Agent Control Protocol: Admission Control for Agent Actions

Agent Control Protocol (ACP) v1. 16 is a formal governance specification for autonomous AI agents operating in institutional environments. ACP defines cryptographically verifiable structures for agent identity, capability declaration, execution logging, policy enforcement, cross-organization coordination, and reputation portability. The v1. 16 specification comprises 38 technical documents organized across five compliance levels (L1–L5), a Go reference implementation of 23 packages covering all L1–L4 capabilities, 73 signed conformance test vectors (Ed25519 + SHA-256) plus 65 unsigned RISK-2. 0 vectors covering all anomaly rules and cooldown paths, and an OpenAPI 3. 1. 0 specification with 18 HTTP endpoints across 10 groups. This release introduces ACP-RISK-2. 0, a deterministic integer-arithmetic risk engine extending ACP-RISK-1. 0 with a three-rule anomaly factor (Fₐnom: burst detection, repeated-denial pattern, high-frequency pattern matching) and automatic cooldown enforcement (three DENIED decisions within ten minutes triggers a five-minute block). The engine evaluates requests in under two microseconds on commodity hardware (Intel i7-8665U, Go 1. 22) with zero floating-point operations and no external ML inference, yielding provably predictable latency bounds under load. An executable payment-agent demonstration (examples/payment-agent/) exercises the full ACP-RISK-2. 0 pipeline end-to-end: POST /admission → deterministic risk evaluation → immutable ledger append → automatic cooldown. This release also introduces ACP-SIGN-2. 0, a post-quantum migration specification for hybrid digital signatures combining Ed25519 (current standard) with ML-DSA-65 (NIST FIPS 204, lattice-based). ACP-SIGN-2. 0 defines a dual-signature envelope format, a three-phase migration ladder (Ed25519-only → hybrid → ML-DSA-65-only), and conformance test vectors for both signature schemes. A formal verification sketch (TLA+ module AdmissionControl) captures the three core safety invariants of ACP-RISK-2. 0: Safety (no APPROVED decision above threshold), LedgerAppendOnly (hash-chain integrity), and RiskDeterminism (identical inputs produce identical risk scores). All cryptographic operations use Ed25519 + JCS canonicalization. The specification is language-agnostic; the reference implementation is provided in Go. Preprint: arXiv: 2603. 18829