docs: external evidence anchoring and agent spend attribution#907
Merged
Conversation
3f4036d to
326638a
Compare
326638a to
1212be0
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two docs-only additions plus tightly related documentation-truth fixes: how operators register, timestamp, or checkpoint PEAC evidence digests using external services, and how to attribute observed spend across correlated workflow records, with delegation context. No protocol, wire, schema, registry, receipt-type, extension-group, public API, package, dependency, conformance, or build-target change.
Scope
Six files (2 new, 4 edits):
docs/guides/anchoring-evidence-digests.mddocs/SOLUTIONS/agent-spend-attribution.mddocs/SOLUTIONS/README.md(one index row)docs/START_HERE.md(one audit-section link)docs/WHEN_NOT_TO_USE_PEAC.md(records-layer wording + boundary corrections)examples/workflow-correlation/README.md(aligned to its own executable demo)build_targets unchanged (110); no example code or build target added.
Changes
receipt_ref, dispute-bundlecontent_hash,receipt_merkle_root); a per-mechanism assurance table (SCITT / RFC 9943 + RFC 9942, RFC 3161 TSA, signed git tag, generic append-only log); complete Merkle commitment metadata (tree_alg,hash_alg,tree_size, plus the inclusion proof) with a membership-only boundary; RFC 3161 evidence stated as "no later thangenTime" (interpreted withaccuracy), with an explicit non-goal that it does not establish the exact interaction time; a tightened RFC 3161 checklist (exact imprint, nonce-if-supplied else trusted-time policy, CMS signature, signer-certificate binding viaSigningCertificate/ESSCertIDorSigningCertificateV2/ESSCertIDv2per RFC 5816/RFC 5035,id-kp-timeStampingas sole critical EKU, long-term archival material); RFC 9921's two constructions named correctly (COSE, Then Timestamp; Timestamp, Then COSE); explicit signed-Git digest binding (digest in the signed tag message or a committed manifest reachable from the signed tag); SCITT full-record vs digest-only over the Statement payload authenticated as an RFC 9943 Signed Statement; ERC-8126/ERC-8004 as related external composition only. PEAC anchors nothing itself.workflow_id(underext["org.peacprotocol/correlation"]) is correlation metadata, not proof of workflow membership or authorization: establish a bounded review set and an accepted-issuer/participant policy first, group only accepted records, and resolve everyparent_jti/depends_onto exactly one accepted record (zero = dangling, multiple = ambiguous and rejected; never by array order). Source identity preserved asreceipt_refand the(iss, jti)tuple; BigInt minor-unit summing viaisValidAmountMinor, grouped by exact currency. Thecom.example/financeextension and the linked acknowledgment binding are example-local / integrator-defined and name no PEAC receipt type or extension group; digest references are not confidentiality controls. PEAC verification is shown separately from integrator-defined correlation and linkage checks.demo.tsexactly (org.peacprotocol/correlationwithworkflow_id/parent_jti/depends_on), a repo-root run command, a production-ID warning (do not useMath.random()), and a correlation-metadata-is-not-authorization note. No example code or build target changed.Validation
Prettier,
git diff --check, forbid-strings, repo-links gate, reference verifiers (doc-truth / hygiene / stale-labels), codegen-drift, registries-schema, no-widening, verify:release, api-contract check (no drift), typecheck:core, andpnpm gate:fastall pass. Planning-leak and public-artifact scanners clean on all six files; full-diff Unicode scan reports zero format/bidi/zero-width/BOM code points. All structural sentinels unchanged (build_targets 110, api_contract 27, kernel errors 189, receipt types 61, extension groups 19, conformance 290, wire 0.2, published 36).