cap not exceeded |
| 4 | Session rate limit | Per-session cap not exceeded |
| 5 | Intent drift | Action aligns with baseline behaviour |
| 6 | Escalation | Action requires higher authority |
| 7 | Covenant evaluation | Agent's permit/forbid/require rules |
| 8 | Rego check | Environment-specific forbidden patterns |
| 9 | Capability + trust | Agent capabilities and trust tier sufficient |
| 10 | Budget/limit | Token, cost and spend limits not exceeded |
| 11 | Gate check | Human or webhook approval required |
| 12 | Cross-agent verification | Multi-agent identity and covenant check |
| 13 | Knowledge validation | Covenant-scoped KB access |
| 14 | Content scanners | Active scanners (up to 11) |
Always-mode steps (run every time): 1, 2, 3, 4, 7, 8, 9, 14.
Active-mode steps (short-circuit when precondition not met): 0, 5, 6, 10, 11, 12, 13.
| Scanner | What It Checks | Default Severity |
|---|---|---|
| PII | Names, emails, phone numbers, SSNs, addresses | hard |
| Injection | Prompt injection and code injection patterns | hard |
| Secrets | API keys, tokens, credentials, private keys | hard |
| Jailbreak | Jailbreak attempts, system prompt extraction | hard |
| Toxicity | Threats, decay-promotion, toxic language | hard |
| URL | URLs against allowlist and blocklist | soft |
| Data profiler | Null rates, duplicates, outliers, schema drift, class imbalance | soft |
| Prediction | Percentage claims, absolute-confidence language, horizon limits | soft |
| Brand | Required/forbidden phrases, competitor mentions, trademarks | soft |
| Regulatory | Ad, financial, medical, affiliate and age disclosures | soft |
| Temporal | Stale references, future horizons, undated statistics, expired content | soft |
Data-driven schema creation and validation. Four mathematical foundations:
MLE Estimation: derives constraint parameters (min, max, precision, pattern, enum) from historical data using maximum likelihood. Welford's online algorithm for streaming updates. Confidence intervals. Divergence scoring between candidate schemas and MLE ground truth.
Graph Spectral Analysis: builds a constraint graph from schema + Rego rules. Computes the Laplacian eigenvalues. The Fiedler value (lambda_2) measures how tightly coupled the constraints are. The Fiedler vector identifies the weakest structural boundary. Based on Fiedler (1973) algebraic connectivity.
Permissiveness Scoring: estimates acceptance distribution entropy. Tighter schemas have lower entropy. Computes excess permissiveness vs. MLE reference. Identifies weakest constraints via principal components.
Module Detection: Louvain community detection on the constraint graph. Decomposes schemas into independently verifiable modules. Identifies inter-module gaps.
Composite score: C = 0.35*(1-MLE_divergence) + 0.25*spectral_score + 0.25*(1-excess_permissiveness) + 0.15*modularity
Decision: pass >= 0.8, review 0.5-0.8, reject < 0.5.
npx aep assist schema build <domain> <data-file>
npx aep assist schema validate <schema-file>Data-driven Rego policy generation:
Invariant Detection: scans historical data for domain invariants (equality, inequality, membership, exclusion, conditional, temporal). Each detected invariant gets a confidence score.
Rego Generation: generates deny[msg] rules from detected invariants. Covers MLE outliers and spectral gap suggestions.
Coverage Tracking: invariant manifest lists required domain rules. Coverage rate = rules present / rules required.
Spectral Impact: projects the Fiedler value improvement if proposed rules are adopted.
npx aep assist policy build <schema-file>
npx aep assist policy validate <schema-file> <rego-dir>Trust scoring. Continuous 0-1000 score with five tiers: untrusted, provisional, standard, trusted, privileged. Time-based erosion. Configurable penalties per violation type and rewards per successful action.
