← Documentation

Plugin API

Domain plugin contract.

Normative specification for the five-method plugin interface. Implement this contract to add AGTS governance to any domain.

Normativev0.1-Draft

Supersedes: rtr-clearinghouse/PLUGIN_API.md (pre-AGTS; retained as historical reference)

Overview

The AGTS Clearinghouse Plugin API allows any governance vertical to integrate with the shared clearinghouse infrastructure. A plugin provides domain-specific governance logic; the clearinghouse provides:

The plugin provides: domain-specific G1–G5 gate evidence, policy-relevant metadata for validators, and domain-specific observable nudges (optional override).

Plugin Interface Contract

A plugin is a JavaScript object implementing five mandatory properties:

const agtsPlugin = { // 1. Unique domain identifier get name() { return 'myDomain'; }, // 2. Called once on registration. // onMeasurement(m) — call to push events into the clearinghouse. async initialize(onMeasurement) { this._emit = onMeasurement; onMeasurement({ type: 'plugin_registered', measurement_source: 'PLUGIN', plugin: this.name, timestamp: new Date().toISOString(), }); }, // 3. Returns current plugin status — synchronous, non-throwing. getStatus() { return { name: this.name, initialized: true, lifecycleState: 'ACTIVE', }; }, // 4. Handle messages from the clearinghouse or other plugins. async onMessage(msg, sender) { return null; }, // 5. Called on clearinghouse shutdown. destroy() { this._emit = null; }, }; // Registration: await clearinghouse.pluginRegistry.register(agtsPlugin); // Calls initialize(onMeasurement) automatically. // If initialize() throws, plugin is not registered.

Measurement Object Shape

Every call to onMeasurement(m):

  1. Adds a domain-separated leaf to the local Merkle tree (SHA256("AGTS_LEAF_V1" || canonical_json(m)))
  2. Updates H/C/E trust observables via the nudge table
  3. Updates metering counters if a governance event type is detected
  4. Triggers a dashboard refresh

Required fields

onMeasurement({ type: '<measurement type — see table below>', measurement_source: 'PLUGIN', plugin: this.name, timestamp: new Date().toISOString(), // + any additional domain fields });

Standard measurement types

TypeHCE effectWhen to use
plugin_registeredH↑Plugin initialization complete
plugin_errorH↓Internal plugin error
gate_passH↑ C↑ E↓Any single RTR gate (G1–G5) passes
gate_failH↓ C↓ E↑Any single RTR gate fails
agts_governance_evidenceH↑ C↑ E↓Full G1–G5 evidence set ready for Proof Bundle assembly
agts_envelope_admittedH↑ C↑ E↓Governance Envelope successfully admitted to Transparency Log
agts_envelope_rejectedH↓ C↓ E↑Governance Envelope rejected by log or validator network
receipt_submittedH↑AGTS_SETTLEMENT_V1 successfully submitted
receipt_errorH↓Settlement receipt submission failed
plugin_analyzedH↑Plugin code analysis complete
plugin_admittedH↑Plugin admitted to registry
plugin_revokedH↓Plugin revoked from registry

Emitting Governance Evidence

When a plugin has collected all five gate results for a governed action, it emits an agts_governance_evidence measurement. This triggers the clearinghouse to assemble a AGTS_PROOF_BUNDLE_V1 and initiate the validator network round.

this._emit({ type: 'agts_governance_evidence', measurement_source: 'PLUGIN', plugin: this.name, timestamp: new Date().toISOString(), subject_id: 'myDomain:model-update:v2.1', capability_certificate_id: '<64-char hex>', deployment_artifact_hash: '<64-char hex>', gate_results: { G1: { result: 'PASS', confidence_interval_lower: 0.72, confidence_interval_upper: 0.89, bootstrap_iterations: 10000 }, G2: { result: 'PASS', causal_attribution: true, ablation_delta: 0.043 }, G3: { result: 'PASS', protected_metrics: { accuracy_on_holdout: 0.923 } }, G4: { result: 'PASS', evidence_class: 'HOOKED' }, G5: { result: 'PASS', operator_id: 'alice@example.com' }, }, evidence: { dataset_provenance_hash: '<64-char hex>', evaluation_trace_hash: '<64-char hex>', ablation_execution_log_hash: '<64-char hex>', capability_certificate_hash: '<64-char hex>', }, state_before_hash: '<64-char hex>', state_after_hash: '<64-char hex>', replay_seed: '<hex-or-URI>', });

