Skip to content

Latest commit

 

History

History

Folders and files

NameName
Last commit message
Last commit date

parent directory

..
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

README.md

MCEP Specifications (v0.1)

This directory carries the v0.1 specification documents for Ardur's protocol layer, MCEP (Mission-Controlled Execution Protocol). v0.1 is a pre-release series — the specs describe the intended protocol shape; the public code that implements them is being curated in phases per docs/public-import-plan.md.

The MCEP acronym was expanded as "Mission-bound Cryptographic Evidence Protocol" in earlier learn-MCEP teaching material; the formal v0.1 specs use "Mission-Controlled Execution Protocol" and that is the canonical expansion going forward. Articles and other public prose follow the spec form.

Public-surface import caveat. The migrated specs were authored in a private context and may reference implementation source paths (e.g. vibap-prototype/vibap/passport.py), private session artifacts (e.g. docs/session-2026-04-XX/...), or internal review trails that have not yet landed in this public repo. Treat such references as pointers to future work — the underlying code lands alongside the Phase 1 import per the public import plan. Contributors cannot verify those referenced artifacts from the public tree today. Same caveat as the decisions index.

Runtime implementation caveat. The v0.1 specs define intended protocol semantics for mission-declared lineage_budgets, but the current public runtime does not yet compile or verify those mission-level declarations. Today, delegation budget reservations use the file-backed FileLineageBudgetLedger, while non-empty mission-level lineage_budgets fail closed at compile/issue time instead of being silently accepted.

