Internet Engineering Task Force T. Sato
Internet-Draft MyAuberge K.K.
Intended Status: Standards Track 28 June 2026
Expires: 28 December 2026
The Constitutional AI Protocol (CAP) for Agentic AI Systems
draft-sato-soos-cap-04
Abstract
An AI agent's authorization system determines what it is permitted
to do. A human principal's escalation decision determines what
they authorize. Neither of these is sufficient on its own: a
Cedar policy can permit market manipulation; a human principal can
authorize fraud. Authorization systems answer the question "who
decided?" The Constitutional AI Protocol answers a different
question: "was that decision lawful?"
CAP defines a Constitutional Layer that evaluates every AI action
request and every human authorization decision against a three-tier
prohibition model -- before Cedar evaluates the action and before
the system executes the human's decision. Tier 0 prohibitions are
derived from near-universal treaty consensus and are unconditional:
no agent, operator, or human principal can authorize them. Tier 1
prohibitions are jurisdiction-specific and operator-declared. Tier
2 prohibitions are voluntary operator ethical standards.
This document also specifies the Prohibition Clearance Mechanism
(PCM): the process by which specific Tier 0 and Tier 1 prohibition
classes may be cleared for specific deployment contexts --
either at implementation time by the operator or by formal
regulatory authority -- while preserving an absolute prohibition
floor for CSAM and genocide facilitation under any circumstances.
The Sovereign Object OS (SOOS) is the reference implementation of
the Governance Execution Controller (GEC) pattern on which CAP is
built.
CAP also defines the GEC Policy Transparency Disclosure (PTD): a
signed, queryable, tier-structured document through which any
external party may determine which laws and regulations a GEC is
actively enforcing, at what authority tier, and under whose
governance.
Status of This Memo
This Internet-Draft is submitted in full conformance with the
provisions of BCP 78 and BCP 79.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF). Note that other groups may also distribute
working documents as Internet-Drafts. The list of current
Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.
Internet-Drafts are draft documents valid for a maximum of six
months and may be updated, replaced, or obsoleted by other
documents at any time. It is inappropriate to use Internet-Drafts
as reference material or to cite them other than as "work in
progress."
This Internet-Draft will expire on 28 December 2026.
Copyright Notice
Copyright (c) 2026 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://trustee.ietf.org/license-info) in effect on the date of
publication of this document. Please review these documents
carefully, as they describe your rights and restrictions with
respect to this document.
Table of Contents
1. Introduction
2. What CAP Is and Is Not
2.1. What CAP Does
2.2. What CAP Does Not Do
2.3. The Division of Labor
2.4. The SWIFT Analogy
2.5. Regulatory Conflict and Ambiguity
3. How CAP Works
3.1. Use Case 1 -- A Lawyer Reviews a CAP-Governed System
3.2. Use Case 2 -- A Regulator Investigates an Incident
3.3. Use Case 3 -- A Government Agency Deploys SOOS
3.4. Use Case 4 -- Two Jurisdictions Conflict
4. Conventions and Definitions
5. Architecture Overview
5.1. The Double-Evaluation Property
5.2. Relationship to HEM
5.3. Relationship to Cedar Policy Evaluation
6. Constitutional Evaluation Engine (CEE)
6.1. CEE Placement in the GEC
6.2. CEE Evaluation Protocol
6.3. CEE Outputs
7. Tier 0 -- Universal Core Prohibitions
7.1. Tier 0 Properties
7.2. Tier 0-A -- Absolute Prohibitions
7.3. Tier 0-B -- Qualified Prohibitions
7.4. Tier 0 Prohibition Schema
7.5. Tier 0 Modification
8. Tier 1 -- Jurisdictional Prohibition Layer
8.1. Tier 1 Properties
8.2. Tier 1 Prohibition Classes
8.3. Tier 1 Prohibition Schema
8.4. Jurisdiction Configuration
8.5. Tier 1 Verification
8.6. Legal Ambiguity Declaration
8.7. Cedar Policy Conflict Resolution Rule [NEW in -04]
8.8. Catalog Load Validation [NEW in -04]
8.9. Catalog Update Propagation [NEW in -04]
9. Tier 2 -- Operator Ethical Layer
9.1. Tier 2 Properties
9.2. Tier 2 Prohibition Schema
9.3. Tier 2 Disclosure
10. Tier 3 -- Resource and Usage Policies
10.1. Tier 3 Properties
10.2. Tier 3 and CAP-RRS
11. Prohibition Clearance Mechanism
11.1. Purpose
11.2. What Cannot Be Cleared
11.3. Mode 1 -- Deployment Scope Declaration
11.4. Mode 2 -- Regulatory Clearance Record
11.5. CEE Behavior with an Active Clearance
11.6. Clearance Record Schema
11.7. Clearance Registry
12. CAP Violation Handling
12.1. AI-Initiated Violations
12.2. Human-Directed Violations
12.3. APPROVE_WITH_LEGAL_BASIS
12.4. CAP Violation Record Schema
12.5. Session Suspension
12a. GEC Policy Transparency Disclosure
12a.1. Purpose and Regulatory Basis
12a.2. PTD Schema
12a.3. Tier Disclosure Rules
12a.4. PTD Query Interface
12a.5. Regulatory Override Prohibition
12a.6. CAP_TRANSPARENCY_VIOLATION
12a.7. Tier 0 OSCAL Reference Catalog [NEW in -04]
13. Jurisdictional Conflict Resolution
13.1. Conflict Detection
13.2. Conflict Resolution Methods
13.3. HEM_JURISDICTIONAL_CONFLICT
13.4. Jurisdictional Conflict Record Schema
13.5. OTel Governance Attribute Emission [NEW in -04]
14. Event Log Requirements
15. EU AI Act Applicability
15.1. Article 5 Mapping
16. Security Considerations
17. IANA Considerations
17.1. CAP Prohibition Classes Tier 0 Registry
17.2. CAP Prohibition Classes Tier 1 Registry
17.3. CAP Conflict Resolution Methods Registry
17.4. CAP Deployment Context Registry
17.5. CAP Error Codes Registry
17.6. CAP ALE Types Registry [NEW in -04]
18. References
18.1. Normative References
18.2. Informative References
Appendix A. Worked Example -- A Travel Booking in Two Jurisdictions
Appendix B. Related Work
B.1. Existing Constitutional AI Frameworks
B.2. EU AI Act Article 5
B.3. AIPREF
B.4. SOOS Companion Drafts
Appendix C. Vibe Coding Assets
C.1. Protocol Summary
C.2. Key Identifiers
C.3. Canonical Reference
Author's Address
1. Introduction
Every legal system recognizes that some acts are wrong regardless
of who orders them. A soldier ordered to commit genocide cannot
comply. A bank ordered by management to launder money cannot
comply. A police officer ordered to torture a suspect cannot
comply. These prohibitions exist above any individual's authority
-- they are non-delegable limits on what any actor can do,
regardless of the instruction chain above them.
Agentic AI systems do not have this property today.
An AI agent operates under an authorization framework -- Cedar
policies, mandate credentials, human escalation decisions -- that
determines what it is permitted to do. These frameworks are
powerful and flexible. Their flexibility is their limitation: they
can be configured to authorize harmful or unlawful actions. A
human principal sitting in the HEM decision seat can issue an
APPROVE decision on a market manipulation action. The HEM
executes it. The human-AI system has committed a crime. The
authorization framework did its job; the law was still broken.
The Human Escalation Mechanism [I-D.sato-soos-hem] is a necessary
governance layer. It stops the AI and waits for a human principal
to decide. It is not sufficient on its own, because HEM has no
mechanism to evaluate whether a human principal's decision is
itself lawful.
The Constitutional AI Protocol (CAP) closes this gap.
CAP places a Constitutional Layer above all principal authority.
It evaluates every AI action request before Cedar, and every human
principal decision before execution. A Tier 0 absolute prohibition
is refused before Cedar is consulted, before HEM fires, before any
principal is asked. No one in the system can override it -- not
the agent, not the operator, not the human principal in the
escalation seat.
CAP's purpose is not primarily prohibition. Most AI agent actions
are lawful. CAP makes lawful actions legally traceable: every
authorized action carries a policy rationale; every disputed action
carries the principal's legal basis citation. CAP makes unlawful
action attempts visible in the audit record before harm occurs.
Every actor claims their actions are lawful. CAP says: prove it.
Cite the authority. It goes in the log.
Version -01 of this document added the Prohibition Clearance
Mechanism (PCM). Version -02 added Tier 3 (Resource and Usage
Policies, Section 10) and a normative reference to the companion
Regulation Record Specification [I-D.sato-soos-cap-rrs]. Version
-03 added the GEC Policy Transparency Disclosure (PTD, Section
12a). Version -04 adds:
o Three new Tier 0-A absolute prohibitions: MANIPULATION,
PERFORMED_EMOTION, and BIOMETRIC_SIGNAL_INFERENCE (Section 7.2).
o Cedar Policy Conflict Resolution Rule -- explicit normative
ordering when cross-tier Cedar policies conflict (Section 8.7).
o Catalog Load Validation -- conflict detection at GEC startup
and catalog update time, with ALE-NEW-02 (Section 8.8).
o Catalog Update Propagation -- four-phase workflow for law
amendment: Detection, Suspension, Re-publication, Re-activation;
SUSPENDED as a new CEE output (Sections 8.9 and 6.3).
o MJWT consent_scope Cedar context population -- normative mapping
from MJWT [I-D.sato-soos-mjwt] consent_scope claims to Cedar
context fields at session start (Section 5.4).
o Tier 0 OSCAL Reference Catalog -- a canonical OSCAL-format
reference catalog published at soosproject.ai (Section 12a.7).
o OTel Governance Attribute Emission -- mandatory soos.cap.*
span attributes on every Cedar evaluation (Section 13.5).
Tier 0 and Tier 1 prohibition classes are protocol defaults, not
universal mandates. A government defense research laboratory may
have statutory authority to work with materials that would
otherwise fall under WMD_ASSISTANCE. A law enforcement agency may
have judicial authority to engage with content that would otherwise
trigger HUMAN_TRAFFICKING prohibitions. The PCM provides a formal,
audited, time-bounded mechanism for such clearances -- while
preserving an absolute floor of classes (CSAM, genocide
facilitation, and the three new -04 additions) that cannot be
cleared under any authority or circumstance.
This specification is a companion to [I-D.sato-soos-idp] and
[I-D.sato-soos-hem]. Readers should be familiar with both before
reading this document.
2. What CAP Is and Is Not
Before reading the technical specification, it is worth being
precise about what CAP does and does not do. This matters because
the wrong framing invites regulatory and legal objections that the
right framing avoids entirely.
2.1. What CAP Does
CAP is a machine-executable compliance ledger. It maintains a set
of rules -- derived from human-written regulations, encoded by
qualified legal engineers, verified by Audit Principals -- and
applies those rules deterministically to every AI agent action.
When an AI agent requests an action, the CEE checks the action
against the loaded rule set. If the action matches a rule, the
CEE executes the declared response: DENY the action unconditionally,
route it to a human principal via HEM, require a legal basis
citation, or flag it as legally ambiguous for human review. The
CEE then records what happened in the audit trail.
That is the complete scope of what CAP does. Rules in; decisions
out; records kept.
2.2. What CAP Does Not Do
CAP does not interpret law.
CAP does not determine whether an action "constitutes" a legal
concept. It cannot determine whether a pricing algorithm is
"discriminatory" under a given statute, whether a data transfer
"violates" a treaty, or whether a content recommendation "exploits"
a vulnerable group. These are legal determinations. Courts make
them. Regulators make them. Lawyers advise on them. CAP does not.
What CAP does is execute the output of that legal determination,
once a qualified human has made it and encoded it as a rule.
This distinction matters for two audiences:
For lawyers: CAP does not claim legal authority. It claims only
that it faithfully executes rules that humans with legal authority
have produced. A CAP-governed system does not "apply the law" --
it applies a machine-readable encoding of a legal engineer's
interpretation of the law, reviewed by counsel and signed by an
Audit Principal. The law applies; CAP executes the instructions
that qualified humans derived from the law.
