feat(audit): add optional external_execution_evidence on AuditEntry #330
Merged
…301)

Introduce an optional, independently-signed execution receipt bound to an audit entry, distinct from response_payload_hash. response_payload_hash is what the gateway forwarded; external_execution_evidence is what an independent authority (for example a safety controller) attested. Confirmed direction: Option A.

- chain.py: add the optional external_execution_evidence field to AuditEntry and an append() keyword. Serialized uniformly via asdict (null when absent), so receipt-less entries hash exactly as before and existing evidence keeps verifying.
- schemas/audit-entry.schema.json: add the optional receipt object (issuer, issuer_key_id, signature, evidence_hash, evidence_type, linked_call_id), not in required so entries that predate the field still validate.
- cmcp_verify: opt-in receipt verification. When external_evidence_keys is supplied, check linked_call_id == call_id and the issuer Ed25519 signature over the canonical receipt. Receipt-less entries and callers without keys are unaffected.
- LIMITATIONS.md: state what the receipt does and does not prove.
- conformance tests: absent verifies and keeps old hashing, populated verifies, tampered fails, linked_call_id mismatch fails, unknown issuer key fails.

Scope note: this lands the data model, schema, verification, and tests. Proxy ingestion (how a controller receipt rides in the upstream response) and the industrial-embodied-ai example follow next; the transport convention is flagged for maintainer input. Pre-existing audit-entry.schema.json drift (detail, workflow_id, extra entry_type enum values) is noted and left out of scope.

Signed-off-by: Carlos Hernandez <carloshvp@gmail.com>
Rebased version of #314 from @carloshvp. Original PR had conflicts in LIMITATIONS.md, chain.py, and proxy.py after #329 landed on main — resolved by keeping both contributions:

- evidence_class field (TLS pin tracking from main)
- external_execution_evidence field and proxy ingestion (this PR)

All original scope is intact:

- AuditEntry.external_execution_evidence: optional controller receipt, distinct from response_payload_hash
- chain.py: append() accepts external_execution_evidence keyword; None entries hash exactly as before
- proxy.py: _extract_external_execution_evidence() ingests a receipt from a JSON tool response; evidence_class and evidence ingest both land in the audit append
- audit-entry.schema.json: receipt object added (not required, pre-field entries still validate)
- cmcp_verify: opt-in receipt verification via external_evidence_keys; verify_audit_bundle() type stub added to verification-library.md
- LIMITATIONS.md: external evidence limitations documented alongside tool server non-repudiation
- linked_call_id mismatch, unknown issuer key

Closes #314. Scope note Carlos flagged: proxy ingestion convention and industrial-embodied-AI example (agentrust-io/examples#29) follow separately.
Signed-off-by: Imran Siddique imran.siddique@opaque.co
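
The opt-in receipt check described in this PR, sketched as an added example; it is not code from the PR or from cmcp_verify. Assumptions: the function names, the key map shape (issuer_key_id to Ed25519 public key), hex-encoded signatures, the canonical form (sorted-key compact JSON of the receipt without its signature), and the third-party cryptography package.

```python
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def canonical_receipt(receipt):
    # Assumed canonical form: every receipt field except the signature itself.
    body = {k: v for k, v in receipt.items() if k != "signature"}
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def check_receipt(entry, keys=None):
    """Return (ok, reason) for one audit entry (hypothetical helper)."""
    receipt = entry.get("external_execution_evidence")
    if receipt is None:
        return True, "no receipt"          # receipt-less entries are unaffected
    if keys is None:
        return True, "receipt not checked (no keys supplied)"  # opt-in only
    # Binding check first: a valid receipt for another call proves nothing here.
    if receipt.get("linked_call_id") != entry.get("call_id"):
        return False, "linked_call_id mismatch"
    key = keys.get(receipt.get("issuer_key_id"))
    if key is None:
        return False, "unknown issuer key"  # fail closed on untrusted issuers
    try:
        key.verify(bytes.fromhex(receipt["signature"]), canonical_receipt(receipt))
    except (InvalidSignature, KeyError, ValueError, TypeError):
        return False, "bad signature"
    return True, "receipt verified"

def make_sample():
    # Constructed sample data: a throwaway controller key and one audit entry.
    sk = Ed25519PrivateKey.generate()
    receipt = {"issuer": "safety-controller", "issuer_key_id": "ctrl-1",
               "evidence_hash": "ab" * 32, "evidence_type": "execution_receipt",
               "linked_call_id": "call-42"}
    receipt["signature"] = sk.sign(canonical_receipt(receipt)).hex()
    entry = {"call_id": "call-42", "external_execution_evidence": receipt}
    return entry, {"ctrl-1": sk.public_key()}

if __name__ == "__main__":
    entry, keys = make_sample()
    print(check_receipt(entry, keys))
```

Because the signature covers linked_call_id, moving a genuine receipt onto a different entry fails the binding check, and editing linked_call_id to match fails the signature check.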