Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Right to History: A Sovereignty Kernel for Verifiable AI Agent Execution

Jing Zhang

TL;DR

The Right to History: the principle that individuals are entitled to a complete, verifiable record of every AI agent action on their own hardware is proposed and implemented in PunkGo, a Rust sovereignty kernel that unifies RFC 6962 Merkle tree audit logs, capability-based isolation, energy-budget governance, and a human-approval mechanism.

Abstract

AI agents increasingly act on behalf of humans, yet no existing system provides a tamper-evident, independently verifiable record of what they did. As regulations such as the EU AI Act begin mandating automatic logging for high-risk AI systems, this gap carries concrete consequences -- especially for agents running on personal hardware, where no centralized provider controls the log. Extending Floridi's informational rights framework from data about individuals to actions performed on their behalf, this paper proposes the Right to History: the principle that individuals are entitled to a complete, verifiable record of every AI agent action on their own hardware. The paper formalizes this principle through five system invariants with structured proof sketches, and implements it in PunkGo, a Rust sovereignty kernel that unifies RFC 6962 Merkle tree audit logs, capability-based isolation, energy-budget governance, and a human-approval mechanism. Adversarial testing confirms all five invariants hold. Performance evaluation shows sub-1.3 ms median action latency, ~400 actions/sec throughput, and 448-byte Merkle inclusion proofs at 10,000 log entries.

Right to History: A Sovereignty Kernel for Verifiable AI Agent Execution

TL;DR

The Right to History: the principle that individuals are entitled to a complete, verifiable record of every AI agent action on their own hardware is proposed and implemented in PunkGo, a Rust sovereignty kernel that unifies RFC 6962 Merkle tree audit logs, capability-based isolation, energy-budget governance, and a human-approval mechanism.

Abstract

AI agents increasingly act on behalf of humans, yet no existing system provides a tamper-evident, independently verifiable record of what they did. As regulations such as the EU AI Act begin mandating automatic logging for high-risk AI systems, this gap carries concrete consequences -- especially for agents running on personal hardware, where no centralized provider controls the log. Extending Floridi's informational rights framework from data about individuals to actions performed on their behalf, this paper proposes the Right to History: the principle that individuals are entitled to a complete, verifiable record of every AI agent action on their own hardware. The paper formalizes this principle through five system invariants with structured proof sketches, and implements it in PunkGo, a Rust sovereignty kernel that unifies RFC 6962 Merkle tree audit logs, capability-based isolation, energy-budget governance, and a human-approval mechanism. Adversarial testing confirms all five invariants hold. Performance evaluation shows sub-1.3 ms median action latency, ~400 actions/sec throughput, and 448-byte Merkle inclusion proofs at 10,000 log entries.
Paper Structure (68 sections, 1 theorem, 3 equations, 3 figures, 7 tables)

This paper contains 68 sections, 1 theorem, 3 equations, 3 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Background and Motivation
  3. The Accountability Gap in the Age of AI Agents
  4. The Transparent Log Paradigm
  5. Regulatory Urgency
  6. From Data Sovereignty to Computational History Sovereignty
  7. Threat Model and Assumptions
  8. System Boundary and Trust Model
  9. Inside the TCB (trusted).
  10. Outside the TCB (untrusted).
  11. Trust Assumptions.
  12. Adversary Model
  13. Scope of Defense.
  14. Security Goals
  15. Formal Framework
  16. ...and 53 more sections

Key Result

Corollary 4.1

If two verifiers obtain $\mathrm{root}_1 \neq \mathrm{root}_2$ from the kernel, at least one does not correspond to the kernel's true log---equivocation is detected. Specifically, for a claimed prefix relation $\mathcal{L} \sqsubseteq \mathcal{L}'$, a consistency proof (Definition 4.10) can verify t

Figures (3)

  • Figure 1: The security chain formed by the five invariants. Each invariant depends on the one above it.
  • Figure 2: Three-layer architecture of PunkGo. The kernel layer (green, TCB) is the sole commit point; agents submit actions but cannot directly access system resources.
  • Figure 3: Action pipeline. The normal path traverses all seven steps left to right. The hold path short-circuits inside validate (which internally performs quote, reserve, and append of the hold request), returning HoldTriggered. On approve, the action is recursively re-submitted to the full pipeline with replay guards that make the hold check and energy reservation idempotent.

Theorems & Definitions (33)

  • Definition 4.1: World
  • Definition 4.2: Actor Partition
  • Definition 4.3: Atomic Action
  • Definition 4.4: State Transition
  • Definition 4.5: Sole Committer
  • Remark 4.1
  • Definition 4.6: Event
  • Remark 4.2
  • Definition 4.7: Log
  • Definition 4.8: Merkle Root
  • ...and 23 more