This directory carries the v0.1 specification documents for Ardur's protocol layer, MCEP (Mission-Controlled Execution Protocol). v0.1 is a pre-release series — the specs describe the intended protocol shape; the public code that implements them is being curated in phases per docs/public-import-plan.md.
The MCEP acronym was expanded as "Mission-bound Cryptographic Evidence Protocol" in earlier learn-MCEP teaching material; the formal v0.1 specs use "Mission-Controlled Execution Protocol" and that is the canonical expansion going forward. Articles and other public prose follow the spec form.
Public-surface import caveat. The migrated specs were authored in a private context and may reference implementation source paths (e.g. vibap-prototype/vibap/passport.py), private session artifacts (e.g. docs/session-2026-04-XX/...), or internal review trails that have not yet landed in this public repo. Treat such references as pointers to future work — the underlying code lands alongside the Phase 1 import per the public import plan. Contributors cannot verify those referenced artifacts from the public tree today. Same caveat as the decisions index.
Runtime implementation caveat. The v0.1 specs define intended protocol semantics for mission-declared lineage_budgets, but the current public runtime does not yet compile or verify those mission-level declarations. Today, delegation budget reservations use the file-backed FileLineageBudgetLedger, while non-empty mission-level lineage_budgets fail closed at compile/issue time instead of being silently accepted.
| Spec | Status | Notes |
|---|---|---|
| Conformance Profiles | migrated | Public-import annotated |
| Delegation Grant (DG) Profile of AAT | migrated | Public-import annotated |
| Delegation Grant v0.2 Profile of AAT draft-01 | implemented self-test | Explicit revision dispatch, profile safeguards, and deterministic fixture; independent interoperability not demonstrated |
| AAT draft-01 migration decision | review completed | Versioned DG v0.2 selected on 2026-07-11; draft-00 remains supported |
| AAT draft-00 to draft-01 change ledger | audited | Primary-source claims, roles, constraints, derivation, verification, algorithms, and security delta |
| Ardur DRP Mapping Profile v0.1 | mapping published | Draft-10-pinned field ledger and B2 target shape; not an IETF conformance or interoperability claim |
| Ardur DRP Profile v0.1 | implemented | RFC 8785/P-256 emit, external-trust verifier, full transitive attenuation, and bounded DENY reasons |
| DRP implementation and interoperability note v0.1 | implementation evidence published | Draft-10 support ledger, portable signed scenarios, deterministic CI report, and explicit not-demonstrated independent status |
| Verifier Contract | migrated | Public-import annotated |
| Mission Declaration (MD) | migrated | Public-import annotated; clean-break protocol rename applied (application/ardur.md+jwt, https://ardur.dev/...) |
| Execution Receipt (ER) | migrated | Public-import annotated; clean-break rename applied (application/ardur.er+jwt) |
| Execution Receipt v0.2 hardening | implemented | Versioned RFC 8785 payloads, legacy verification, receipt-chain-head binding, and kernel loss/kill-switch finalization contract |
| Transparency Anchor v0.1 | implemented | Immutable receipt sidecars, asynchronous pending queue, Rekor v1 and separately keyed self-hosted proof profiles, offline verifier |
| Receiver Attestation v0.1 | implemented | Immutable receipt envelope, separate receiver ES256 signature, MCP receiver shim, exact request/response digest checks, offline verifier |
| Offline Verification Bundle v0.1 | implemented | Full receipt-chain, transparency, and conditional receiver-evidence composition with redacted CLI/JSON/static HTML reports |
| Runtime Evidence Correlation Profile v0.1 | implemented external-evidence inspection | Verified receipt journal plus normalized/Tetragon/Falco JSONL adapters, explicit confidence/source assurance, and detached redacted reports; not sensor authenticity or complete coverage |
| Governance Telemetry Profile v0.1 | implemented verified export | Signed-chain-first redacted JSONL plus OTLP/HTTP JSON traces/logs with deterministic correlation IDs and explicit signer-claim versus SPIFFE-workload assurance; not a collector, SIEM, delivery guarantee, or vendor connector |
| Tool-Server Preflight v0.1 | implemented static analysis | Strict JSON MCP/tool-server config scan, redacted deterministic report, CI threshold exits, and deny-oriented capability/policy skeleton; not runtime safety proof |
