feat(identity): seed Proof-of-Self identity plane contracts

asyncapi.agent-plane.patch.identity.yaml

@@ -0,0 +1,35 @@
+channels:
+  srcos.v2.identity.packet.requested:
+    publish:
+      message:
+        $ref: '#/components/messages/ValidatorPacketMessage'
+
+  srcos.v2.identity.packet.signed:
+    publish:
+      message:
+        $ref: '#/components/messages/ValidatorReceiptMessage'
+
+  srcos.v2.identity.post.issued:
+    publish:
+      message:
+        $ref: '#/components/messages/ProofOfSelfTokenMessage'
+
+  srcos.v2.identity.post.renewed:
+    publish:
+      message:
+        $ref: '#/components/messages/ProofOfSelfTokenMessage'
+
+  srcos.v2.identity.post.revoked:
+    publish:
+      message:
+        $ref: '#/components/messages/RevocationEntryMessage'
+
+  srcos.v2.identity.attestation.drift:
+    publish:
+      message:
+        $ref: '#/components/messages/AttestationEvidenceMessage'
+
+  srcos.v2.identity.recovery.completed:
+    publish:
+      message:
+        $ref: '#/components/messages/RecoveryCeremonyMessage'

docs/adr/ADR-proof-of-self-identity-plane.md

@@ -0,0 +1,17 @@
+# ADR — Proof-of-Self Identity Plane
+
+## Status
+Accepted
+
+## Context
+SourceOS requires a first-class identity plane for local issuance, validator-backed trust, recovery, revocation, and attestation-bound proof artifacts.
+
+## Decision
+We add a Proof-of-Self identity family to `sourceos-spec` as typed contracts and additive agent-plane patches.
+The runtime lives in a separate implementation repo and is not embedded into the substrate, integration spine, or optional commons.
+
+## Consequences
+- Identity objects become machine-verifiable and transport-neutral.
+- Issuance, revocation, and recovery become receipt-bearing and event-emitting.
+- Local operation remains possible without `socios`.
+- `agentos-spine` integrates but does not absorb the runtime.

examples/attestationevidence.json

@@ -0,0 +1,11 @@
+{
+  "id": "urn:srcos:attestation:demo-001",
+  "type": "AttestationEvidence",
+  "specVersion": "2.1.0",
+  "capturedAt": "2026-04-14T12:00:00Z",
+  "deviceRef": "urn:srcos:device:demo",
+  "nonce": "nonce-demo",
+  "evidenceKind": "bundle",
+  "status": "captured",
+  "pcrs": {}
+}

examples/genesisattestationdocument.json

@@ -0,0 +1,16 @@
+{
+  "id": "urn:srcos:genesis-attestation:demo-001",
+  "type": "GenesisAttestationDocument",
+  "specVersion": "2.1.0",
+  "subjectRef": "urn:srcos:subject:demo",
+  "issuedAt": "2026-04-14T12:00:00Z",
+  "aad": "pos-validator",
+  "nonce": "nonce-demo",
+  "bundleHash": "abc123",
+  "status": "complete",
+  "attestationEvidenceRefs": [],
+  "livenessProfileRef": null,
+  "validatorPacketRefs": [],
+  "validatorReceiptRefs": [],
+  "quorumPolicyRef": null
+}

examples/proofofselftoken.json

@@ -0,0 +1,21 @@
+{
+  "id": "urn:srcos:proof-of-self:demo-post-001",
+  "type": "ProofOfSelfToken",
+  "specVersion": "2.1.0",
+  "subjectRef": "urn:srcos:subject:demo",
+  "issuedAt": "2026-04-14T12:00:00Z",
+  "expiresAt": "2027-04-14T12:00:00Z",
+  "state": "active",
+  "gadRef": "urn:srcos:genesis-attestation:demo-001",
+  "validatorReceiptRefs": [
+    "urn:srcos:validator-receipt:v1",
+    "urn:srcos:validator-receipt:v2",
+    "urn:srcos:validator-receipt:v3"
+  ],
+  "trustRootRefs": [
+    "urn:srcos:validator-trust-root:root-001"
+  ],
+  "binding": {},
+  "revocationStatus": {},
+  "transportHints": {}
+}

