ARF · Authority Reference Framework

Rules, not trust.
Policy, not prayer.

ARF enforces declarative TOML governance rules at the proxy layer before any message reaches the model and before any response reaches the agent. Circuit breakers trip automatically. Health grades track agent behavior over time. You write the rules once; ARF enforces them forever.

Policy Reference View Profiles

Writing Policy

Declarative TOML.
Human-readable governance.

ARF policy files are plain TOML. Every rule is readable by a human, auditable by a machine, and version-controlled like any other infrastructure config. No opaque binary formats, no vendor-locked policy languages, no click-ops.

Rules express what agents are allowed to do, what they're forbidden from doing, and what requires human approval before proceeding. Governance isn't applied post-hoc it's enforced live, in the request path, before the model generates a response.

The Authority Reference Framework evaluates every inbound prompt and outbound completion against your policy DAG. The evaluation is streaming-aware: ARF reads completion chunks as they arrive and can trip a circuit breaker mid-stream if content violates policy.

# arf-policy.toml governance rules

[profile]
name = "production"
base = "standard"
token_budget = 100_000
health_grade_floor = "C"

[rules.content]
# Block any prompt mentioning credentials
deny_patterns = [
  "(?i)(api.?key|secret|password|token)",
  "(?i)system.?(prompt|message)"
]
# Auto-approve read-only file ops
auto_approve = ["read_file", "list_dir", "grep"]
# Require human sign-off on network calls
require_approval = ["bash", "network", "write_file"]

[rules.cost]
max_tokens_per_request = 8_000
max_requests_per_hour = 200
warn_at_budget_pct = 80
hard_stop_at_budget_pct = 100

[circuit_breakers]
error_rate_threshold = 0.15
consecutive_failures = 3
cooldown_seconds = 60
# Dead man's switch: auto-trip if idle > N seconds
idle_trip_seconds = 14400  # 4 hours

[quality_gates]
min_test_coverage = 0.70
require_passing_lint = true
block_on_security_findings = true
        

Governance Profiles

Strict. Standard.
Minimal.

Strict

Maximum oversight. Every tool call requires explicit approval. Token budgets are tight. Circuit breakers are hair-trigger. For production systems, regulated environments, or any context where an agent mistake is costly.

✓ All tool calls require approval
✓ 50k token budget
✓ 1-failure circuit break
✓ Content filtering: maximum
✓ Network calls: blocked by default

Standard

Balanced oversight for everyday development. File reads auto-approve. Writes and network calls require approval. 100k token budget. Recommended for most teams starting with governed agent development.

✓ Reads auto-approved
~ Writes require approval
✓ 100k token budget
✓ 3-failure circuit break
~ Network: prompt on first call

Minimal

Light governance for trusted, local-only workflows. Audit and signing still active you still get a full proof record but approvals are minimal and budgets are relaxed. For personal workstations and experimentation.

✓ Most ops auto-approved
✓ 500k token budget
✓ 5-failure circuit break
✓ Audit still active
~ Network: log but allow

Circuit Breakers

Trips fast.
Cools down. Heals.

ARF's circuit breaker model is borrowed from distributed systems engineering: when an agent starts failing, starts violating policy, or goes silent for too long, the breaker trips and further requests are blocked until the condition clears.

Circuit breakers have three states: Closed (normal operation), Open (blocked, cooling down), and Half-Open (probing to see if recovery is possible). Transitions are configurable per profile.

The dead man's switch is a special circuit breaker: if no human interaction is detected within a configurable window, the breaker trips automatically. Useful for long-running autonomous sessions where you want a guaranteed check-in.

Circuit Breaker State Machine

        ┌─────────────────────────────────────┐
        │                                     │
        ▼                                     │ success
  ┌──────────┐   failure_count ≥ N    ┌───────────┐
  │  CLOSED  │ ─────────────────────▶│   OPEN    │
  │  normal  │                        │  blocked  │
  └──────────┘                        └───────────┘
        ▲                                    │
        │                                    │ cooldown elapsed
        │                             ┌──────────────┐
        │   success                   │  HALF-OPEN   │
        └─────────────────────────────│   probing    │
                                      └──────────────┘
                                             │
                                             │ failure
                                             ▼
                                      ┌──────────┐
                                      │   OPEN    │
                                      │  reset ↺  │
                                      └──────────┘

  Events that trip a breaker:
  ✗ error_rate > threshold
  ✗ consecutive_failures ≥ N
  ✗ policy_violation (content, cost)
  ✗ idle > dead_man_switch_seconds
  ✗ manual trip via TUI / CLI

Health Grading

Your agents get
a report card.

Excellent

Error rate <2%. All policy checks passing. Token usage within budget. No manual interventions required.

Good

Error rate 2–8%. Minor policy flags. Token usage slightly elevated. Occasional circuit breaker trips.

Acceptable

Error rate 8–15%. Moderate policy violations. Budget warnings active. Review recommended.

D–F

Poor / Fail

Error rate >15% or budget exceeded. Repeated policy violations. Circuit breakers tripped. Session requires human review.

Health grades are computed per-session and per-agent over a rolling window. They feed back into the governance profile: a session that drops below its configured health_grade_floor in the policy will have its circuit breakers armed for earlier trips. Set health_grade_floor = "C" and any session that reaches D will immediately open the breaker.

Standards Compatibility

Works with the governance
tooling you already have.

ARF's TOML policy language is designed for composability. Export and import rules in OPA Rego, YAML-based policy formats, and JSON Schema. Governance engineers who know Rego can write ARF rules from day one.

OPA / Rego

Import existing OPA Rego policies as ARF rule modules. The ARF compiler translates Rego allow/deny rules into ARF's streaming evaluation pipeline. Your existing compliance library works out of the box.

Integration docs →

JSON Schema / OpenAPI

Define message shape constraints using JSON Schema. ARF validates inbound and outbound message payloads against your schema definitions and blocks malformed or unexpected structures.

Schema validation →

Rules, not trust.Policy, not prayer.

Declarative TOML.Human-readable governance.

Strict. Standard.Minimal.

Trips fast.Cools down. Heals.

Your agents geta report card.