// VORION ECOSYSTEM vorion.org/ cognigate.dev/ agentanchorai.com/ aurais.net basis 0.9 · ratified 2026.03.18
A position document · ratified 2026.03.18

BASIS.

Baseline Authority for Safe & Interoperable Systems · v 0.9

EDITORSThe Vorion Consortium CONFORMANCERunnable suite PROOFSigned chain LICENSEApache-2.0 STATUS● PRODUCTION NEXT1.0 RFC freeze · 2026.10
// ARTICLE 0

Preamble.

For two years the industry shipped autonomy and skipped accountability. The drawer is full. The drawer is on fire. This is the standard we use to put out the fire.

BASIS defines the bare minimum that an agent runtime, a certification authority, and an operating console must observe so that any third party can verify the trustworthiness of an agent action without trusting the vendor. It is short on purpose. Everything else is implementation.

BASIS makes four guarantees, in this order:

  1. Declared scope. Every agent ships with a signed manifest of what it can do. No undeclared capability is callable. Period.
  2. Authorized action. Every tool call is gated by a decision point that returns ALLOW, DENY, or ESCALATE in writing, with a cryptographic receipt.
  3. Continuous attestation. Reputation is not granted by paperwork; it accrues from clean event history.
  4. Public chain. The history is read-only public. No vendor controls the truth.

Agent identity, scope, and reputation belong to the chain — not to the vendor.

// ARTICLE I

Definitions.

Spec language uses MUST, SHOULD, MAY per RFC 2119. Italicized terms have the meaning given in this article and no other.

§ 1.1 Agent, runtime, gate, attester

Definition 1.1.1
Agent.

A software process which (i) holds a long-lived cryptographic identity, (ii) declares a finite capability set in a signed scope manifest, and (iii) executes tool calls only through a conforming gate. A process that does not satisfy all three predicates is not an agent under this specification.

Definition 1.1.2
Gate.

A decision point situated between an agent and an external tool. The gate accepts a tool-call request, evaluates it against the agent's policy and scope manifest, and emits a signed verdict — one of ALLOW, DENY, ESCALATE — before any side effect is permitted.

Definition 1.1.3
Attester.

An entity which observes an agent's emitted chain entries over a contiguous window of at least Wmin days and issues a signed tier statement binding the agent's public identity to a value T ∈ {0,…,7}. An attester MUST NOT be the same legal entity that operates the agent it attests.

§ 1.2 Wire types

All BASIS messages are encoded as canonical-form CBOR (RFC 8949 § 4.2.1). The minimum object schemas required of a conformant implementation:

# scope manifest (v0.9)
agent_id:   bytes(32)   # ed25519 public key
scope:      array<capability>
signed_by:  ed25519_sig(agent_id, canonical(...))
version:    uint8            # BASIS minor version
expiry:     unixtime         # MUST ≤ now + 365 days

A capability is a tuple (verb, target, predicate). Verbs are drawn from the registered verb namespace (Appendix B). Targets are URIs. Predicates are a small calculus of permitted constraints — see § 2.3.

// ARTICLE II

The five letters.

The acronym BASIS denotes five runtime invariants, ordered. An action that violates any one of them does not exist as far as the chain is concerned.

§ 2.1 B · Behavior

Every action's intent is declared before execution and matched at runtime. A gate receiving a tool call MUST verify that the call's verb and target are present in the agent's current scope manifest. If they are not, the gate MUST emit DENY. No partial matching is permitted. No "close enough" is permitted.

§ 2.2 A · Authority

An agent's tier bounds the verbs it may invoke; the tier-to-verb mapping is normative (Appendix C). A T2 agent attempting a T4-restricted verb MUST be denied even if the verb appears in its declared scope.

TierNameMin. windowIssued by
T0Sandbox(default)
T1Declaredself-attest
T2Observed30dchain
T3Certified90dattester
T4Attested90d + auditattester + external auditor
T5–T7Trusted · Privileged · Autonomous180d + quorumattester + role quorum

§ 2.3 S · Signature

Every chain entry MUST be signed by the emitting agent with its ed25519 long-lived key, AND counter-signed by the gate that authorized the call. The gate's signature certifies (i) the verdict at the time of emission and (ii) the chain head at which the entry is linked.

MUST

Implementations MUST use ed25519 (RFC 8032). No other signature scheme is conformant in v0.9. Schemes for v1.0 are under RFC-0098.