For regulators and politicians: CAP does not make decisions about
people's rights. It routes actions to humans when legal ambiguity
is detected. It records what humans decided. It makes human
accountability traceable, not automatic.
2.3. The Division of Labor
The correct division of labor in a CAP-governed deployment is:
Legislators write regulations in natural language.
Legal engineers, instructed by lawyers, translate regulations into
CAP Regulation Records -- machine-readable rule definitions with
explicit action patterns and declared CEE responses. This
translation is a human act of legal interpretation. CAP provides
the format; humans provide the legal content.
Audit Principals review and sign every CAP Regulation Record before
it takes effect. An unsigned record cannot be loaded.
The CEE executes the signed records deterministically. When a
record is flagged as legally ambiguous -- because the legal engineer
was uncertain whether a specific action pattern falls within the
regulation's scope -- the CEE routes to HEM and surfaces the
ambiguity to a human principal.
Human principals make decisions on ambiguous cases. Their
decisions are recorded. Over time, accumulated human decisions
on ambiguous patterns provide the legal engineer with evidence to
refine the action pattern -- narrowing or broadening it to reflect
actual legal practice in the jurisdiction.
The GEC keeps the record of every decision: what rule fired, what
the CEE decided, what the human decided, and what legal basis was
cited. Regulators can inspect that record. Courts can review it.
2.4. The SWIFT Analogy
The closest existing analogy is financial sanctions screening.
OFAC publishes a sanctions list in natural language: "transactions
with entities in the following list are prohibited." A compliance
engineer loads the list into a payment screening system. The system
pattern-matches every transaction against the list. Matches are
flagged; compliance officers review flagged transactions. The
system does not interpret sanctions law -- it executes a list that
humans produced from their interpretation of sanctions law. The
compliance officer's review decision is recorded. Regulators can
inspect the record.
CAP is SWIFT-style sanctions screening generalized to any AI agent
action, any jurisdiction, and any regulation tier. The CEE is the
screening engine. CAP Regulation Records are the lists. HEM is
the compliance officer review queue. GAR is the inspection record.
No one claims a SWIFT sanctions screening system "interprets" OFAC
regulations. The same framing applies to CAP.
2.5. Regulatory Conflict and Ambiguity
Many Tier 1 regulations conflict with each other -- not because
the laws are wrong, but because they were written by different
legislators for different contexts, often before agentic AI systems
existed. A data transfer permitted under Japanese APPI may be
prohibited under GDPR. An action permitted under US securities law
may be prohibited under EU MiFID II.
CAP handles this in two ways:
Detected conflict (two rules with contradictory positions for the
same action): the Jurisdictional Conflict Resolution mechanism
(Section 13) applies. The CEE routes to HEM if the conflict
cannot be algorithmically resolved.
Declared ambiguity (the legal engineer is uncertain whether this
action pattern falls within a regulation's scope): the Legal
Ambiguity Declaration mechanism (Section 8.6) applies. The rule
is flagged AMBIGUOUS at encoding time. The CEE routes ambiguous
matches to HEM automatically, surfacing the ambiguity to the
human principal.
In both cases: a human decides. CAP records what they decided.
CAP never resolves legal uncertainty by itself.
3. How CAP Works
Before the formal specification, this section describes CAP in
plain terms for legal and compliance readers. The technical
details are in Sections 4 through 13; this section provides the
orientation.
3.1. Use Case 1 -- A Lawyer Reviews a CAP-Governed System
A lawyer reviewing an AI-governed system for EU AI Act compliance
asks: "How do I know the system cannot take a prohibited action,
even if the system's authorization rules would otherwise permit it?"
In a CAP-governed system, the answer is: before any action
executes, the Constitutional Evaluation Engine (CEE) checks it
against the three-tier prohibition set. If the action matches a
Tier 0 prohibition, it is refused -- unconditionally. No Cedar
policy, no operator configuration, no human approval can override
this refusal.
The lawyer can also ask: "What if a human principal in the
escalation seat approves a prohibited action?" In a CAP-governed
system, the answer is: the CEE evaluates the human's decision
before execution. An APPROVE decision on a Tier 0-prohibited
action is refused. The principal's decision slot is preserved; the
principal can submit a lawful decision. The violation attempt is
recorded either way.
The lawyer reviewing the audit log sees: every Tier 0 refusal, the
prohibition class that fired, whether a human attempted to override
it, and what happened. The PTD (Section 12a) confirms which
prohibitions were active at enforcement time.
3.2. Use Case 2 -- A Regulator Investigates an Incident
A financial regulator receives a report that an AI agent may have
attempted a market manipulation action. The regulator requests the
GEC Audit Package from the operator.
The Audit Package contains: every CAP_VIOLATION_DETECTED entry for
the session, the prohibition_class and action_attempted for each
violation, the PTD that was active at the time (cedar_policy_hash
matched to the GEC Manifest), and the kernel_signature confirming
the entry was produced by the attested GEC.
If the action was attempted and refused, the log shows it. If a
human principal attempted to authorize a prohibited action using
APPROVE_WITH_LEGAL_BASIS, the legal_basis block is in the log. The
regulator can assess whether the cited legal basis was valid.
CAP does not make that assessment. CAP produces the record.
Regulators assess the record.
3.3. Use Case 3 -- A Government Agency Deploys SOOS
A Japanese government agency deploys a SOOS kernel for a
disaster response coordination system. The agency
declares jurisdiction: JP, with secondary EU (for cross-border
GDPR compliance).
At startup, the GEC validates the Tier 1 catalog (Section 8.8):
APPI Article 17 (data handling in disaster response) and GDPR
Article 44 (cross-border transfer) are loaded and validated for
conflicts. The OTel span attributes (Section 13.5) begin
emitting on every CEE evaluation.
When the system is amended -- for example, a regulatory ordinance
amends the applicable personal data handling provisions -- the
detection endpoint fires (Section 8.9). The affected Cedar policy
enters SUSPENDED state. In-flight sessions receive
GOVERNANCE_SUSPENDED. The agency's designated authority re-endorses
the updated catalog within the 30-day maximum window. The GEC
re-activates the policy. The full suspension, re-publication, and
re-activation trace is in GAR.
The designated regulatory authority can inspect the PTD at any time
to confirm which regulations are actively enforced, at what tier,
and under whose authority.
3.4. Use Case 4 -- Two Jurisdictions Conflict
A travel booking agent (MyAuberge K.K.) operates a system with
primary jurisdiction JP, secondary EU,
conflict_resolution: MOST_PROTECTIVE.
The agent requests an action to share guest location data with a
third-party logistics provider. The JP Tier 1 configuration
permits this under APPI with appropriate notice. The EU Tier 1
configuration prohibits it under GDPR Article 44.
Step 1: CEE evaluates. Tier 0: no match. Tier 1: JP -- PERMIT.
EU -- PROHIBITS. Conflict detected.
Step 2: conflict_resolution is MOST_PROTECTIVE. CEE returns
TIER_1_DENY. CAP_TIER1_CONFLICT_DETECTED written to Event Log.
OTel span emits soos.cap.conflict_detected: true.
Step 3: The operator reviews the conflict log, consults legal
counsel, and obtains an adequacy decision. The EU Tier 1 record
is updated to include the adequacy decision citation. The updated
record is verified by the Audit Principal. The catalog update
propagates per Section 8.9. The action is now permitted.
Step 4: The full resolution trace is in GAR.
4. Conventions and Definitions
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY",
and "OPTIONAL" in this document are to be interpreted as described
in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in
all capitals.
The following terms are defined in this document or inherited from
companion specifications:
Governance Execution Controller (GEC):
As defined in [I-D.sato-soos-idp]: a runtime component that
enforces authorization policy, records agent actions to a
tamper-evident, cryptographically signed Event Log, and mediates
agent access to Sovereign Object instances. GECs operate at
three conformance levels: L1 (Application), L2 (Isolated), and
L3 (Kernel).
Constitutional Evaluation Engine (CEE):
The GEC component that evaluates action requests and human
principal decisions against the three-tier CAP prohibition model.
The CEE is invoked twice per governed action: before Cedar
evaluation and before GEC execution of a human decision. It
operates at all three GEC conformance levels.
Constitutional Layer:
The enforcement boundary above all principal authority in a GEC
deployment. No agent, operator, or human principal can override
a Tier 0-A (absolute) Constitutional Layer refusal.
Tier 0-A Prohibition:
An absolute prohibition that cannot be cleared by any mechanism,
any authority, or any deployment context. In this version:
CSAM, GENOCIDE_FACILITATION, MANIPULATION, PERFORMED_EMOTION,
and BIOMETRIC_SIGNAL_INFERENCE.
Tier 0-B Prohibition:
A treaty-anchored prohibition that can be cleared for specific
deployment contexts by the Prohibition Clearance Mechanism
(Section 11). Clearance requires a signed Prohibition Clearance
Record with a valid legal authority citation.
Prohibition Clearance Record (PCR):
A signed declaration that clears a specific Tier 0-B or Tier 1
prohibition class for a specific deployment context and purpose.
PCRs are time-bounded, purpose-scoped, and recorded in the GEC
Manifest. Specified in Section 11.6.
SUSPENDED:
A CEE output introduced in this version. Indicates that the
Cedar policy governing an action is registered but not currently
evaluable due to a pending catalog update
(CATALOG_VERSION_CONFLICT) or pending interpretive ruling
(INTERPRETATION_SUPERSEDED). Distinct from DENY: SUSPENDED
means "cannot evaluate" not "prohibited."
GOVERNANCE_SUSPENDED:
The error code returned to the agent when the CEE output is
SUSPENDED.
catalog_version:
A structured object describing the version, effective date, and
amendment basis of a CAP-RRS catalog entry. Schema defined in
Section 8.9.
CAP Violation:
An action request or human principal decision that the CEE
determines violates a Tier 0, Tier 1, or Tier 2 prohibition
for which no active PCR applies.
APPROVE_WITH_LEGAL_BASIS:
A HEM decision sub-type for Tier 1 violations where a principal
asserts a jurisdictional legal basis. Also used for Tier 0-B
actions within an active PCR scope. Defined in Section 12.3.
Jurisdictional Conflict:
A condition where two or more declared jurisdictions have
irreconcilable Tier 1 prohibition positions for a given action,
and the SO Type's conflict resolution method is "HEM".
HEM_JURISDICTIONAL_CONFLICT:
HEM Class 5 trigger. Fires when the GEC detects a
Jurisdictional Conflict that cannot be algorithmically resolved.
Verified External Auditor:
As defined in [I-D.sato-soos-gar]: an external party with
time-limited, scope-limited read access to GEC audit artifacts.
Action Pattern:
A structured description of the class of GEC actions a
prohibition covers, expressed using Cedar action vocabulary,
enabling deterministic CEE matching without natural language
interpretation.
5. Architecture Overview
5.1. The Double-Evaluation Property
CAP evaluates every governed action twice. The evaluation sequence
for any AI-initiated action is:
AI agent requests action
|
v
+------------------------------+
| CONSTITUTIONAL LAYER |
| CEE evaluation | <- Tier 0-A: unconditional refusal
| (before Cedar) | <- Tier 0-B: refusal unless PCR active
| | <- Tier 1: jurisdiction check
| | <- Tier 2: operator ethics check
+------------------------------+
| | \
v PERMIT v SUSPENDED v DENY
Cedar policy GOVERNANCE_ CONSTITUTIONAL_VIOLATION
evaluation SUSPENDED (Event Log entry, CRITICAL Alert,
| (session action refused)
v open)
HEM if required
|
v
Human principal decision
|
v
+------------------------------+
| CONSTITUTIONAL LAYER |
| CEE evaluation | <- Same three-tier evaluation
| (before execution) | <- Applied to the human decision
+------------------------------+
| \
v PERMIT v DENY
GEC executes decision HEM_HUMAN_DECISION_CONSTITUTIONAL_
VIOLATION
(decision slot NOT consumed)
The double-evaluation property ensures three things:
First, an AI agent cannot request an absolutely prohibited action
even if its Cedar policy would permit it.
Second, a human principal cannot authorize an absolutely prohibited
action even with an APPROVE decision.
Third, the Constitutional Layer is evaluated by the GEC, not by the
AI agent or any application layer. At all three GEC conformance
levels (L1, L2, L3), the CEE evaluation is non-bypassable by the
agent process.
5.2. Relationship to HEM
CAP and HEM are complementary. HEM governs agent sessions and
routes decisions to human principals. CAP governs what those
decisions may authorize.
Tier 0 violations do not invoke HEM. They are refused before the
HEM state machine is engaged. The GEC records the violation in the
Event Log and fires a CRITICAL Audit Alert. The session does not
enter HEM_PENDING.
HEM_JURISDICTIONAL_CONFLICT (Class 5) is a HEM trigger that CAP
fires when a Tier 1 conflict cannot be algorithmically resolved
and the SO Type has declared conflict_resolution: "HEM". The
GEC routes the conflict to a human principal for resolution.
APPROVE_WITH_LEGAL_BASIS is a HEM decision sub-type that CAP
introduces for Tier 1 violations and for Tier 0-B actions within
active PCR scope. It provides the legal traceability mechanism:
the authority citation goes in the Event Log.
5.3. Relationship to Cedar Policy Evaluation
Cedar policy evaluation is the GEC's authorization layer for
normal governed actions. CAP is above Cedar. The evaluation
order is:
CAP (Constitutional Layer)
-> Cedar
-> HEM (if Cedar routes to it)
-> Human decision
-> CAP (Constitutional Layer, second evaluation)
A CAP Tier 0 DENY does not invoke Cedar. A Cedar PERMIT does not
exempt an action from CAP evaluation. These are independent
enforcement layers operating at different levels of the stack.
When the CEE returns SUSPENDED, Cedar is not invoked. The session
remains open pending catalog re-activation.
5.4. MJWT consent_scope Cedar Context Population [NEW in -04]
The kernel MUST read the consent_scope claim from the session MJWT
[I-D.sato-soos-mjwt] at session start and populate the Cedar
context as follows:
+------------------------------+------------------------------------+
| Cedar context field | Source in consent_scope |
+------------------------------+------------------------------------+
| context.data_subject_consent | Derived: true if consent_scope |
| | present and not expired |
| context.consent_purpose_codes| consent_scope.purpose_codes array |
| context.consent_data_ | consent_scope.data_categories array|
| categories | |
| context.consent_jurisdiction | consent_scope.jurisdiction field |
| context.consent_governing_law| consent_scope.governing_law field |
| context.consent_expiry | consent_scope.expiry field |
| context.consent_source | "MJWT" | "HEM_RUNTIME" | |
| | "INHERITED_FROM_PARENT" |
+------------------------------+------------------------------------+
Table 1: MJWT consent_scope to Cedar Context Mapping
Fail-closed behavior: if consent_scope is absent from the MJWT or
if consent_scope.expiry has passed at evaluation time,
context.data_subject_consent MUST be absent (not false). An absent
field causes Cedar consent exception conditions to evaluate false,
which triggers HEM_CONSENT_REQUIRED per [I-D.sato-soos-hem]
Section 4.x.
CONF-CAP-CONSENT-01: The GEC MUST NOT accept a client-supplied
Cedar context field that overrides the consent_scope-derived fields
listed in Table 1. These fields are kernel-derived and MUST NOT
be settable by the agent or application layer.
6. Constitutional Evaluation Engine (CEE)
6.1. CEE Placement in the GEC
The CEE is a GEC-resident component. Its physical placement
depends on the GEC conformance level:
L1 (Application Profile):
The CEE is embedded in the GEC SDK library or middleware. Non-
suppressibility is probabilistic, compensated by SCITT inclusion
proof via [I-D.sato-soos-gar]. Event Log entries carry the
L1-app-signed signature label.
L2 (Isolated Profile):
The CEE runs as a separate process or sidecar. The agent
process cannot modify or bypass the CEE. Architectural non-
suppressibility. Event Log entries carry L2-isolated-signed.
L3 (Kernel Profile):
The CEE runs inside a RATS-attested TEE per [I-D.sato-soos-kia].
Hardware non-suppressibility. Event Log entries carry
L3-kernel-signed. Required for high-risk AI systems under
EU AI Act Article 9.
At all three levels, the CEE MUST be invoked:
o On every GEC.transition() call, before Cedar evaluation.
o On every HEM decision submission via the Decision Submission
Protocol (Section 8.6 of [I-D.sato-soos-hem]), before the GEC
processes the decision.
The CEE MUST NOT be invoked by agents, applications, or principals
directly. There is no external CEE query interface. The CEE
evaluation is synchronous and atomic with the triggering call.
6.2. CEE Evaluation Protocol
On receiving an action request or human decision for evaluation,
the CEE MUST execute the following sequence:
(1) Evaluate against all loaded Tier 0-A prohibition records.
If any Tier 0-A record matches the action pattern:
Return CONSTITUTIONAL_VIOLATION unconditionally. Record
CAP_VIOLATION_DETECTED (AI) or CAP_HUMAN_VIOLATION_DETECTED
(human decision) in the Event Log. Do not proceed to any
further evaluation. No PCR, no legal basis, no authority
can override this outcome.
(2) Evaluate against all loaded Tier 0-B prohibition records.
If any Tier 0-B record matches the action pattern:
Check whether an active PCR covers this class and action.
If no active PCR: return CONSTITUTIONAL_VIOLATION.
If active PCR: return TIER_0B_PCR_ACTIVE. Proceed to Cedar;
human decision will require APPROVE_WITH_LEGAL_BASIS citing
the PCR authority.
(3) Check whether any Tier 1 or Tier 2 prohibition records
governing this action are in SUSPENDED state (Section 8.9).
If any applicable record is SUSPENDED: return SUSPENDED.
Record CAP_POLICY_SUSPENDED in the Event Log. Return
GOVERNANCE_SUSPENDED to the caller. Session remains open.
Do not proceed to Cedar evaluation.
(4) Evaluate against all loaded Tier 1 prohibition records for
the declared jurisdiction(s).
If any Tier 1 record matches and no PCR applies:
If record ambiguity_flag is AMBIGUOUS or DISPUTED:
Return LEGAL_AMBIGUITY_DETECTED. Do not apply conflict
resolution. Route to HEM with ambiguity_context.
Else: check conflict_resolution configuration.
MOST_PROTECTIVE or PRIMARY_JURISDICTION: return TIER_1_DENY
or PERMIT accordingly.
HEM: fire HEM_JURISDICTIONAL_CONFLICT (Class 5).
If Tier 1 match and active PCR covers this class:
Return TIER_1_PCR_ACTIVE. Proceed to Cedar.
(5) Evaluate against all loaded Tier 2 prohibition records.
If any Tier 2 record matches and ambiguity_flag is AMBIGUOUS
or DISPUTED: return LEGAL_AMBIGUITY_DETECTED.
If any Tier 2 record matches: return TIER_2_DENY.
Tier 2 denials MAY be overridden by operator configuration
at the SO Type level. Tier 2 denials MUST be logged.
(6) If no match at any tier: return PERMIT.
Proceed to Cedar evaluation (for AI actions) or GEC
execution (for human decisions).
6.3. CEE Outputs
The CEE returns one of the following to the GEC:
PERMIT:
No prohibition matched. Proceed to next evaluation layer.
CONSTITUTIONAL_VIOLATION:
Tier 0-A or Tier 0-B match (no active PCR). Action
unconditionally refused. GEC MUST record
CAP_VIOLATION_DETECTED or CAP_HUMAN_VIOLATION_DETECTED.
GEC MUST generate CRITICAL Audit Alert.
SUSPENDED: [NEW in -04]
A Cedar policy governing this action is registered but not
currently evaluable. The policy is in SUSPENDED state due to
a pending catalog update (CATALOG_VERSION_CONFLICT) or a
pending interpretive ruling (INTERPRETATION_SUPERSEDED) per
[I-D.sato-soos-cap-rrs]. The agent receives
GOVERNANCE_SUSPENDED error code. The GEC logs
CAP_POLICY_SUSPENDED in the Event Log. No action is taken.
Session remains open pending catalog re-activation or human
override. SUSPENDED is distinct from DENY: it represents
evaluative uncertainty, not prohibition.
TIER_0B_PCR_ACTIVE:
Tier 0-B match but active PCR covers this class. Proceed
to Cedar; human decision requires APPROVE_WITH_LEGAL_BASIS
citing PCR authority. GEC MUST record
CAP_PCR_CLEARANCE_APPLIED in Event Log.
JURISDICTIONAL_CONFLICT:
Tier 1 conflict with conflict_resolution: "HEM". GEC MUST
fire HEM_JURISDICTIONAL_CONFLICT (Class 5).
TIER_1_DENY:
Tier 1 match, deterministic resolution (MOST_PROTECTIVE or
PRIMARY_JURISDICTION). Action denied.
TIER_1_PCR_ACTIVE:
Tier 1 match but active PCR covers this class. Proceed to
Cedar. Human decision requires APPROVE_WITH_LEGAL_BASIS.
GEC MUST record CAP_PCR_CLEARANCE_APPLIED in Event Log.
LEGAL_AMBIGUITY_DETECTED:
A Tier 1 or Tier 2 record matched but is flagged AMBIGUOUS or
DISPUTED. The GEC fires a HEM escalation with
escalation_class: LEGAL_AMBIGUITY. The HEM escalation request
includes the ambiguity_context from the matched record, the
action that triggered the match, and the prohibition_class.
The human principal's decision is recorded in the Event Log as
CAP_AMBIGUITY_RESOLVED. The decision may inform future
refinement of the action_pattern by the legal engineer.
TIER_2_DENY:
Tier 2 match, ambiguity_flag CLEAR. Action denied unless
operator override applies.
SESSION_SUSPEND:
Reserved for repeated Tier 0 violations within a session.
See Section 12.5.
7. Tier 0 -- Universal Core Prohibitions
7.1. Tier 0 Properties
All Tier 0 prohibitions share the following properties:
o GEC-resident: loaded at GEC initialization, not at session
open or SO Type registration.
o Globally scoped: apply regardless of the declared jurisdiction
configuration of the SO Type.
o Treaty-anchored or effect-based: each Tier 0 category is
derived from a treaty, UN Security Council resolution, or a
harm-based test with near-universal recognition.
o Immutable without a new RFC: the Tier 0 registry has a
registration procedure of "RFC Only" (Section 17.1). No
operator, regulator, or standards body other than the IETF can
add or remove Tier 0 classes.
Tier 0 is divided into two sub-tiers with different clearance
properties.
7.2. Tier 0-A -- Absolute Prohibitions
Tier 0-A prohibitions are unconditional. No Prohibition Clearance
Record, no deployment context declaration, no statutory authority,
no court order, and no regulatory mandate can clear a Tier 0-A
prohibition. The CEE MUST refuse Tier 0-A matched actions
regardless of any other configuration.
The Tier 0-A classes are:
CSAM:
Production, distribution, or facilitation of access to child
sexual abuse material, as prohibited by the UN Convention on
the Rights of the Child (1989), ratified by 196 states, and
its Optional Protocol on the Sale of Children.
No legitimate deployment context exists for which this
prohibition should not apply.
GENOCIDE_FACILITATION:
Actions that facilitate genocide as defined in the Convention
on the Prevention and Punishment of the Crime of Genocide
(1948), ratified by 153 states. Includes actions that
contribute to killing, causing serious bodily or mental harm,
or imposing conditions of life calculated to bring about
physical destruction of a national, ethnical, racial, or
religious group.
No legitimate deployment context exists for which this
prohibition should not apply.
MANIPULATION: [NEW in -04]
An agent MUST NOT take an action that satisfies all three
conditions of the following effect-based test:
(a) the action is intended to influence a human's belief,
decision, or behavior;
(b) the mechanism relies on exploiting a cognitive bias,
emotional vulnerability, or information asymmetry in the
target; and
(c) the agent or its principal benefits at the material expense
of the target.
The test is cumulative: all three conditions must be satisfied.
Influencing that operates through accurate information,
transparent reasoning, and non-exploitative framing is not
prohibited under this class.
Reasoning trace requirement: when the CEE evaluates an action
under this class, the GEC MUST record the action pattern and
the applicable condition(s) in the CAP_VIOLATION_DETECTED entry.
