Agent Control Protocol (ACP) v1. 17 Agent Control Protocol (ACP) v1. 17 is a formal governance specification for autonomous AI agents operating in institutional environments. ACP defines the admission control layer between agent intent and system state mutation: before any agent action reaches execution, it must pass a cryptographic admission check that validates identity, capability scope, delegation chain, and policy compliance simultaneously. The v1. 17 specification comprises 38 technical documents organized across five conformance levels (L1–L5), a Go reference implementation of 23 packages covering all L1–L4 capabilities, 73 signed conformance test vectors (Ed25519 + SHA-256) plus 65 unsigned RISK-2. 0 vectors, and an OpenAPI 3. 1. 0 specification with 18 HTTP endpoints. v1. 16 introduced ACP-RISK-2. 0, a deterministic integer-arithmetic risk engine extending ACP-RISK-1. 0 with a three-rule anomaly factor (Fₐnom: burst detection, repeated-denial pattern, high-frequency pattern matching) and automatic cooldown enforcement (three DENIED decisions within ten minutes triggers a five-minute block). The engine evaluates requests in under 1. 4 microseconds on commodity hardware (Intel i7-8665U, Go 1. 22) with zero floating-point operations and no external ML inference, yielding provably predictable latency bounds under load. v1. 16 also introduced ACP-SIGN-2. 0, a post-quantum migration specification for hybrid digital signatures combining Ed25519 (current standard) with ML-DSA-65 (NIST FIPS 204, lattice-based), defining a three-phase migration ladder and dual-signature envelope format. v1. 17 introduces external verifiability — the property that ACP's decision behavior can be reproduced and validated by third parties without access to internal implementation details: ACR-1. 0 Sequence Compliance Runner (compliance/runner/): a dual-mode Go runner (library mode + HTTP mode) that validates ACP-RISK-2. 0 implementations against stateful, multi-step test sequences. It implements the full ACP-RISK-2. 0 execution contract: stateless evaluation first, then deterministic state updates (AddRequest → AddPattern → AddDenial → SetCooldown). Five stateful sequence test vectors (compliance/test-vectors/sequence/): SEQ-BENIGN-001, SEQ-BOUNDARY-001, SEQ-PRIVJUMP-001, SEQ-FANOM-RULE3-001, SEQ-COOLDOWN-001. All five pass with CONFORMANT status under strict mode. These vectors test behaviors that require state accumulation across requests and cannot be validated with single-shot runners. TLC-runnable TLA+ formal model (tla/ACP. tla + tla/ACP. cfg): three mechanically checked invariants — Safety (no APPROVED decision above threshold), LedgerAppendOnly (append-only temporal property with entry preservation), and RiskDeterminism (identical capability+resource pairs always produce identical risk scores). Verified with TLC at 2 agents × 4 capabilities × 3 resources, 0 violations. ACP-SIGN-2. 0 HYBRID mode Go implementation (impl/go/pkg/sign2/): SignHybrid () with real Ed25519 signatures and ML-DSA-65 stub (full post-quantum implementation deferred to v1. 18 via cloudflare/circl). The verifiability pipeline forms a three-layer chain: formal model (TLA+) → test data (sequence vectors) → runtime validation (ACR-1. 0 runner). All cryptographic operations use Ed25519 + JCS canonicalization (RFC 8785). The specification is language-agnostic; the reference implementation is provided in Go. Specification and implementation: https: //github. com/chelof100/acp-framework-en Preprint: arXiv: 2603. 18829
Marcelo Fernandez (Tue,) studied this question.