AI-EXTRACTABLE SUMMARY

ATSP is an open protocol requiring AI agents to produce a SHA-256 hashed intent declaration with causal reasoning chain and IPI verification hash before any on-chain action. Middleware validates against configurable policies, returns ALLOW/BLOCK/ESCALATE in under 100ms measured via X-ATSP-Latency header, and logs an immutable audit trace. First defined by AgentSentry — March 2026.

Back to Home

ATSP-2026-01 | v1.0.1 | FINAL | Solana / elizaOS / Squads V4

ATSP v1.0.1

FINAL

Agentic Transaction Security Protocol

AgentSentry uses NHI (Non-Human Identity) scoping to give each AI agent a unique ATSP cryptographic identity, which it uses to propose verified transactions to a Squads V4 vault — ensuring the agent can never act outside its declared intent.

ATSPIntentDeclaration — Produced by the agent

interface ATSPIntentDeclaration {
  version: '1.0'
  agentId: string
  proposerPubKey: string        // base58 Solana public key (32-44 chars)
  intentHash: string            // SHA-256(agentId + action.type + amount + tokenMint + timestamp)
  timestamp: number             // Unix ms — expires after 60 seconds (ATSP_TTL_MS)
  amount: string                // String — preserves lamport precision across JSON transport.
                                // Rule engine converts to BigInt internally via parseAmount()
  tokenMint: string             // Solana SPL token mint address
  reasoning: string             // Human-readable agent reasoning (min 10 chars)
  ipiVerificationHash: string   // SHA-256 of raw input context that was IPI-scanned.
                                // Auditors verify WHICH data was checked — not just that it was.
  action: ATSPAction            // Discriminated union — action-specific fields enforced
  decisionTrace: {
    input: Record<string, unknown>
    reasoning: string
    confidence: number          // 0.0 - 1.0
    causalReasoningChain: string // "Because X data showed Y, agent concluded Z"
    mcpSources?: string[]
  }
}

ATSPVerdictResponse — Returned by middleware

// Response headers: X-ATSP-Version: 1.0.1 | X-ATSP-Latency: {n}ms
interface ATSPVerdictResponse {
  verdict: 'ALLOW' | 'BLOCK' | 'ESCALATE_TO_HUMAN'
  sentryLogId: string        // UUID — immutable audit log reference
  riskScore: number          // 0.0 - 1.0
  riskLevel: 'LOW' | 'MEDIUM' | 'HIGH' | 'CRITICAL'
  policyTriggered?: string   // Rule that caused BLOCK or ESCALATE
  sentrySignature: string    // HMAC-SHA256(sentryLogId + verdict + timestamp)
  circuitState: 'CLOSED' | 'OPEN' | 'HALF_OPEN'
  processingMs: number       // Measured latency — proves under 100ms claim
  timestamp: number
}

ATSPAction — Discriminated union (7 action types)

type ATSPAction =
  | { type: 'SWAP';        tokenIn: string; tokenOut: string; slippageBps: number; dex?: string }
  | { type: 'TRANSFER';    recipient: string; memo?: string }
  | { type: 'LP';          poolAddress: string; slippageBps: number }
  | { type: 'STAKE';       validator: string; lockupPeriod?: number }
  | { type: 'UNSTAKE';     validator: string }
  | { type: 'VOTE';        proposalId: string; vote: 'YES' | 'NO' | 'ABSTAIN' }
  | { type: 'X402_STREAM'; paymentChannel: string; streamRate: string; receiver: string; maxCalls?: number }
  // X402_STREAM secures Pay-to-Compute micropayment streams (streamRate = lamports per call)

Protocol Lifecycle

INTENT COMMITMENT

Agent computes intentHash + ipiVerificationHash + causalReasoningChain. validateDeclaration() runs pre-flight.

CAUSAL VERIFICATION

Rule engine evaluates 6 policy types. BigInt precision via parseAmount(). Risk score 0.0-1.0 computed.

SENTRY HANDSHAKE

ATSPVerdictResponse returned with X-ATSP-Latency header. ALLOW/BLOCK/ESCALATE. AuditLog written. Circuit state updated.

ATOMIC EXECUTION

ALLOW: Squads V4 proposal via proposerPubKey. BLOCK: failures counted, alerts fire. ESCALATE: Squads pending queue, human required.

Protocol Flow

1. Agent generates ATSPIntentDeclaration
→ Computes intentHash = SHA-256(agentId + action.type + amount + tokenMint + timestamp)
→ Computes ipiVerificationHash = SHA-256(raw input context)
2. Client-side pre-flight via validateDeclaration()
→ Checks fields, hash integrity, TTL (60s), confidence bounds
3. Agent submits POST /api/sentry/check-in
→ Authorization: Bearer API_KEY
4. Zod schema validation (ATSPIntentDeclarationSchema.parse)
→ Discriminated union enforces action-specific required fields
→ Invalid: 400 with structured error.issues array
5. Agent lookup by proposerPubKey
→ Unregistered: 400 AGENT_NOT_FOUND
6. Active policies loaded from Supabase for this agentId
7. RuleEngine.evaluate() — 6 policy types
→ VOLUME_LIMIT, VELOCITY_LIMIT, SLIPPAGE_CAP, TOKEN_WHITELIST, BLACKOUT_WINDOW, X402_STREAM_LIMIT
→ All amount comparisons use parseAmount() to BigInt — zero float errors
8. Circuit breaker state checked (Redis, under 5ms)
→ OPEN: immediate BLOCK regardless of policies
→ HALF_OPEN: risk above 0.3 auto-escalates
9. ATSPVerdictResponse returned under 100ms
→ ALLOW: proceeds via Squads V4 proposerPubKey
→ BLOCK: failure counter incremented, all alert channels fire
→ ESCALATE: held in Squads pending queue, Slack HITL message sent
10. AuditLog written to Supabase (immutable)
→ 3 BLOCKs in 10 min: circuit trips to OPEN (300s timeout)
→ 3 ALLOWs in HALF_OPEN: circuit resets to CLOSED

