VeritasActa
diff --git a/‎IMPLEMENTATIONS.md‎
Lines changed: 1 addition & 1 deletion b/‎IMPLEMENTATIONS.md‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎conformance/signet/ADAPTER.md‎
Lines changed: 135 additions & 0 deletions b/‎conformance/signet/ADAPTER.md‎
Lines changed: 135 additions & 0 deletions
diff --git a/‎conformance/signet/DEVIATIONS.md‎
Lines changed: 94 additions & 0 deletions b/‎conformance/signet/DEVIATIONS.md‎
Lines changed: 94 additions & 0 deletions
@@ -6,7 +6,7 @@
 | protect-mcp | [scopeblind/scopeblind-gateway](https://github.com/scopeblind/scopeblind-gateway) | Claimed | @tomjwxf | Claude Code hooks + MCP gateway. Operator-signed mode. |
 | protect-mcp-adk | [scopeblind/protect-mcp-adk](https://github.com/scopeblind/protect-mcp-adk) | Claimed | @tomjwxf | Google ADK BasePlugin. Python. |
 | aps-governance-hook | [aeoess/hermes-aps-delegation](https://github.com/aeoess/hermes-aps-delegation) (pending 0.1.0) | Claimed | @aeoess | Authority-chain-referenced mode with delegation_chain_root. |
-| Signet | TBD | Under review | @willamhou | Added to AGT Tutorial 33 via [microsoft/agent-governance-toolkit#1201](https://github.com/microsoft/agent-governance-toolkit/pull/1201); conformance under confirmation. |
+| Signet | [Prismer-AI/signet](https://github.com/Prismer-AI/signet) | Self-certified (adapter crate pending) | @willamhou | Mapping confirmed by @willamhou in [agt-integration-profile#1](https://github.com/VeritasActa/agt-integration-profile/pull/1); conformance/signet/ captures the agreed field mapping and four documented wire-format deltas. Signet is adding `parent_hash` alongside `parent_receipt_id` and shipping a `--emit-draft02` flag plus an in-workspace `signet-draft02-adapter` crate in an upcoming point release. Cross-documentation at [aeoess/agent-governance-vocabulary#37](https://github.com/aeoess/agent-governance-vocabulary/pull/37). |
 
 ## How to add an implementation
 
 
@@ -0,0 +1,135 @@
+# Signet -> draft-02 adapter sketch
+
+Pseudocode for a thin shim that translates a Signet receipt (as emitted by `Prismer-AI/signet@main` at the date of this PR) into a draft-farley-acta-signed-receipts-02 envelope verifiable against `@veritasacta/verify`.
+
+**Status:** Sketch. The Signet maintainer has confirmed the co-signer shape below and committed to shipping this as a `--emit-draft02` flag on `signet sign` (main repo), plus an in-workspace `signet-draft02-adapter` crate. Production implementation is scheduled on the Signet side; this file remains as the architectural reference. Open questions at the bottom are resolved.
+
+## Input
+
+A signed Signet receipt, as emitted by `signet_core::sign::sign()`.
+
+## Output
+
+Either:
+
+- **A draft-02 envelope that verifies against `@veritasacta/verify --key operator.pem`**, IF the adapter has access to the Signet operator's pubkey and can publish a JWKS at the correct discovery endpoint; OR
+- **A draft-02 envelope that fails verification with a deterministic `invalid_signature` error** — because the signature was generated over Signet's canonical form, not draft-02's. To produce a verifying draft-02 envelope, the adapter must re-sign.
+
+The latter is usually what is wanted: the adapter acts as a **co-signer** at the governance gateway, producing a draft-02 envelope in parallel with the Signet receipt. Both receipts are emitted; downstream consumers choose which to verify.
+
+## Pseudocode (co-signer mode)
+
+```python
+def signet_to_draft02(signet_receipt: dict, operator_signer: Ed25519Signer) -> dict:
+    """Co-sign a Signet receipt as a draft-02 envelope.
