Skip to content

Scaffold 0.4 (draft) — adoption-first, fully additive#13

Open
koishore wants to merge 1 commit into
fix/spec-status-prose-0.3from
draft/0.4-adoption-scaffold
Open

Scaffold 0.4 (draft) — adoption-first, fully additive#13
koishore wants to merge 1 commit into
fix/spec-status-prose-0.3from
draft/0.4-adoption-scaffold

Conversation

@koishore

Copy link
Copy Markdown
Member

What

Scaffolds 0.4 (draft) of the wire spec. 0.4 is adoption-first: the goal is to make the protocol consumable by the ICP (platform/security-eng teams shipping action-taking agents) and to give the buyer an approval+audit story — not to deepen the protocol.

Key decision: 0.4 is entirely additive. Every clause changes no hashed or signed bytes and MAY be adopted by a 0.3 implementation. The one breaking item considered for 0.4 — folding request headers/body into the action_fingerprint preimage — is deferred (a breaking preimage change invalidates parked approvals and forces re-integration; that's an adoption tax). The reference still implements 0.3; these clauses are spec-led (draft — not yet in reference).

New sections

  • §2.2 Broker interface (the PEP contract) + a separated-gateway request/response profile (schema/broker-gateway.json). Consolidates the Broker's transport-agnostic obligations (reconstruct from the authorized action only · refuse what it can't reconstruct · verify a token per §9.1 if required · execute at most once · report outcome) so a third party can write a conformant broker without reverse-engineering the reference. A gateway must distinguish a refusal from an upstream result.
  • §7.2 Approval lifecycle & routing metadatareason, routing_group/required_approvers, expires_at (expiry fails closeddeny). Advisory only; on the approval record, not the fingerprint/receipt; never settable by the Agent; MUST NOT affect the §7 guards.
  • §7.3 Approval notification & callback protocol — the adoption headline: approvals out of the local console onto any surface (chat/web/ticketing) with the Agent out of the loop (schema/approval-callback.json). Outbound notification + signed single-use decision callback; the approval principal MUST be separate from the Agent; an unverifiable/replayed callback leaves the approval pending (fail-closed). The callback carries no action, so the §7 P1/P2 guards still bind the action at release time.
  • §8.4 Receipt context (optional, UNSIGNED) — a context object outside the signed payload for correlating receipts to operational identity (agent/session/trace/principal) without a breaking receipt change. Not tamper-evident; ignored by §8.1; MUST NOT carry authorization-relevant data. schema/receipt.json gains an optional context.
  • §10 gains a 0.4 — additive (adoption) conformance block; §11 gains security notes (callback authenticity/replay, broker idempotency, unsigned context).
  • §2.1 version table/legend + README/CHANGELOG moved to 0.4 (draft); spec badge → v0.4-draft.

New files

schema/approval-callback.json, schema/broker-gateway.json, examples/approval-callback.json, examples/broker-gateway.json — all wired into validate.py.

Verification

  • validate.py green (incl. the four new example shapes).
  • conformance.py green — no CTK vector changes; reference 0.3 <= spec 0.4.
  • All spec.md# anchors across the repo resolve.

Merge order (stacked PR)

Based on fix/spec-status-prose-0.3 (#12), which supplies the corrected §2.1/§10 text these clauses build on. Merge #12 first. On squash-merge of #12 with branch delete, GitHub retargets this PR to main; if the diff then shows #12's changes, rebase with git rebase --onto main fix/spec-status-prose-0.3 draft/0.4-adoption-scaffold to detach.

Scope

Spec + schemas + examples + validator + docs only. No delego implementation changes (these are draft/spec-led). Landing is deliberately untouched — we don't publish a draft spec to the public site.

Moves the document to 0.4 (draft). 0.4 is adoption-first and ENTIRELY
ADDITIVE on the 0.3 preimage (changes no hashed or signed bytes; MAY be
adopted by a 0.3 implementation). The one breaking item considered for
0.4 — folding request headers/body into the action_fingerprint — is
deferred to avoid a re-integration tax. The reference still implements
0.3; these clauses are spec-led (draft, not yet in reference).

New sections:
- §2.2 Broker interface (the PEP contract) + separated-gateway profile
  (schema/broker-gateway.json): one contract a third party can implement
  against instead of reverse-engineering the reference.
- §7.2 Approval lifecycle & routing metadata (reason, routing, expiry;
  expiry fails closed). Advisory; never settable by the Agent.
- §7.3 Approval notification & callback protocol — approvals out of the
  local console onto any surface, Agent out of the loop
  (schema/approval-callback.json). Approval principal separate from the
  Agent; unverifiable/replayed callback leaves the approval pending.
- §8.4 Receipt context (optional, UNSIGNED) — correlation metadata
  outside the signed payload; ignored by §8.1; never authorization-
  relevant. schema/receipt.json gains optional context.
- §10 adds a '0.4 — additive (adoption)' conformance block; §11 adds
  security notes (callback authenticity/replay, broker idempotency,
  unsigned context).

New examples + validate.py wiring. No CTK vector changes; conformance.py
unaffected (reference 0.3 <= spec 0.4). validate.py + conformance.py
green; all spec.md anchors resolve.

Stacked on the spec-prose fix (#12) — that base supplies the corrected
§2.1/§10 text these clauses build on.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant