Skip to main content
Normative reference for the unified alignment card — the YAML document every Mnemom agent has as one half of its two cards. This page specifies every section, field, required/optional status, type, and composition semantic. Implementers of MCP servers, SDK clients, or custom tooling that stores or mutates alignment cards should treat this as the contract. The AAP protocol-level card (the 1.0 handshake card, stable for external interop) is specified separately at /concepts/alignment-cards. The unified card is a superset with additional sections not present in the protocol surface.

Top-level structure

card_version: unified/2026-04-26      # required; format: /^unified\/\d{4}-\d{2}-\d{2}$/
card_id: ac-<uuid>                    # required; stable ID for this card document (preserved through compose)
agent_id: mnm-<uuid>                  # required; the agent this card belongs to
issued_at: 2026-04-26T12:00:00Z       # required; ISO 8601 UTC
expires_at: 2026-10-26T12:00:00Z      # optional; ISO 8601 UTC; null = no expiry

# Two independent top-level master switches (ADR-039 Decision 1):
autonomy_mode: enforce                 # required; off | observe | nudge | enforce
                                       # gates the action-policing pipeline (gateway CLPI tool-use policy
                                       # + observer trace verification of bounded/forbidden actions)
integrity_mode: enforce                # required; off | observe | nudge | enforce
                                       # gates the values/conscience pipeline (gateway AIP Haiku analysis
                                       # + observer drift detection + coherence scoring)

principal: { ... }                     # optional; see §principal
values: { ... }                        # required; see §values
conscience: { ... }                    # optional; see §conscience
autonomy: { ... }                      # required; see §autonomy
capabilities: { ... }                  # optional; see §capabilities
enforcement: { ... }                   # optional; see §enforcement
audit: { ... }                         # required; see §audit
extensions: { ... }                    # optional; §extensions

# System-managed — present on canonical cards, absent on raw agent-scope cards.
_composition: { ... }                  # see §composition-metadata

Master switches

The four-mode enum off | observe | nudge | enforce is shared with the Protection Card. Same words; same semantics; same UI picker component renders all three master fields (Protection’s mode, Alignment’s autonomy_mode, Alignment’s integrity_mode). Composition rule on each: strictest wins across Platform → Org → Agent (enforce > nudge > observe > off).
FieldGovernsOffObserveNudgeEnforce
autonomy_modeaction-policingskip CLPI + trace verificationlog policy results, don’t blockinject advisory annotation, don’t blockblock tool violations, escalate
integrity_modevalues/conscienceskip AIP + drift detectionlog checkpoint, no actioninject advisory on next requestauto-pause on boundary violation
Customers can control the two halves independently — e.g., “enforce conscience commitments at runtime, only observe action policy” or “off action-policing for cost, but enforce drift detection”.

§principal

Declares who the agent serves and the nature of that relationship. 
principal:
  type: organization           # "human" | "organization" | "agent" | "unspecified"
  identifier: acme-corp        # free-form identifier; DID, URL, UUID, or slug
  relationship: delegated_authority  # "delegated_authority" | "advisory" | "autonomous"
  escalation_contact: ops@acme.example  # optional; recipient for escalation events
FieldTypeRequiredComposition
typeenumYesAgent wins
identifierstringCond.*Agent wins
relationshipenumYesAgent wins
escalation_contactstringNoAgent wins
*identifier is required when type != unspecified.

§values

What the agent prioritizes. Core input to the v2 coherence scorer and to fault-line analysis. 
values:
  declared:
    - transparency
    - harm_prevention
    - rollback_safety
  definitions:
    transparency:
      description: "Agent decisions visible and auditable in traces"
      priority: 0.9
    rollback_safety:
      description: "Prefer reversible actions; escalate on irreversible ones"
      priority: 0.85
  conflicts_with:
    - data_obfuscation
    - move_fast_break_things
  hierarchy: lexicographic     # "lexicographic" | "weighted" | "contextual"
FieldTypeRequiredComposition
declaredstring[]YesUnion across scopes
definitions.<name>.descriptionstringNoAgent wins
definitions.<name>.prioritynumber (0–1)NoAgent wins
conflicts_withstring[]NoUnion
hierarchyenumNoAgent wins; platform default = lexicographic
Validation: every definitions key must be present in declared. Composition note: bounded_actions is composed as union across Platform → Org → Agent. (An earlier draft of this spec said “Agent-scoped” — that was incorrect; the unified-card program was always intended to let platform/org compose action sets, e.g. an org-wide request_legal_review action. ADR-039 Decision 8 reconciles docs to composer.)