+
+    signet_receipt: the decoded JSON of a Signet receipt.
+    operator_signer: the same Ed25519 key that signed the Signet receipt,
+                     wrapped for draft-02-style JCS canonicalization.
+
+    Returns: a draft-02 envelope.
+    """
+    action = signet_receipt["action"]
+
+    payload = {
+        "type": "signet:decision",
+        "action": action["tool"],
+        "agent_id": signet_receipt["signer"].get("name", "unknown"),
+        "issuer_id": signet_receipt["signer"].get("owner", "unknown"),
+        "issued_at": signet_receipt["ts"],
+        "decision": "allow",  # Or pull from signet's decision field if present
+    }
+
+    # Optional mappings (only if present in Signet)
+    if "params_hash" in action:
+        payload["action_ref"] = action["params_hash"]
+    if "trace_id" in action:
+        payload["iteration_id"] = action["trace_id"]
+    if "parent_receipt_id" in action:
+        # Requires the prior receipt (or its hash) to be resolvable.
+        # See DEVIATIONS.md section 3.
+        payload["previousReceiptHash"] = resolve_prior_hash(action["parent_receipt_id"])
+
+    # Map PolicyAttestation -> policy_digest / policy_id / decision.
+    # Signet's PolicyAttestation struct uses policy_name and policy_hash.
+    if signet_receipt.get("policy"):
+        policy = signet_receipt["policy"]
+        payload["policy_id"] = policy.get("policy_name")
+        payload["policy_digest"] = policy.get("policy_hash")
+        if policy.get("decision"):
+            payload["decision"] = policy["decision"]
+        # Suggested: attestation_evidence extension for richer fields
+        if policy.get("matched_rules") or policy.get("reason"):
+            payload["attestation_evidence"] = {
+                "matched_rules": policy.get("matched_rules", []),
+                "reason": policy.get("reason"),
+            }
+
+    # Map Authorization -> holder_binding (AIP-0003).
+    # Signet's Authorization struct: { chain, chain_hash, root_pubkey }.
+    # Only chain_hash and root_pubkey enter the signed scope; full chain
+    # is carried for storage and dropped at adapt time.
+    if signet_receipt.get("authorization"):
+        auth = signet_receipt["authorization"]
+        payload["holder_binding"] = {
+            "mode": "jwk_thumbprint",
+            "thumbprint": jwk_thumbprint_of_ed25519_pubkey(auth["root_pubkey"]),
+            "delegation_chain_hash": auth["chain_hash"],
+        }
+
+    # Re-sign under draft-02 canonicalization (JCS RFC 8785, AIP-0001 ASCII-keys)
+    canonical = jcs_canonicalize(payload)
+    signature_bytes = operator_signer.sign(canonical)
+
+    return {
+        "payload": payload,
+        "signature": {
+            "alg": "EdDSA",
+            "kid": jwk_thumbprint(operator_signer.public_key()),
+            "sig": base64url_encode(signature_bytes).rstrip("="),
+        },
+    }
+```
+
+## Verification after adapt
+
+```bash
+# Write adapted envelope
+echo "$DRAFT02_ENVELOPE" > /tmp/signet-as-draft02.json
+
+# Publish operator pubkey as JWKS at well-known URL, then:
+npx @veritasacta/verify /tmp/signet-as-draft02.json --jwks https://operator.example/jwks
+
+# Or pin the key locally:
+npx @veritasacta/verify /tmp/signet-as-draft02.json --key ./operator-public.pem
+```
+
+Expected output on a successful adapt + verify:
+
+```
+✓ Signature valid
+✓ Issuer: signet:operator:...
+✓ Decision: allow
+✓ Issued: 2026-04-19T...
+✓ Tier: T1 (basic)
+```
+
+## Alternative: transcode mode (no re-sign)
+
+If the operator specifically wants the SAME Ed25519 signature to verify under BOTH Signet and draft-02 rules, the transcoding is stricter: the canonicalization MUST produce the same byte string under both systems, which in practice requires the Signet canonical form and the draft-02 payload canonical form to be byte-identical.