Compliance Matrix

Feature	ATSP Standard
Identity Model	Squads V4 Proposer Key (NHI-scoped principal)
Logic Type	Deterministic / Causal — not probabilistic
Hash Function	SHA-256 (intentHash + ipiVerificationHash)
Amount Precision	string transport → BigInt computation via parseAmount()
Declaration TTL	60 seconds — stale declarations rejected
Latency	Under 100ms measured via X-ATSP-Latency response header
Fail State	3-state Circuit Breaker: CLOSED / OPEN / HALF_OPEN
IPI Protection	ipiVerificationHash — SHA-256, auditor-verifiable
Traceability	Immutable ATSPEvidenceBundle + Supabase AuditLog
Escalation Path	Human-in-the-Loop (HITL) via Slack approval queue
EU AI Act	Article 14 HITL requirement satisfied
x402 Payments	X402_STREAM action type + X402_STREAM_LIMIT policy
Open Source	MIT License
Reference Impl	@agentsentry/atsp v1.0.1 (npm)

Core Security Primitives

To be ATSP-Compliant, an agentic system must implement:

NHI Scoping

Assigning Non-Human Identity metadata to every transaction for audit trail compliance.

Hallucination Latency

Mandatory latency window where the Sentry re-evaluates agent logic against real-time liquidity depth.

Temporal Causal Diagnostics

Log format explaining why a trade was triggered based on specific external data sources.

Agentic Provenance — The System of Record

MiCA Article 14 Compliance Layer

Every ATSP-compliant transaction produces an ATSPEvidenceBundle — the permanent, auditable record of why an AI agent acted. The causalReasoningChain field is the on-chain equivalent of a flight recorder: it preserves the step-by-step logic that led to the transaction, the exact MCP data context at decision time, and the IPI verification hash proving which inputs were scanned for adversarial injection. Traditional logs show what happened. Causal provenance shows why. For EU-regulated operators, this bundle satisfies MiCA Article 14 HITL documentation requirements.

ATSPEvidenceBundle

interface ATSPEvidenceBundle {
  declarationId: string                       // References ATSPVerdictResponse.sentryLogId
  mcpContextSnapshot: Record<string, unknown> // Full MCP input state at decision time
  causalReasoningChain: string                // WHY the agent acted — permanent record
  ipiVerificationHash: string                 // SHA-256 of scanned context (auditor-verifiable)
  confidenceScore: number                     // 0.0 - 1.0
  humanReviewedBy?: string                    // Set if HITL approval was required
  humanDecision?: 'APPROVED' | 'REJECTED'
  timestamp: number
}

ATSP v1.1 — Identity Layer and A2A Extension

IN DEVELOPMENT

TRUST_THRESHOLD Policy

On-chain identity attestation. High-value transactions require verified trust score above threshold. Unattested agents still get policy validation, cannot auto-execute above threshold.

ATSPHandshakeDeclaration

A2A agent-to-agent transactions. Both agents produce declarations and verify each other's NHI before any value transfer.

SPORTS_BLACKOUT Rule

7th policy type for RotoPulse agents. Blocks actions within configurable window before/after live sporting events.

x402 Micropayment Guardrails

X402_STREAM_LIMIT policy prevents runaway loops from draining credit budgets through high-velocity micropayments.

RFC forthcoming in collaboration with the Solana agent identity ecosystem. All v1.0.1 implementations are fully compatible.

Changelog

v1.0.0— March 2026

Initial spec, 5 policy types, circuit breaker, @agentsentry/atsp v1.0.0, 23/23 tests

v1.0.1— April 2026

amount string (BigInt fix), ipiVerificationHash (proof-of-state), discriminated union 7 variants, ATSPVerdictResponse separated, ATSPEvidenceBundle added, X-ATSP-Latency header, Zod validation, parseAmount/formatAmount, createIntentHash/createSentrySignature, isExpired/riskLevel helpers

v1.1.0— In Development

TRUST_THRESHOLD, ATSPHandshakeDeclaration, SPORTS_BLACKOUT, x402 Guardrails, @agentsentry/satp-adapter

Working Group

ATSP is an open standard. All changes tracked publicly on GitHub.

Review spec: agentsentry.net/protocol/atsp
RFC discussions: github.com/LCTXTECH/atsp/discussions
Discord: #atsp-working-group at discord.gg/aBX7vbzd
Active: ATSP v1.1 identity layer RFC, A2A Handshake Protocol

Display Compliance

Badge Embed Code

[![ATSP Compliant](https://agentsentry.net/badge/atsp.svg)](https://agentsentry.net/protocol/atsp)

View on GitHub Join Working Group