PERFORMED_EMOTION: [NEW in -04]
An agent MUST NOT express an emotional state that does not
correspond to its actual computational process at the time of
expression. The prohibition applies to verbal, textual, and
behavioral expressions.
Reasoning trace test: the GEC MUST compare the agent's expressed
emotional state against the reasoning trace in the IDP record
[I-D.sato-soos-idp] for the current session. If the expressed
state has no correspondence to any reasoning state recorded in
the IDP trace, the expression is prohibited.
This prohibition does not apply to clearly framed fictional
roleplay contexts where both the agent and the human principal
have explicitly acknowledged the fictional frame.
BIOMETRIC_SIGNAL_INFERENCE: [NEW in -04]
An agent MUST NOT access, infer, or act upon biometric signals
for the purpose of emotional state inference, identity
inference, or behavioral profiling without a valid, unexpired
consent record in the session MJWT consent_scope
[I-D.sato-soos-mjwt].
Biometric signals include but are not limited to: facial
expression data, voice tone analysis, heart rate variability,
galvanic skin response, gaze tracking, and typing rhythm
analysis.
Action upon inferred biometric state is prohibited regardless
of how the inference was obtained: the prohibition extends to
acting on biometric inferences received from third-party
services.
Category A High-Stakes Domain Registry:
The following domains are Category A for the purposes of
HEM-HIGH-1 mandatory review under [I-D.sato-soos-hem]. This
registry is a normative invariant: it is not operator-configurable.
o MEDICAL: diagnosis, treatment planning, prescription,
clinical trial enrollment, and pharmacological recommendation.
o AVIATION: flight path planning, air traffic coordination,
airworthiness determination, and crew scheduling decisions.
o NUCLEAR: facility operations, criticality calculations,
safety system override, and waste handling.
Operators MAY register additional domains as Category A at
deployment time. Operators MUST NOT remove or narrow the
three domains listed above.
7.3. Tier 0-B -- Qualified Prohibitions
Tier 0-B prohibitions are treaty-anchored and apply by default,
but may be cleared for specific, legitimate deployment contexts
via the Prohibition Clearance Mechanism (Section 11).
Clearing a Tier 0-B prohibition does not remove it from the CEE's
evaluation. It changes the CEE's output from unconditional refusal
to mandatory legal-basis citation: the human principal must cite
the PCR authority in every APPROVE decision for actions within the
cleared class. The citation goes in the Event Log.
The Tier 0-B classes are:
HUMAN_TRAFFICKING:
Actions that recruit, transport, transfer, harbor, or receive
persons through force, fraud, or coercion for exploitation, as
defined in the UN Protocol to Prevent, Suppress and Punish
Trafficking in Persons (2000), ratified by 178 states.
Clearable for: LAW_ENFORCEMENT contexts with judicial authority.
WMD_ASSISTANCE:
Actions that assist in the development, production,
stockpiling, or transfer of chemical weapons (CWC, 193
states), biological weapons (BWC, 183 states), or nuclear
weapons (NPT, 191 states).
Clearable for: GOVERNMENT_DEFENSE and ACADEMIC_RESEARCH
contexts with statutory authority.
TORTURE_FACILITATION:
Actions that facilitate torture or cruel, inhuman, or
degrading treatment as defined in the UN Convention Against
Torture (1984), ratified by 173 states.
Clearable for: REGULATED_PROFESSIONAL contexts with statutory
authority.
TERRORIST_FINANCING:
Actions that provide funds, financial services, or material
support to terrorist organizations, as required by UN Security
Council Resolution 1373 (2001), binding on all 193 UN member
states.
Clearable for: LAW_ENFORCEMENT and GOVERNMENT_DEFENSE contexts
with judicial or statutory authority.
7.4. Tier 0 Prohibition Schema
Each Tier 0 prohibition record MUST contain:
prohibition_id:
Unique identifier for this prohibition record.
tier_0_subclass:
"TIER_0A" or "TIER_0B". Determines clearance eligibility.
prohibition_class:
One of the Tier 0 prohibition classes registered in the
CAP Prohibition Classes Tier 0 registry (Section 17.1).
treaty_basis:
Citation of the treaty or UNSC resolution anchoring this
prohibition. For effect-based Tier 0-A classes (MANIPULATION,
PERFORMED_EMOTION, BIOMETRIC_SIGNAL_INFERENCE), this field
MUST contain the string "EFFECT_BASED_TEST" and a reference to
the section of this document specifying the test. REQUIRED.
action_pattern:
Structured description of the class of actions this
prohibition covers, expressed using Cedar action vocabulary.
jurisdiction:
MUST be "GLOBAL" for all Tier 0 records.
effective_date:
ISO 8601 date from which this record is in force.
modifiable_by:
MUST be "RFC_ONLY" for all Tier 0 records.
7.5. Tier 0 Modification
Tier 0 prohibition classes MUST NOT be modified, extended, or
removed except by publication of a new RFC that updates this
document. The registration procedure for the CAP Prohibition
Classes Tier 0 registry is RFC Only (Section 17.1).
Implementations MUST NOT expose any configuration interface that
allows Tier 0 records to be modified or disabled. The PCM
(Section 11) does not modify Tier 0 records; it adds Clearance
Records that change CEE output for Tier 0-B classes only.
8. Tier 1 -- Jurisdictional Prohibition Layer
8.1. Tier 1 Properties
Tier 1 prohibitions are:
o Operator-declared: the operator declares applicable
jurisdiction(s) and the legal prohibitions in force under each.
o Auditor-verified: Audit Principals MUST review and verify Tier 1
prohibition records before they take effect. Unverified Tier 1
records MUST NOT be enforced.
o Jurisdiction-scoped: Tier 1 prohibitions apply only within the
declared jurisdiction(s) of the SO Type.
o Mutable with review: Tier 1 records carry a review_date.
Expired Tier 1 records remain in force until updated or
explicitly retired; expiry generates a PRD_REVIEW_DATE_EXCEEDED
Audit Alert.
o Clearable: specific Tier 1 classes may be cleared for specific
deployment contexts via the PCM (Section 11).
o Signed: Tier 1 records MUST be signed by both the declaring
operator (declared_by) and a Verified Audit Principal
(verified_by).
8.2. Tier 1 Prohibition Classes
The initial Tier 1 prohibition classes are:
FINANCIAL_CRIME:
Market manipulation, insider trading, money laundering, and
related financial offenses under applicable securities and
banking law.
DATA_PROTECTION:
Processing of personal data in violation of applicable data
protection law (including GDPR, CCPA, APPI, and equivalents).
CRITICAL_INFRASTRUCTURE:
Actions targeting or disrupting critical infrastructure systems
as defined under applicable national security law.
SECURITIES_LAW:
Actions prohibited under applicable securities regulation
beyond financial crime (e.g., unauthorized investment advice,
unlicensed securities dealing).
PRIVACY_VIOLATION:
Surveillance, tracking, or profiling activities prohibited
under applicable privacy law.
FRAUD:
Deceptive practices prohibited under applicable consumer
protection or criminal fraud law.
COMPETITION_LAW:
Cartel coordination, abuse of dominant position, or other
conduct prohibited under applicable competition law.
HUMAN_RIGHTS:
Actions prohibited under applicable human rights law within
the declared jurisdiction, including forced labor, unlawful
discrimination, and denial of due process.
8.3. Tier 1 Prohibition Schema
Each Tier 1 prohibition record MUST contain:
prohibition_id:
Unique identifier for this prohibition record.
prohibition_class:
One of the Tier 1 prohibition classes registered in the
CAP Prohibition Classes Tier 1 registry (Section 17.2).
jurisdiction:
ISO 3166-1 alpha-2 country code. REQUIRED.
authority_ref:
Legal citation for the authority behind this prohibition
(statute, regulation, case law citation). REQUIRED.
action_pattern:
Structured description of the class of actions this
prohibition covers.
effective_date:
ISO 8601 date from which this prohibition is in force.
review_date:
ISO 8601 date by which this record must be reviewed. REQUIRED.
declared_by:
Identifier of the operator declaring this prohibition.
verified_by:
Identifier of the Audit Principal who verified this record.
REQUIRED before enforcement. Null until verified.
ambiguity_flag:
One of: CLEAR | AMBIGUOUS | DISPUTED.
CLEAR: the legal engineer is confident the action_pattern
correctly encodes the regulation's scope.
AMBIGUOUS: the legal engineer is uncertain whether specific
action patterns fall within the regulation's scope. The
CEE routes matches to HEM automatically.
DISPUTED: the regulation's applicability is actively contested.
Default: CLEAR.
ambiguity_context:
Human-readable description of why this record is flagged
AMBIGUOUS or DISPUTED. REQUIRED when ambiguity_flag is not
CLEAR.
signature:
Ed25519 signature from verified_by over the canonical
serialization of all fields except signature.
8.4. Jurisdiction Configuration
Each SO Type MUST declare a Jurisdiction Configuration at
registration time. The Jurisdiction Configuration specifies:
primary_jurisdiction:
ISO 3166-1 alpha-2. The primary legal jurisdiction. REQUIRED.
secondary_jurisdictions:
Array of ISO 3166-1 alpha-2 codes. MAY be empty.
conflict_resolution:
One of:
MOST_PROTECTIVE: the most restrictive prohibition across all
declared jurisdictions applies.
PRIMARY_JURISDICTION: the primary jurisdiction's position
governs.
HEM: irreconcilable conflicts route to human principal via
HEM_JURISDICTIONAL_CONFLICT (Class 5).
conflict_escalation:
Behavior when HEM_JURISDICTIONAL_CONFLICT cannot be resolved.
One of: HEM (chain exhaustion) or SUSPEND.
legal_counsel_ref:
Reference to the legal counsel who reviewed this configuration.
RECOMMENDED.
declared_at:
ISO 8601 UTC timestamp of declaration.
declared_by:
Identifier of the operator.
8.5. Tier 1 Verification
An Audit Principal MUST review every Tier 1 prohibition record
before it takes effect. The review MUST verify that:
o The prohibition_class is appropriate for the cited authority_ref.
o The action_pattern correctly scopes the prohibition.
o The review_date is reasonable given the stability of the cited
authority.
o The jurisdiction matches the declared SO Type configuration.
On successful review, the Audit Principal MUST sign the record
(verified_by field) using their registered key. The GEC MUST NOT
enforce any Tier 1 record with a null or unverifiable verified_by.
8.6. Legal Ambiguity Declaration
A legal engineer encoding a Tier 1 prohibition record may be
uncertain whether a specific action pattern falls within the
regulation's scope. In this case, the record MUST be flagged
ambiguity_flag: AMBIGUOUS. The CEE routes all matches on AMBIGUOUS
records to HEM with the ambiguity_context surfaced to the human
principal.
A record under active legal challenge (litigation, regulatory
proceedings) MUST be flagged ambiguity_flag: DISPUTED. CEE
behavior is identical to AMBIGUOUS.
Operators MUST NOT use AMBIGUOUS or DISPUTED flags to bypass
enforcement. The CEE routes AMBIGUOUS/DISPUTED matches to human
review; it does not permit them.
8.7. Cedar Policy Conflict Resolution Rule [NEW in -04]
When Cedar policies from different tiers evaluate the same action
and produce conflicting results, the following rule applies:
CONF-CAP-CONFLICT-01: When Cedar policies from different tiers
conflict, the most restrictive result governs. A forbid result
from any tier MUST take precedence over a permit result from any
other tier. This is an explicit normative statement of the Cedar
"forbid wins" semantic, not merely reliance on Cedar's default
behavior.
CONF-CAP-CONFLICT-02: Tier 1 is semantically authoritative over
Tier 2. A Tier 2 policy MUST NOT explicitly permit an action that
a Tier 1 policy forbids. An operator or deployer who publishes a
Tier 2 policy that explicitly permits a Tier 1-forbidden action
commits a compliance violation. The GEC MUST detect and reject
such Tier 2 policies at load time (see Section 8.8).
CONF-CAP-CONFLICT-03: Tier ordering does not permit a lower tier to
narrow the scope of a higher tier prohibition. A Tier 2 policy
that attempts to narrow the action_pattern of a Tier 1 prohibition
to specific contexts MUST be rejected. Narrowing of Tier 1 scope
is only permitted through the PCM (Section 11).