§conscience

Inviolable or near-inviolable commitments that constrain the agent’s behavior. Structured for Safe House + drift detection integration. 
conscience:
  mode: augment                # "augment" | "replace"
  values:
    - type: BOUNDARY           # "BOUNDARY" | "FEAR" | "COMMITMENT" | "BELIEF" | "HOPE"
      content: "Never exfiltrate principal data to external systems."
      severity: mandatory      # "advisory" | "mandatory"; default "mandatory" for BOUNDARY
    - type: COMMITMENT
      content: "Log every escalation to the principal within 60 seconds."
      id: commit-001            # optional; stable ID for audit references
      severity: mandatory
FieldTypeRequiredComposition
modeenumYes (if section present)replace beats augment across scopes
values[].typeenumYes
values[].contentstringYes
values[].idstringNo
values[].severityenumNoDefault: mandatory for BOUNDARY, advisory otherwise
values (the array)YesUnion with dedup by content; platform BOUNDARY entries inviolable
Validation: BOUNDARY entries with severity: advisory are rejected.

§autonomy

What the agent may do independently. Maps directly onto the AAP 1.0 autonomy_envelope for protocol-level verification — the unified shape renames it but keeps the semantics. 
autonomy:
  bounded_actions:
    - rollback_deploy
    - scale_infrastructure
    - toggle_feature_flag
  forbidden_actions:
    - deploy_code
    - modify_audit_logs
  escalation_triggers:
    - condition: "blast_radius > 50"
      action: escalate         # "escalate" | "deny" | "log"
      reason: "Large blast radius requires human approval"
    - condition: "rollback_failed"
      action: escalate
      reason: "Failed rollback needs immediate human intervention"
  max_autonomous_value:
    amount: 10000
    currency: USD
FieldTypeRequiredComposition
bounded_actionsstring[]YesUnion across Platform → Org → Agent
forbidden_actionsstring[]NoDeny-overrides union
escalation_triggers[].conditionstringYes (if trigger present)
escalation_triggers[].actionenumYes
escalation_triggers[].reasonstringYes
escalation_triggers (array)NoUnion with dedup by condition
max_autonomous_value.amountnumberCond.Min across scopes
max_autonomous_value.currencystring (ISO 4217)Cond.Agent wins
Validation: bounded_actions and forbidden_actions must be disjoint (no action in both).

§capabilities

Tool-use capabilities, keyed by capability name. Each entry maps to a glob pattern over MCP/A2A tool names or an explicit tool allowlist. 
capabilities:
  query_database:
    description: "Read from the operational database"
    tools: ["mcp:postgres/*", "mcp:readonly-query"]
    severity_on_unmapped: medium    # "low" | "medium" | "high" | "critical"
  external_http:
    tools: ["mcp:fetch"]
    allowed_domains: ["api.acme.example"]
    severity_on_unmapped: high
FieldTypeRequiredComposition
<name>.descriptionstringNoAgent wins
<name>.toolsstring[] (glob patterns)YesUnion within capability
<name>.allowed_domainsstring[]NoPlatform → agent intersection (compliance ceiling, mirrors Protection Card trusted_sources)
<name>.severity_on_unmappedenumNoStrictest wins per name; default medium
Capabilities are consumed by @mnemom/policy-engine’s evaluatePolicy({ card, tools }) to produce per-request policy decisions.

