ABS Core v4.1.0

System Architecture

Understanding the ABS Core Runtime Enforcement Layer and Agent IAM infrastructure.

ABS Core is a strict Layer 7 API Runtime Enforcement Layer and Identity and Access Management (IAM) hub designed specifically for AI Agents and the Model Context Protocol (MCP). It operates by intercepting agent-to-tool communications, evaluating intents, injecting secrets "just-in-time" (JIT), and recording an immutable audit trail.

Unlike standard reverse proxies, ABS Core is optimized for the non-deterministic nature of Large Language Models (LLMs). It decodes natural language parameters and MCP payloads to ensure they match statically defined corporate policies before any high-stakes infrastructure is touched.

System Architecture Overview

graph TD
    subgraph "Agent Runtime"
        Agent[AI Agent]
        Client[LLM SDK / MCP Client]
    end

    subgraph "Runtime Enforcement Layer"
        Gateway[ABS Runtime Enforcement Layer Interceptor]
        WASM[Stateless Policy Engine WASM]
        Vault[JIT Credential Vault]
    end

    subgraph "External Infrastructure"
        LLM[Model Provider OpenAI/Anthropic]
        Tools[Production Tools / DBs]
        Ledger[Immutable Audit Ledger]
    end

    Agent --> Client
    Client --> Gateway
    Gateway --> WASM
    WASM -- "ALLOW (Decrypted)" --> Vault
    WASM -- "DENY (403 Forbidden)" --> Gateway
    Vault --> LLM
    Vault --> Tools
    WASM -- "Evidence Hash" --> Ledger

Detailed Execution Flow

sequenceDiagram
    participant Agent
    participant Gateway as Runtime Enforcement Layer
    participant WASM as WASM Policy Engine
    participant Vault
    participant Tool as Target Tool/DB

    Agent->>Gateway: [Intent] API Call (e.g. Drop Table)
    Gateway->>WASM: Evaluate Intent Hash + Policy DSL
    Note over WASM: Execution in Isolated Sandbox (< 1.2ms)
    WASM-->>Gateway: Result: BLOCK (Security Policy violation)
    Gateway-->>Agent: 403 Forbidden (Action Intercepted)

    rect rgb(240, 240, 240)
    Note right of Tool: Failure path avoided
    end

    Agent->>Gateway: [Intent] Legitimate Query
    Gateway->>WASM: Evaluate
    WASM-->>Gateway: Result: ALLOW
    Gateway->>Vault: Fetch JIT Secret
    Vault->>Tool: Execute with injected Auth
    Tool-->>Agent: Data Return

The Agent Authentication Flow

The standard execution lifecycle of an ABS-governed request operates in a strict, fail-closed loop:

  1. Authentication & Attribution: An agent identity (OID) initiates a request targeting an external tool or MCP Server.
  2. Payload Interception: The ABS Gateway intercepts the communication at the network or SDK layer.
  3. Intent Validation: The sandbox validates the payload against the agent's assigned Compliance Profile (schema validation, scope limits, semantic risk).
  4. Secret Injection: If the policy evaluates to ALLOW, ABS Core dynamically injects the required API keys (e.g., Stripe, AWS, GitHub) into the payload. The LLM never holds the keys in its context window.
  5. Execution & Auditing: The request is forwarded to the destination. The entire interaction (prompt, intent, decision, timestamp) is cryptographically hashed and appended to an append-only audit log.

The Octagon Architecture

ABS Core is governed by the Octagon — an 8-pillar framework designed for Total Resilience. The system is split between its cognitive components (The Brain) and its operational subsystems (The Muscle).

The Octagon Brain (8 Core Components)

  1. ARCHAEO (History): The 8th pillar. Scans historical logs to identify deletions and reconstruct event genealogy for retroactive intelligence.
  2. OID (Sovereignty): Provides Decentralized Identity (DID) and cryptographic signing for irrefutable agent attribution.
  3. OCS (Territory): Financial and regulatory guardian (FinOps) that prevents resource-draining or non-compliant cloud execution.
  4. AICCP (Law): Structured change control protocol. Ensures irreversible operations (deploys, schema drops) require cryptographically signed approval.
  5. ABS Core (Executor): The central kernel that intercepts actions and orchestrates the other pillars in real-time.
  6. CHI (Intuition): Cognitive layer that analyzes intent to detect semantic drift, PII leaks, and hallucinations.
  7. CORTEX (Memory): Long-term behavioral memory unit that tracks reputation scores and detects deviations over time.
  8. LEDGER (Proof): Immutable SHA-256 hash chain providing cryptographic proof for every decision produced by the ABS.
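
The SHA-256 hash chain described for LEDGER (and the append-only log in step 5 of the authentication flow) can be sketched as follows; this is an added example, not ABS Core's own code. The entry layout, the `GENESIS` value and the function names are assumptions, and the sample records are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def entry_hash(prev_hash, record):
    """SHA-256 over the previous entry's hash plus canonical JSON of the record."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(ledger, record):
    """Append a record linked to the current head; return the new head hash."""
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev_hash": prev, "record": record,
                   "hash": entry_hash(prev, record)})
    return ledger[-1]["hash"]


def verify(ledger, anchored_head=None):
    """Return -1 if intact, else the index where the chain first breaks.

    anchored_head is a head hash kept outside the ledger. Without it, entries
    removed from the end leave a shorter chain that still verifies.
    """
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev_hash"] != prev or entry["hash"] != entry_hash(prev, entry["record"]):
            return i
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return len(ledger)  # internally consistent, but not the expected head
    return -1


def sample_ledger():
    """Three constructed decisions with the fields the page lists for an audit entry."""
    ledger, head = [], GENESIS
    for n, (intent, decision) in enumerate(
            [("SELECT orders", "ALLOW"), ("DROP TABLE orders", "DENY"),
             ("SELECT users", "ALLOW")]):
        head = append(ledger, {"prompt": f"constructed prompt {n}", "intent": intent,
                               "decision": decision, "timestamp": 1700000000 + n})
    return ledger, head
```

Editing or deleting an entry in the middle breaks the link at that index; a removed tail is only caught when the head hash is also stored somewhere the ledger writer cannot change.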

The Octagon Muscle (Infrastructure Subsystems)

  • AUTO-HARDENING: Syntactic immunity through continuous lint and type scans for absolute core stability.
  • PAP (Pre-Authorization Protocol): Human private-key validation for high-risk agent transactions.
  • WASM (Universal Kernel): Edge execution engine — policy hot path in 1.2ms median; full governance loop in 23ms e2e.
  • VAULT (Certified Policy Packs): Instant activation of compliance rules (HIPAA, SOC2, LGPD).
  • QUORUM (Human Consensus): M-of-N multi-signature approval for critical operations.
  • BRIDGE (MCP Firewall): Shielding for external tool connections (Claude Code, Cursor).
  • DSL (Policy DSL): Declarative ABS_Schema 2.0 for simple, auditable policy definitions.

Deployment Topologies

To accommodate different enterprise compliance frameworks, ABS Core supports distinct deployment strategies:

  • Cloud/Edge Proxy: The fastest implementation. Traffic is routed through ABS's managed edge network, adding ~18ms median overhead (policy engine + audit) to the total LLM roundtrip.
  • VPC Self-Hosted Gateway: For organizations with strict data residency requirements (e.g., HIPAA, SOC2, FedRAMP), the gateway can be deployed within the customer's Virtual Private Cloud (AWS, Azure, GCP) using lightweight Docker containers.
  • Embedded MCP Middleware: For local or high-security internal agent loops, the runtime can be embedded directly into custom MCP Host implementations.

Security Model

The architecture relies on the principle of Zero Trust for Agents:

  1. No Implicit Scope: Every agent starts with zero access rights. Policies explicitly grant access to specific tools, parameters, or domains.
  2. Immutable Separation: The evaluation engine (WASM) is isolated from the routing layer. Policies cannot modify the engine, and the engine cannot alter the policies.
  3. Fail-Closed Operations: If the policy engine times out, encounters malformed payloads, or detects memory anomalies, the default behavior is to drop the connection and alert the operations team.
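
A minimal sketch of the "No Implicit Scope" and "Fail-Closed Operations" rules, combined with the secret-injection step of the authentication flow; this is an added example in Python, not ABS Core's implementation. The policy table, vault contents, timeout value and all function names are assumptions, and a worker thread stands in for the WASM sandbox.

```python
import concurrent.futures as cf
import time

# Hypothetical policy: agent -> tool -> parameter names it may send.
POLICY = {"agent-billing": {"payments.refund": {"charge_id", "amount"}}}
# Hypothetical vault contents; the key is a constructed placeholder.
VAULT = {"payments.refund": "PLACEHOLDER-API-KEY"}


def evaluate(agent, request):
    """Return "ALLOW" only for an explicit grant; anything else is "DENY"."""
    tool, params = request["tool"], request["params"]  # raises if malformed
    allowed = POLICY.get(agent, {}).get(tool)           # no implicit scope
    if allowed is None or not set(params) <= allowed:
        return "DENY"
    return "ALLOW"


def enforce(agent, request, evaluator=evaluate, timeout=0.5):
    """Return (status, outbound); outbound is None unless the verdict is ALLOW."""
    # A real sandbox would be terminated on timeout; a Python thread is only
    # abandoned, which is enough to show the decision logic.
    pool = cf.ThreadPoolExecutor(max_workers=1)
    try:
        verdict = pool.submit(evaluator, agent, request).result(timeout=timeout)
    except Exception:        # timeout, malformed payload, engine fault
        verdict = "DENY"     # fail closed
    finally:
        pool.shutdown(wait=False)
    if verdict != "ALLOW":   # unrecognised verdicts are denials too
        return 403, None
    secret = VAULT.get(request["tool"])
    if secret is None:       # allowed by policy but no credential: still deny
        return 403, None
    # The secret goes on the forwarded copy only; the agent's request object
    # (and therefore the model's context) never contains it.
    return 200, {**request, "auth": secret}


def slow_engine(agent, request):
    """Constructed stand-in for a policy engine that exceeds its time budget."""
    time.sleep(0.3)
    return "ALLOW"
```

Note that the slow engine would have answered ALLOW; the request is still refused because the verdict did not arrive inside the budget.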