SHOULD

Implementations SHOULD rotate signing keys at intervals not exceeding 30 days, with key rotation itself an emitted chain entry.

MAY

Implementations MAY anchor the rolling chain root to a permissionless DLT (the CHAIN extension) for external verification. This is OPTIONAL and is not used in conformance evaluation.

§ 2.4 I · Integrity

The sequence of chain entries forms a Merkle DAG. Reordering or deletion of any entry SHALL be detectable in O(log n) time by inspection of the root. The current root MUST be published, signed, every 60 seconds at minimum.

§ 2.5 S · Scope

An agent's scope is monotone-decreasing within an attestation window. Capabilities may be removed; they may not be added without re-attestation. A tier upgrade does not, of itself, expand scope.

// ARTICLE III

Receipts & the chain.

A receipt is the unit of evidence. The chain is the ledger. Every conformant deployment writes both, on every call.

§ 3.1 The receipt object

A receipt is a CBOR-encoded object satisfying the schema below. The receipt is the verdict, persisted; it is also the only artifact a third party may inspect to verify a call.

# receipt (v0.9)
id:          bytes(32)        # sha256(canonical(receipt))
agent:       agent_id
call:        tool_call        # verb, target, args (hashed)
verdict:     "ALLOW" | "DENY" | "ESCALATE"
tier:        uint8             # at time of call
cap:         capability_token  # nil if DENY
prev:        receipt_id        # chain link
at:          unixtime_ns
sig_agent:   ed25519_sig
sig_gate:    ed25519_sig

The cap field is a scoped capability token (RFC-0017). It is bearer-only, expires within the latency budget of the call, and grants exactly the permissions of the receipt — no more, no less.

§ 3.2 Chain construction

The chain is an append-only, content-addressed sequence. Each receipt's prev field MUST reference the immediately previous receipt for the emitting agent. Cross-agent linking is performed by the chain root, which is signed by the gate every 60 seconds.

A gate that fails to emit a chain root within the 60-second window SHALL lose conformance for the affected window. The next attester observation period MUST exclude the affected window from its clean-days calculation.

§ 3.3 Read access

The chain MUST be readable by any party, without authentication, with a read latency under 4 seconds from commit. Read-side rate limits, where applied, MUST NOT distinguish between authenticated and unauthenticated callers.

// ARTICLE IV

Conformance.

A conformant implementation passes the public test harness at one of three classes. The harness is open-source and reproducible end-to-end.

ClassTestsImplies
Class 1312 of 472Read-side conformant. May verify but not emit.
Class 2418 of 472Single-tier emit conformant. Suitable for T0–T2.
Class 3472 of 472Full conformance. Required to emit T3+.

The reference implementation is Cognigate. Published, revision-stamped conformance results for the engine are planned as the conformance suite matures; no conformance class is claimed today.

// ARTICLE V

Governance.

BASIS is governed by a consortium of signatories under a public RFC process. No single signatory holds material authority over the specification.

Amendments require: (i) a published RFC with at least 30 days of public comment, (ii) sign-off by two editors, (iii) sign-off by two signatories not affiliated with the editors, and (iv) a clean run of the conformance suite against a reference implementation incorporating the change.

Adopting BASIS in a production deployment requires signing Article V.A — the adoption commitment, which is public, free, and revocable on 90 days notice. Signatories are listed in the public registry.

A standard works because someone signs it.

// SIGNED

This document is itself a chain entry.

Every page of the BASIS specification is signed at the time of publication and entered into the same chain that conformant runtimes write to. You can verify the canonical bytes of the version you are reading right now match the hash below — without trusting Vorion, AgentAnchor, or the rendering of this page.

basis://verify · this hash Inspect canonical bytes Back to vorion.org

// chain entry · this document VERIFIED
id0x9f2a4e21b41c7a8de3c4f5b8e1d2c4b8e1d2c4b8
titleBASIS · the specification
version0.9 · ratified 2026.03.18
editorsm.halford, k.ito, r.cason
block8,422,108
prev0x77a8c0bb1322b5e3a9f01c2bbb4d017722e0c1
at2026-03-18T17:42:08.214Z
sig.agented25519:f7a9d2c104a31eef…b41c
sig.gateed25519:6eb7…3e09
canonicalcbor · 41,272 bytes