| Agentic Policy Conformance Profile v0.1 | implemented self-test | Eight no-key runtime-policy/delegation scenarios with offline signed-receipt binding; provenance context is not semantic content detection |
| Execution Receipt EAT/CWT Profile | migrated | Public-import annotated; clean-break rename applied |
| IDM Extension Profile | migrated | Public-import annotated; clean-break rename applied (application/ardur.idm+jwt) |
| Revocation Model | migrated | Public-import annotated; clean-break rename applied |
| Mission Declaration schema | migrated | JSON Schema; $id rebased to ardur.dev |
| Execution Receipt schema | migrated | JSON Schema; $id rebased to ardur.dev |
| Execution Receipt v0.2 schema | implemented | Runtime-aligned action enums and required version/canonicalization claims |
| Tool-Server Preflight report schema | implemented | Closed deterministic JSON contract for findings, discovered server metadata, and suggested controls |
| Execution Receipt v0.2 golden fixture | implemented | Schema-validated claim set with pinned RFC 8785 canonical digest |
| Ardur DRP Profile v0.1 schema | implemented | Closed-world Authorization Object and critical extension contract |
| Ardur DRP Profile v0.1 fixture | implementation fixture | Organic root/child/grandchild signatures, external public trust/context, and self-verification report; not independent conformance |
| DRP implementation fixture bundle schema | implemented | Closed portable scenario, trust, expectation, and external-status contract |
| DRP implementation fixture report schema | implemented | Closed deterministic scenario result, verifier status, and bundle-digest contract |
| Agentic policy conformance bundle schema | implemented | Closed policy path, provenance, mission claim, action, expectation, and signed-receipt fixture contract |
| Agentic policy conformance report schema | implemented | Closed scenario decision, reason, receipt-verification, diagnostics, and summary contract |
| Agentic policy portable fixtures | implementation self-test | Safe baseline plus seven risk classes; deterministic, no network or private fixture keys |
| DRP portable implementation fixtures | implementation self-test | Seven signed deterministic scenarios and report; no private keys, network dependency, IETF claim, or independent pass |
| AAT draft-01 DG v0.2 fixture | implementation self-test | Deterministic organic chain and audience-bound PoP; no private keys, IETF claim, or independent pass |
| Runtime evidence event schema | implemented | Closed private ingest event contract for process/file/network observations |
| Runtime evidence correlation report schema | implemented | Closed deterministic redacted association report; source assurance remains separate from match confidence |
| Governance telemetry event schema | implemented | Closed redacted event contract linking each export to a verified receipt, parent hash, signed decision, budget, source-journal digest, and explicit non-SPIFFE-verified identity assurance |
| Governance telemetry golden fixture | implementation fixture | Canonical redacted PERMIT event used for schema and OTLP projection regression |
| Linux governance benchmark report schema | implemented | Closed smoke/stress report separating governance-only, imported evidence, sustained resources, and optional paired sensor measurements |
| AuditBench evaluation protocol v0.1 | pipeline implemented; no real study | Strict raw capture, blind two-view annotation, adjudication, local content-integrity sealing, held-out scoring, and explicit external-human proof boundary |
| Runtime evidence portable fixtures | implementation self-test | Ephemeral-key signed journal plus normalized/Tetragon/Falco inputs and reports; no private keys, sensor deployment, network dependency, or source-authenticity claim |
| Transparency Anchor v0.1 schema | implemented | Strict pending/anchored state and backend proof shapes |
| Transparency Anchor v0.1 golden fixture | implemented | Signed local checkpoint, public trust keys, tamper and registration-window regressions |
| Receiver Attestation v0.1 schema | implemented | Strict self-attested/receiver-attested state invariant and exact-receipt binding |
| Receiver Attestation v0.1 golden fixture | implemented | Separately signed action/receiver evidence with public trust keys and offline verification |