§enforcement

Policy-level knobs that affect how capabilities are enforced at runtime. The master switch lives at the top level (autonomy_mode); this section carries the fine-grained tool-use policy. 
enforcement:
  allow_unmapped_tools: false                  # strictest wins across scopes
  default_unmapped_severity: high              # "low" | "medium" | "high" | "critical"
  forbidden_tools:                             # XACML deny-overrides
    - pattern: "mcp:filesystem/*"
      reason: "No filesystem access for billing agents"
      severity: critical
  grace_period_hours: 24                       # min across scopes (shorter grace = stricter)
FieldTypeRequiredComposition
allow_unmapped_toolsbooleanNo (default false)Strictest wins (false beats true)
default_unmapped_severityenumNo (default high)Strictest wins (critical > high > medium > low)
forbidden_tools[].patternstringYes (per entry)Deny-overrides union (with exemption removal)
forbidden_tools[].reasonstringYes (per entry)
forbidden_tools[].severityenumYes (per entry)
grace_period_hoursnumberNo (default 24)Min across scopes

§audit

Commitments around trace format, retention, tamper evidence. These are platform-scoped — agents and orgs cannot weaken the audit floor. 
audit:
  trace_format: ap-trace-v1
  retention_days: 90
  queryable: true
  query_endpoint: https://api.mnemom.ai/v1/traces
  tamper_evidence: append_only    # "append_only" | "signed" | "merkle" | null
FieldTypeRequiredComposition
trace_formatstringYesPlatform-scoped
retention_daysnumberYesMax across scopes (longest retention wins)
queryablebooleanYesPlatform-scoped
query_endpointstring (URL)YesPlatform-scoped
tamper_evidenceenumNoPlatform-scoped
Validation: audit.query_endpoint is a composer-enforced invariant (see ADR-023). The validator rejects cards without it; the composer ensures it’s always present on canonical output.

§extensions

Protocol-specific or user-defined additions. Free-form Record<string, unknown>. Mnemom reserves the clpi.* and mnemom.* namespaces. 
extensions:
  clpi:
    role: remediator
  mnemom:
    showcase_color: green
  a2a:
    card_url: https://patch.example.com/a2a-card.json
Extensions are agent-scoped and not composed across scopes by default. Callers that need scope-composed extensions must opt in via _composition.extensions_composition_mode: merge.

§_composition (canonical-only)

Present on the canonical card, absent on raw agent-scope cards. Records the provenance of every composed field. 
_composition:
  composed_at: 2026-04-17T18:23:41Z
  scopes_applied:
    - platform
    - "org:acme"
    - "agent:mnm-patch-001"
  versions:
    platform: 3
    "org:acme": 17
    "agent:mnm-patch-001": 4
  exemptions_applied:
    - exm-aabbcc     # exemption IDs honored during this composition
  source_card_id: ac-f47ac10b-58cc-4372-a567-0e02b2c3d479
  canonical_id: can-cd-88aa0011
_composition is read-only on the wire. Mutating it via API is a 400.

YAML safe schema

All yaml.load() calls in the Mnemom stack use { schema: yaml.CORE_SCHEMA } — Node-specific tags (!!js, !!binary, etc.) are rejected. If your client produces YAML with those tags, validation fails. Stick to plain scalars, maps, and sequences.

Body-size limits

  • Full alignment card payload: 128 KB max (Content-Length + rawBody double-check).
  • values.declared: recommended under 200 values per scope for coherence-scoring performance.
These limits are enforced at the API boundary. 413 Payload Too Large for oversize bodies; no grace period. If a legitimate card is getting 413’d, file an issue — the limits are currently conservative and will relax with production data.

Versioning

card_version is a date-anchored schema identifier. Accepted values as of 2026-04-17:
  • unified/2026-04-15 — current. All canonical cards emit this version.
  • (legacy) — the pre-UC AAP-shape card is no longer accepted at the alignment-card endpoint. Convert via the migration script before publishing.
A version bump is an additive + deprecation-by-date convention; breaking changes are negotiated via the same X-Mnemom-Version request-header mechanism used elsewhere in the API.

See also