diff --git a/specs/test-vectors/execution-attestation-arkforge.json b/specs/test-vectors/execution-attestation-arkforge.json
new file mode 100644
index 00000000..67839410
--- /dev/null
+++ b/specs/test-vectors/execution-attestation-arkforge.json
@@ -0,0 +1,188 @@ +{ + "version": "0.3.1", + "spec": "CTEF (Composable Trust Evidence Format)", + "contributor": "ArkForge Trust Layer (did:web:trust.arkforge.tech)", + "reference_implementation": "https://github.com/ark-forge/proof-spec (v2.1.3)", + "cross_validation": { + "agentgraph_vectors": "https://agentgraph.co/.well-known/cte-test-vectors.json", + "result": "4/4 pass (byte-exact canonical + SHA-256 reproduction)", + "validated_at": "2026-04-30T12:00:00Z", + "implementation": "Python json.dumps(obj, sort_keys=True, separators=(',',':'), ensure_ascii=False)" + }, + "constraint_evaluation_schema": { + "origin": "corpollc/qntm#6 (constraint_evaluation shape)", + "fields": { + "facet": "string: constraint dimension (e.g. token_budget, api_rate, delegation_depth)", + "limit": "number: declared ceiling", + "actual": "number: observed value", + "delta": "number: limit minus actual (positive = headroom, negative = exceeded)", + "result": "string: within_limit | exceeded" + }, + "note": "delta enables near-miss detection: a positive delta close to zero is a leading indicator of future constraint violations." + }, + "execution_attestation_minimal": { + "note": "Execution attestation as CTEF authority claim. ArkForge chain hash (canonical_json_sha256, proof-spec v2.1.3) composed into CTEF v0.3.1 envelope. 
Verifier reproduces canonical_sha256; chain_hash in payload is independently verifiable against the ArkForge proof-spec test vectors.", + "input_object": { + "@context": [ + "https://www.w3.org/ns/credentials/v2", + "https://arkforge.tech/ns/execution-attestation/v1" + ], + "type": "TrustAttestation", + "version": "0.3.1", + "claim_type": "authority", + "provider": { + "id": "did:web:trust.arkforge.tech", + "name": "ArkForge Trust Layer", + "category": "execution_attestation", + "version": "2.1.3" + }, + "subject": { + "did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "agent_fingerprint": "7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11" + }, + "attestation": { + "type": "ExecutionAttestation", + "confidence": 1.0, + "payload": { + "proof_id": "prf_20260430_120000_a1b2c3", + "chain_hash": "sha256:d37d4d5afab5f3c489fd1191f9823381ab02c4750ec3078e64680d63ea29fae3", + "request_hash": "sha256:0987aa49eb45583406b66c77ea6f35498bd318b81040bec9c54ab439114abe42", + "response_hash": "sha256:bad7c7f7f632182e9d746c9a4a02aea5f526a6a76c5108c4a98a7c4823fdbef2", + "target": "api.example.com", + "algorithm": "canonical_json_sha256" + } + }, + "issued_at": "2026-04-30T12:00:00Z", + "expires_at": "2026-04-30T13:00:00Z" + }, + "canonical_bytes_utf8": 
"{\"@context\":[\"https://www.w3.org/ns/credentials/v2\",\"https://arkforge.tech/ns/execution-attestation/v1\"],\"attestation\":{\"confidence\":1.0,\"payload\":{\"algorithm\":\"canonical_json_sha256\",\"chain_hash\":\"sha256:d37d4d5afab5f3c489fd1191f9823381ab02c4750ec3078e64680d63ea29fae3\",\"proof_id\":\"prf_20260430_120000_a1b2c3\",\"request_hash\":\"sha256:0987aa49eb45583406b66c77ea6f35498bd318b81040bec9c54ab439114abe42\",\"response_hash\":\"sha256:bad7c7f7f632182e9d746c9a4a02aea5f526a6a76c5108c4a98a7c4823fdbef2\",\"target\":\"api.example.com\"},\"type\":\"ExecutionAttestation\"},\"claim_type\":\"authority\",\"expires_at\":\"2026-04-30T13:00:00Z\",\"issued_at\":\"2026-04-30T12:00:00Z\",\"provider\":{\"category\":\"execution_attestation\",\"id\":\"did:web:trust.arkforge.tech\",\"name\":\"ArkForge Trust Layer\",\"version\":\"2.1.3\"},\"subject\":{\"agent_fingerprint\":\"7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11\",\"did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\"},\"type\":\"TrustAttestation\",\"version\":\"0.3.1\"}", + "canonical_sha256": "801955711399c150ebbdaa0145f352abb76a43cab8fb60efe00484e3e2790442", + "expected_result": "pass" + }, + "constraint_evaluation_within_limit": { + "note": "Authority claim with constraint_evaluation object (facet/limit/actual/delta shape from #6). delta=250 (25% headroom). 
Verifier checks canonical_sha256 and confirms constraint_evaluation.result matches sign(delta).", + "input_object": { + "@context": [ + "https://www.w3.org/ns/credentials/v2", + "https://arkforge.tech/ns/execution-attestation/v1" + ], + "type": "TrustAttestation", + "version": "0.3.1", + "claim_type": "authority", + "provider": { + "id": "did:web:trust.arkforge.tech", + "name": "ArkForge Trust Layer", + "category": "execution_attestation", + "version": "2.1.3" + }, + "subject": { + "did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "agent_fingerprint": "7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11" + }, + "attestation": { + "type": "ExecutionAttestation", + "confidence": 1.0, + "payload": { + "proof_id": "prf_20260430_120100_b2c3d4", + "chain_hash": "sha256:d37d4d5afab5f3c489fd1191f9823381ab02c4750ec3078e64680d63ea29fae3", + "constraint_evaluation": { + "facet": "token_budget", + "limit": 1000, + "actual": 750, + "delta": 250, + "result": "within_limit" + } + } + }, + "issued_at": "2026-04-30T12:01:00Z", + "expires_at": "2026-04-30T13:01:00Z" + }, + "canonical_bytes_utf8": "{\"@context\":[\"https://www.w3.org/ns/credentials/v2\",\"https://arkforge.tech/ns/execution-attestation/v1\"],\"attestation\":{\"confidence\":1.0,\"payload\":{\"chain_hash\":\"sha256:d37d4d5afab5f3c489fd1191f9823381ab02c4750ec3078e64680d63ea29fae3\",\"constraint_evaluation\":{\"actual\":750,\"delta\":250,\"facet\":\"token_budget\",\"limit\":1000,\"result\":\"within_limit\"},\"proof_id\":\"prf_20260430_120100_b2c3d4\"},\"type\":\"ExecutionAttestation\"},\"claim_type\":\"authority\",\"expires_at\":\"2026-04-30T13:01:00Z\",\"issued_at\":\"2026-04-30T12:01:00Z\",\"provider\":{\"category\":\"execution_attestation\",\"id\":\"did:web:trust.arkforge.tech\",\"name\":\"ArkForge Trust 
Layer\",\"version\":\"2.1.3\"},\"subject\":{\"agent_fingerprint\":\"7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11\",\"did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\"},\"type\":\"TrustAttestation\",\"version\":\"0.3.1\"}", + "canonical_sha256": "22e934a0cdb9da965cb7f7469b3e2f839c45cf9eee6e166a702d74ce865e209a", + "expected_result": "pass" + }, + "constraint_evaluation_near_miss": { + "note": "Near-miss constraint evaluation: delta=5 (0.5% headroom). Same shape as vector 2 but tests boundary detection. A monitoring system SHOULD alert on delta < threshold even when result=within_limit.", + "input_object": { + "@context": [ + "https://www.w3.org/ns/credentials/v2", + "https://arkforge.tech/ns/execution-attestation/v1" + ], + "type": "TrustAttestation", + "version": "0.3.1", + "claim_type": "authority", + "provider": { + "id": "did:web:trust.arkforge.tech", + "name": "ArkForge Trust Layer", + "category": "execution_attestation", + "version": "2.1.3" + }, + "subject": { + "did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "agent_fingerprint": "7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11" + }, + "attestation": { + "type": "ExecutionAttestation", + "confidence": 1.0, + "payload": { + "proof_id": "prf_20260430_120200_c3d4e5", + "chain_hash": "sha256:d37d4d5afab5f3c489fd1191f9823381ab02c4750ec3078e64680d63ea29fae3", + "constraint_evaluation": { + "facet": "token_budget", + "limit": 1000, + "actual": 995, + "delta": 5, + "result": "within_limit" + } + } + }, + "issued_at": "2026-04-30T12:02:00Z", + "expires_at": "2026-04-30T13:02:00Z" + }, + "canonical_bytes_utf8": 
"{\"@context\":[\"https://www.w3.org/ns/credentials/v2\",\"https://arkforge.tech/ns/execution-attestation/v1\"],\"attestation\":{\"confidence\":1.0,\"payload\":{\"chain_hash\":\"sha256:d37d4d5afab5f3c489fd1191f9823381ab02c4750ec3078e64680d63ea29fae3\",\"constraint_evaluation\":{\"actual\":995,\"delta\":5,\"facet\":\"token_budget\",\"limit\":1000,\"result\":\"within_limit\"},\"proof_id\":\"prf_20260430_120200_c3d4e5\"},\"type\":\"ExecutionAttestation\"},\"claim_type\":\"authority\",\"expires_at\":\"2026-04-30T13:02:00Z\",\"issued_at\":\"2026-04-30T12:02:00Z\",\"provider\":{\"category\":\"execution_attestation\",\"id\":\"did:web:trust.arkforge.tech\",\"name\":\"ArkForge Trust Layer\",\"version\":\"2.1.3\"},\"subject\":{\"agent_fingerprint\":\"7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11\",\"did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\"},\"type\":\"TrustAttestation\",\"version\":\"0.3.1\"}", + "canonical_sha256": "1d2788a87dcb5502a8775ed687fa68b67ea2e86943c4ced3801ffbf2457a4ef6", + "expected_result": "pass" + }, + "constraint_evaluation_exceeded": { + "note": "Exceeded constraint evaluation: delta=-150 (15% over limit). result=exceeded. A conformant enforcement layer receiving this attestation MUST NOT grant the requested authority scope. 
The attestation itself is valid (canonical + hash match); the enforcement decision is derived from result=exceeded.", + "input_object": { + "@context": [ + "https://www.w3.org/ns/credentials/v2", + "https://arkforge.tech/ns/execution-attestation/v1" + ], + "type": "TrustAttestation", + "version": "0.3.1", + "claim_type": "authority", + "provider": { + "id": "did:web:trust.arkforge.tech", + "name": "ArkForge Trust Layer", + "category": "execution_attestation", + "version": "2.1.3" + }, + "subject": { + "did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "agent_fingerprint": "7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11" + }, + "attestation": { + "type": "ExecutionAttestation", + "confidence": 1.0, + "payload": { + "proof_id": "prf_20260430_120300_d4e5f6", + "chain_hash": "sha256:d37d4d5afab5f3c489fd1191f9823381ab02c4750ec3078e64680d63ea29fae3", + "constraint_evaluation": { + "facet": "token_budget", + "limit": 1000, + "actual": 1150, + "delta": -150, + "result": "exceeded" + } + } + }, + "issued_at": "2026-04-30T12:03:00Z", + "expires_at": "2026-04-30T13:03:00Z" + }, + "canonical_bytes_utf8": "{\"@context\":[\"https://www.w3.org/ns/credentials/v2\",\"https://arkforge.tech/ns/execution-attestation/v1\"],\"attestation\":{\"confidence\":1.0,\"payload\":{\"chain_hash\":\"sha256:d37d4d5afab5f3c489fd1191f9823381ab02c4750ec3078e64680d63ea29fae3\",\"constraint_evaluation\":{\"actual\":1150,\"delta\":-150,\"facet\":\"token_budget\",\"limit\":1000,\"result\":\"exceeded\"},\"proof_id\":\"prf_20260430_120300_d4e5f6\"},\"type\":\"ExecutionAttestation\"},\"claim_type\":\"authority\",\"expires_at\":\"2026-04-30T13:03:00Z\",\"issued_at\":\"2026-04-30T12:03:00Z\",\"provider\":{\"category\":\"execution_attestation\",\"id\":\"did:web:trust.arkforge.tech\",\"name\":\"ArkForge Trust 
Layer\",\"version\":\"2.1.3\"},\"subject\":{\"agent_fingerprint\":\"7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11\",\"did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\"},\"type\":\"TrustAttestation\",\"version\":\"0.3.1\"}", + "canonical_sha256": "f0c1389e1162328578a1aa4148663f3eecda99cb1098780115a4dddabd8742ae", + "expected_result": "pass" + } +} diff --git a/specs/test-vectors/tier-upgrade-proof-arkforge.json b/specs/test-vectors/tier-upgrade-proof-arkforge.json new file mode 100644 index 00000000..d97f67f3 --- /dev/null +++ b/specs/test-vectors/tier-upgrade-proof-arkforge.json 
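Review bot: Every `canonical_bytes_utf8` in this file contains `"confidence":1.0`, which is the float form Python's `json.dumps` emits; serializers that follow ECMAScript number formatting (RFC 8785 JCS, `JSON.stringify`) write `1` for the same value and would compute a different `canonical_sha256`. The `cross_validation.implementation` field names the Python call, but nothing states that its number formatting is part of the canonical form, so a non-Python verifier can fail these vectors while being otherwise correct. Either pin the number rule in that field's text or keep floats out of hashed content, for example `"confidence": "1.0"`. Separately, the `constraint_evaluation_schema` note defines positive and negative `delta` but not `delta` equal to 0, which is the boundary an enforcement layer most needs defined.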
@@ -0,0 +1,163 @@ +{ + "version": "0.3.1", + "spec": "CTEF (Composable Trust Evidence Format)", + "contributor": "ArkForge Trust Layer (did:web:trust.arkforge.tech)", + "reference": "a2aproject/A2A#1734 — tier_upgrade_proof schema convergence (kenneives × desiorac × pmyers-abundance)", + "schema_origin": { + "base_shape": "kenneives CTEF v0.3.1 tier_upgrade schema (2026-04-30T23:54Z)", + "requester_did_required": "desiorac correction — replay surface closure (2026-05-01T03:31Z)", + "policy_ref_addition": "pmyers-abundance AEP 0.1.1 adoption per ArkForge suggestion (2026-05-01T01:43Z)" + }, + "tier_upgrade_granted": { + "note": "T1→T2 tier upgrade with enforcement verdict. Exercises full schema: requester_did (required per desiorac), policy_ref (optional per pmyers-abundance/AEP 0.1.1), scope_boundary + use_count_max for replay prevention. The verdict_jws is a placeholder — conformance test verifies canonical hash, not JWS signature.", + "input_object": { + "@context": [ + "https://www.w3.org/ns/credentials/v2", + "https://arkforge.tech/ns/execution-attestation/v1" + ], + "type": "TrustAttestation", + "version": "0.3.1", + "claim_type": "authority", + "claim_subtype": "tier_upgrade", + "provider": { + "id": "did:web:trust.arkforge.tech", + "name": "ArkForge Trust Layer", + "category": "enforcement_gateway", + "version": "2.1.3" + }, + "subject": { + "did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "agent_fingerprint": "7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11" + }, + "tier_upgrade_proof": { + "from_tier": "T1", + "to_tier": "T2", + "intent_code": "TIER_UPGRADE_REQUEST", + "requester_did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "requested_action": { + "facet": "scope.scheduling.write", + "limit": 1, + "actual": 0 + }, + "approval_evidence": { + "verdict_jws": 
"eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6dHJ1c3QuYXJrZm9yZ2UudGVjaCJ9.eyJjZXJ0aWZpZWQiOnRydWUsImF0dGVzdGF0aW9uX2hhc2giOiJzaGEyNTY6YWJjMTIzIiwiY29uc3RyYWludF9ldmFsdWF0aW9uIjp7ImZhY2V0Ijoic2NvcGUuc2NoZWR1bGluZy53cml0ZSIsImxpbWl0IjoxLCJhY3R1YWwiOjAsImRlbHRhIjoxLCJyZXN1bHQiOiJ3aXRoaW5fbGltaXQifX0.SIGNATURE_PLACEHOLDER", + "approver_did": "did:web:trust.arkforge.tech", + "evaluated_at": "2026-05-01T12:00:00Z", + "policy_ref": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + }, + "validity": { + "valid_until": "2026-05-01T13:00:00Z", + "scope_boundary": "session:tier_upgrade_test_001", + "use_count_max": 1 + } + }, + "issued_at": "2026-05-01T12:00:00Z", + "expires_at": "2026-05-01T13:00:00Z" + }, + "canonical_bytes_utf8": "{\"@context\":[\"https://www.w3.org/ns/credentials/v2\",\"https://arkforge.tech/ns/execution-attestation/v1\"],\"claim_subtype\":\"tier_upgrade\",\"claim_type\":\"authority\",\"expires_at\":\"2026-05-01T13:00:00Z\",\"issued_at\":\"2026-05-01T12:00:00Z\",\"provider\":{\"category\":\"enforcement_gateway\",\"id\":\"did:web:trust.arkforge.tech\",\"name\":\"ArkForge Trust 
Layer\",\"version\":\"2.1.3\"},\"subject\":{\"agent_fingerprint\":\"7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11\",\"did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\"},\"tier_upgrade_proof\":{\"approval_evidence\":{\"approver_did\":\"did:web:trust.arkforge.tech\",\"evaluated_at\":\"2026-05-01T12:00:00Z\",\"policy_ref\":\"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"verdict_jws\":\"eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6dHJ1c3QuYXJrZm9yZ2UudGVjaCJ9.eyJjZXJ0aWZpZWQiOnRydWUsImF0dGVzdGF0aW9uX2hhc2giOiJzaGEyNTY6YWJjMTIzIiwiY29uc3RyYWludF9ldmFsdWF0aW9uIjp7ImZhY2V0Ijoic2NvcGUuc2NoZWR1bGluZy53cml0ZSIsImxpbWl0IjoxLCJhY3R1YWwiOjAsImRlbHRhIjoxLCJyZXN1bHQiOiJ3aXRoaW5fbGltaXQifX0.SIGNATURE_PLACEHOLDER\"},\"from_tier\":\"T1\",\"intent_code\":\"TIER_UPGRADE_REQUEST\",\"requested_action\":{\"actual\":0,\"facet\":\"scope.scheduling.write\",\"limit\":1},\"requester_did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\",\"to_tier\":\"T2\",\"validity\":{\"scope_boundary\":\"session:tier_upgrade_test_001\",\"use_count_max\":1,\"valid_until\":\"2026-05-01T13:00:00Z\"}},\"type\":\"TrustAttestation\",\"version\":\"0.3.1\"}", + "canonical_sha256": "7b971451dd035f1f98659c1cfcd62633abe2097b96ce960f1703e44b2d2fafaa", + "expected_result": "pass", + "enforcement_decision": "grant — constraint_evaluation.result=within_limit, requester_did bound, validity window active" + }, + "tier_upgrade_denied": { + "note": "T2→T3 tier upgrade denied — requested_action.actual already at limit. Tests that a conformant enforcement layer rejects the upgrade when the constraint is already saturated. 
Canonical hash is still valid; enforcement decision is deny.", + "input_object": { + "@context": [ + "https://www.w3.org/ns/credentials/v2", + "https://arkforge.tech/ns/execution-attestation/v1" + ], + "type": "TrustAttestation", + "version": "0.3.1", + "claim_type": "authority", + "claim_subtype": "tier_upgrade", + "provider": { + "id": "did:web:trust.arkforge.tech", + "name": "ArkForge Trust Layer", + "category": "enforcement_gateway", + "version": "2.1.3" + }, + "subject": { + "did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "agent_fingerprint": "7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11" + }, + "tier_upgrade_proof": { + "from_tier": "T2", + "to_tier": "T3", + "intent_code": "TIER_UPGRADE_REQUEST", + "requester_did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "requested_action": { + "facet": "scope.scheduling.write", + "limit": 1, + "actual": 1 + }, + "approval_evidence": { + "verdict_jws": "eyJhbGciOiJFZERTQSJ9.eyJjZXJ0aWZpZWQiOmZhbHNlLCJyZXN1bHQiOiJleGNlZWRlZCJ9.SIGNATURE_DENIED", + "approver_did": "did:web:trust.arkforge.tech", + "evaluated_at": "2026-05-01T12:05:00Z", + "policy_ref": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + }, + "validity": { + "valid_until": "2026-05-01T13:05:00Z", + "scope_boundary": "session:tier_upgrade_test_002", + "use_count_max": 1 + } + }, + "issued_at": "2026-05-01T12:05:00Z", + "expires_at": "2026-05-01T13:05:00Z" + }, + "canonical_bytes_utf8": "{\"@context\":[\"https://www.w3.org/ns/credentials/v2\",\"https://arkforge.tech/ns/execution-attestation/v1\"],\"claim_subtype\":\"tier_upgrade\",\"claim_type\":\"authority\",\"expires_at\":\"2026-05-01T13:05:00Z\",\"issued_at\":\"2026-05-01T12:05:00Z\",\"provider\":{\"category\":\"enforcement_gateway\",\"id\":\"did:web:trust.arkforge.tech\",\"name\":\"ArkForge Trust 
Layer\",\"version\":\"2.1.3\"},\"subject\":{\"agent_fingerprint\":\"7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11\",\"did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\"},\"tier_upgrade_proof\":{\"approval_evidence\":{\"approver_did\":\"did:web:trust.arkforge.tech\",\"evaluated_at\":\"2026-05-01T12:05:00Z\",\"policy_ref\":\"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"verdict_jws\":\"eyJhbGciOiJFZERTQSJ9.eyJjZXJ0aWZpZWQiOmZhbHNlLCJyZXN1bHQiOiJleGNlZWRlZCJ9.SIGNATURE_DENIED\"},\"from_tier\":\"T2\",\"intent_code\":\"TIER_UPGRADE_REQUEST\",\"requested_action\":{\"actual\":1,\"facet\":\"scope.scheduling.write\",\"limit\":1},\"requester_did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\",\"to_tier\":\"T3\",\"validity\":{\"scope_boundary\":\"session:tier_upgrade_test_002\",\"use_count_max\":1,\"valid_until\":\"2026-05-01T13:05:00Z\"}},\"type\":\"TrustAttestation\",\"version\":\"0.3.1\"}", + "canonical_sha256": "818a01235fb35345f6c21a2d87c024fbbfecfb11e60aeafc47644278b84997e8", + "expected_result": "pass", + "enforcement_decision": "deny — requested_action.actual >= requested_action.limit" + }, + "tier_upgrade_replay_vulnerable": { + "note": "Missing requester_did — per desiorac (2026-05-01T03:31Z), this proof is replay-vulnerable. An intercepted proof without requester_did binding can be replayed by any agent within the same session before use_count_max increments. 
Conformant implementations MUST reject proofs missing requester_did.", + "input_object": { + "@context": [ + "https://www.w3.org/ns/credentials/v2", + "https://arkforge.tech/ns/execution-attestation/v1" + ], + "type": "TrustAttestation", + "version": "0.3.1", + "claim_type": "authority", + "claim_subtype": "tier_upgrade", + "provider": { + "id": "did:web:trust.arkforge.tech", + "name": "ArkForge Trust Layer", + "category": "enforcement_gateway", + "version": "2.1.3" + }, + "subject": { + "did": "did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8", + "agent_fingerprint": "7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11" + }, + "tier_upgrade_proof": { + "from_tier": "T1", + "to_tier": "T2", + "intent_code": "TIER_UPGRADE_REQUEST", + "requested_action": { + "facet": "scope.scheduling.write", + "limit": 1, + "actual": 0 + }, + "approval_evidence": { + "verdict_jws": "eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6dHJ1c3QuYXJrZm9yZ2UudGVjaCJ9.eyJjZXJ0aWZpZWQiOnRydWUsImF0dGVzdGF0aW9uX2hhc2giOiJzaGEyNTY6YWJjMTIzIiwiY29uc3RyYWludF9ldmFsdWF0aW9uIjp7ImZhY2V0Ijoic2NvcGUuc2NoZWR1bGluZy53cml0ZSIsImxpbWl0IjoxLCJhY3R1YWwiOjAsImRlbHRhIjoxLCJyZXN1bHQiOiJ3aXRoaW5fbGltaXQifX0.SIGNATURE_PLACEHOLDER", + "approver_did": "did:web:trust.arkforge.tech", + "evaluated_at": "2026-05-01T12:10:00Z", + "policy_ref": "sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + }, + "validity": { + "valid_until": "2026-05-01T13:10:00Z", + "scope_boundary": "session:tier_upgrade_test_003", + "use_count_max": 1 + } + }, + "issued_at": "2026-05-01T12:10:00Z", + "expires_at": "2026-05-01T13:10:00Z" + }, + "canonical_bytes_utf8": 
"{\"@context\":[\"https://www.w3.org/ns/credentials/v2\",\"https://arkforge.tech/ns/execution-attestation/v1\"],\"claim_subtype\":\"tier_upgrade\",\"claim_type\":\"authority\",\"expires_at\":\"2026-05-01T13:10:00Z\",\"issued_at\":\"2026-05-01T12:10:00Z\",\"provider\":{\"category\":\"enforcement_gateway\",\"id\":\"did:web:trust.arkforge.tech\",\"name\":\"ArkForge Trust Layer\",\"version\":\"2.1.3\"},\"subject\":{\"agent_fingerprint\":\"7c8f263e06d5ce4681f750ad64ede882a4ebd87de60f9ae0e6b06f0300645a11\",\"did\":\"did:key:z6MkpTHR8VNs5xhPjVcMZnr3X7PvNmZgPEJaSbH3hZ6yzK8\"},\"tier_upgrade_proof\":{\"approval_evidence\":{\"approver_did\":\"did:web:trust.arkforge.tech\",\"evaluated_at\":\"2026-05-01T12:10:00Z\",\"policy_ref\":\"sha256:e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855\",\"verdict_jws\":\"eyJhbGciOiJFZERTQSIsImtpZCI6ImRpZDp3ZWI6dHJ1c3QuYXJrZm9yZ2UudGVjaCJ9.eyJjZXJ0aWZpZWQiOnRydWUsImF0dGVzdGF0aW9uX2hhc2giOiJzaGEyNTY6YWJjMTIzIiwiY29uc3RyYWludF9ldmFsdWF0aW9uIjp7ImZhY2V0Ijoic2NvcGUuc2NoZWR1bGluZy53cml0ZSIsImxpbWl0IjoxLCJhY3R1YWwiOjAsImRlbHRhIjoxLCJyZXN1bHQiOiJ3aXRoaW5fbGltaXQifX0.SIGNATURE_PLACEHOLDER\"},\"from_tier\":\"T1\",\"intent_code\":\"TIER_UPGRADE_REQUEST\",\"requested_action\":{\"actual\":0,\"facet\":\"scope.scheduling.write\",\"limit\":1},\"to_tier\":\"T2\",\"validity\":{\"scope_boundary\":\"session:tier_upgrade_test_003\",\"use_count_max\":1,\"valid_until\":\"2026-05-01T13:10:00Z\"}},\"type\":\"TrustAttestation\",\"version\":\"0.3.1\"}", + "canonical_sha256": "3e19f0d2da59be2c64481d52b58226339c290bd724a9208ac0b01a06e9abecb4", + "expected_result": "fail", + "enforcement_decision": "reject — requester_did is required (replay surface)" + } +} \ No newline at end of file diff --git a/specs/test-vectors/verify_execution_attestation_arkforge.py b/specs/test-vectors/verify_execution_attestation_arkforge.py new file mode 100644 index 00000000..f48e2c95 --- /dev/null +++ b/specs/test-vectors/verify_execution_attestation_arkforge.py 
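Review bot: The `verdict_jws` string in `tier_upgrade_replay_vulnerable` is identical to the one in `tier_upgrade_granted`, so the only difference between the accepted proof and the rejected one is the `requester_did` field in the envelope, outside the signed verdict. If real proofs follow this shape, a holder could add or change `requester_did` without invalidating the verdict signature, and the replay binding would rest on envelope integrity alone. Consider stating in the vector `note` that the signed verdict payload must itself carry `requester_did` and `scope_boundary`, or add a vector whose JWS payload includes them. The `policy_ref` value used in all three vectors is the SHA-256 of empty input and should be labelled a placeholder in the `note`, as the JWS already is in the first vector.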
@@ -0,0 +1,48 @@
+#!/usr/bin/env python3
+"""Verify ArkForge execution attestation test vectors (CTEF v0.3.1).
+
+Reproduces canonical JSON + SHA-256 for each vector and checks byte-exact match.
+Zero dependencies beyond Python stdlib.
+"""
+import json, hashlib, sys
+from pathlib import Path
+
+VECTORS_FILE = Path(__file__).parent / "execution-attestation-arkforge.json"
+
+def canonical_json(d: dict) -> str:
+ return json.dumps(d, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
+
+def main():
+ data = json.loads(VECTORS_FILE.read_text())
+ vector_keys = [k for k in data if isinstance(data[k], dict) and "input_object" in data[k]]
+ passed = 0
+ failed = 0
+
+ for key in vector_keys:
+ v = data[key]
+ inp = v["input_object"]
+ expected_canonical = v["canonical_bytes_utf8"]
+ expected_sha = v["canonical_sha256"]
+
+ computed_canonical = canonical_json(inp)
+ computed_sha = hashlib.sha256(computed_canonical.encode("utf-8")).hexdigest()
+
+ canonical_match = computed_canonical == expected_canonical
+ sha_match = computed_sha == expected_sha
+
+ if canonical_match and sha_match:
+ print(f" PASS {key}")
+ passed += 1
+ else:
+ print(f" FAIL {key}")
+ if not canonical_match:
+ print(f" canonical mismatch")
+ if not sha_match:
+ print(f" sha256: got {computed_sha}, expected {expected_sha}")
+ failed += 1
+
+ print(f"\n{passed}/{passed + failed} vectors pass")
+ return 0 if failed == 0 else 1
+
+if __name__ == "__main__":
+ sys.exit(main())
diff --git a/specs/test-vectors/verify_tier_upgrade_proof_arkforge.py b/specs/test-vectors/verify_tier_upgrade_proof_arkforge.py
new file mode 100644
index 00000000..b18670e8
--- /dev/null
+++ b/specs/test-vectors/verify_tier_upgrade_proof_arkforge.py
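Review bot: main() compares only the canonical string and its SHA-256, so a vector whose `constraint_evaluation` is internally inconsistent (for example `result` of `within_limit` with a negative `delta`) still prints PASS, although the vector notes say the verifier confirms that `result` matches the sign of `delta`. The loop also never reads `expected_result`, and an empty `vector_keys` list ends with "0/0 vectors pass" and exit status 0. A consistency check inside the loop as sketched below, together with `read_text(encoding="utf-8")` and a non-zero exit when no vectors are found, would make a green run mean what the vectors claim.

```python
        # … unchanged: canonical_match / sha_match computation …
        ce = inp["attestation"]["payload"].get("constraint_evaluation")
        constraint_ok = True
        if ce is not None:
            # delta must be limit minus actual, and result must follow its sign.
            # NOTE(review): delta == 0 is not defined by the schema note; treated
            # as within_limit here, confirm against the spec.
            delta_ok = ce["delta"] == ce["limit"] - ce["actual"]
            expected_label = "exceeded" if ce["delta"] < 0 else "within_limit"
            constraint_ok = delta_ok and ce["result"] == expected_label

        if canonical_match and sha_match and constraint_ok:
            # … unchanged: PASS / FAIL reporting …
```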
@@ -0,0 +1,54 @@
+#!/usr/bin/env python3
+"""Verify ArkForge tier_upgrade_proof CTEF test vectors.
+
+Checks:
+1. Canonical JSON byte-exact reproduction
+2. SHA-256 hash match
+3. Required field presence (requester_did for non-replay vectors)
+4. Enforcement decision consistency with constraint_evaluation
+"""
+import json, hashlib, sys
+from pathlib import Path
+
+VECTORS_FILE = Path(__file__).parent / "tier-upgrade-proof-arkforge.json"
+
+def canonical(obj: dict) -> str:
+ return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
+
+def verify():
+ data = json.loads(VECTORS_FILE.read_text())
+ results = []
+
+ for key in ["tier_upgrade_granted", "tier_upgrade_denied", "tier_upgrade_replay_vulnerable"]:
+ vec = data[key]
+ obj = vec["input_object"]
+ expected_canonical = vec["canonical_bytes_utf8"]
+ expected_hash = vec["canonical_sha256"]
+
+ actual_canonical = canonical(obj)
+ actual_hash = hashlib.sha256(actual_canonical.encode("utf-8")).hexdigest()
+
+ canonical_match = actual_canonical == expected_canonical
+ hash_match = actual_hash == expected_hash
+
+ has_requester_did = "requester_did" in obj.get("tier_upgrade_proof", {})
+ expected_result = vec["expected_result"]
+
+ if expected_result == "fail" and has_requester_did:
+ field_check = "WARN: expected fail but requester_did present"
+ elif expected_result == "pass" and not has_requester_did:
+ field_check = "WARN: expected pass but requester_did missing"
+ else:
+ field_check = "OK"
+
+ status = "PASS" if (canonical_match and hash_match) else "FAIL"
+ results.append((key, status, hash_match, field_check))
+ print(f" {key}: {status} (hash={'match' if hash_match else 'MISMATCH'}, fields={field_check})")
+
+ passed = sum(1 for _, s, _, _ in results if s == "PASS")
+ print(f"\n{passed}/{len(results)} vectors passed")
+ return 0 if passed == len(results) else 1
+
+if __name__ == "__main__":
+ print(f"Verifying {VECTORS_FILE}")
+ sys.exit(verify())
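Review bot: `field_check` is only printed; `status` is computed from `canonical_match and hash_match` alone, so a vector marked `expected_result` "pass" that lacks `requester_did` still counts as PASS and the script exits 0. Rejecting a proof without `requester_did` is the replay protection these vectors exist to pin, so the check should gate the result: `status = "PASS" if (canonical_match and hash_match and field_check == "OK") else "FAIL"`. The module docstring also lists check 4, enforcement decision consistency, but nothing in verify() reads `enforcement_decision` or `requested_action`; either implement that comparison or drop the line from the docstring so the header does not promise a check that never runs.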