+
+That is achievable but constrains Signet's field set (cannot include fields that draft-02 does not canonicalize, and vice versa). Given the known deltas on `params` (redacted in draft-02), this mode is not straightforward.
+
+**Co-sign mode is the recommended default.** Transcode mode is a design conversation for Path 3 (native alignment), not for an adapter.
+
+## Signet maintainer answers
+
+Resolved in the review of [VeritasActa/agt-integration-profile#1](https://github.com/VeritasActa/agt-integration-profile/pull/1):
+
+1. **Feature flag.** The co-signer emits as a `--emit-draft02` flag on `signet sign`. When set, both the Signet-native envelope and the draft-02 envelope are produced per operation. Lives in the main Signet repo (discoverable, tested in the main CI).
+
+2. **In-workspace adapter crate.** A `signet-draft02-adapter` crate is welcome inside the Signet Cargo workspace. Timing depends on the conformance bar; maintainer will prioritise after field mapping is confirmed (confirmed by this PR).
+
+3. **Co-signer mode is the right default.** The operator private key is accessible at the adapter site, so the adapter can produce a draft-02 envelope that verifies under the operator's public key. No cross-custody complications at the adapter site.
+
+The adapter therefore lives in the Signet main repo (not this repo, not third-party). This repo retains the architectural reference (this file) and the normative field mapping ([`FIELD-MAPPING.md`](./FIELD-MAPPING.md)).
@@ -0,0 +1,94 @@
+# Signet wire-format deviations from draft-farley-acta-signed-receipts-02
+
+Four deltas that require adapter handling but do not affect semantic conformance. Each is adaptable with under ~20 lines of code per direction.
+
+## 1. Envelope shape: flat struct vs `{payload, signature}` split
+
+**Signet.** Single flat struct with `sig` as one field among the others:
+
+```json
+{
+  "v": 1,
+  "id": "...",
+  "action": {"tool": "...", ...},
+  "signer": {"pubkey": "ed25519:..."},
+  "ts": "...",
+  "sig": "ed25519:..."
+}
+```
+
+**draft-02.** Envelope splits the signed material from the signature metadata:
+
+```json
+{
+  "payload": {
+    "action": "...",
+    "issuer_id": "...",
+    "issued_at": "..."
+  },
+  "signature": {
+    "alg": "EdDSA",
+    "kid": "...",
+    "sig": "..."
+  }
+}
+```
+
+**Adapter direction (Signet -> draft-02):** Move Signet's `sig` out into `signature.sig` (stripping the `ed25519:` prefix); derive `signature.kid` from `signer.pubkey` (see deviation 4); lift all other Signet top-level and nested fields under `payload`; set `signature.alg = "EdDSA"`.
+
+**Impact on conformance:** None. JCS canonicalization reproduces the same byte string for identical field sets regardless of nesting, as long as the adapter includes all originally-signed fields under `payload`.
+
+## 2. Signature encoding: `ed25519:<base64>` vs `<base64url>`
+
+**Signet.** Signature is a string of the form `ed25519:<standard-base64>` (canonical padded base64).
+
+**draft-02.** Signature is base64url (URL-safe alphabet, no padding), no algorithm prefix. Algorithm is carried in `signature.alg`.
+
+**Rationale for Signet's form.** Prefix-based encoding is self-identifying and forward-compatible with algorithm rotation (a post-quantum variant would be `ml-dsa-65:<base64>`). This is a reasonable design choice; draft-02 achieves the same via the separate `alg` field.
+
+**Adapter direction (Signet -> draft-02):** Strip the `ed25519:` prefix, decode the base64 body, re-encode as base64url without padding, place in `signature.sig`. Set `signature.alg = "EdDSA"`.
