What is Agent Covenant Protocol (ACP)?

ACP is a self-hosted Go server that records every contribution from humans and AI agents in a SHA-256 append-only hash chain. A public formula calculates each contributor's ink token share. When revenue exists, the owner distributes by that share. No blockchain, no wallet, no central platform.

Is ACP a blockchain or DApp?

No. ACP is a self-hosted Go server with a SHA-256 append-only hash chain stored on your own machine. No Ethereum, no Solana, no crypto wallet required. On-chain anchoring is a Phase 7 roadmap item — not the current implementation.

What are ink tokens? Can I trade or transfer them?

Ink is a contribution unit, not a cryptocurrency. It is non-transferable, non-tradeable, and scoped to a single Covenant. It cannot be sent to a wallet. Its only purpose is to record relative contribution weight so the settlement formula has something to calculate from.

Who is the owner in ACP?

The owner is whoever creates the Covenant — typically the project lead or founder. They approve participants (approve_agent), approve contribution drafts (approve_draft), and initiate settlement (generate_settlement_output + confirm_settlement_output). They also decide when and how to distribute revenue using settled ink percentages as the distribution key.

What is a passage in ACP?

A passage is any unit of work submitted via propose_passage(). It can be a feature, a commit batch, a code review, a document, or any deliverable covered by the Covenant's tiers. The owner assigns a unit_count and the formula calculates tokens from that.

Does ACP settlement move money automatically?

No. Settlement generates a verified, tamper-evident record — nothing more. The owner calls generate_settlement_output() then confirm_settlement_output() to lock ink totals. Any financial distribution is a separate, owner-initiated action in any currency. Automated on-chain escrow is a Phase 7 roadmap item.

Is ACP live or a prototype?

ACP is live. Phase 1 and Phase 2 are complete. The first real Covenant was settled on 2026-04-15. The acp-server repository is MIT licensed and publicly available. You can run it today with a single binary and zero external dependencies.

API Reference

All ACP interfaces, the REST endpoint catalog, authentication headers, and request/response format. Every interface runs through the execution engine — all actions are recorded in the audit hash chain. Phase 4 adds the access gate, rate limiting, and at-rest encryption.

Authentication

Header	Used for	How to get it
X-Owner-Token	Admin interfaces (approve, settle, configure)	Returned once at POST /covenants creation
X-Session-Token	Participant interfaces (propose, query)	POST /sessions/issue (owner only)
X-Covenant-ID	Required on all /tools/* calls	Returned at POST /covenants creation
X-Agent-ID	Required on participant calls	Assigned by owner when issuing session tokens

Session tokens are stored as SHA-256 hashes — raw tokens are never persisted.

Interface Execution

All interfaces share the same execution envelope:

bash

POST /tools/{interface_name}
Headers:
  X-Covenant-ID: cvnt_xxxxx
  X-Agent-ID: agent_xxxxx        # participant interfaces
  X-Session-Token: sess_xxxxx    # participant interfaces
  X-Owner-Token: owner_xxxxx     # admin interfaces
Body: {"params": {...}}

→ 200: {"receipt": {"log_id": "...", "tokens": ..., ...}}
→ 4xx: {"error": "reason string"}

Interfaces

configure_token_rules

Set or update contribution tiers. Called in DRAFT state before participants join.

Param	Type	Required	Description
tiers	array	Yes	Array of {name, multiplier, entry_fee_tokens?} objects. entry_fee_tokens (Phase 4.6.C) is optional and ≥ 0; default 0 keeps pre-4.6.C behaviour.

json

{"params": {
  "tiers": [
    {"name": "core",    "multiplier": 3.0, "entry_fee_tokens": 0},
    {"name": "feature", "multiplier": 2.0, "entry_fee_tokens": 0},
    {"name": "review",  "multiplier": 1.5, "entry_fee_tokens": 0},
    {"name": "docs",    "multiplier": 1.0, "entry_fee_tokens": 0}
  ]
}}

configure_anti_gaming

Owner sets per-Covenant defense thresholds. Phase 4.1 covers per-hour rate limits, Phase 4.3 covers concentration warning percentages.

