docs(agent-commit/v0.2): document ResourceDescriptor byproduct pattern#2
Closed
tomjwxf wants to merge 6 commits intoarewm:mainfrom
Closed
docs(agent-commit/v0.2): document ResourceDescriptor byproduct pattern#2tomjwxf wants to merge 6 commits intoarewm:mainfrom
tomjwxf wants to merge 6 commits intoarewm:mainfrom
Conversation
Initial draft of a SLSA provenance v1 build type for AI agent commits. Defines how to capture agent configuration (model, runtime, tools, sandbox policy), subagent delegation, and eBPF-observed runtime behavior (network, filesystem, process) within the standard SLSA provenance predicate. Related: slsa-framework/slsa#1594 Assisted-by: Claude Code (Opus 4.6)
Add explicit background colors and a prefers-color-scheme: dark media query so the page is readable in both light and dark mode. Assisted-by: Claude Code (Opus 4.6)
Remove minima theme reference (we provide our own layout), add trailing slash to permalink so Jekyll outputs index.html instead of an extensionless file, and add Gemfile for local builds. Assisted-by: Claude Code (Opus 4.6)
Add timestamps to all observation entries (start/end for ranges, time for instants) to enable cross-observation correlation. Simplify field names (finalDigest → digest, startedOn/finishedOn → start/end). Mark v0.1 as superseded. Assisted-by: Claude Code (Opus 4.6)
Assisted-by: Claude Code (Opus 4.6)
Implements the pattern you described in issue arewm#1 and in SLSA #1594: additional attestations about the same subject, produced by identities distinct from the builder, are referenced via ResourceDescriptor entries in byproducts rather than inlined under the builder's signature. Changes (all additive, no breaking changes to v0.2 observation schema): 1. New subsection "Referenced attestations" in the Byproducts section, describing the digest + URI + annotations.predicateType shape and the three-step verifier flow for fetching and checking referenced attestations independently of the builder's signature. 2. A decision-receipts ResourceDescriptor entry added to the existing coordinator + implementer JSON example, alongside the observed-* entries. Shows the canonical shape: name, digest, uri, annotations.{predicateType, signerRole, ...} Uses the in-toto predicate type URI proposed at in-toto/attestation#549. 3. A parsing-rule clarifying that byproduct entries carrying both `digest` and `uri` SHOULD be routed as ResourceDescriptor references rather than as inline observation data, with the predicateType used for verifier routing when present. 4. Design Rationale subsection "Why additional attestations use ResourceDescriptor references", explaining trust-domain separation: inlining would imply content-level verification the builder cannot do; cross-signing would obscure the original signer's identity; the reference pattern keeps the buildType composable as new attestation types emerge (decision receipts, behavioral telemetry, compliance). 5. Changelog entry for this update, explicitly noted as additive. Motivated by your comment on issue arewm#1: "best potential way to integrate additional attestations might be to add it to byproducts, but not in-lining those attestation properties. If the supervisor is aware of these additional attestations then it could potentially insert a ResourceDescriptor in byproducts with a digest and URI pointing to where the attestation is stored." The "decision-receipts" byproduct in the example references an in-toto attestation signed by a supervisor-hook identity, matching the "who makes the claim" separation you asked about in SLSA #1594. Happy to iterate on naming (e.g., the `signerRole` key), on the exact predicate type URI (in-toto/attestation#549 is still in review), or to split this into a v0.3 tag if you would rather keep v0.2 frozen at timestamp-only. Refs: arewm#1 slsa-framework/slsa#1594 in-toto/attestation#549
This was referenced Apr 17, 2026
tomjwxf
pushed a commit
to tomjwxf/attestation
that referenced
this pull request
Apr 17, 2026
