Agent Control Protocol: Admission Control for Agent Actions

from arxiv, v1.19: adversarial evaluation (cooldown evasion, distributed multi-agent, state-backend stress; compliance/adversarial/). v1.18: performance benchmarks, security/threat model, comparison table. v1.17: TLA+ (3 invariants, 0 violations), ACR-1.0 runner, 5 sequence vectors, ACP-SIGN-2.0 stub. v1=v1.13, v2=v1.14, v3=v1.15, v4=v1.17, v5=v1.19

Agent Control Protocol (ACP) is a formal technical specification for admission control governance of autonomous agents in B2B institutional environments. Before any agent action reaches execution, it passes a cryptographic admission check validating identity, capability scope, delegation chain, and policy compliance -- an admission control layer between agent intent and system state mutation. ACP defines cryptographic identity (Ed25519, JCS), capability-based authorization, deterministic risk evaluation (integer arithmetic, no ML inference), chained delegation, transitive revocation, and cryptographically-chained auditing. It operates on top of RBAC and Zero Trust, addressing what neither model solves: governing agent actions with deterministic enforcement, temporal limits, and full traceability across organizational boundaries. The protocol is compute-cheap but state-sensitive: decision evaluation costs ~820 ns while throughput reaches 920k req/s -- a separation enabling state backend replacement without modifying protocol semantics. Adversarial evaluation confirms ACP-RISK-2.0 enforcement holds under active evasion: 99% (495/500) single-agent evasion attempts are blocked after only five requests, per-agent isolation is preserved across 100 coordinated agents, and throughput degradation under stress is attributable to state-backend latency. The v1.19 specification comprises 38 technical documents, a Go reference implementation (23 packages), 73 signed conformance test vectors, 65 RISK-2.0 vectors, an OpenAPI 3.1.0 specification (18 endpoints), a TLC-checked TLA+ formal model (3 invariants, 0 violations), an ACR-1.0 sequence compliance runner, and adversarial evaluation scripts in compliance/adversarial/.

翻译：智能体控制协议（ACP）是在B2B机构环境中对自主智能体实施准入控制治理的形式化技术规范。在任意智能体行为执行前，需通过加密准入检查以验证身份标识、能力范围、委托链及策略合规性——这是介于智能体意图与系统状态变更之间的准入控制层。ACP定义了加密身份（Ed25519、JCS）、基于能力的授权机制、确定性风险评估（整数运算，无机器学习推理）、链式委托、传递性撤销及加密链审计。该协议基于RBAC与零信任架构运行，解决了二者均未解决的问题：以确定性执行、时间限制及跨组织边界全链路可追溯性治理智能体行为。协议计算成本低但状态敏感：决策评估耗时约820纳秒，吞吐量达每秒920,000次请求——这种分离设计可在不修改协议语义的前提下替换状态后端。对抗性评估证实ACP-RISK-2.0强制执行机制在主动规避行为下仍有效：99%（495/500）的单智能体规避尝试在仅五次请求后即被拦截，100个协同智能体的独立隔离性得以维持，压力下的吞吐量衰减可归因于状态后端延迟。v1.19规范包含38份技术文档、一个Go语言参考实现（23个包）、73个已签名的一致性测试向量、65个RISK-2.0测试向量、一份OpenAPI 3.1.0规范（18个端点）、一个经TLC验证的TLA+形式化模型（3个不变式，0违规）、一个ACR-1.0序列合规运行器，以及位于compliance/adversarial/目录下的对抗性评估脚本。