Right to History: A Sovereignty Kernel for Verifiable AI Agent Execution

This paper introduces the "Right to History" principle and implements it in PunkGo, a Rust-based sovereignty kernel that ensures tamper-evident, independently verifiable logging of AI agent actions on personal hardware through Merkle trees, capability isolation, and energy-budget governance, thereby addressing critical regulatory and trust gaps in decentralized AI execution.

The Gist

Imagine you hire a very smart, but slightly unpredictable, personal assistant to run your errands. You tell them: "Go buy groceries, pay the bills, and maybe fix a leaky faucet."

Now, imagine that assistant comes back and says, "I did all that!" But you have no way of knowing:

• Did they actually buy the groceries, or did they just buy a video game?
• Did they pay the right amount, or did they accidentally transfer your savings to a stranger?
• Did they fix the faucet, or did they just kick the pipe until it stopped leaking?

In the world of AI, we are starting to let these "agents" do exactly this. But currently, there is no black box or receipt that proves what they actually did. If something goes wrong, you have no proof.

This paper introduces a solution called PunkGo and a new concept called the "Right to History."

Here is the simple breakdown of how it works, using everyday analogies.

1. The Core Idea: The "Right to History"

Think of your personal data (photos, emails) as your property. You already have laws saying you own your data.
This paper argues you should also own your computational history. If an AI agent acts on your computer, you have a right to a complete, unchangeable, and mathematically proven record of every single thing that agent did.

2. The Problem: The "Black Box"

Right now, if an AI agent runs on your laptop, it's like a magician pulling rabbits out of a hat. You see the rabbit appear, but you don't know if it was a real rabbit, a plastic toy, or if the magician swapped it with a different one.

• Current Systems: They might have a "pause" button or a "permission" switch, but they don't keep a permanent, unalterable diary of the magic tricks.
• The Risk: If the AI goes rogue or makes a mistake, you can't prove it to a bank, a court, or even to yourself.

3. The Solution: PunkGo (The "Sovereignty Kernel")

The authors built a new piece of software called PunkGo. Think of it as a super-strict, unblinking security guard that sits between you (the human) and the AI agent.

Here is how PunkGo works, using three main metaphors:

A. The "Merkle Tree" (The Unbreakable Diary)

Imagine a diary where every page is glued to the next one with super-strong, magical glue.

• If you try to tear out a page or change a word on Page 5, the glue on Page 6, 7, and 8 instantly turns red and breaks.
• In computer terms, this is called a Merkle Tree. It creates a digital fingerprint for every action. If anyone tries to tamper with the history, the math proves it immediately.
• The Result: You get a receipt that is mathematically impossible to fake.

B. The "Energy Budget" (The Token Jar)

Imagine you give your assistant a jar with 100 tokens. Every time they do something, it costs tokens.

• Buying groceries: 5 tokens.
• Fixing the faucet: 10 tokens.
• Trying to break into your safe: 100 tokens (and they get stopped).
• The Twist: If the assistant tries to ask for permission to do something risky (like "transfer $1,000"), they have to lock 20 tokens in the jar first.
  • If you say "Yes", the action happens, and the tokens are spent.
  • If you say "No" or they wait too long, you still lose a small fee (20% of the locked tokens) just for the trouble of checking.
• Why this matters: This stops the AI from spamming you with "Are you sure?" requests to drain your resources or trick you. It forces the AI to be serious about its requests.

C. The "Capability Badge" (The ID Card)

Imagine the AI agent has an ID card that says exactly what it is allowed to touch.

• Agent A: "Can touch the Kitchen and the Living Room."
• Agent B: "Can touch the Garage only."
• If Agent A tries to walk into the Garage, the security guard (PunkGo) slams the door shut. The agent doesn't even get a chance to try; the action is blocked before it happens.

4. The "Hold" Mechanism (The Human in the Loop)

Sometimes, the AI needs to do something big, like "Sell my house."

• Old Way: The AI just does it, or you have to manually stop it.
• PunkGo Way: The AI stops and says, "I need to sell the house. Do you approve?"
• You get a notification. You click "Approve."
• Crucially: The system records exactly when you clicked, what you approved, and who asked. This creates a legal and technical proof that you gave the order, not the AI.

5. Why This Matters for You

• Regulations: New laws (like the EU AI Act) are coming that say high-risk AI must keep logs. PunkGo makes this easy for regular people, not just big companies.
• Trust: You can finally look at a log and say, "Yes, the AI did exactly what I told it to do, and nothing else."
• Sovereignty: It puts you back in the driver's seat. You aren't just a user; you are the owner of the history of your own computer.

Summary

The paper proposes a new system where your AI agent acts like a hired hand with a leash.

1. The Leash: It can only go where you let it (Boundaries).
2. The Wallet: It has to pay for every step it takes (Energy).
3. The Diary: Every step is written in a book that cannot be erased or changed (Merkle Tree).
4. The Boss: You get to sign off on the big moves (Human Approval).

This turns AI from a "black box" mystery into a transparent, accountable partner that you can trust.

Technical Summary

1. Problem Statement

As AI agents increasingly perform autonomous tasks on behalf of humans (e.g., file modification, API calls, code execution), a critical accountability gap has emerged. Current systems lack a mechanism to provide a tamper-evident, independently verifiable record of what an agent actually did, who authorized it, and whether it stayed within declared bounds.