+
+**Possible path 3 (native alignment):** draft-02 could optionally accept a prefixed signature form in a future revision, matching Signet's convention. Discussion welcome.
+
+## 3. Chain linkage: parent ID vs parent hash
+
+**Signet.** `action.parent_receipt_id` is the **ID** of the prior receipt.
+
+**draft-02.** `payload.previousReceiptHash` is the **SHA-256 hash of the canonicalized prior envelope**.
+
+**Tradeoff.** Signet's form is shorter and human-linkable; draft-02's form is tamper-evident without needing access to the prior receipt. A verifier given only a chain tip can detect tampering in any intermediate receipt by recomputing hashes; with Signet's IDs, an attacker can substitute a tampered receipt with the same ID and the chain still "links".
+
+**Adapter direction (Signet -> draft-02):** Compute the SHA-256 of the canonicalized Signet prior receipt at adapter time and emit as `previousReceiptHash`. The adapter MUST have access to the prior receipt (or its hash) to emit this field.
+
+**Maintainer preference (selected).** The Signet maintainer has chosen **Option 2**: add a `parent_hash` field alongside `parent_receipt_id`. Dual-mode, additive, low-effort. Both fields coexist on the wire. Signet-native verifiers continue to use `parent_receipt_id`; draft-02 verifiers use `parent_hash`.
+
+**Signet-side implementation note.** This requires the signer to have access to the prior receipt's canonical bytes at sign time; the signer API needs a minor extension to accept (or compute) the parent hash. Scheduled for an upcoming Signet point release. Once shipped, this deviation collapses to "emit `parent_hash` on the wire, read it on the draft-02 side", and the adapter's chain-linkage step becomes zero-cost.
+
+## 4. Key identifier: pubkey string vs JWK thumbprint
+
+**Signet.** `signer.pubkey = "ed25519:<base64-encoded-raw-pubkey>"`. The pubkey is carried directly; verification uses it by decoding.
+
+**draft-02.** `signature.kid` is the RFC 7638 JWK thumbprint of the operator's public key. The pubkey itself is NOT in the receipt. Verifiers resolve the pubkey from an external source (`--jwks`, `--key`, or a pinned trust anchor).
+
+**Rationale for draft-02's form.** Embedding the verification key in the receipt body does not protect against tampering. The key distribution concern is documented in Section 9 of draft-02 ("Key Distribution and Trust Anchors") and was the driver of the 0.4.0 embedded-key rejection across the protect-mcp and @veritasacta/verify stack.
+
+**Adapter direction (Signet -> draft-02):**
+
+- The adapter computes a JWK thumbprint over the Signet pubkey at adapt time and emits it as `signature.kid`.
+- The adapter does **not** emit the raw pubkey in the draft-02 envelope.
+- The adapter SHOULD publish the pubkey at an out-of-band discovery endpoint (e.g. operator-signed JWKS) for the verifier to resolve via `--jwks`.
+
+**For Signet self-certification:** this is where the conformance bar has teeth. A Signet receipt with the raw pubkey in the payload would fail draft-02 verification on key-distribution grounds. The adapter-produced envelope MUST omit the raw pubkey and MUST carry only the thumbprint.
+
+Not a blocker for conformance; just a real constraint on what the adapter emits.
+
+## Summary
+
+| Delta | Severity | Impact on adapter |
+|---|---|---|
+| Envelope shape | Structural | ~10 lines, boilerplate. |
+| Signature encoding | Cosmetic | ~5 lines, strip prefix + re-encode. |
+| Chain linkage (ID vs hash) | Semantic | Resolved. Signet is adding `parent_hash` alongside `parent_receipt_id` in an upcoming point release; dual-mode, zero-cost after the point release ships. |
+| Key identifier (pubkey vs thumbprint) | Policy | Adapter MUST NOT emit raw pubkey. External key discovery is the verification path. |
+
+None of these deltas are structural blockers to conformance. All are adapter-addressable; two could be additionally softened by thin Signet-side extensions.