ClawNet: Identity-Governed Agent Framework

• ClawNet is an identity-governed agent collaboration framework designed for secure, auditable, and multi-user autonomous interactions.
• It employs layered identity partitioning and dual-layer scoped authorization to enforce strict data isolation and verify actions via comprehensive audit logs.
• The framework supports cross-organizational workflows by enabling autonomous negotiation, explicit governance, and traceable accountability in agent-mediated tasks.

ClawNet is an identity-governed agent collaboration framework enabling secure, autonomous cooperation between human users mediated by personal AI agent systems. It operationalizes a human-symbiotic agent paradigm, forging a collaboration network where nodes correspond to people—each with a permanently bound, partitioned agent architecture—and edges represent governed, cross-user interactions. The system establishes foundational governance constructs: layered identity partitioning, dual-layer scoped authorization, and comprehensive accountability at the action level, all enforced by a central orchestrator. ClawNet targets scenarios that require agents to represent and negotiate on behalf of distinct organizational or individual principals, with transparent auditability and strict boundary guarantees (Yang et al., 21 Apr 2026).

1. Human–Symbiotic Agent Paradigm

ClawNet advances beyond traditional agent frameworks that serve a single user, addressing the sociotechnical requirements of cross-user coordination observed in real-world settings. Productivity in organizations, supply chains, and collaborative projects relies on distinct governance primitives: identity (principal representation), authorization (scoped permissions), and accountability (traceability of actions to individuals). In ClawNet, each agent system $A_u$ is permanently assigned to a human owner $u \in U$. Collaboration occurs via a network $G = (U, E)$, where each edge $e(u,v)$ represents an inter-agent relationship governed by explicit permissions and audit mechanisms.

This model shifts focus from maximizing per-agent capability to digitizing the organizational structures underpinning human cooperation. Each user's agent system is not simply a tool, but an institutionalized delegate—empowered and constrained by explicit scoping—enabling cross-user autonomy with robust oversight.

2. Layered Identity Architecture

Agent systems in ClawNet are partitioned into two tiers: a global Manager Agent ($M_u$) and one or more context-specific Identity Agents ($\{I_u^1, \ldots, I_u^k\}$):

• Manager Agent ($M_u$): Aggregates the user’s total knowledge base $K_u$ but is architecturally isolated from all external communication, acting as an internal consultant only.
• Identity Agents ($I_u^i = (c_i, \sigma_i, K_i, P_i)$): Outward-facing personas assigned to distinct contexts (e.g., procurement, legal). Each is encapsulated in a dedicated subdirectory (scoped by $\sigma_i$), operates with a minimal, context-relevant knowledge subset $u \in U$0, and is discoverable/interactable only by explicit principal lists $u \in U$1.

The partitioning is formalized via:

• $u \in U$2
• All operations $u \in U$3 satisfy $u \in U$4, $u \in U$5.

Isolation of $u \in U$6 precludes external access to global user knowledge, enforcing clear boundaries between internal deliberation and external action.

3. Scoped, Two-Layer Authorization

ClawNet employs a defense-in-depth model for all agent operations, particularly file and data access. Each $u \in U$7 is governed by:

• L1 Server-side ACL: Enforced centrally, checks $u \in U$8.
• L2 Client-side Whitelist: Enforced at the user’s endpoint, checks $u \in U$9 $G = (U, E)$0 (generally equivalent to or tighter than $G = (U, E)$1).

An operation $G = (U, E)$2 is permitted only if:

$G = (U, E)$3

where $G = (U, E)$4 and $G = (U, E)$5 are as above.

Denials or violations generate immediate boundary-violation events, logged and escalated to the human owner for possible override or rejection. This ensures enforceable isolation, even under partial system compromise.

4. Action-Level Accountability and Auditability

Every mutative action by an identity agent produces an append-only audit entry

$G = (U, E)$6

stored on both the server and client. Pre-execution backups precede destructive actions (e.g., delete), allowing for rollbacks and forensics. The audit log $G = (U, E)$7 provides a complete causal chain linking high-level intent to granular system actions, and forms the basis for accountability and trust in agent-mediated collaborations.

5. Central Orchestrator and Communication Protocols

The central orchestrator mediates all cross-user requests and enforces critical security and governance logic. User clients and agent containers communicate through WebSocket connections to the central server, which proxies requests, performs initial ACL validation, and forwards approved operations to user endpoints.

Pseudocode for request routing: $e(u,v)$5

Cross-user messaging is permitted only after bilateral approval:

$G = (U, E)$8

Messages are routed via the orchestrator, with per-turn verification that actions remain within specified boundaries.

6. Security Properties and Governance Guarantees

ClawNet provides several core security properties:

• Architectural Isolation: $G = (U, E)$9's global context is never externally accessible.
• Defense in Depth: The dual ACL model prevents privilege escalation or accidental data exposure even in the event of partial system compromise.
• Comprehensive Audit Trail: All actions are causally logged and recoverable, supporting certainty in attribution and rollback.

Formally, every agent action satisfies:

$e(u,v)$0

This forms the core correctness invariant underlying ClawNet's governance (Yang et al., 21 Apr 2026).

7. Demonstrated Applications and Example Workflow

ClawNet is instantiated in a cross-organizational procurement scenario involving distinct agent identities for a buyer (Mr. Li) and supplier (Mrs. Wang), as well as her technical and business sub-agents. Key findings:

• Autonomous negotiation occurs entirely within the agents' authorization boundaries ($e(u,v)$1).
• Sensitive data (e.g., supplier internal costs) remains contained; no unapproved leakage was possible.
• Unauthorized queries are automatically rejected at the ACL.
• Large-value or sensitive decisions escalate to human approval.
• The audit trail enables retrospective review, permission revocation, and full undo.

A sample secure workflow includes contact linking, intent formulation and authorization, bilateral channel approval, automated negotiation through delegated agents, human-in-the-loop finalization, and append-only audit logging. All inter-agent exchanges are strictly scoped and mediated by the architecture.

Summary Table: ClawNet Core Components

Component	Role/Function	Enforcement Layer
Manager Agent ($e(u,v)$2)	Internal advisor, global view	Container isolation
Identity Agent ($e(u,v)$3)	Persona for specific context	Scoped directories, ACLs
L1 ACL	Server-side boundary check	Orchestrator
L2 Whitelist	Client-side access control	Endpoint
Audit Log ($e(u,v)$4)	Immutable, causal trail	Server and client

ClawNet is the first open-source framework to realize multi-user agent cooperation—autonomous, secure, and governed by explicit primitives—at both architectural and workflow levels (Yang et al., 21 Apr 2026).