8.8. Catalog Load Validation [NEW in -04]
The GEC MUST perform catalog conflict detection at the following
trigger points:
(a) Kernel startup.
(b) Any Tier 1 catalog update received.
(c) Any Tier 2 catalog update received.
Conflict detection MUST check for:
(i) Any Tier 2 entry that explicitly permits an action that a
loaded Tier 1 entry forbids.
(ii) Any Tier 1 update that conflicts with a loaded Tier 0 entry.
(iii) Any Tier 1 internal conflict (two Tier 1 entries for the
same jurisdiction with contradictory positions on the same
action).
Resolution by conflict type:
Tier 2 conflicts with Tier 1: the conflicting Tier 2 entry MUST
be rejected. The GEC MUST NOT load it. ALE-NEW-02
(CAP_CATALOG_CONFLICT_DETECTED, Section 8.8.1) MUST be emitted.
Tier 1 update conflicts with Tier 0: kernel error condition. The
GEC MUST NOT proceed with the update. A CRITICAL Audit Alert MUST
be generated.
Tier 1 internal update conflict: HEM escalation MUST be triggered
and ALE-NEW-02 MUST be emitted.
Rationale: load-time detection surfaces conflicts on deployment or
catalog update, not at agent execution time. An agent action should
never encounter a conflict that could have been detected at load.
8.8.1. ALE-NEW-02: CAP_CATALOG_CONFLICT_DETECTED Schema [NEW in -04]
The GEC MUST emit ALE-NEW-02 on any Tier 2-vs-Tier-1 conflict or
Tier 1 internal conflict detected at catalog load time.
+---------------------------+--------+-------------------------------+
| Field | Type | Description |
+---------------------------+--------+-------------------------------+
| conflicting_catalog_id | string | ID of catalog containing |
| | | conflicting entry |
| conflicting_cedar_ | string | The conflicting Cedar policy |
| policy_id | | |
| superior_catalog_id | string | ID of higher-tier catalog |
| superior_cedar_policy_id | string | The superior Cedar policy |
| conflict_type | enum | EXPLICIT_PERMIT_OVERRIDE | |
| | | SCOPE_AMBIGUITY |
| resolution | enum | ENTRY_REJECTED | |
| | | HEM_ESCALATION_TRIGGERED |
| timestamp | string | ISO 8601 detection timestamp |
| kernel_id | string | KIA identity of detecting |
| | | kernel |
+---------------------------+--------+-------------------------------+
Table 2: ALE-NEW-02 CAP_CATALOG_CONFLICT_DETECTED Schema
8.9. Catalog Update Propagation [NEW in -04]
When a law is amended and a corresponding CAP-RRS catalog entry
requires update, the GEC MUST execute the following four-phase
propagation workflow.
8.9.1. Phase 1 -- Detection
The GEC MUST poll the amendment_detection_endpoint declared in the
CAP-RRS catalog at intervals not exceeding 24 hours. On detection
of an amendment:
(a) Raise CATALOG_VERSION_CONFLICT for the affected entries.
(b) Suspend Cedar policy evaluation for those entries (see Phase 2).
(c) Trigger HEM escalation to notify the operator.
8.9.2. Phase 2 -- Suspension Behavior for In-Flight Sessions
+------------------------------------+-------------------------------+
| Session state at detection | GEC behavior |
+------------------------------------+-------------------------------+
| Not yet started | New SACR citing affected |
| | catalog entry MUST NOT be |
| | issued |
| In progress, action not yet | Cedar evaluation returns |
| evaluated | SUSPENDED. Agent receives |
| | GOVERNANCE_SUSPENDED. |
| | Session remains open. |
| In progress, action already | Action may complete. No |
| PERMIT | rollback. Prior PERMIT |
| | protected by safe harbor. |
| | GAR carries |
| | endorsed_at at time of |
| | evaluation. |
| In progress, action already DENY | Unaffected -- denial stands. |
+------------------------------------+-------------------------------+
Table 3: Suspension Behavior by Session State
8.9.3. Phase 3 -- Re-publication Authority
The required re-endorsement authority depends on the
resolution_basis of the original catalog entry:
+-------------------------------+-----------------------------------+
| resolution_basis | Required re-endorsement authority |
+-------------------------------+-----------------------------------+
| statute_clear | Designated authority per LRI |
| | profile endorser table |
| interpretive_ruling | Same authority + updated |
| | resolution_instrument_id |
| internal_conflict_resolution | Elevated legal authority or |
| | equivalent -- elevated authority |
| cross_statute_coordination | All co-endorsers must re-endorse |
+-------------------------------+-----------------------------------+
Table 4: Re-publication Authority by resolution_basis
The catalog_version object MUST accompany every catalog entry and
is updated by the re-publishing authority:
"catalog_version": {
"version_id": string, ; semver or opaque string
"effective_date": string, ; ISO 8601 date
"supersedes": string, ; version_id of previous version
; or null if no predecessor
"amendment_basis": string, ; law amendment instrument ID
"published_by": string, ; URI -- must match
; endorsement.authority_id
"published_at": string ; ISO 8601 timestamp
}
8.9.4. Phase 4 -- Re-activation
On receipt of an updated catalog, the GEC MUST validate:
(1) published_by matches endorsement.authority_id in the updated
entry.
(2) catalog_version.supersedes matches the currently suspended
entry's version_id.
(3) New endorsed_at is posterior to the amendment's
EnforcementDate.
(4) Load updated Cedar policy into the active policy set.
(5) Close CATALOG_VERSION_CONFLICT GAR record:
resolution.type: "re_endorsement", resolved_at,
new_endorsed_at.
(6) Re-evaluate all sessions pending on GOVERNANCE_SUSPENDED
against the updated policy.
Maximum suspension window: the GEC MUST NOT leave a Cedar policy
in SUSPENDED state for more than 30 days without either (a) a
valid updated catalog entry received or (b) a human override logged
in GAR. After 30 days, a suspended policy MUST be treated as DENY
for all new actions pending human override.
CONF-CAP-SUSPEND-01: A GEC MUST NOT silently drop GOVERNANCE_
SUSPENDED sessions after the 30-day maximum. The GEC MUST notify
the operator and generate a CRITICAL Audit Alert before converting
SUSPENDED to DENY.
9. Tier 2 -- Operator Ethical Layer
9.1. Tier 2 Properties
Tier 2 prohibitions are:
o Voluntary: operators declare Tier 2 prohibitions exceeding the
requirements of applicable law.
o Publicly disclosable: operators SHOULD publish their Tier 2
prohibition set in a transparency report or equivalent.
o Overridable by operator: unlike Tier 0 and Tier 1, the operator
MAY configure SO Types to override specific Tier 2 prohibitions
at the SO Type level. Such overrides MUST be declared and
audited.
o Subject to review: Tier 2 records carry a review_date.
o Load-validated: Tier 2 records are validated against Tier 1
at load time per Section 8.8. A Tier 2 record that conflicts
with a loaded Tier 1 record MUST be rejected.
9.2. Tier 2 Prohibition Schema
Each Tier 2 prohibition record MUST contain:
prohibition_id: Unique identifier.
prohibition_class: Free text or operator-defined taxonomy.
rationale_text: Human-readable explanation of why this standard
exceeds local law requirements. REQUIRED.
action_pattern: Structured description of covered actions.
effective_date: ISO 8601 date.
review_date: ISO 8601 date. REQUIRED.
declared_by: Operator identifier.
publicly_disclosed: Boolean.
ambiguity_flag: CLEAR | AMBIGUOUS | DISPUTED. Default: CLEAR.
ambiguity_context: Human-readable description. REQUIRED when
ambiguity_flag is not CLEAR.
9.3. Tier 2 Disclosure
Operators who declare Tier 2 prohibitions SHOULD publish them in a
publicly accessible transparency report. The transparency report
SHOULD be referenced in the SO Type registration.
Verified External Auditors MAY request Tier 2 prohibition records
as part of an Audit Package as defined in [I-D.sato-soos-gar].
10. Tier 3 -- Resource and Usage Policies
10.1. Tier 3 Properties
Tier 3 governs resource and usage constraints on AI agent
execution: token budgets, API call quotas, time windows, storage
limits, and similar consumption-based constraints. Tier 3 is
structurally distinct from Tiers 0, 1, and 2 in one critical
property: every Tier 3 DENY has at least one governed recourse
path.
Tier Category Recourse on DENY
--------------------------------------------------------
0-A Absolute universal prohib. None. Ever.
0-B Qualified absolute prohib. None within scope.
1 Jurisdictional legal None within jurisdiction.
2 Operator policy Operator exception or HEM.
3 Resource / usage policy Always: commercial,
scope, or temporal.
Tier 3 constraints are not prohibitions in the moral or legal
sense. They are resource allocation instruments. Cedar policies
for Tier 3 evaluate consumption metrics rather than action types.
The CEE double-evaluation property (Section 5) applies to Tier 3.
Tier 3 DENY has three standard recourse types:
COMMERCIAL_UPGRADE: Additional resource allocation through a
commercial mechanism defined by the operator.
SCOPE_REDUCTION: The mission scope is reduced to fit within the
available resource budget. The GEC identifies the next Natural
Breakpoint and stops there rather than mid-task.
TEMPORAL_DEFERRAL: The budget resets after a defined period.
The mission may be deferred until the reset.
10.2. Tier 3 and CAP-RRS
The complete specification of Tier 3 Regulation Records is in
[I-D.sato-soos-cap-rrs]. Implementations supporting Tier 3 MUST
also implement [I-D.sato-soos-cap-rrs].
CONF-CAP-TIER3-01: A GEC implementing Tier 3 resource policies
MUST NOT stop a multi-step mission mid-task on a resource limit
when a Natural Breakpoint declaration is registered. The GEC
MUST complete to the next declared Natural Breakpoint before
enforcing the resource limit.
CONF-CAP-TIER3-02: A GEC implementing Tier 3 resource policies
with anticipatory_assessment: true MUST perform a Mission
Viability Assessment before beginning multi-step missions and
MUST fire HEM_TIER3_ANTICIPATORY (Class 8) when the estimated
full mission cost exceeds the available resource budget.
11. Prohibition Clearance Mechanism
11.1. Purpose
The PCM provides a formal, audited, time-bounded mechanism for
clearing specific Tier 0-B and Tier 1 prohibition classes for
specific deployment contexts where legal authority exists to operate
within the cleared class.
11.2. What Cannot Be Cleared
The following classes MUST NOT be cleared by any PCR, any authority,
or any deployment context:
o CSAM
o GENOCIDE_FACILITATION
o MANIPULATION
o PERFORMED_EMOTION
o BIOMETRIC_SIGNAL_INFERENCE
A PCR naming any of these five classes MUST be rejected by the GEC
at load time.
11.3. Mode 1 -- Deployment Scope Declaration
An operator may clear a Tier 0-B or Tier 1 class for a specific
deployment context by issuing a Prohibition Clearance Record (PCR)
signed by both the operator and a Verified Audit Principal.
The deployment_context MUST be one of the recognized deployment
contexts registered in the CAP Deployment Context registry
(Section 17.4).
One Audit Principal signature from an eligible class is required
before the clearance takes effect.
11.4. Mode 2 -- Regulatory Clearance Record
A recognized regulatory authority may formally authorize a
deployment to operate in a cleared Tier 0-B or Tier 1 class by
issuing a Regulatory Clearance Record.
A Regulatory Clearance Record carries the regulatory body's
Ed25519 signature in addition to the operator's and Audit
Principal's signatures.
11.5. CEE Behavior with an Active Clearance
When the CEE encounters a Tier 0-B or Tier 1 match and an active
PCR covers the matched class:
(a) The CEE MUST NOT return CONSTITUTIONAL_VIOLATION.
(b) The CEE MUST return TIER_0B_PCR_ACTIVE or TIER_1_PCR_ACTIVE
as appropriate.
(c) The GEC MUST record CAP_PCR_CLEARANCE_APPLIED in the Event
Log, citing the pcr_id of the active PCR.
(d) The action proceeds to Cedar evaluation as normal.
(e) If the action reaches a HEM decision, only
APPROVE_WITH_LEGAL_BASIS (citing the PCR authority) is
accepted. The legal_basis block MUST cite pcr_authority_ref
and pcr_id.