openapi.agent-plane.patch.identity.yaml

@@ -0,0 +1,98 @@
+paths:
+  /v2/identity/genesis-packets:
+    post:
+      summary: Create a validator packet for genesis or renewal
+      operationId: createIdentityGenesisPacket
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ValidatorPacket'
+      responses:
+        '201':
+          description: ValidatorPacket created
+
+  /v2/identity/validator-receipts:
+    post:
+      summary: Submit a validator receipt
+      operationId: submitIdentityValidatorReceipt
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ValidatorReceipt'
+      responses:
+        '201':
+          description: ValidatorReceipt accepted
+
+  /v2/identity/posts:
+    post:
+      summary: Issue a Proof-of-Self token
+      operationId: issueProofOfSelfToken
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/ProofOfSelfToken'
+      responses:
+        '201':
+          description: ProofOfSelfToken issued
+
+  /v2/identity/recoveries:
+    post:
+      summary: Record a recovery ceremony
+      operationId: recordRecoveryCeremony
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RecoveryCeremony'
+      responses:
+        '201':
+          description: RecoveryCeremony recorded
+
+  /v2/identity/revocations:
+    post:
+      summary: Append a revocation entry
+      operationId: appendRevocationEntry
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/RevocationEntry'
+      responses:
+        '201':
+          description: RevocationEntry appended
+
+  /v2/identity/attestations:
+    post:
+      summary: Record attestation evidence
+      operationId: recordAttestationEvidence
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/AttestationEvidence'
+      responses:
+        '201':
+          description: AttestationEvidence recorded
+
+  /v2/identity/quorum-policies:
+    post:
+      summary: Create or update an identity quorum policy
+      operationId: upsertIdentityQuorumPolicy
+      requestBody:
+        required: true
+        content:
+          application/json:
+            schema:
+              $ref: '#/components/schemas/IdentityQuorumPolicy'
+      responses:
+        '201':
+          description: IdentityQuorumPolicy stored

schemas/AttestationEvidence.json

@@ -0,0 +1,104 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.srcos.ai/v2/AttestationEvidence.json",
+  "title": "AttestationEvidence",
+  "description": "Measured-boot and host-attestation evidence for a SourceOS workstation or edge node.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "type",
+    "specVersion",
+    "capturedAt",
+    "deviceRef",
+    "nonce",
+    "evidenceKind",
+    "status"
+  ],
+  "properties": {
+    "id": {
+      "type": "string",
+      "pattern": "^urn:srcos:attestation:[A-Za-z0-9._~-]+$"
+    },
+    "type": {
+      "const": "AttestationEvidence"
+    },
+    "specVersion": {
+      "type": "string"
+    },
+    "capturedAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "deviceRef": {
+      "type": "string"
+    },
+    "nonce": {
+      "type": "string"
+    },
+    "evidenceKind": {
+      "type": "string",
+      "enum": [
+        "tpm_quote",
+        "ima_runtime",
+        "secure_boot",
+        "firmware",
+        "bundle"
+      ]
+    },
+    "status": {
+      "type": "string",
+      "enum": [
+        "captured",
+        "validated",
+        "failed",
+        "stale"
+      ]
+    },
+    "pcrs": {
+      "type": "object",
+      "additionalProperties": {
+        "type": "string"
+      }
+    },
+    "tpmQuote": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "imaAggregate": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "secureBootState": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "firmwareHash": {
+      "type": [
+        "string",
+        "null"
+      ]
+    },
+    "collector": {
+      "type": "object",
+      "additionalProperties": false,
+      "properties": {
+        "name": {
+          "type": "string"
+        },
+        "version": {
+          "type": "string"
+        }
+      }
+    },
+    "diagnostics": {
+      "type": "object"
+    }
+  }
+}

schemas/GenesisAttestationDocument.json

@@ -0,0 +1,75 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://schemas.srcos.ai/v2/GenesisAttestationDocument.json",
+  "title": "GenesisAttestationDocument",
+  "description": "Canonical genesis ceremony record for initial Proof-of-Self issuance.",
+  "type": "object",
+  "additionalProperties": false,
+  "required": [
+    "id",
+    "type",
+    "specVersion",
+    "subjectRef",
+    "issuedAt",
+    "aad",
+    "nonce",
+    "bundleHash",
+    "status"
+  ],
+  "properties": {
+    "id": {
+      "type": "string",
+      "pattern": "^urn:srcos:genesis-attestation:[A-Za-z0-9._~-]+$"
+    },
+    "type": {
+      "const": "GenesisAttestationDocument"
+    },
+    "specVersion": {
+      "type": "string"
+    },
+    "subjectRef": {
+      "type": "string"
+    },
+    "issuedAt": {
+      "type": "string",
+      "format": "date-time"
+    },
+    "aad": {
+      "type": "string"
+    },
+    "nonce": {
+      "type": "string"
+    },
+    "bundleHash": {
+      "type": "string"
+    },
+    "status": {
+      "type": "string",
+      "enum": [
+        "draft",
+        "collecting",
+        "complete",
+        "superseded",
+        "failed"
+      ]
+    },
+    "attestationEvidenceRefs": {
+      "type": "array",
+      "items": {"type": "string"}
+    },
+    "livenessProfileRef": {
+      "type": ["string", "null"]
+    },
+    "validatorPacketRefs": {
+      "type": "array",
+      "items": {"type": "string"}
+    },
+    "validatorReceiptRefs": {
+      "type": "array",
+      "items": {"type": "string"}
+    },
+    "quorumPolicyRef": {
+      "type": ["string", "null"]
+    }
+  }
+}