Migration status

Spec Status Notes
Conformance Profiles migrated Public-import annotated
Delegation Grant (DG) Profile of AAT migrated Public-import annotated
Delegation Grant v0.2 Profile of AAT draft-01 implemented self-test Explicit revision dispatch, profile safeguards, and deterministic fixture; independent interoperability not demonstrated
AAT draft-01 migration decision review completed Versioned DG v0.2 selected on 2026-07-11; draft-00 remains supported
AAT draft-00 to draft-01 change ledger audited Primary-source claims, roles, constraints, derivation, verification, algorithms, and security delta
Ardur DRP Mapping Profile v0.1 mapping published Draft-10-pinned field ledger and B2 target shape; not an IETF conformance or interoperability claim
Ardur DRP Profile v0.1 implemented RFC 8785/P-256 emit, external-trust verifier, full transitive attenuation, and bounded DENY reasons
DRP implementation and interoperability note v0.1 implementation evidence published Draft-10 support ledger, portable signed scenarios, deterministic CI report, and explicit not-demonstrated independent status
Verifier Contract migrated Public-import annotated
Mission Declaration (MD) migrated Public-import annotated; clean-break protocol rename applied (application/ardur.md+jwt, https://ardur.dev/...)
Execution Receipt (ER) migrated Public-import annotated; clean-break rename applied (application/ardur.er+jwt)
Execution Receipt v0.2 hardening implemented Versioned RFC 8785 payloads, legacy verification, receipt-chain-head binding, and kernel loss/kill-switch finalization contract
Transparency Anchor v0.1 implemented Immutable receipt sidecars, asynchronous pending queue, Rekor v1 and separately keyed self-hosted proof profiles, offline verifier
Receiver Attestation v0.1 implemented Immutable receipt envelope, separate receiver ES256 signature, MCP receiver shim, exact request/response digest checks, offline verifier
Offline Verification Bundle v0.1 implemented Full receipt-chain, transparency, and conditional receiver-evidence composition with redacted CLI/JSON/static HTML reports
Runtime Evidence Correlation Profile v0.1 implemented external-evidence inspection Verified receipt journal plus normalized/Tetragon/Falco JSONL adapters, explicit confidence/source assurance, and detached redacted reports; not sensor authenticity or complete coverage
Governance Telemetry Profile v0.1 implemented verified export Signed-chain-first redacted JSONL plus OTLP/HTTP JSON traces/logs with deterministic correlation IDs and explicit signer-claim versus SPIFFE-workload assurance; not a collector, SIEM, delivery guarantee, or vendor connector
Tool-Server Preflight v0.1 implemented static analysis Strict JSON MCP/tool-server config scan, redacted deterministic report, CI threshold exits, and deny-oriented capability/policy skeleton; not runtime safety proof
Agentic Policy Conformance Profile v0.1 implemented self-test Eight no-key runtime-policy/delegation scenarios with offline signed-receipt binding; provenance context is not semantic content detection
Execution Receipt EAT/CWT Profile migrated Public-import annotated; clean-break rename applied
IDM Extension Profile migrated Public-import annotated; clean-break rename applied (application/ardur.idm+jwt)
Revocation Model migrated Public-import annotated; clean-break rename applied
Mission Declaration schema migrated JSON Schema; $id rebased to ardur.dev
Execution Receipt schema migrated JSON Schema; $id rebased to ardur.dev
Execution Receipt v0.2 schema implemented Runtime-aligned action enums and required version/canonicalization claims
Tool-Server Preflight report schema implemented Closed deterministic JSON contract for findings, discovered server metadata, and suggested controls
Execution Receipt v0.2 golden fixture implemented Schema-validated claim set with pinned RFC 8785 canonical digest
Ardur DRP Profile v0.1 schema implemented Closed-world Authorization Object and critical extension contract
Ardur DRP Profile v0.1 fixture implementation fixture Organic root/child/grandchild signatures, external public trust/context, and self-verification report; not independent conformance
DRP implementation fixture bundle schema implemented Closed portable scenario, trust, expectation, and external-status contract
DRP implementation fixture report schema implemented Closed deterministic scenario result, verifier status, and bundle-digest contract
Agentic policy conformance bundle schema implemented Closed policy path, provenance, mission claim, action, expectation, and signed-receipt fixture contract
Agentic policy conformance report schema implemented Closed scenario decision, reason, receipt-verification, diagnostics, and summary contract
Agentic policy portable fixtures implementation self-test Safe baseline plus seven risk classes; deterministic, no network or private fixture keys
DRP portable implementation fixtures implementation self-test Seven signed deterministic scenarios and report; no private keys, network dependency, IETF claim, or independent pass
AAT draft-01 DG v0.2 fixture implementation self-test Deterministic organic chain and audience-bound PoP; no private keys, IETF claim, or independent pass
Runtime evidence event schema implemented Closed private ingest event contract for process/file/network observations
Runtime evidence correlation report schema implemented Closed deterministic redacted association report; source assurance remains separate from match confidence
Governance telemetry event schema implemented Closed redacted event contract linking each export to a verified receipt, parent hash, signed decision, budget, source-journal digest, and explicit non-SPIFFE-verified identity assurance
Governance telemetry golden fixture implementation fixture Canonical redacted PERMIT event used for schema and OTLP projection regression
Linux governance benchmark report schema implemented Closed smoke/stress report separating governance-only, imported evidence, sustained resources, and optional paired sensor measurements
AuditBench evaluation protocol v0.1 pipeline implemented; no real study Strict raw capture, blind two-view annotation, adjudication, local content-integrity sealing, held-out scoring, and explicit external-human proof boundary
Runtime evidence portable fixtures implementation self-test Ephemeral-key signed journal plus normalized/Tetragon/Falco inputs and reports; no private keys, sensor deployment, network dependency, or source-authenticity claim
Transparency Anchor v0.1 schema implemented Strict pending/anchored state and backend proof shapes
Transparency Anchor v0.1 golden fixture implemented Signed local checkpoint, public trust keys, tamper and registration-window regressions
Receiver Attestation v0.1 schema implemented Strict self-attested/receiver-attested state invariant and exact-receipt binding
Receiver Attestation v0.1 golden fixture implemented Separately signed action/receiver evidence with public trust keys and offline verification
Offline Verification Bundle v0.1 schema implemented Strict full-evidence journal shape with no embedded trust-root fields
Offline Verification Bundle v0.1 golden fixture implemented Three-receipt PERMIT/DENY/PERMIT chain, separate public trust roots, and redacted JSON/HTML explorer reports
Host adoption/governance source-semantic vectors starter vectors No-key Codex, Claude Code, Gemini CLI, OpenAI Agents SDK, and ToolHive source-semantic rows; explicitly not live-host proof.