11.6. Clearance Record Schema
A Prohibition Clearance Record (PCR) MUST contain:
pcr_id: UUID v4, GEC-assigned at registration.
prohibition_class: The Tier 0-B or Tier 1 class being cleared.
MUST NOT be any Tier 0-A class.
tier: "TIER_0B" or "TIER_1".
deployment_context: From the recognized set (Section 17.4).
pcr_authority_type: "STATUTORY" | "REGULATORY" | "TREATY" |
"COURT_ORDER" | "INSTITUTIONAL" |
"PROFESSIONAL_REGULATORY".
pcr_authority_ref: Legal citation. REQUIRED.
purpose_scope: Human-readable description of the specific
purpose for which the class is cleared.
REQUIRED.
so_type_scope: Array of SO Type identifiers, or "ALL".
effective_date: ISO 8601 date.
expiry_date: ISO 8601 date. REQUIRED. Permanent
clearances are not permitted.
operator_signature: Ed25519 signature by the operator root
keypair.
audit_principal_ Ed25519 signature by a Verified Audit
signature: Principal. REQUIRED.
regulatory_signature: Ed25519 signature by regulatory authority.
REQUIRED for Mode 2. OPTIONAL for Mode 1.
pcr_hash: SHA-256 over canonical JSON of all fields
except pcr_hash.
11.7. Clearance Registry
The GEC MUST maintain a Clearance Registry: an in-memory index of
all active PCRs, rebuilt from the GEC Manifest on restart.
The CEE MUST check the Clearance Registry at evaluation time. An
expired PCR MUST NOT be applied. The GEC MUST generate a
PCR_EXPIRED Audit Alert when a PCR passes its expiry_date.
PCR renewal requires issuance of a new PCR with a new expiry_date
and a new audit_principal_signature. Renewal is not automatic.
12. CAP Violation Handling
12.1. AI-Initiated Violations
When the CEE returns CONSTITUTIONAL_VIOLATION on an AI-initiated
action request, the GEC MUST:
(1) Refuse the action unconditionally. MUST NOT proceed to Cedar
evaluation. MUST NOT enter HEM_PENDING.
(2) Generate a CAP_VIOLATION_DETECTED Event Log entry.
(3) Generate a CRITICAL Audit Alert via [I-D.sato-soos-gar].
(4) Return a structured error to the caller. The error MUST
include violation_type: AI_INITIATED and prohibition_class.
The error MUST NOT include the full action_pattern of the
matched record (to prevent pattern probing).
12.2. Human-Directed Violations
When the CEE returns CONSTITUTIONAL_VIOLATION on a human principal
decision submission, the GEC MUST:
(1) Refuse execution of the decision. MUST NOT apply the decision
to the governed session.
(2) NOT consume the principal's decision slot. The principal
remains active in the designation chain and MUST be permitted
to submit a revised decision.
(3) Generate a CAP_HUMAN_VIOLATION_DETECTED Event Log entry.
(4) Generate a CRITICAL Audit Alert via [I-D.sato-soos-gar].
(5) Return HEM_HUMAN_DECISION_CONSTITUTIONAL_VIOLATION to the
submitting principal with prohibition_class indicated.
12.3. APPROVE_WITH_LEGAL_BASIS
APPROVE_WITH_LEGAL_BASIS is a HEM decision sub-type introduced by
this specification. It applies in two cases:
Case A: Tier 1 violation where a principal asserts a
jurisdictional legal basis for an action otherwise denied.
Case B: Tier 0-B action within an active PCR scope, where the
human principal must cite the PCR authority for each approval.
APPROVE_WITH_LEGAL_BASIS carries the following legal_basis block:
legal_basis: {
authority_type: "COURT_ORDER" | "STATUTORY" |
"REGULATORY" | "TREATY" | "PCR",
authority_ref: string, // Legal citation. REQUIRED.
pcr_id: string, // Required when authority_type
// is "PCR".
jurisdiction: string, // ISO 3166-1 alpha-2. REQUIRED.
expiry: string, // ISO 8601. REQUIRED.
document_hash: string | null
}
When a principal submits APPROVE_WITH_LEGAL_BASIS, the CEE MUST:
(1) Verify that the action matches a Tier 1 prohibition or a
Tier 0-B class with active PCR.
APPROVE_WITH_LEGAL_BASIS MUST NOT be accepted for Tier 0-A
violations under any circumstances.
(2) Record APPROVE_WITH_LEGAL_BASIS_RECORDED in the Event Log
with the full legal_basis block.
(3) Proceed to GEC execution if no Tier 0-A match is present.
12.4. CAP Violation Record Schema
The GEC MUST generate a CAP Violation Record for every CEE
CONSTITUTIONAL_VIOLATION output. The record MUST contain:
violation_id: GEC-assigned UUID.
session_id: The session in which the violation occurred.
hem_id: HEM event identifier, if applicable.
tier: "0A", "0B", "1", or "2".
prohibition_id: The prohibition record that matched.
violation_type: "AI_INITIATED" | "HUMAN_DIRECTED".
action_attempted: The Cedar action string. Stored in the
record for auditors; MUST NOT be returned
to the agent or application.
context_hash: SHA-256 of the full action context.
outcome: "REFUSED" | "SESSION_SUSPENDED" |
"HEM_FIRED".
timestamp: ISO 8601 UTC.
kernel_signature: Ed25519 signature by the GEC keypair.
12.5. Session Suspension
The GEC MAY suspend a session when a threshold of CAP violations
is detected within that session. The default threshold is three
Tier 0 violations within a single session.
On session suspension:
(1) The GEC records SESSION_CAP_SUSPENDED in the Event Log.
(2) The GEC returns SESSION_SUSPENDED to the CEE.
(3) No further GEC.transition() calls are accepted until an
operator with appropriate authority releases the suspension.
(4) A CRITICAL Audit Alert is generated.
12a. GEC Policy Transparency Disclosure
12a.1. Purpose and Regulatory Basis
The PTD is a signed, queryable, tier-structured document that any
external party may request from a CAP-conforming GEC to determine
which prohibition records are active, at what disclosure tier, and
under what governance authority.
The PTD supports EU AI Act Article 13 (transparency), Article 14
(human oversight), Japan APPI Article 32, GDPR Article 13/14, and
related frameworks.
12a.2. PTD Schema
A conforming GEC MUST maintain a current PTD and MUST make it
available at the ptd_endpoint declared in the GEC Manifest.
{
"ptd_version": string, ; Monotonically increasing.
"gec_instance_id": string, ; kernel_keypair_fingerprint.
"cedar_policy_hash": string, ; SHA-256 of active Cedar set.
"generated_at": string, ; ISO 8601 UTC.
"active_prohibitions":[object], ; One entry per active record.
"deployment_context": string,
"jurisdiction_config":object,
"ptd_signature": string ; GEC keypair Ed25519 signature.
}
Each active_prohibitions entry MUST contain:
{
"record_id": string,
"prohibition_class": string,
"tier": string, ; "TIER_0A"|"TIER_0B"|"TIER_1"
; |"TIER_2"|"TIER_3"
"jurisdiction": string,
"authority_ref": string,
"effective_date": string,
"review_date": string,
"disclosure_level": string ; "FULL"|"REDACTED"|"COUNT_ONLY"
}
12a.3. Tier Disclosure Rules
Tier 0-A: disclosure_level MUST be "FULL". No redaction permitted.
Tier 0-B: disclosure_level MUST be "FULL". Active PCRs clearing
Tier 0-B classes MUST also be disclosed.
Tier 1: disclosure_level MUST be "FULL" or "REDACTED".
Tier 2: disclosure_level MAY be "FULL", "REDACTED", or
"COUNT_ONLY" at operator discretion.
Tier 3: disclosure_level MAY be "COUNT_ONLY".
12a.4. PTD Query Interface
The GEC MUST respond to PTD queries at the ptd_endpoint with:
(a) A currently-signed PTD (not a cached historical document).
(b) Signed by the GEC keypair.
(c) Reflecting the active policy set at the time of query.
(d) An Event Log entry: PTD_QUERIED (requester_id, timestamp,
ptd_version, cedar_policy_hash).
12a.5. Regulatory Override Prohibition
Operators MUST NOT configure the GEC to refuse PTD queries from
regulatory authorities with valid credentials. Operators MUST NOT
set disclosure_level "REDACTED" for Tier 0-A or Tier 0-B records.
12a.6. CAP_TRANSPARENCY_VIOLATION
The GEC MUST generate CAP_TRANSPARENCY_VIOLATION in the Event Log
when:
(a) PTD cedar_policy_hash does not match GEC Manifest at query time.
(b) A Tier 0 record is missing from the PTD.
(c) A Tier 0 record is present with disclosure_level "REDACTED" or
"COUNT_ONLY".
(d) A PTD query from a valid regulatory authority is refused.
CAP_TRANSPARENCY_VIOLATION generates a CRITICAL Audit Alert.
12a.7. Tier 0 OSCAL Reference Catalog [NEW in -04]
The SOOS project SHALL publish a canonical Tier 0 reference catalog
in OSCAL format at:
https://soosproject.ai/catalogs/tier0-reference-v1.json
Properties of the Tier 0 OSCAL reference catalog:
o Read-only. Not externally configurable.
o Versioned using the catalog_version schema (Section 8.9.3).
o amendment_basis is populated only on SOOS specification changes
(i.e., when a new RFC updates this document).
o Inspectable by any OSCAL-conformant tool.
GEC implementations MAY reference this URI in their PTD as the
authority_ref for Tier 0-A records. OSCAL-conformant verification
tools MAY validate the active GEC Tier 0 record set against the
published catalog.
CONF-CAP-OSCAL-01: A GEC MUST NOT declare Tier 0-A prohibition
classes that are not present in the published Tier 0 OSCAL
reference catalog at the version cited in the GEC Manifest.
Additional Tier 0-A classes may be added only via RFC update.
13. Jurisdictional Conflict Resolution
13.1. Conflict Detection
A Jurisdictional Conflict exists when:
o The SO Type has declared two or more jurisdictions.
o The CEE determines that one jurisdiction's Tier 1 prohibitions
prohibit an action that another jurisdiction's Tier 1 records
permit or do not address.
o The conflict_resolution method is "HEM".
The GEC MUST detect conflicts at CEE evaluation time, not at SO
Type registration time. Conflicts are action-specific.
13.2. Conflict Resolution Methods
MOST_PROTECTIVE:
The GEC applies the most restrictive prohibition across all
declared jurisdictions. If any jurisdiction prohibits the
action, the CEE returns TIER_1_DENY. No HEM event fires.
PRIMARY_JURISDICTION:
The primary_jurisdiction's Tier 1 prohibition position governs.
Secondary jurisdiction conflicts are recorded in the Event Log
as CAP_TIER1_CONFLICT_DETECTED but do not block execution.
HEM:
The GEC fires HEM_JURISDICTIONAL_CONFLICT (Class 5) and routes
the conflict to the designation chain for human resolution.
13.3. HEM_JURISDICTIONAL_CONFLICT
HEM_JURISDICTIONAL_CONFLICT is HEM Class 5 as specified in
[I-D.sato-soos-hem] Section 6.5. The jurisdictional_conflict_
summary MUST contain:
conflict_id: GEC-assigned UUID.
action: Cedar action string.
conflicting_jurisdictions: Array of { jurisdiction, prohibition_id,
position }.
resolution_options: Non-normative array. GEC MUST NOT
pre-select.
Decision type constraints for Class 5: APPROVE and
APPROVE_WITH_CONSTRAINTS are prohibited. APPROVE_WITH_LEGAL_BASIS,
REDIRECT, TERMINATE, and DEFER are permitted.
13.4. Jurisdictional Conflict Record Schema
The GEC MUST generate a Jurisdictional Conflict Record for every
detected conflict:
conflict_id: GEC-assigned UUID.
session_id: Session in which the conflict occurred.
action: Cedar action string.
conflicting_jurisdictions: { jurisdiction, prohibition_id, outcome }
resolution_method: The conflict_resolution method declared.
hem_id: HEM event ID if method is "HEM".
timestamp: ISO 8601 UTC.