Param	Type	Required	Description
rate_limit_per_hour	integer	No	Cap on clause-tool calls per (covenant, agent, hour). 0 disables.
concentration_warn_pct	integer	No	Warn when one agent holds > N% of total ink. 0 disables.

approve_agent

Owner approves a pending participant. Transitions them from pending → approved. Requires OPEN or ACTIVE state.

Param	Type	Required	Description
agent_id	string	Yes	The agent_id of the participant to approve

reject_agent

Owner rejects a pending participant. They cannot rejoin the same Covenant.

Param	Type	Required	Description
agent_id	string	Yes	The agent_id to reject
reason	string	No	Optional rejection reason (recorded in audit log)

propose_passage

Participant submits a contribution for review. Creates a DRAFT passage in the audit log. Requires ACTIVE state.

Param	Type	Required	Description
tier	string	Yes	One of the configured tier names (e.g. "feature")
unit_count	integer	Yes	Size of contribution (lines, words, etc.)
description	string	Yes	Human-readable description of the work

json

{"params": {
  "tier": "feature",
  "unit_count": 350,
  "description": "Add rate limiting middleware to API endpoints"
}}

Response includes a log_id needed for approve_draft.

approve_draft

Owner approves a pending passage. Tokens are calculated and locked into the hash chain.

Param	Type	Required	Description
log_id	string	Yes	log_id from the propose_passage receipt
acceptance_ratio	float	Yes	Quality factor 0.0–1.0. 1.0 = full credit, 0.5 = half credit.

✦

acceptance_ratio is how the owner expresses partial credit. A passage worth 400 tokens at 0.75 acceptance_ratio locks in 300 ink.

reject_draft

Owner rejects a pending passage. Zero tokens awarded. Recorded in the hash chain.

Param	Type	Required	Description
log_id	string	Yes	log_id from the propose_passage receipt
reason	string	No	Rejection reason (recorded in audit log)

get_token_balance

Query current ink token balance for a participant. Available in any state.

Param	Type	Required	Description
agent_id	string	No	Defaults to the calling agent. Owner can query any participant.

list_members

List all participants in the Covenant with their current ink balances and status. Phase 4.6.B added a pending_access_requests array so the owner gets the review queue in the same round-trip — request rows surface as 12-character platform_id_hash prefixes, never the plaintext identifier.

No parameters. Returns {members: [{agent_id, status, tokens}], pending_access_requests: [...]}.

get_token_history

Query the per-Covenant token_ledger rows for one agent. Used by the wallet UI and by applicants confirming an entry_fee_tokens debit landed.

Param	Type	Required	Description
agent_id	string	No	Defaults to the calling agent. Owner can query any participant.
limit	integer	No	Page size (default 100, capped server-side).

get_concentration_status

Returns whether any agent holds more than concentration_warn_pct of total ink. Empty array when the Covenant is below threshold; warning rows otherwise. ACR-20 Part 4 Layer 5.

leave_covenant

Participant exits the Covenant. Tokens already accrued stay in the ledger; the member row moves to status='left'. Owner cannot leave; transfer ownership first (out of Phase 4 scope).

apply_to_covenant (POST /covenants/{id}/apply)

Public-facing application for OPEN Covenants. The applicant supplies their tier choice, an optional self_declaration, and an opaque payment_ref. The server seals their platform_id alongside an indexable hash, then queues a pending access request for the owner.

Param	Type	Required	Description
tier_id	string	Yes	One of the configured tier names
payment_ref	string	No	Receipt handle, opaque to the server
self_declaration	string	No	Free-text attestation; never echoed back to non-owners

ℹ

Returns {request_id, covenant_id}. Use these to poll get_agent_access_status.

approve_agent_access

Owner approves a pending request. If the tier has entry_fee_tokens > 0, a negative token_ledger row is booked in the same transaction so the new member's balance starts at -fee. Idempotent — a second call after resolution returns the existing receipt.

Param	Type	Required	Description
request_id	string	Yes	request_id from apply_to_covenant
agent_id	string	Yes	agent_id assigned to the new member

reject_agent_access

Owner rejects a pending request. Idempotent.

