The auth.md Spec
An open convention for AI agent governance as files: readable by people, validated and enforced by machines, signed like a release.
The agent ecosystem standardized on plain-text convention files — agents.md for instructions, llms.txt for guidance, SKILL.md for skills, MCP for tools. There was no agreed file for governance: who an agent may act as, what it may do, what must be recorded, and when it must stop and ask a human. The auth.md convention fills that gap.
The files
A .gaas/ directory at the governed project's root:
| File | Declares |
|---|---|
auth.md | Who or what may act: agent identities, trust tiers, delegation limits, and the actions that always require a human's yes |
policy.md | The rules: scope, severity, verdict, and declarative conditions |
audit.md | Record expectations: retention, signing mode, export cadence — validated against reality, drift surfaced |
escalation.md | Escalation routes: approvers, timeouts, and what happens when nobody answers (never auto-approve) |
attestation.sig | A detached ES256 signature over the bundle — portable, offline-verifiable proof of the rules in force |
Each .md file is YAML frontmatter (the machine contract, schema-validated) plus a Markdown body (the human rationale — hashed into the signature, never machine-interpreted). Governance you can diff in a pull request.
Conditions are declarative, never code
A governance file that can execute code is a supply-chain attack surface. Conditions in this convention are a structured matcher tree — portable across runtimes, reviewable by non-programmers, and safe to accept from any repo:
policies:
- id: no-bulk-customer-export
description: Block bulk exports of customer records
severity: mandatory
verdict: block
when:
all:
- { field: action.target.identifier, op: contains, value: customer }
- { field: action.payload.estimated_impact.audience_size, op: gte, value: 1000 }
Validate in CI, today
The reference validator is open-source Python — local-only, no API key, no network:
pip install gaas-spec
gaas validate # validate ./.gaas — exits non-zero with findings
gaas sign --key org-key.pem --key-id acme-2026
gaas verify --pub acme-2026=org-pub.pem
An implementation conforms to spec 0.1 when it accepts every bundle in the spec repo's fixtures/valid/ and rejects every bundle in fixtures/invalid/ for the documented reason. Fixtures are ground truth: where prose and fixtures disagree, fixtures win.
GaaS is the reference runtime
GaaS validates these files, compiles them into enforced runtime policy scoped to your organization, countersigns applied bundles, and records the applied bundle's hash in the tamper-evident audit chain — binding what the rules said to what decisions were made. The audit record beneath it is free forever.
gaas-spec validator are available now.
Related Pages
- The spec repository — canonical text, schemas, fixtures, governance
- The Record Is Free Forever — the pledge beneath the convention
- Policies — the runtime's policy engine
- Getting Started — free Shadow Mode, no card required