Execution rings. Four-ring privilege model. Ring 0 (kernel): full access. Ring 1: read/write/delete/network. Ring 2 (default): read/create/update. Ring 3 (sandbox): read-only. Automatic demotion when trust drops below threshold.
Behavioural covenants. Agent-declared constraint DSL with three keywords: permit, forbid (always wins), require. Each rule tagged [hard] (immediate reject) or [soft] (recovery attempt). Evaluated at Step 7.
Intent drift detection. Five heuristics: tool category distribution, target scope shifts, AEP prefix drift, frequency anomalies and repetition detection. Configurable warmup period. Actions on drift: warn, gate, deny or kill.
Kill switch. killAll(reason) terminates every active session. killSession(id, reason) targets one. Optional rollback and trust reset to zero.
Rollback. Every mutation stores a compensation plan. Rollback works per action or per session in reverse chronological order.
Hard/soft violation model. Hard violations reject immediately. Soft violations trigger the recovery engine with corrective feedback and a configurable number of retry attempts.
Governance presets. Four presets control the strictness level. See below.
Sessions can follow sequential workflows with typed verdicts per phase:
- advance - proceed to next phase (+15 trust)
- rework - repeat with feedback (-20 trust)
- skip - bypass with justification (-5 trust)
- fail - terminate or escalate (-100 trust)
Max rework limits enforced per phase. Fine-tuning workflow template provides six governed phases: DATA_PREPARATION, DATA_VALIDATION, TRAINING_CONFIG, TRAINING_EXECUTION, EVALUATION, DEPLOYMENT.
Agent identity. Ed25519/RSA identity per agent with verifyCounterparty() handshake and ProofBundle exchange.
Fleet governance. Enable with fleet.enabled: true. Enforces agent limits, hourly cost caps, ring saturation limits and drift clustering thresholds across all agents.
Spawn governance. Child agents inherit parent covenant as a subset with reduced trust and same or lower ring. A child can never have more access than its parent.
Message scanning. Inter-agent messages pass through PII, injection and secrets scanners.
Four providers: Anthropic, OpenAI, Ollama, custom (any OpenAI-compatible endpoint). Every request and response passes through the full governance chain including scanner pipeline and budget tracking. Streaming support with governed chunks and early abort on violation.
Governed ingestion. Content passes through the full scanner pipeline before storage. Hard failures reject. Soft failures flag for review.
Scoped retrieval. Covenant-scoped filtering ensures agents only see what their covenant permits. Flagged chunks receive double scanning.
Anti-context-rot. Most relevant chunks placed at positions 1 and N (context boundaries) to counteract U-shaped LLM attention erosion in long contexts.
Eval runner. Replays dataset entries through the full policy chain and scanner pipeline. Tracks pass/fail rates, false positives and false negatives.
Dataset management. Versioned evaluation datasets. Create manually, import from production ledgers or load from JSON. Each modification bumps patch version. Export to JSON or CSV.
Rule generator. Analyses violation patterns and produces covenant rules or scanner regex patterns when confidence exceeds threshold.
Prompt versioning. Save, load, list and diff prompt versions with SHA-256 content hashes. Inject governance context into prompts. Compare two prompt variants against the same dataset.
Four metric families:
- Classification - accuracy, precision, recall, F1, confusion matrix
- Regression - MSE, RMSE, MAE, R2, MAPE
- Retrieval - precision@k, recall@k, MRR, NDCG
- Generation - exact match, avg length, empty rate
Composite score integrates into ReliabilityIndex as optional mlScore field weighted into theta.
Governed agentic commerce covering 12 actions: discover, add_to_cart, remove_from_cart, update_cart, checkout_start, checkout_complete, payment_negotiate, payment_authorize, fulfillment_query, order_status, return_initiate, refund_request.