…escriptor Aligns this predicate with the agent-commit SLSA build type so that a SLSA provenance attestation and a Decision Receipt attestation about the same subject compose cleanly without cross-signing trust domains. Additions: - New "Relationship to SLSA Provenance" section explaining that the receipt signer (supervisor-hook identity) is deliberately distinct from the SLSA provenance signer (builder-platform identity), and that composition happens via a ResourceDescriptor reference in the SLSA byproducts, not by inlining the receipt content inside the SLSA envelope. - A worked example of the byproduct entry as it appears in an agent-commit provenance, including `predicateType`, `signerRole: "supervisor-hook"`, chain length, and genesis/final receipt hashes. Pattern tracks the companion PR at arewm/refs.arewm.com#2 (agent-commit v0.2 update). - Three-step verifier flow for consuming both attestations: verify SLSA signature against builder identity; fetch, digest-check, and verify the referenced receipt attestation against the supervisor identity named in `issuerId`; cross-reference subjects and interpret the chain per this predicate's semantics. - Clarification that `issuerId` (concrete signing identity) and the SLSA byproduct's `signerRole` annotation (logical role of that identity relative to the builder) are complementary fields, not duplicative. - Changelog and References updated to point at the agent-commit build type and slsa-framework/slsa#1594. No changes to the predicate schema or field semantics. Purely additive documentation on how this predicate composes with SLSA. Refs: arewm/refs.arewm.com#1, arewm/refs.arewm.com#2 (agent-commit composition) slsa-framework/slsa#1594 (SLSA-for-agents)
Owner
|
In the process of pushing a new |
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Picks up your comment on #1 and your edit on SLSA #1594 about using
ResourceDescriptorreferences (not inlined content) for additionalattestations produced by identities distinct from the builder. All changes
are additive to v0.2, no breaking changes to the observation byproduct
schema.
What this changes
### Referenced attestationssubsection in the Byproducts sectionagent-commit/v0.2/index.mddecision-receiptsResourceDescriptor entry added to the coordinator + implementer JSON example alongside theobserved-*entriesdigestanduriSHOULD be treated as ResourceDescriptor references, routed byannotations.predicateTypeWhy this addresses your architectural question
Your comment on #1 named the right issue: "what you are trying to do for a decision-receipt is being driven from a different identity." The ResourceDescriptor pattern resolves this cleanly:
{digest, uri, predicateType, signerRole}so a verifier can fetch and validate the referenced attestation independently.For decision receipts specifically: the receipt is signed by a supervisor hook (the
PreToolUseinterceptor in the agent host), using a key the agent process cannot access. The supervisor is in the enforcement path by the host's wiring, not by the agent's cooperation. Different identity, different key, same subject.Example
The worked example now carries a
decision-receiptsentry alongside theobserved-*entries:{ "name": "decision-receipts", "digest": { "sha256": "a8f3c9d2..." }, "uri": "oci://ghcr.io/org/agent-session/run-coord-issue-42/receipts:sha256-a8f3c9d2", "annotations": { "predicateType": "https://in-toto.io/attestation/decision-receipt/v1", "signerRole": "supervisor-hook", "chainLength": 47, "genesisReceiptHash": "sha256:a8f3c9d2e1b7465f", "finalReceiptHash": "sha256:e4d61f7a09b8cd34" } }The
predicateTypeURI points at the in-toto predicate proposal #549. If that URI changes during in-toto review, this reference can update without a schema change.What I did not change
observed-network,observed-filesystem,observed-process) is untouched.The pattern is purely additive: the buildType gains a documented way to reference external attestations without modifying what is already there.
Open questions
Happy to iterate on any of these:
signerRolenaming. Open tosigner,producer,attester, whatever fits. I usedsignerRolebecause it is a role, not an identity.https://github.com/in-toto/attestation/blob/main/spec/v1/resource_descriptor.md. If you prefer the SLSA provenance link or a different canonical reference, happy to update.Refs
Thanks for the careful architectural read — the decision-receipts design is materially better with the ResourceDescriptor separation than with the inline version I proposed initially.