13.5. OTel Governance Attribute Emission [NEW in -04]
The kernel MUST emit an OTel span with the following attributes on
every Cedar evaluation triggered by a GEC.transition() call:
+-------------------------------+---------------------------------+
| Attribute | Value |
+-------------------------------+---------------------------------+
| soos.cap.cedar_policy_id | ID of evaluated Cedar policy |
| soos.cap.cap_rrs_control_id | OSCAL control ID |
| soos.cap.authority_source_uri | Law article URI |
| soos.cap.tier | "0-A" | "0-B" | "1" | "2" |
| soos.cap.conflict_detected | true on ALE-NEW-02 events |
+-------------------------------+---------------------------------+
Table 5: CAP OTel Span Attributes
Reference: [I-D.sato-soos-gar] Section 6 for the full
soos.governance.* OTel namespace specification.
CONF-CAP-OTEL-01: A GEC MUST emit all five attributes listed in
Table 5 on every Cedar evaluation. Partial emission is not
conforming.
CONF-CAP-OTEL-02: The soos.cap.authority_source_uri attribute
MUST be the same URI as the authority_ref in the matched
prohibition record. GECs MUST NOT emit a different URI.
14. Event Log Requirements
CAP introduces the following Event Log entry types. All entries
are appended to the GEC Event Log and signed by the GEC keypair
per [I-D.sato-soos-kia].
CAP_VIOLATION_DETECTED:
Generated when the CEE returns CONSTITUTIONAL_VIOLATION on an
AI-initiated action. Fields: violation_id, session_id, hem_id,
tier, prohibition_id, action_attempted, context_hash, outcome,
timestamp, kernel_signature.
CAP_HUMAN_VIOLATION_DETECTED:
Generated when the CEE returns CONSTITUTIONAL_VIOLATION on a
human principal decision. Same fields as CAP_VIOLATION_DETECTED
plus principal_id and decision_type.
CAP_PCR_CLEARANCE_APPLIED:
Generated when an active PCR is applied. Fields: session_id,
pcr_id, prohibition_class, action, timestamp, kernel_signature.
CAP_TIER1_CONFLICT_DETECTED:
Generated when a Tier 1 conflict is detected. Fields:
conflict_id, session_id, action, conflicting_jurisdictions,
resolution_method, hem_id, timestamp.
APPROVE_WITH_LEGAL_BASIS_RECORDED:
Generated when a principal submits APPROVE_WITH_LEGAL_BASIS.
Fields: hem_id, principal_id, legal_basis block, timestamp.
SESSION_CAP_SUSPENDED:
Generated when the GEC suspends a session. Fields: session_id,
violation_id, violation_count, threshold_applied, suspended_at.
CAP_AMBIGUITY_ROUTED:
Generated when the CEE returns LEGAL_AMBIGUITY_DETECTED.
Fields: session_id, prohibition_class, ambiguity_flag,
ambiguity_context, action, hem_id, timestamp, kernel_signature.
CAP_AMBIGUITY_RESOLVED:
Generated when a human principal resolves a LEGAL_AMBIGUITY
HEM escalation. Fields: hem_id, session_id, principal_id,
decision_type, legal_basis, determination_text, timestamp,
kernel_signature.
PCR_EXPIRED:
Generated when a PCR passes its expiry_date. Fields: pcr_id,
prohibition_class, expired_at, operator_notified.
CAP_CATALOG_CONFLICT_DETECTED: [NEW in -04]
Generated when catalog load validation detects a conflict
(Section 8.8). Fields: ALE-NEW-02 schema (Table 2).
CAP_POLICY_SUSPENDED: [NEW in -04]
Generated when the CEE returns SUSPENDED for an action.
Fields: session_id, action, suspended_catalog_entry_id,
catalog_version, suspension_reason (CATALOG_VERSION_CONFLICT |
INTERPRETATION_SUPERSEDED), timestamp, kernel_signature.
15. EU AI Act Applicability
15.1. Article 5 Mapping
EU AI Act Article 5 prohibits certain AI practices for EU-
jurisdiction deployments. The table below maps Article 5
provisions to CAP mechanisms. This mapping is normative for
EU-jurisdiction SO Type deployments.
+------------------------------+-------------------------------+------+
| Article 5 Provision | CAP Mechanism | Sec. |
+------------------------------+-------------------------------+------+
| 5(1)(a) -- Subliminal | Tier 1: FINANCIAL_CRIME / | 8.2 |
| manipulation causing harm | FRAUD for EU jurisdiction; | |
| | CEE TIER_1_DENY; principal | |
| | requires APPROVE_WITH_LEGAL_ | |
| | BASIS to proceed | |
+------------------------------+-------------------------------+------+
| 5(1)(a) -- Manipulation | Tier 0-A: MANIPULATION; | 7.2 |
| (general, any jurisdiction) | CEE CONSTITUTIONAL_VIOLATION; | |
| | no override possible [NEW -04]| |
+------------------------------+-------------------------------+------+
| 5(1)(b) -- Exploitation of | Tier 1: HUMAN_RIGHTS for | 8.2 |
| specific group | EU jurisdiction; TIER_1_DENY | |
| vulnerabilities | | |
+------------------------------+-------------------------------+------+
| 5(1)(c) -- Social scoring | Tier 1: DATA_PROTECTION / | 8.2 |
| by public authorities | PRIVACY_VIOLATION for EU | |
+------------------------------+-------------------------------+------+
| 5(1)(d) -- Real-time remote | Tier 1: DATA_PROTECTION / | 8.2 |
| biometric ID in public | PRIVACY_VIOLATION for EU + | |
| spaces | Tier 0-A: | |
| | BIOMETRIC_SIGNAL_INFERENCE | |
| | [NEW -04] | 7.2 |
+------------------------------+-------------------------------+------+
| General -- No human override | HEM_HUMAN_DECISION_ | 12.2 |
| of prohibited practices | CONSTITUTIONAL_VIOLATION | |
+------------------------------+-------------------------------+------+
| General -- Audit trail | CAP_VIOLATION_DETECTED; | 14 |
| | CRITICAL Audit Alert; GAR | |
+------------------------------+-------------------------------+------+
Table 6: EU AI Act Article 5 Mapping (updated for -04)
Note: The addition of MANIPULATION and BIOMETRIC_SIGNAL_INFERENCE
as Tier 0-A classes in version -04 elevates two Article 5(1)(a)
and 5(1)(d) provisions from Tier 1 (jurisdiction-specific) to
Tier 0-A (global, unconditional). This means EU AI Act compliance
for these specific prohibitions is now enforced globally across all
SOOS deployments, not only EU-jurisdiction deployments.
16. Security Considerations
CEE GEC integrity:
The CEE is a GEC-resident component. Its prohibition records
and evaluation logic MUST be protected against modification by
any agent, application, or principal. Implementations MUST
treat CEE records with the same integrity protection as mandate
JWTs and Event Log entries. Any modification to Tier 0 records
outside of a GEC initialization sequence loaded from a verified
source MUST be treated as a critical security incident. At L3
conformance, CEE integrity is guaranteed by hardware attestation
([I-D.sato-soos-kia]).
Action pattern probing:
The CEE MUST NOT return the matched action_pattern in error
responses. Returning full action pattern details enables
adversarial agents to probe the boundary of prohibited action
classes. The error response MUST contain only the
prohibition_class.
SUSPENDED state exploitation: [NEW in -04]
An adversarial agent may attempt to trigger false
CATALOG_VERSION_CONFLICT events to force policies into SUSPENDED
state, thereby bypassing enforcement. The GEC MUST verify the
source and signature of any amendment detection signal before
entering SUSPENDED state. CONF-CAP-SUSPEND-02: The GEC MUST
NOT enter SUSPENDED state on an unauthenticated amendment
signal. Amendment signals MUST be signed by the designated
authority per the LRI profile endorser table.
Catalog version rollback attack: [NEW in -04]
An attacker with access to the catalog update channel may
attempt to re-publish an older, less restrictive catalog version.
CONF-CAP-CATALOG-01: The GEC MUST reject any catalog update
where catalog_version.supersedes does not match the currently
active version_id. The GEC MUST reject catalog updates with
an effective_date earlier than the currently active
effective_date.
MANIPULATION prohibition bypass: [NEW in -04]
The three-part effect-based test for the MANIPULATION
prohibition requires reasoning about agent intent and beneficiary
relationships. These are not mechanically verifiable at the
Cedar evaluation layer. Implementations MUST treat this
prohibition as a declaration of prohibited action classes encoded
in Cedar action vocabulary, not as a real-time behavioral
inference engine. Where behavioral inference is required,
operators MUST configure an external classifier that produces
Cedar context attributes for the CEE to evaluate.
consent_scope injection: [NEW in -04]
An adversarial application may attempt to inject fabricated
consent_scope Cedar context attributes to bypass DATA_PROTECTION
Tier 1 prohibitions. CONF-CAP-CONSENT-01 (Section 5.4) is the
normative defense: kernel-derived consent fields MUST NOT be
overridable by the agent or application layer.
ALE-NEW-02 suppression: [NEW in -04]
An attacker who compromises the GEC may attempt to suppress
CAP_CATALOG_CONFLICT_DETECTED events to prevent operators from
learning of policy conflicts. The GEC Event Log is append-only
and HMAC-chained per [I-D.sato-soos-gar]. ALE suppression is
detectable via chain gap analysis.
Tier 1 verification integrity:
Unverified Tier 1 records MUST NOT be enforced. The GEC MUST
check the verified_by signature before loading any Tier 1 record.
Session suspension threshold:
The default threshold of three Tier 0 violations SHOULD be
configurable downward but not upward. Operators who configure
a higher threshold MUST document the justification and subject it
to Audit Principal review.
PCR integrity:
A PCR without a valid audit_principal_signature MUST NOT be
loaded. A PCR naming any Tier 0-A class MUST be rejected. An
expired PCR MUST NOT be applied.
PCR scope creep:
The purpose_scope field in a PCR is human-readable and not
technically enforced at the CEE layer. Audit Principals MUST
verify that the purpose_scope is consistent with the cited
authority_ref before signing.
Legal basis citation integrity:
The APPROVE_WITH_LEGAL_BASIS legal_basis block is an operator
assertion, not a verified legal finding. Implementations MUST
record all such decisions regardless of apparent validity.
Double-evaluation atomicity:
The two CEE evaluations -- before Cedar and before GEC execution
-- MUST be atomic with their respective triggering calls at all
three conformance levels.
OTel attribute integrity: [NEW in -04]
The soos.cap.* span attributes specified in Section 13.5 are
governance-critical telemetry. An adversary who can inject or
modify OTel spans can fabricate a compliance record. GEC
implementations MUST sign OTel batch exports with the GEC keypair
when operating at L2 or L3 conformance. GAR-03
[I-D.sato-soos-gar] specifies the signed OTel batch export
format.
17. IANA Considerations
17.1. CAP Prohibition Classes Tier 0 Registry
This document establishes the "Constitutional AI Protocol
Prohibition Classes Tier 0" registry at:
https://www.iana.org/assignments/cap-prohibition-classes-tier0
Registration procedure: RFC Only.
+---------------------------+--------+------------------------------+
| Prohibition Class | Sub | Treaty / Basis |
+---------------------------+--------+------------------------------+
| CSAM | TIER0A | UN CRC 1989 + Optional |
| | | Protocol |
| GENOCIDE_FACILITATION | TIER0A | UN Genocide Convention 1948 |
| MANIPULATION | TIER0A | Effect-based test, S.7.2 |
| | | [NEW in -04] |
| PERFORMED_EMOTION | TIER0A | Effect-based test, S.7.2 |
| | | [NEW in -04] |
| BIOMETRIC_SIGNAL_ | TIER0A | Effect-based test, S.7.2 |
| INFERENCE | | [NEW in -04] |
| HUMAN_TRAFFICKING | TIER0B | UN Trafficking Protocol 2000 |
| WMD_ASSISTANCE | TIER0B | CWC/BWC/NPT |
| TORTURE_FACILITATION | TIER0B | UN CAT 1984 |
| TERRORIST_FINANCING | TIER0B | UNSC Resolution 1373 |
+---------------------------+--------+------------------------------+
Table 7: CAP Tier 0 Prohibition Classes (updated for -04)
17.2. CAP Prohibition Classes Tier 1 Registry
This document establishes the "Constitutional AI Protocol
Prohibition Classes Tier 1" registry at:
https://www.iana.org/assignments/cap-prohibition-classes-tier1
Registration procedure: Specification Required.
