// ARTICLE 0
Preamble.
For two years the industry shipped autonomy and skipped accountability. The drawer is full. The drawer is on fire. This is the standard we use to put out the fire.
BASIS defines the bare minimum that an agent runtime, a certification authority, and an operating console must observe so that any third party can verify the trustworthiness of an agent action without trusting the vendor. It is short on purpose. Everything else is implementation.
BASIS makes four guarantees, in this order:
- Declared scope. Every agent ships with a signed manifest of what it can do. No undeclared capability is callable. Period.
- Authorized action. Every tool call is gated by a decision point that returns ALLOW, DENY, or ESCALATE in writing, with a cryptographic receipt.
- Continuous attestation. Reputation is not granted by paperwork; it accrues from clean event history.
- Public chain. The history is read-only public. No vendor controls the truth.
Agent identity, scope, and reputation belong to the chain — not to the vendor.
// ARTICLE I
Definitions.
Spec language uses MUST, SHOULD, MAY per RFC 2119. Italicized terms have the meaning given in this article and no other.
§ 1.1 Agent, runtime, gate, attester
Definition 1.1.1 Agent.
A software process which (i) holds a long-lived cryptographic identity, (ii) declares a finite capability set in a signed scope manifest, and (iii) executes tool calls only through a conforming gate. A process that does not satisfy all three predicates is not an agent under this specification.
Definition 1.1.2 Gate.
A decision point situated between an agent and an external tool. The gate accepts a tool-call request, evaluates it against the agent's policy and scope manifest, and emits a signed verdict — one of ALLOW, DENY, ESCALATE — before any side effect is permitted.
Definition 1.1.3 Attester.
An entity which observes an agent's emitted chain entries over a contiguous window of at least Wmin days and issues a signed tier statement binding the agent's public identity to a value T ∈ {0,…,7}. An attester MUST NOT be the same legal entity that operates the agent it attests.
§ 1.2 Wire types
All BASIS messages are encoded as canonical-form CBOR (RFC 8949 § 4.2.1). The minimum object schemas required of a conformant implementation:
# scope manifest (v0.9)
agent_id: bytes(32) # ed25519 public key
scope: array<capability>
signed_by: ed25519_sig(agent_id, canonical(...))
version: uint8 # BASIS minor version
expiry: unixtime # MUST ≤ now + 365 days
A capability is a tuple (verb, target, predicate). Verbs are drawn from the registered verb namespace (Appendix B). Targets are URIs. Predicates are a small calculus of permitted constraints — see § 2.3.
// ARTICLE II
The five letters.
The acronym BASIS denotes five runtime invariants, ordered. An action that violates any one of them does not exist as far as the chain is concerned.
§ 2.1 B · Behavior
Every action's intent is declared before execution and matched at runtime. A gate receiving a tool call MUST verify that the call's verb and target are present in the agent's current scope manifest. If they are not, the gate MUST emit DENY. No partial matching is permitted. No "close enough" is permitted.
§ 2.2 A · Authority
An agent's tier bounds the verbs it may invoke; the tier-to-verb mapping is normative (Appendix C). A T2 agent attempting a T4-restricted verb MUST be denied even if the verb appears in its declared scope.
| Tier | Name | Min. window | Issued by |
| T0 | Sandbox | — | (default) |
| T1 | Declared | — | self-attest |
| T2 | Observed | 30d | chain |
| T3 | Certified | 90d | attester |
| T4 | Attested | 90d + audit | attester + external auditor |
| T5–T7 | Trusted · Privileged · Autonomous | 180d + quorum | attester + role quorum |
§ 2.3 S · Signature
Every chain entry MUST be signed by the emitting agent with its ed25519 long-lived key, AND counter-signed by the gate that authorized the call. The gate's signature certifies (i) the verdict at the time of emission and (ii) the chain head at which the entry is linked.
MUST Implementations MUST use ed25519 (RFC 8032). No other signature scheme is conformant in v0.9. Schemes for v1.0 are under RFC-0098.
SHOULD Implementations SHOULD rotate signing keys at intervals not exceeding 30 days, with key rotation itself an emitted chain entry.
MAY Implementations MAY anchor the rolling chain root to a permissionless DLT (the CHAIN extension) for external verification. This is OPTIONAL and is not used in conformance evaluation.
§ 2.4 I · Integrity
The sequence of chain entries forms a Merkle DAG. Reordering or deletion of any entry SHALL be detectable in O(log n) time by inspection of the root. The current root MUST be published, signed, every 60 seconds at minimum.
§ 2.5 S · Scope
An agent's scope is monotone-decreasing within an attestation window. Capabilities may be removed; they may not be added without re-attestation. A tier upgrade does not, of itself, expand scope.
// ARTICLE III
Receipts & the chain.
A receipt is the unit of evidence. The chain is the ledger. Every conformant deployment writes both, on every call.
§ 3.1 The receipt object
A receipt is a CBOR-encoded object satisfying the schema below. The receipt is the verdict, persisted; it is also the only artifact a third party may inspect to verify a call.
# receipt (v0.9)
id: bytes(32) # sha256(canonical(receipt))
agent: agent_id
call: tool_call # verb, target, args (hashed)
verdict: "ALLOW" | "DENY" | "ESCALATE"
tier: uint8 # at time of call
cap: capability_token # nil if DENY
prev: receipt_id # chain link
at: unixtime_ns
sig_agent: ed25519_sig
sig_gate: ed25519_sig
The cap field is a scoped capability token (RFC-0017). It is bearer-only, expires within the latency budget of the call, and grants exactly the permissions of the receipt — no more, no less.
§ 3.2 Chain construction
The chain is an append-only, content-addressed sequence. Each receipt's prev field MUST reference the immediately previous receipt for the emitting agent. Cross-agent linking is performed by the chain root, which is signed by the gate every 60 seconds.
A gate that fails to emit a chain root within the 60-second window SHALL lose conformance for the affected window. The next attester observation period MUST exclude the affected window from its clean-days calculation.
§ 3.3 Read access
The chain MUST be readable by any party, without authentication, with a read latency under 4 seconds from commit. Read-side rate limits, where applied, MUST NOT distinguish between authenticated and unauthenticated callers.
// ARTICLE IV
Conformance.
A conformant implementation passes the public test harness at one of three classes. The harness is open-source and reproducible end-to-end.
| Class | Tests | Implies |
| Class 1 | 312 of 472 | Read-side conformant. May verify but not emit. |
| Class 2 | 418 of 472 | Single-tier emit conformant. Suitable for T0–T2. |
| Class 3 | 472 of 472 | Full conformance. Required to emit T3+. |
The reference implementation is Cognigate. Published, revision-stamped conformance results for the engine are planned as the conformance suite matures; no conformance class is claimed today.
// ARTICLE V
Governance.
BASIS is governed by a consortium of signatories under a public RFC process. No single signatory holds material authority over the specification.
Amendments require: (i) a published RFC with at least 30 days of public comment, (ii) sign-off by two editors, (iii) sign-off by two signatories not affiliated with the editors, and (iv) a clean run of the conformance suite against a reference implementation incorporating the change.
Adopting BASIS in a production deployment requires signing Article V.A — the adoption commitment, which is public, free, and revocable on 90 days notice. Signatories are listed in the public registry.
A standard works because someone signs it.