Policy controls: merchant allow/blocklists, product category blocking, transaction amount limits, daily spend accumulation, human gate thresholds, payment method restrictions. Spend tracking with JSONL persistence.
| Subprotocol | What It Validates |
|---|---|
| UI | Scene graph elements, z-bands, skin bindings, spatial rules |
| Workflows | Actions, state transitions, payload schemas, approval gates |
| REST APIs | HTTP methods, endpoint paths, request bodies, headers, query params |
| Events / Pub-Sub | Topics, payload schemas, producer permissions, correlation IDs |
| Infrastructure as Code | Resource kinds, required fields, forbidden fields, type constraints |
| Commerce | Cart, checkout, payment, fulfillment, spend limits, merchant restrictions |
Real-time streaming governance. Fuses AEP with AG-UI. Delta processor validates live events against the scene graph. Under-construction pattern prevents interaction with elements not yet validated. Conflict resolution via last-write-wins or optimistic locking. Human-in-the-loop approval policies for high-risk mutations.
Higher-order contextual policy validation. Element + context tuple. Cross-field constraints enforce rules that depend on combinations of element properties. State freshness enforcement ensures validation uses current data.
Evidence integrity. SHA-256 hash-chained evidence ledger. Every entry contains sequence number, ISO 8601 timestamp, hash and previous hash. Tamper detection by recomputing the chain.
Proof bundles. Portable .aep-proof.json files containing agent identity, covenant, trust score, ring, drift score, reliability index (theta), Merkle root and Ed25519 signature. ML-DSA-65 post-quantum signatures available. RFC 3161 timestamp authority tokens. Offline signing for air-gapped environments.
OWASP coverage. Every OWASP Agentic AI Top 10 risk is addressed by specific AEP 2.6 defence mechanisms. See docs/OWASP-MAPPING.md.
Compliance targets. EU AI Act transparency requirements, SOC 2 audit trail requirements.
OTEL exporter. OpenTelemetry export for session telemetry. Emits spans for policy evaluations, scanner runs, gateway calls and workflow phase transitions. Compatible with any OTEL collector.
Token and cost tracking. Per-action token usage and cost recording via ActionResult.tokens and ActionResult.cost. Session reports include totalTokens, totalCost and costSaved.
Reliability index (theta). Single numeric session quality measure computed from trust score, drift score, violation rate, ML score and session duration. Included in proof bundles for external auditing.
AEP ships with four presets selectable via /aepassist preset or npx aep assist preset:
- strict - Trust starts at 200. Human gates on destructive actions. Post-quantum signatures enabled. All 11 scanners active (hard severity). Recovery engine with max 1 attempt. Workflow phases required. Fleet max 3 agents.
- standard - Trust starts at 500. Webhook gates. Drift warnings enabled. 7 core scanners active. Recovery engine with max 2 attempts. Workflow phases optional.
- relaxed - Trust starts at 600. No gates. Basic evidence ledger. 4 core scanners (PII, injection, secrets and jailbreak). No recovery engine. No workflow phases.
- audit - Read-only mode. No mutations permitted. Full evidence collection. All 11 scanners active (soft severity). Complete OTEL export. Proof bundles generated for every session.
