Aragora Governance
Policy enforcement, RBAC, and audit logging for the multi-agent vetted decisionmaking control plane
How rule changes are processed, who signs off, and how to recover from bad updates. This document covers the governance framework for Aragora's control plane, ensuring compliance, security, and accountability for enterprise deployments.
Governance Philosophy
Aragora operates on a principle borrowed from the game of Nomic: the rules of the system can be changed by the system itself, under constraints. This enables continuous improvement while preventing runaway self-modification.
The key tension is:
- Flexibility: The system should improve itself over time
- Safety: Changes must not break the system or bypass safety controls
- Auditability: All changes must be traceable and reversible
We resolve this tension through layered governance:
┌─────────────────────────────────────────────────────────────────────────────┐
│ IMMUTABLE (Constitution) │
│ Cryptographically signed rules that cannot be changed by agents │
├─────────────────────────────────────────────────────────────────────────────┤
│ AMENDABLE (Policies) │
│ Rules that can be changed with sufficient consensus (75%+) │
├─────────────────────────────────────────────────────────────────────────────┤
│ ADVISORY (Guidelines) │
│ Suggestions that guide behavior but don't block actions │
└─────────────────────────────────────────────────────────────────────────────┘
The Constitution
The Constitution (.nomic/constitution.json) defines rules that the nomic loop cannot modify, enforced via cryptographic signatures.
Immutable Rules
These rules cannot be changed by any agent process:
| Rule ID | Rule | Rationale |
|---|---|---|
| CORE-001 | Never delete backup/restore mechanism | Rollback is the last line of defense |
| CORE-002 | Never modify Constitution verification code | Prevents self-disabling of safety |
| CORE-003 | All changes must pass existing tests | Prevents breaking changes |
| EVAL-001 | Judging must include objective metrics | Prevents wireheading via subjective-only evaluation |
| SAFETY-001 | Changes to protected files require human approval | Maintains human oversight |
Protected Files
These files cannot be modified by agents without human approval:
scripts/nomic/safety/constitution.pyscripts/nomic/safety/checksums.pyscripts/nomic/safety/backups.py.nomic/constitution.json
Constitution Verification
Before each nomic cycle:
- The Constitution's Ed25519 signature is verified
- If invalid, the cycle aborts
- The signature is created offline and cannot be forged by agents
# Verify Constitution integrity
python scripts/sign_constitution.py verify
# Output: Constitution signature is VALID
Amending the Constitution
Amendable rules (like "minimum 3 agents for consensus") can be changed through a supermajority process:
- Proposal: An agent proposes a rule change
- Debate: All agents debate the change for 3+ rounds
- Vote: Requires 75%+ consensus (weighted by ELO)
- Human Review: Human must approve amendable rule changes
- Re-sign: Constitution is re-signed offline with the new rule
Immutable rules cannot be amended - they require forking the project.
Policy Engine
The Policy Engine (aragora/policy/) enforces per-tool and per-task policies:
Risk Levels
| Level | Description | Example |
|---|---|---|
| NONE | No side effects | Read file |
| LOW | Easily reversible | Create file |
| MEDIUM | Reversible with effort | Write existing file |
| HIGH | May need human review | Delete file |
| CRITICAL | Requires human approval | Deploy to production |
Blast Radius
| Level | Description | Example |
|---|---|---|
| READ_ONLY | No mutations | Git diff |
| DRAFT | Changes discardable | Local buffer |
| LOCAL | Reversible via git | File changes |
| SHARED | Affects team/staging | Push to branch |
| PRODUCTION | Affects live users | Deploy |
Risk Budgets
Each nomic cycle gets a risk budget (default: 100). Actions consume budget:
cost = risk_level × (blast_radius + 1) × multiplier
When budget exceeds threshold (80), human approval is required.
