Table of Contents
Fetching ...

Faramesh: A Protocol-Agnostic Execution Control Plane for Autonomous Agent Systems

Amjad Fatmi

TL;DR

Faramesh introduces an execution-time governance architecture for autonomous agents by layering a non-bypassable boundary (AAB) between reasoning and execution. Central to the design are the Canonical Action Representation (CAR) which normalizes semantically equivalent intents, a deterministic evaluation function over ($A$, $P$, $S$), and an immutable, hash-bound decision record that enables replay and auditability. The framework is protocol-agnostic, scalable to multi-agent/multi-tenant deployments, and designed to resist bypass through artifact-bound execution and fail-closed semantics. The work distinguishes decision provenance from post-execution observability, enabling counterfactual replay and policy-evolution analysis, and argues that existing identity or observability approaches cannot reproduce these guarantees. Together, CAR and AAB provide a minimal semantic contract for cross-boundary governance that supports deterministic, auditable, and replayable authorization of real-world actions by autonomous agents, with clear guidance on deployment, limitations, and potential extensions.

Abstract

Autonomous agent systems increasingly trigger real-world side effects: deploying infrastructure, modifying databases, moving money, and executing workflows. Yet most agent stacks provide no mandatory execution checkpoint where organizations can deterministically permit, deny, or defer an action before it changes reality. This paper introduces Faramesh, a protocol-agnostic execution control plane that enforces execution-time authorization for agent-driven actions via a non-bypassable Action Authorization Boundary (AAB). Faramesh canonicalizes agent intent into a Canonical Action Representation (CAR), evaluates actions deterministically against policy and state, and issues a decision artifact (PERMIT/DEFER/DENY) that executors must validate prior to execution. The system is designed to be framework- and model-agnostic, supports multi-agent and multi-tenant deployments, and remains independent of transport protocols (e.g., MCP). Faramesh further provides decision-centric, append-only provenance logging keyed by canonical action hashes, enabling auditability, verification, and deterministic replay without re-running agent reasoning. We show how these primitives yield enforceable, predictable governance for autonomous execution while avoiding hidden coupling to orchestration layers or observability-only approaches.

Faramesh: A Protocol-Agnostic Execution Control Plane for Autonomous Agent Systems

TL;DR

Faramesh introduces an execution-time governance architecture for autonomous agents by layering a non-bypassable boundary (AAB) between reasoning and execution. Central to the design are the Canonical Action Representation (CAR) which normalizes semantically equivalent intents, a deterministic evaluation function over (, , ), and an immutable, hash-bound decision record that enables replay and auditability. The framework is protocol-agnostic, scalable to multi-agent/multi-tenant deployments, and designed to resist bypass through artifact-bound execution and fail-closed semantics. The work distinguishes decision provenance from post-execution observability, enabling counterfactual replay and policy-evolution analysis, and argues that existing identity or observability approaches cannot reproduce these guarantees. Together, CAR and AAB provide a minimal semantic contract for cross-boundary governance that supports deterministic, auditable, and replayable authorization of real-world actions by autonomous agents, with clear guidance on deployment, limitations, and potential extensions.

Abstract

Autonomous agent systems increasingly trigger real-world side effects: deploying infrastructure, modifying databases, moving money, and executing workflows. Yet most agent stacks provide no mandatory execution checkpoint where organizations can deterministically permit, deny, or defer an action before it changes reality. This paper introduces Faramesh, a protocol-agnostic execution control plane that enforces execution-time authorization for agent-driven actions via a non-bypassable Action Authorization Boundary (AAB). Faramesh canonicalizes agent intent into a Canonical Action Representation (CAR), evaluates actions deterministically against policy and state, and issues a decision artifact (PERMIT/DEFER/DENY) that executors must validate prior to execution. The system is designed to be framework- and model-agnostic, supports multi-agent and multi-tenant deployments, and remains independent of transport protocols (e.g., MCP). Faramesh further provides decision-centric, append-only provenance logging keyed by canonical action hashes, enabling auditability, verification, and deterministic replay without re-running agent reasoning. We show how these primitives yield enforceable, predictable governance for autonomous execution while avoiding hidden coupling to orchestration layers or observability-only approaches.
Paper Structure (331 sections, 7 theorems, 111 equations, 10 figures, 8 tables)

This paper contains 331 sections, 7 theorems, 111 equations, 10 figures, 8 tables.

Key Result

lemma 1

Re-evaluating a canonical action $A$ under a new policy context $P'$ and system state $S'$ without executing side effects yields an authorization outcome equivalent to a hypothetical execution-time decision, modulo differences between $(P, S)$ and $(P', S')$.

Figures (10)

  • Figure 1: Latency components vs. state digest size (single machine).
  • Figure 2: Single minimal end-to-end trace demonstrating determinism, evaluation binding, hash-chained recording, artifact-only execution, and replay behavior.
  • Figure 3: Runtime flow of canonical action evaluation and authorization. All execution-capable actions traverse canonicalization and decision evaluation prior to effectful execution. Decision-only requests follow the same evaluation path without invoking execution.
  • Figure 4: Single-agent local enforcement path. Intent generation, canonicalization, authorization, and execution are strictly separated. Execution occurs if and only if the Action Authorization Boundary returns PERMIT.
  • Figure 5: Multi-agent, multi-tenant control plane. Multiple agents submit canonical actions to a shared Action Authorization Boundary. Authorization is evaluated against tenant-isolated policy $P_t$ and state $S_t$, and execution artifacts are scoped per tenant.
  • ...and 5 more figures

Theorems & Definitions (17)

  • definition 1: Decision Provenance Record
  • definition 2: Decision Provenance Record
  • definition 3: Decision Provenance Record
  • lemma 1: Replay Soundness
  • proof : Proof Sketch
  • lemma 2: Invariant Necessity
  • lemma 3: Limit of Execution-Time Governance
  • lemma 4: Undecidability of Intent Correctness
  • lemma 5: Latency Lower Bound
  • definition 4: Correct Placement
  • ...and 7 more