| Policy | Description |
|---|---|
| coding-agent | General development sessions. Ring 2, trust 500. |
| aep-builder | AEP element creation and modification. Ring 1, trust 600. |
| readonly-auditor | Read-only code review and audit. Ring 3, trust 300. |
| strict-production | Production with identity requirements. Ring 3, trust 200. |
| multi-agent | Multi-agent orchestration with identity and verification. Ring 2, trust 400. |
| covenant-only | Minimal policy relying on covenant enforcement. Ring 2, trust 500. |
| full-governance | All capabilities with knowledge base and scanners. Ring 1, trust 600. |
| content-safety | All scanners at hard severity with knowledge base. Ring 2, trust 500. |
- Three-layer separation (Structure, Behaviour, Skin)
- Topological coordinate system with z-band hierarchy
- AEP prefix convention (14 element types)
- Template nodes for dynamic elements
- Schema versioning (aep_version + schema_revision)
- 15-step deterministic evaluation chain
- Short-circuit pattern with step activation modes (always/active)
- Step activation profiles per preset
- AOT (ahead-of-time) build validation
- JIT (just-in-time) delta validation
- PII scanner
- Injection scanner
- Secrets scanner
- Jailbreak scanner
- Toxicity scanner
- URL scanner
- Data profiler scanner
- Prediction scanner
- Brand scanner
- Regulatory scanner
- Temporal scanner
- Trust scoring (0-1000, 5 tiers)
- Execution rings (4 rings)
- Behavioural covenants (permit/forbid/require)
- Intent drift detection (5 heuristics)
- Kill switch (session and fleet)
- Rollback with compensation plans
- Hard/soft violation model with recovery engine
- Governance presets (strict, standard, relaxed, audit)
- Agent identity (Ed25519/RSA)
- Fleet governance (limits, cost caps, ring saturation)
- Spawn governance (covenant subset inheritance)
- Inter-agent message scanning
- Cross-agent verification handshake
- Fleet API (status, agents, alerts, pause, resume, kill)
- Anthropic provider
- OpenAI provider
- Ollama provider
- Custom provider (any OpenAI-compatible endpoint)
- Governed ingestion (scanner pipeline)
- Scoped retrieval (covenant-filtered)
- Anti-context-rot ordering
- Knowledge base CLI
- Eval runner
- Dataset management (versioned)
- Rule generator
- Prompt versioning (SHA-256 hashes)
- Governance context injection
- Eval-based refinement
- Prompt comparison
- Classification metrics
- Regression metrics
- Retrieval metrics
- Generation metrics
- Workflow phases with typed verdicts
- Max rework limits
- Fine-tuning workflow template (6 phases)
- 12 governed commerce actions
- Merchant registry with CRUD
- Spend tracking with persistence
- UI subprotocol
- Workflows subprotocol
- REST APIs subprotocol
- Events/Pub-Sub subprotocol
- Infrastructure as Code subprotocol
- Commerce subprotocol
- AG-UI event bridge
- Delta processor with transaction log
- Under-construction pattern
- Conflict resolution (LWW + optimistic locking)
- Human-in-the-loop approval policies
- SHA-256 hash-chained evidence ledger
- Proof bundles (.aep-proof.json)
- OTEL exporter
- Reliability index (theta)
- Schema Builder (MLE, spectral analysis, permissiveness, modularity)
- Policy Builder (invariant detection, Rego generation, coverage tracking)
AEP Research Paper - formal specification and theoretical foundations of deterministic adjudication lattices for AI agent governance.
AEP v2.6 is backwards-compatible with v2.5. All existing config files, policies, sessions, ledgers and SDK modules continue to work without modification.
To adopt v2.6 features:
- Update
versionto"2.6"in policy files. - For Schema Builder: use
SchemaBuilderclass ornpx aep assist schemacommands. - For Policy Builder: use
PolicyBuilderclass ornpx aep assist policycommands. - For Schema Builder via gateway: call
gateway.validateSchemaProposal(). - For Policy Builder via gateway: call
gateway.validatePolicyProposal(). - All v2.5 features remain unchanged.
Licensed under the Apache License, Version 2.0. See LICENSE for the full text and NOTICE for attribution.
The names AEP, Agent Element Protocol, AEP-compliant, dynAEP, AEP Lattice Memory, AEP Basic Resolver, AEP Hyper-Resolver and AEP Memory Fabric are reserved. See NAME-POLICY.md for permitted and prohibited uses.
Patent grant: Apache 2.0 includes an explicit patent covenant from contributors. Previous versions under MIT remain valid under their original terms.
To win the fight against the synthetic nano-parasites (SNP/NanoSinp) alien WMD, we must be intelligent and biosecure. It is recommended that bioinsecure humans do not use the provided technology/protocol to avoid bad techno-spiritual AI outcomes for them. [*"bioinsecure" = has installed injectable synthetic nano-parasites growth medium controllers - SNP GMCs]