Agent Control Protocol (ACP) v1.19 Overview The Agent Control Protocol (ACP) is a formal governance specification for autonomous AI agents operating in multi-tenant, multi-capability environments. ACP defines a deterministic, auditable admission-control framework — grounded in risk scoring, behavioral pattern detection, temporal cooldown enforcement, and cryptographic request signing — that governs what actions an agent may take, when, and under what conditions. This release (v1.19) completes Sprint H: a full adversarial evaluation campaign demonstrating that ACP-RISK-2.0 enforcement holds under active evasion attempts. What ACP provides A structured request lifecycle: every agent action is evaluated before execution, producing a verifiable APPROVED/DENIED decision with full audit trail A multi-dimensional risk model (ACP-RISK-2.0): frequency, burst, anomaly pattern, and temporal cooldown rules evaluated in a single deterministic pass Cryptographic signing (ACP-SIGN-2.0): Ed25519 request authentication with tamper-evident audit logs A replaceable state backend interface (LedgerQuerier/LedgerMutator) supporting InMemoryQuerier for development and RedisQuerier for production-grade deployments Formal verification via TLA+ covering the core admission-control state machine A compliance runner (compliance/runner/) with 5 canonical sequence test vectors (5/5 PASS across all implementations) An adversarial evaluation suite (compliance/adversarial/) with 3 experiments against ACP-RISK-2.0 v1.19 introduces Adversarial Evaluation (ACP-RISK-2.0) — three experiments against real attack patterns: Experiment 1 — Cooldown Evasion: 500 requests from a single agent alternating DENIED→DENIED→APPROVED. Result: 495/500 blocked (99%); cooldown triggered after exactly 3 DENIED; sustained 815k req/s. ACP cooldown is monotonic — approval decisions do not reset CooldownTriggerDenials. Experiment 2 — Distributed Multi-Agent Attack: 100 coordinated agents at low per-agent volume. Result: each agent blocked independently at its own 3-DENIED threshold; 3N free denials for N distinct identities is the correct design boundary for per-agent admission control. Experiment 3 — State Backend Stress: InMemoryQuerier vs RedisQuerier (go-redis/v9) under 500 concurrent agents. Result: ~350k req/s (InMemory) vs ~2.1k req/s (Redis, single-connection no pipelining); 165× gap attributable to network round-trip overhead, not ACP decision logic. Confirms that ACP is compute-cheap but state-sensitive. RedisQuerier implementation — production-grade LedgerQuerier backed by Redis sorted sets (ZAdd/ZCount) with 15-minute TTL; fully substitutable via the LedgerQuerier interface compliance/adversarial/ directory — reproducible Go experiment suite with real benchmark numbers Specification v1.19 defines 62 verifiable behavioral requirements across: ACP-CORE-1.0: Request lifecycle and capability gating ACP-RISK-2.0: Four-rule risk evaluation with cooldown enforcement ACP-SIGN-2.0: Ed25519 cryptographic signing ACP-ACR-1.0: Audit, compliance, and reproducibility ACP-RISK-FORMAL-1.0: TLA+ formal model of the admission-control state machine Implementation Go reference implementation: impl/go/ (module github.com/chelof100/acp-framework/acp-go) OpenAPI 3.1 specification: 18 endpoints Test vectors: 138 total (73 signed + 65 ACP-RISK-2.0 unsigned) Sequence vectors: 5 stateful scenarios (SEQ-BENIGN-001, SEQ-BOUNDARY-001, SEQ-PRIVJUMP-001, SEQ-FANOM-RULE3-001, SEQ-COOLDOWN-001) — 5/5 PASS Repositories English: https://github.com/chelof100/acp-framework-en Spanish: https://github.com/chelof100/acp-framework Web: https://agentcontrolprotocol.xyz Academic preprint arXiv:2603.18829 — companion paper documenting the formal specification, security model, performance evaluation (820 ns/req latency, 9.5× Step-2 short-circuit, 920k req/s baseline throughput), and adversarial evaluation results. Previous versions v1.16 (10.5281/zenodo.19185033): ACP-RISK-2.0 + ACP-SIGN-2.0, 65 unsigned risk test vectors, payment-agent example v1.17 (10.5281/zenodo.19198298): compliance/runner/, 5 stateful sequence vectors, TLA+ formal model, canonical signed vectors v1.18 (10.5281/zenodo.19210824): Security model, performance benchmarks (latency + throughput + state contention), LedgerQuerier abstraction, paper Related Work and Evaluation sections Post-quantum signing (ML-DSA-65 / Dilithium) is deferred to v1.20.
Marcelo Fernandez (Tue,) studied this question.