| Offline Verification Bundle v0.1 schema | implemented | Strict full-evidence journal shape with no embedded trust-root fields |
| Offline Verification Bundle v0.1 golden fixture | implemented | Three-receipt PERMIT/DENY/PERMIT chain, separate public trust roots, and redacted JSON/HTML explorer reports |
| Host adoption/governance source-semantic vectors | starter vectors | No-key Codex, Claude Code, Gemini CLI, OpenAI Agents SDK, and ToolHive source-semantic rows; explicitly not live-host proof. |
The v0.1 specs originally embedded a legacy product/project name in their JWT media types (application/<legacy>.er+jwt) and $id URIs (https://<legacy>.io/...). The rename decision: clean break, no dual-type support. New canonical identifiers in this public series:
| Identifier kind | Old | New |
|---|---|---|
| Mission Declaration JWT type | application/<legacy>.md+jwt |
application/ardur.md+jwt |
| Execution Receipt JWT type | application/<legacy>.er+jwt |
application/ardur.er+jwt |
| IDM Extension JWT type | application/<legacy>.idm+jwt |
application/ardur.idm+jwt |
Schema $id URI base |
https://<legacy>.io/spec/... |
https://ardur.dev/spec/... |
The clean-break rationale: there are no v0.1 receipts, passports, or attestations in third-party hands — all empirical artifacts under this series stay private (the paper, internal benchmarks). Backward-compat dual-type would have added implementation complexity for zero observed callers. If receipts in the wild appear later, a v0.2 with dual-type support is the right answer at that point.
- Mission Declaration (MD) — the signed scope envelope the agent starts with
- Delegation Grant (DG) Profile — how child agents get strictly narrower authority
- Ardur DRP Mapping Profile v0.1 — field-by-field draft-10 mapping and proof boundaries
- Ardur DRP Profile v0.1 — executable emit/verify, trust context, and reference-SDK comparison
- DRP implementation and interoperability note v0.1 — exact support matrix, portable fixture evidence, and independent-status boundary
- Execution Receipt v0.2 — versioned, canonical signed action receipts and the v0.1 compatibility boundary
- Execution Receipt EAT/CWT Profile — RFC 9711 binding for ER carriage
- Transparency Anchor v0.1 — asynchronous third-party/self-hosted inclusion proofs without mutating signed receipts
- Receiver Attestation v0.1 — separate called-service signatures without mutating signed receipts
- Offline Verification Bundle v0.1 — skeptical-auditor composition and receipt-explorer output
- Runtime Evidence Correlation Profile v0.1 — detached claim-vs-reality association over imported sensor evidence
- Governance Telemetry Profile v0.1 — verified redacted JSONL and OTLP export without mutating receipts
- Verifier Contract — what a conforming verifier must do
- Conformance Profiles — tiered conformance matrix (Delegation-Core, MIC-State, MIC-Evidence, IDM Extension)
- Revocation Model — layered revocation across delegation, session, credential, and transparency-log layers
- IDM Extension Profile — Intent-Declaration-Manifest experimental profile
- AAT (Attenuating Authorization Tokens) — individual Internet-Drafts with no formal IETF standing; MCEP preserves its draft-00 DG v0.1 wire contract and adds the explicitly discriminated draft-01 DG v0.2 profile. The 2026-07-11 review and field ledger are recorded in issue #246; independent interoperability remains not demonstrated.
- DRP (Delegation Receipt Protocol) — individual Internet-Draft with no formal IETF standing; Ardur implements its draft-10-pinned profile and publishes portable implementation self-test fixtures, while raw RFC 3161 proof integration and independent interoperability remain not demonstrated.
- EAT (Entity Attestation Token, RFC 9711) — used by the ER EAT/CWT profile to carry Execution Receipts.
- SPIFFE — workload identity substrate; MCEP binds mission credentials to SVIDs.
- Biscuit — first-party-attenuation credential format; the DG profile's narrowing semantics rely on Biscuit's append-only block model (see ADR-017).
These are real artifacts, not codenames. Their names stay in the specs as technical lineage.
- Versioning: v0.1 is the pre-release. The next revision (v0.2 or later) lands after the protocol-level rename decision + one round of adversarial review against the migrated public specs.
- Normative language: MUST / SHOULD / MAY usage follows RFC 2119 / RFC 8174.
- Updates: specs don't mutate in place; a material change opens a new version file and leaves the prior version immutable for citation stability.