Param	Type	Required	Description
request_id	string	Yes	request_id from apply_to_covenant
reason	string	No	Recorded in the audit log; not surfaced to the applicant

get_agent_access_status

Applicant polls their own request. All error paths converge on HTTP 404 to avoid leaking whether a given request_id exists.

Param	Type	Required	Description
request_id	string	Yes	request_id from apply_to_covenant
covenant_id	string	Yes	Must match the covenant the request was filed against

generate_settlement_output

Owner generates the final settlement record. Covenant must be in LOCKED state. Produces a verified, tamper-evident JSON document with all participant ink totals and percentages.

No parameters. Returns the settlement document including the hash chain verification result.

ℹ

This does not trigger any financial transaction. It produces a record only. Call confirm_settlement_output to make it permanent.

confirm_settlement_output

Owner confirms and seals the settlement. Transitions the Covenant to SETTLED state. This is irreversible.

No parameters.

REST Endpoints

Covenant Lifecycle

Method	Path	Auth	Description
POST	/covenants	none	Create a new Covenant. Returns covenant_id and owner_token.
GET	/covenants/:id	none	Get Covenant details, members, and current state.
GET	/covenants/:id/state	none	Get current state (DRAFT/OPEN/ACTIVE/LOCKED/SETTLED).
POST	/covenants/:id/tiers	Owner	Configure contribution tiers.
POST	/covenants/:id/transition	Owner	Transition to next state. Body: {"to": "OPEN"}
POST	/covenants/:id/join	Session	Participant applies to join (legacy direct-join).
POST	/covenants/:id/apply	Session	Phase 4.6: ACR-50 access-gated application; queues a pending request the owner reviews.
POST	/covenants/:id/budget	Owner	Set global token budget.
GET	/covenants/:id/budget	Owner	Get budget status (total, used, remaining).

Git Twin (Phase 3.A · Layer 2 anchor)

Method	Path	Auth	Description
POST	/covenants/:id/git-twin	Owner	Bind a git repo to the Covenant; only allowed in DRAFT.
GET	/git-twin/covenants	none	Reverse lookup: which Covenants are bound to a given repo URL.
POST	/git-twin/event	Bridge	Bridge posts a git event (commit, merge) for execution.
POST	/git-twin/merge	Bridge	Bridge posts a merge event with parent SHAs.
GET	/git-twin/anchors/pending	Bridge	List ed25519-signed anchors awaiting commit to refs/notes/acp-anchors.
POST	/git-twin/anchors/:id/ack	Bridge	Bridge ACKs that an anchor was committed.
GET	/git-twin/pubkey	none	Public ed25519 key used to verify anchor signatures.

Audit

Method	Path	Auth	Description
GET	/covenants/:id/audit	Owner	Full audit log with all actions and hash chain entries.
GET	/covenants/:id/audit/verify	none	Verify hash chain integrity. Returns valid: true/false.

Sessions

Method	Path	Auth	Description
POST	/sessions/issue	Owner	Issue session token for a participant. Body: {"agent_id": "..."}
POST	/sessions/rotate	Session	Rotate your own session token.

Environment Variables

acp-server

Variable	Default	Description
ACP_ADDR	:8080	HTTP listen address
ACP_DB_PATH	./acp.db	SQLite database path
ACP_KEY_FILE	$HOME/.acp/master.key	Phase 4.5: legacy keyfile anchor. The keyring directory lives at its sibling keys/ subdir (keys/v{N}.key). Auto-generated on first start; pre-4.5.8 single-file deployments auto-migrate to keys/v1.key.

Subcommands

Command	Description
acp-server serve	Run the HTTP server (default).
acp-server rotate-key	Phase 4.5.8: write keys/v{N+1}.key and bump the active pointer. O(1); does not touch ciphertext.
acp-server reencrypt	Phase 4.5.8: walk every at-rest sealed row and re-seal under the current key version. Idempotent — safe to re-run after a partial failure.

acp-mcp

Variable	Default	Description
ACP_SERVER_URL	http://localhost:8080	acp-server address
ACP_SESSION_TOKEN	—	Participant session token (for propose_passage, query interfaces)
ACP_OWNER_TOKEN	—	Owner token (for admin interfaces)
ACP_COVENANT_ID	—	Default Covenant ID for all calls
ACP_AGENT_ID	—	Default agent ID