• The Regulatory Gap: Regulations like the EU AI Act mandate automatic logging for high-risk AI systems. However, these frameworks implicitly assume a centralized provider controlling the log. When agents run on personal hardware (local-first), there is no central authority to guarantee log integrity, completeness, or non-tampering.
• The Technical Gap: Existing solutions fail to address this holistically:
  • Agent Contracts define what agents may do but do not record what they did.
  • OS Audit Tools (auditd, eBPF) operate at the syscall level, lacking semantic attribution to agent actions and cryptographic proof.
  • Agent OSs (e.g., AIOS) often treat the LLM as the Trusted Computing Base (TCB), which is non-deterministic and unverifiable.
  • Transparent Logs (Certificate Transparency) exist but have not been applied to agent action auditing.

2. Core Concept: The Right to History

The paper proposes the Right to History, an extension of Floridi's informational rights framework. It asserts that individuals are entitled to a complete, verifiable, and tamper-evident record of every AI agent action performed on their hardware. This is not an optional feature but an architectural commitment.

3. Methodology: The PunkGo Kernel

The authors implement this concept in PunkGo, a sovereignty kernel written in Rust. PunkGo acts as a Trusted Computing Base (TCB) that sits between the untrusted AI agent (LLM) and the system resources.

A. System Architecture

PunkGo follows a three-layer architecture:

1. Kernel Layer (TCB): The sole commit point. It validates, records, and proves actions but does not execute them. It contains the Event Log, Energy Ledger, Boundary Checker, and Audit Prover.
2. Agent Layer: The untrusted LLM-driven agent that submits actions to the kernel.
3. Client Layer: The human interface for approval and history browsing.

B. Key Mechanisms

1. RFC 6962 Merkle Tree Audit Log:
   • All actions are appended to an immutable log.
   • Uses a Merkle tree structure to provide O(log n) inclusion and consistency proofs.
   • Ensures that any modification to a past event invalidates the root hash, making tampering detectable.
2. Capability-Based Isolation:
   • Agents operate under strict writable targets (patterns) and action types (observe, create, mutate, execute).
   • Follows a "Default Deny" policy; only actions matching declared capabilities are processed.
3. Energy Budget Governance:
   • To prevent Denial-of-Service (DoS) and resource exhaustion, every action consumes "energy."
   • Energy is produced based on hardware capacity and allocated to actors.
   • Hold Mechanism: High-risk actions trigger a hold_on state, requiring human approval. If rejected or timed out, a commitment cost (20% of reserved energy) is deducted to deter malicious probing.
4. Execute Submission Model:
   • The kernel is a committer, not an executor. For execute actions, the agent runs the code externally and submits the result (input/output hashes, exit codes) to the kernel for recording. The kernel validates the payload format but trusts the agent's claim of execution (analogous to Certificate Transparency).

4. Formal Framework & Invariants

The paper formalizes the system using five core invariants, proven via structured pre/post-condition sketches:

1. Append-Only (INV-1): The log can only grow; events cannot be deleted or modified.
2. Completeness (INV-2): Every action that passes boundary checks and has sufficient energy is recorded in the log.
3. Integrity (INV-3): The Merkle root precisely commits the current log contents, allowing independent verification.
4. Boundary Enforcement (INV-4): Agents cannot commit actions outside their declared capabilities.
5. Energy Conservation (INV-5): No actor can consume more energy than allocated; the system prevents negative balances.

5. Key Contributions

• C1. Formal Framework: A mathematical model for AI agent auditing comprising primitives (Actor, Energy, State) and the five invariants above.
• C2. PunkGo Kernel: A Rust implementation unifying Merkle logs, capability isolation, and energy governance. It shifts the TCB from the LLM to a verified kernel.
• C3. Sovereignty Inversion: A conceptual shift from "how agents maintain sovereignty from humans" to "how humans maintain sovereignty over agents."
• C4. Proof-of-Concept Validation: Empirical verification of all invariants and performance benchmarks.

6. Evaluation Results

The system was tested on an Intel Core i7-14700K with a SQLite backend.

• Performance:
  • Latency: Median action latency is sub-1.3 ms (0.7–1.3 ms depending on action type).
  • Throughput: Approximately 400 actions/sec (sequential commits).
  • Proof Size: At 10,000 log entries, Merkle inclusion proofs are only 448 bytes (14 hashes).
• Security Verification:
  • Adversarial testing confirmed that tampering with the log (modifying payloads) was detected within 55 ms.
  • Boundary enforcement correctly rejected 100% of out-of-bounds attempts.
  • Energy conservation prevented budget exhaustion and double-spending.
• Comparison: Unlike AIOS (which lacks audit logs and uses a permission hashmap), PunkGo provides cryptographic evidence and formal invariants.

7. Significance and Future Work

• Regulatory Compliance: PunkGo enables individuals running local AI agents to self-comply with the EU AI Act's logging and human oversight requirements.
• Architectural Shift: It establishes "verifiable action recording" as a first-class architectural concern rather than an afterthought.
• Limitations & Future Work:
  • Currently single-node (no distributed consensus).
  • Formal proofs are sketches; future work aims for machine-checked verification using Verus.
  • Integration with Trusted Execution Environments (TEEs) like Intel SGX/TDX to protect against privileged platform adversaries (Level 2 threats).
  • Optimization of Merkle proof generation (currently O(n) due to storage loading) to O(log n).

Conclusion

"Right to History" addresses the critical lack of accountability in autonomous AI agents. By introducing the PunkGo Sovereignty Kernel, the authors provide a practical, high-performance system that guarantees a tamper-evident history of agent actions, ensuring that humans retain ultimate oversight and verifiable proof of what their AI agents have done on their behalf.