G4 evidence class definitions

ClassMeaningValidation rule
HOOKEDEvidence from instrumented external harnessDataset provenance hash MUST be commitment from the harness, not the evaluated system
ATTESTEDEvidence from attested execution environment (TEE/secure enclave)Attestation certificate MUST be included in capability_certificate_hash
INSTRUMENTEDEvidence from internal instrumentation with independent audit logAblation execution log MUST be retrievable at a durable URI

Validators MUST reject Proof Bundles with evidence_class: "SELF_REPORTED" or any class not in this table.

Iframe-Hosted Plugins (postMessage bridge)

If your domain's UI is a standalone HTML page hosted in an iframe, bridge events via postMessage:

// From inside the iframe: window.parent.postMessage({ type: 'AGTS_GOVERNANCE_EVIDENCE', payload: { plugin: 'myDomain', timestamp: new Date().toISOString(), subject_id: 'myDomain:action:id', gate_results: { G1: {...}, G2: {...}, G3: {...}, G4: {...}, G5: {...} }, evidence: { dataset_provenance_hash: '...', ... }, state_before_hash: '...', state_after_hash: '...', replay_seed: '...', }, }, '*');
TypePayloadEffect
AGTS_GOVERNANCE_EVIDENCEFull evidence objectTriggers Proof Bundle assembly + validator round
AGTS_GATE_RESULT{ gate, pass, ...result_fields }Increments individual gate counter
AGTS_GET_STATUSClearinghouse responds with current status
AGTS_SUBMIT_SETTLEMENT{ counters }Triggers manual settlement receipt submission

Pre-AGTS types RTR_GOV_BUNDLE_V1, RTR_GATE_RESULT — not recognized by the AGTS clearinghouse. Do not use.

Validator Evaluation Rules

Policy Validators evaluate each Proof Bundle against these mandatory rules. Verify locally before emitting to avoid unnecessary validator round failures:

RuleCheck
All gates passgate_results.G1.result == "PASS" through G5.result == "PASS"
Evidence class validgate_results.G4.evidence_class ∈ {HOOKED, ATTESTED, INSTRUMENTED}
All G4 hashes presentevidence.dataset_provenance_hash, evaluation_trace_hash, ablation_execution_log_hash, capability_certificate_hash all non-null
G5 operator_id presentgate_results.G5.operator_id is a non-empty string
Replay seed presentreplay_seed is non-null
generated_at in windowWithin 30-day replay window, ≤ 5-minute future skew
G1 CI is validconfidence_interval_lower > 0 and ≤ confidence_interval_upper

Lifecycle State Reference

StateMeaningWhat happens
PROPOSEDRegistered, waiting for first successful gate passNo Governance Envelope issuance
ACTIVEOperating normallyFull pipeline: evidence → validators → envelope → log
QUARANTINEDegraded — 3+ consecutive gate failuresEvidence accumulates; validator rounds suspended; alert emitted
LOCKBOXSuspended — 10+ consecutive failuresRead-only forensic state; no new measurements accepted
REJECTEDPermanent policy violationCannot be reactivated without full restart and new registration

Key differences from rtr-clearinghouse Plugin API

Pre-AGTS (rtr-clearinghouse)AGTS (agts-clearinghouse)
RTR_GOV_BUNDLE_V1 message typeAGTS_GOVERNANCE_EVIDENCE message type
G4 evidence hashes as flat fields in receipt bodyG4 evidence hashes in structured evidence object
nodeId (16-char truncation)node_id (64-char, full SHA256 of DER SPKI)
lastBundleHashparent_bundle_hash
camelCase fieldssnake_case fields
Signing: Sign(UTF8(hex(SHA256(body))))Signing: Sign(SHA256(canonical_json(body)))
Leaf hash: no prefixLeaf hash: SHA256("AGTS_LEAF_V1" || canonical_json(m))
No Sovereign AuthorityGovernance Envelope requires authority_signature before log admission
Quick plugin guide → Clearinghouse spec → Domain examples →