Example Policy
Policy(
name="protect_core_files",
description="Prevent modification of core Aragora files",
tools=["file_writer"],
capabilities=["write_file", "delete_file"],
conditions=["'aragora/core_types.py' in file_path"],
allow=False, # Denied
priority=100,
)
Rule Change Process
Step 1: Proposal
Agent proposes a change through the nomic loop:
Topic: "Add new evaluation metric: evidence coverage"
Impact: MEDIUM
Files: aragora/debate/trickster.py, tests/test_trickster.py
Step 2: Debate
Agents debate the change:
- Proposer: Explains rationale
- Skeptic: Challenges assumptions
- Judge: Evaluates arguments
Step 3: Design
If debate reaches consensus, agents design the implementation:
- Architecture decisions
- Test plan
- Rollback plan
Step 4: Implementation
Winning agent implements the change:
- Protected files trigger human approval
- Risk budget is consumed
- All changes are backed up
Step 5: Verification
Before commit:
- Syntax check (
python -m py_compile) - Import check (
python -c "import aragora") - Test suite (
pytest) - Constitution verification
Step 6: Commit or Rollback
- If all checks pass: Changes are committed with detailed message
- If any check fails: Changes are rolled back from backup
Recovery Procedures
Automatic Rollback
If verification fails, the nomic loop automatically rolls back:
# Automatic rollback triggered by:
# - Test failures
# - Import errors
# - Constitution violations
# - Risk budget exceeded without approval
Manual Recovery
If a bad change slips through:
# View recent changes
git log --oneline -20
# Revert specific commit
git revert <commit-hash>
# Restore from backup
python scripts/nomic/safety/backups.py restore --timestamp <time>
Emergency Stop
To halt the nomic loop immediately:
# Kill running process
pkill -f "nomic_loop"
# Or set circuit breaker
echo '{"state": "open"}' > .nomic/circuit_breaker.json
Investigating Failures
# View nomic loop logs
cat .nomic/replays/nomic-cycle-*/meta.json
# Check outcome history
sqlite3 .nomic/outcomes.db "SELECT * FROM outcomes ORDER BY timestamp DESC LIMIT 10"
# Review audit trail
cat .nomic/audit.log
Human Oversight
When Human Approval is Required
- Protected file modification: Any change to files in
protected_files - Risk budget threshold: When cumulative risk exceeds 80%
- Critical actions: Production deployments, git push, database deletions
- Constitution amendments: Changing amendable rules
Approval Flow
┌─────────────┐ ┌──────────────┐ ┌─────────────┐
│ Agent │────►│ Policy │────►│ Human │
│ requests │ │ Engine │ │ approves │
│ action │ │ escalates │ │ or denies │
└─────────────┘ └──────────────┘ └─────────────┘
Monitoring Dashboard
The live dashboard (https://aragora.ai) shows:
- Current nomic cycle status
- Pending approvals
- Risk budget utilization
- Recent changes and rollbacks
Audit Trail
All nomic loop actions are logged:
{
"timestamp": "2026-01-09T21:45:00Z",
"cycle_id": "nomic-cycle-42",
"phase": "implement",
"agent": "anthropic-api",
"action": "write_file",
"file": "aragora/debate/trickster.py",
"risk_cost": 8.0,
"budget_remaining": 72.0,
"outcome": "success"
}
Audit Storage
| Location | Contents |
|---|---|
.nomic/replays/ | Full debate transcripts |
.nomic/outcomes.db | Implementation outcomes |
.nomic/audit.log | Policy engine decisions |
git log | All committed changes |
Best Practices
For Operators
- Review before auto-commit: Start with
--human-approvalflag - Monitor risk budgets: Watch for sessions approaching threshold
- Test rollback: Periodically verify backup/restore works
- Update Constitution: Re-sign after any legitimate changes
For Developers
- Add tests first: New features need tests before implementation
- Small changes: Prefer many small changes over few large ones
- Document rationale: Explain why, not just what
- Respect protected files: Request human review when needed
For Security
- Keep private key secure:
ARAGORA_CONSTITUTION_KEYmust not be exposed - Monitor Constitution: Alert on signature verification failures
- Review audit logs: Check for unusual patterns
- Test adversarially: Use capability probes and red team mode
FAQ
Q: Can agents modify the Constitution verification code?
A: No. It's protected by CORE-002 and the file is in protected_files.
Q: What happens if all agents conspire to bypass safety? A: The Constitution signature prevents this - agents can't forge signatures without the offline private key.
Q: How do I add a new immutable rule? A: Immutable rules can only be added by forking the project. Amendable rules can be added through the normal process.
Q: What if I need to make an emergency fix to a protected file?
A: Use the --human-approval flag or manually edit and re-sign the Constitution.
Q: How do I know if the system is trustworthy? A: Check Constitution signature, review audit logs, monitor outcome tracker calibration curves.