How It Works
The TAO Protocol
Every write to a system of record passes through the same mandatory pipeline. No stage is bypassable. No stage is probabilistic. The pipeline is the architecture.
Proposal
Any actor — AI agent, human operator, automated pipeline, script, batch job — proposes a write to a system of record. The proposal is structured: actor identity, role, target resource, intended action, timestamp. A proposal is not an authorization.
Authorization Decision
The Governance Plane evaluates the proposal. Actor credentials, role binding, and authorization scope are checked against the declared action. The decision function is Δ_p — a valuation-metric distance over a finite chain ring. The output is an exact integer. There is no confidence score to calibrate and no threshold to tune.
TAO Issued
If authorized, a Typed Authorization Object is issued: cryptographically signed, single-use, carrying identity, role, scope, and timestamp. If not authorized, nothing proceeds — there is no retry path that bypasses this stage. The TAO is the pre-execution certificate.
Gate Verification
The actor presents the TAO at the persistence gate. The gate operates at the kernel layer — below the application, below the agent, below the pipeline. It verifies the cryptographic signature, confirms the TAO is unused, and checks that the write matches the authorized scope exactly.
Write and Consumption
The TAO is consumed in the same atomic transaction as the write. Replay is structurally impossible. If the write fails for any reason, the TAO is voided. No partial state is left behind. No TAO can authorize two writes.
Receipt Anchored
A hardware-signed receipt is appended to the append-only audit ledger. The receipt is not a log of what happened — it is a cryptographic artifact proving that authorization preceded the action. It exists before the write completes.
The pipeline above reflects the current production implementation. The architecture is extensible — additional verification, escrow, or multi-party authorization stages can be inserted without altering the invariant: no TAO, no write.
The Mathematics
Authorization is not inference. It is proof.
The governance decision function Δ_p is a valuation-metric distance computed over a finite chain ring. The output is an exact integer — there is no threshold, no confidence score, no model output to calibrate.
The Gap-3 theorem establishes the mathematical ceiling for the authorization decision: certain code families over odd-prime-square rings achieve maximum structural separation. This has been verified by exhaustive enumeration across 13.8+ billion seeds with zero exceptions.
This is not a theoretical property. It is a verified computational fact, submitted for peer review at IEEE Transactions on Information Theory and Elsevier Finite Fields and Their Applications, with open-access preprints on Zenodo.
// The governance decision
Δ_p(c, C) = min {
v_p(c - c') : c' ∈ C, c' ≠ c
}
// Authorization is exact comparison
authorized = Δ_p(proposal, C) ≥ threshold
// Gap-3 theorem: threshold is provable
∀ seeds ∈ 13.8B+: verified
exceptions = 0
Competitive Landscape
Why nothing else is close
| Dimension | Every other system | STS-001 |
|---|---|---|
| When | After execution | Before execution |
| Layer | Application / API / middleware | Persistence layer |
| Decision type | Policy rule or ML classifier | Deterministic integer math (Δ_p) |
| Actor scope | Often AI-only or human-only | Any actor — human, AI, pipeline, script |
| Bypassable? | Yes — misconfiguration, privilege | No — below the application |
| Audit artifact | Log of what happened | Cryptographic proof authorization preceded action |
| Separation | Configured, conventional | Structural — authorizer ≠ executor by architecture |
Ready to see it in your environment?
Get in Touch