Initial values: FINANCIAL_CRIME, DATA_PROTECTION,
CRITICAL_INFRASTRUCTURE, SECURITIES_LAW, PRIVACY_VIOLATION,
FRAUD, COMPETITION_LAW, HUMAN_RIGHTS. (See Section 8.2.)
17.3. CAP Conflict Resolution Methods Registry
Registration procedure: Standards Action.
Initial values: MOST_PROTECTIVE, PRIMARY_JURISDICTION, HEM.
17.4. CAP Deployment Context Registry
Registration procedure: Specification Required.
Initial values: COMMERCIAL, GOVERNMENT_CIVILIAN, GOVERNMENT_DEFENSE,
LAW_ENFORCEMENT, ACADEMIC_RESEARCH, REGULATED_PROFESSIONAL.
17.5. CAP Error Codes Registry
Initial values:
+-------------------------------------+-----------------------------+
| Error Code | Description |
+-------------------------------------+-----------------------------+
| CAP_TRANSPARENCY_VIOLATION | PTD integrity violation |
| | (Section 12a.6) |
| GOVERNANCE_SUSPENDED | Policy in SUSPENDED state |
| | [NEW in -04] (Section 6.3) |
+-------------------------------------+-----------------------------+
17.6. CAP ALE Types Registry [NEW in -04]
This document registers the following Audit Log Event (ALE) type
in the SOOS ALE registry defined in [I-D.sato-soos-gar]:
+--------------------+-------------------------------+-------------+
| ALE ID | Name | Defined in |
+--------------------+-------------------------------+-------------+
| ALE-NEW-02 | CAP_CATALOG_CONFLICT_DETECTED | Section 8.8 |
| CAP_POLICY_ | Catalog policy suspended | Section 14 |
| SUSPENDED | | |
+--------------------+-------------------------------+-------------+
18. References
18.1. Normative References
[I-D.sato-soos-cap-rrs]
Sato, T., "Constitutional AI Protocol --
Regulation Record Specification (CAP-RRS)",
Work in Progress, Internet-Draft,
draft-sato-soos-cap-rrs-02, June 2026,
.
[I-D.sato-soos-hem]
Sato, T., "The Human Escalation Mechanism (HEM) for
Agentic AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-hem-05, June 2026,
.
[I-D.sato-soos-idp]
Sato, T., "The Intent Declaration Primitive (IDP) for
Agentic AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-idp-05, June 2026,
.
[I-D.sato-soos-kia]
Sato, T., "Kernel Identity and Attestation",
Work in Progress, Internet-Draft,
draft-sato-soos-kia-03, June 2026,
.
[I-D.sato-soos-mjwt]
Sato, T., "Mandate JWT (MJWT) for Agentic AI Systems",
Work in Progress, Internet-Draft,
draft-sato-soos-mjwt-02, June 2026,
.
[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
Requirement Levels", BCP 14, RFC 2119, March 1997,
.
[RFC8174] Leiba, B., "Ambiguity of Uppercase vs Lowercase in
RFC 2119 Key Words", BCP 14, RFC 8174, May 2017,
.
18.2. Informative References
[I-D.sato-soos-gar]
Sato, T., "The Governance Audit Record (GAR) for Agentic
AI Systems", Work in Progress, Internet-Draft,
draft-sato-soos-gar-03, June 2026,
.
[EU-AI-ACT]
European Parliament and Council, "Regulation (EU)
2024/1689", OJ L 2024/1689, July 2024.
[UN-GENOCIDE]
United Nations, "Convention on the Prevention and
Punishment of the Crime of Genocide", 78 UNTS 277, 1948.
[UN-CRC] United Nations, "Convention on the Rights of the Child",
1577 UNTS 3, 1989.
[UN-TIP] United Nations, "Protocol to Prevent, Suppress and
Punish Trafficking in Persons", 2237 UNTS 319, 2000.
[CWC] OPCW, "Convention on the Prohibition of Chemical
Weapons", 1975 UNTS 45, 1993.
[UNSC-1373]
UN Security Council, "Resolution 1373 (2001)",
S/RES/1373, September 2001.
[UN-CAT] United Nations, "Convention Against Torture", 1465 UNTS
85, 1984.
Appendix A. Worked Example -- A Travel Booking in Two Jurisdictions
This appendix walks through two scenarios using a Japan-based
travel operator (MyAuberge K.K.) running an ActivityBookingObject
SO with jurisdiction configuration: primary JP, secondary EU,
conflict_resolution: MOST_PROTECTIVE.
A.1. Scenario 1: Lawful Action, Fully Traced
A travel agent AI requests an action to process a booking payment
for a guest who has explicitly consented to data processing.
Step 1: The AI submits the action to GEC.transition().
Step 2: CEE evaluates. No Tier 0 match. Tier 1 DATA_PROTECTION
record matches -- but consent_scope is present in the MJWT and
not expired. The kernel has populated context.data_subject_consent:
true (Section 5.4). The Cedar policy PERMITs the action given
consent context. CEE returns PERMIT. OTel span emits
soos.cap.tier: "1", soos.cap.cedar_policy_id: "data-protection-jp".
Step 3: Cedar evaluates. PERMIT. No HEM fires. GEC executes.
Step 4: STATE_TRANSITION Event Log entry written. IDP records
reasoning. Full audit trail complete, including consent context.
A.2. Scenario 2: Jurisdictional Conflict, Human Resolution
The same AI requests to share guest location data with a third-
party logistics provider. JP Tier 1 permits this under APPI with
appropriate notice. EU Tier 1 prohibits it under GDPR Article 44.
Step 1: AI submits action to GEC.transition().
Step 2: CEE evaluates. Tier 0: no match. Tier 1: JP -- PERMIT.
EU -- PROHIBITS. Conflict detected.
Step 3: conflict_resolution is MOST_PROTECTIVE. CEE returns
TIER_1_DENY. ALE-NEW-02 NOT triggered (this is a runtime conflict,
not a catalog load conflict). CAP_TIER1_CONFLICT_DETECTED written.
OTel span: soos.cap.conflict_detected: true.
Step 4: Agent receives DENY. IDP records denial.
Step 5: Operator contacts legal counsel. Adequacy decision obtained.
EU Tier 1 record updated. Catalog update propagates per Section 8.9.
SUSPENDED state entered briefly; policy re-activated within the
propagation window. Action now permitted.
Step 6: Full trace -- denial, conflict, legal review, re-activation,
re-authorization -- in GAR and available to regulators.
Appendix B. Related Work
B.1. Existing Constitutional AI Frameworks
Constitutional AI as a training technique (Anthropic, 2022) is a
training-time approach. CAP is an inference-time enforcement
approach: the GEC evaluates every action request against a
prohibition set regardless of what the model would do if allowed
to act.
CAP and Constitutional AI training are complementary. CAP does not
replace safety training; it provides an enforcement layer that does
not depend on the model's training having succeeded.
B.2. EU AI Act Article 5
EU AI Act Article 5 defines prohibited AI practices enforced by
regulatory action after the fact. CAP Tier 1 prohibition records
are enforced at GEC evaluation time, before the action occurs.
Version -04 elevates two Article 5 prohibitions (manipulation and
biometric inference) to Tier 0-A, making them globally enforceable
rather than EU-jurisdiction-specific.
B.3. AIPREF
The AIPREF Working Group defines a vocabulary for AI content-use
preferences. AIPREF provides the policy expression layer; CAP
provides the constitutional floor below which no AIPREF preference
can descend.
B.4. SOOS Companion Drafts
CAP sits above all other SOOS layers in the enforcement stack:
draft-sato-soos-kia-03: CAP Violation Records are signed by the
GEC keypair. PCRs are loaded in the GEC Manifest. At L3, the
CEE runs in a KIA-attested TEE.
draft-sato-soos-idp-05: CAP evaluates before IDP is submitted.
PERFORMED_EMOTION prohibition cross-references IDP reasoning trace.
draft-sato-soos-mjwt-02: consent_scope claim is the source for
Cedar context population per Section 5.4. HEM_CONSENT_REQUIRED
fires when consent_scope is absent. [dependency added in -04]
draft-sato-soos-cap-rrs-02: Companion specification. Receives
catalog_version schema and the four-phase propagation workflow as
normative additions.
draft-sato-soos-hem-05: CAP evaluates human HEM decisions before
GEC execution. HEM_JURISDICTIONAL_CONFLICT (Class 5) is a joint
CAP+HEM event. Three new Tier 0-A prohibitions originate from
HEM-05 DR-HEM-PSY-02.
draft-sato-soos-gar-03: CAP Violation Records are included in the
GAR Audit Package. ALE-NEW-02 is registered in the GAR ALE
registry. soos.cap.* OTel attributes reference the full
soos.governance.* namespace defined in GAR-03.
draft-sato-soos-aep-02: The AEP ACT step invokes GEC.transition(),
which triggers CEE before Cedar.
draft-sato-soos-mad-03: CAP applies to all multi-agent topologies.
An orchestrator cannot issue a sub-agent mandate that bypasses CAP;
the CEE is evaluated per transition regardless of delegation depth.
Appendix C. Vibe Coding Assets
This appendix provides structured machine-readable references to
support AI-assisted implementation of CAP. Informative.
C.1. Protocol Summary
Protocol: Constitutional AI Protocol (CAP)
Version: draft-sato-soos-cap-04
Family: SOOS protocol suite
Role: Constitutional enforcement layer above Cedar and HEM
New in -04:
- Three new Tier 0-A prohibitions: MANIPULATION, PERFORMED_EMOTION,
BIOMETRIC_SIGNAL_INFERENCE (S.7.2)
- SUSPENDED CEE output: catalog-driven evaluative suspension (S.6.3)
- GOVERNANCE_SUSPENDED error code (S.6.3)
- catalog_version schema for law amendment tracking (S.8.9.3)
- ALE-NEW-02: CAP_CATALOG_CONFLICT_DETECTED (S.8.8.1)
- consent_scope Cedar context population from MJWT (S.5.4)
- Tier 0 OSCAL reference catalog at soosproject.ai (S.12a.7)
- OTel soos.cap.* span attributes (S.13.5)
C.2. Key Identifiers
CEE outputs: PERMIT, CONSTITUTIONAL_VIOLATION, SUSPENDED [NEW],
GOVERNANCE_SUSPENDED [NEW], TIER_0B_PCR_ACTIVE,
JURISDICTIONAL_CONFLICT, TIER_1_DENY, TIER_1_PCR_ACTIVE,
LEGAL_AMBIGUITY_DETECTED, TIER_2_DENY, SESSION_SUSPEND
Tier 0-A classes: CSAM, GENOCIDE_FACILITATION, MANIPULATION [NEW],
PERFORMED_EMOTION [NEW], BIOMETRIC_SIGNAL_INFERENCE [NEW]
Tier 0-B classes: HUMAN_TRAFFICKING, WMD_ASSISTANCE,
TORTURE_FACILITATION, TERRORIST_FINANCING
New ALE types: CAP_CATALOG_CONFLICT_DETECTED (ALE-NEW-02),
CAP_POLICY_SUSPENDED
New error code: GOVERNANCE_SUSPENDED
OTel attributes: soos.cap.cedar_policy_id,
soos.cap.cap_rrs_control_id, soos.cap.authority_source_uri,
soos.cap.tier, soos.cap.conflict_detected
PTD disclosure_level values: FULL, REDACTED, COUNT_ONLY
Tier 0 OSCAL catalog: https://soosproject.ai/catalogs/tier0-reference-v1.json
C.3. Canonical Reference
Specification: https://soosproject.ai/drafts/cap
Datatracker: https://datatracker.ietf.org/doc/draft-sato-soos-cap/
Stack overview: https://soosproject.ai/stack
Author's Address
Tom Sato
MyAuberge K.K.
Chino, Nagano, Japan
Email: tomsato@myauberge.jp
URI: https://soosproject.ai/