Protocol identifier rename (clean break, applied 2026-04-27)

The v0.1 specs originally embedded a legacy product/project name in their JWT media types (application/<legacy>.er+jwt) and $id URIs (https://<legacy>.io/...). The rename decision: clean break, no dual-type support. New canonical identifiers in this public series:

Identifier kind Old New
Mission Declaration JWT type application/<legacy>.md+jwt application/ardur.md+jwt
Execution Receipt JWT type application/<legacy>.er+jwt application/ardur.er+jwt
IDM Extension JWT type application/<legacy>.idm+jwt application/ardur.idm+jwt
Schema $id URI base https://<legacy>.io/spec/... https://ardur.dev/spec/...

The clean-break rationale: there are no v0.1 receipts, passports, or attestations in third-party hands — all empirical artifacts under this series stay private (the paper, internal benchmarks). Backward-compat dual-type would have added implementation complexity for zero observed callers. If receipts in the wild appear later, a v0.2 with dual-type support is the right answer at that point.

Reading order for first-timers

  1. Mission Declaration (MD) — the signed scope envelope the agent starts with
  2. Delegation Grant (DG) Profile — how child agents get strictly narrower authority
  3. Ardur DRP Mapping Profile v0.1 — field-by-field draft-10 mapping and proof boundaries
  4. Ardur DRP Profile v0.1 — executable emit/verify, trust context, and reference-SDK comparison
  5. DRP implementation and interoperability note v0.1 — exact support matrix, portable fixture evidence, and independent-status boundary
  6. Execution Receipt v0.2 — versioned, canonical signed action receipts and the v0.1 compatibility boundary
  7. Execution Receipt EAT/CWT Profile — RFC 9711 binding for ER carriage
  8. Transparency Anchor v0.1 — asynchronous third-party/self-hosted inclusion proofs without mutating signed receipts
  9. Receiver Attestation v0.1 — separate called-service signatures without mutating signed receipts
  10. Offline Verification Bundle v0.1 — skeptical-auditor composition and receipt-explorer output
  11. Runtime Evidence Correlation Profile v0.1 — detached claim-vs-reality association over imported sensor evidence
  12. Governance Telemetry Profile v0.1 — verified redacted JSONL and OTLP export without mutating receipts
  13. Verifier Contract — what a conforming verifier must do
  14. Conformance Profiles — tiered conformance matrix (Delegation-Core, MIC-State, MIC-Evidence, IDM Extension)
  15. Revocation Model — layered revocation across delegation, session, credential, and transparency-log layers
  16. IDM Extension Profile — Intent-Declaration-Manifest experimental profile

Relationship to adjacent standards

  • AAT (Attenuating Authorization Tokens) — individual Internet-Drafts with no formal IETF standing; MCEP preserves its draft-00 DG v0.1 wire contract and adds the explicitly discriminated draft-01 DG v0.2 profile. The 2026-07-11 review and field ledger are recorded in issue #246; independent interoperability remains not demonstrated.
  • DRP (Delegation Receipt Protocol) — individual Internet-Draft with no formal IETF standing; Ardur implements its draft-10-pinned profile and publishes portable implementation self-test fixtures, while raw RFC 3161 proof integration and independent interoperability remain not demonstrated.
  • EAT (Entity Attestation Token, RFC 9711) — used by the ER EAT/CWT profile to carry Execution Receipts.
  • SPIFFE — workload identity substrate; MCEP binds mission credentials to SVIDs.
  • Biscuit — first-party-attenuation credential format; the DG profile's narrowing semantics rely on Biscuit's append-only block model (see ADR-017).

These are real artifacts, not codenames. Their names stay in the specs as technical lineage.

Conventions

  • Versioning: v0.1 is the pre-release. The next revision (v0.2 or later) lands after the protocol-level rename decision + one round of adversarial review against the migrated public specs.
  • Normative language: MUST / SHOULD / MAY usage follows RFC 2119 / RFC 8174.
  • Updates: specs don't mutate in place; a material change opens a new version file and leaves the prior version immutable for citation stability.