The Vaara Receipt: A Recomputable Receipt Format for Decisions About Agent Actions

Introduction A Vaara receipt is a signed, independently recomputable record that binds a decision about an agent action to the evidence it was made on, and optionally to one or more external timestamp anchors. Any system that emits or consumes Vaara receipts conforms to this document. Downstream specifications define profiles that pin to a version of this document and add only their own evidence schema; they do not redefine the envelope. The receipt's trust is root-agnostic. The same record is verifiable with or without a hardware TEE and re-expressible as an IETF RATS () Entity Attestation Result (an AR4SI vector, ), whether rooted in a TPM 2.0 host, an AMD SEV-SNP confidential VM, or software alone. The signature and the optional external time anchor carry the evidence, not a single trust root. This document packages a format that already ships and is already recomputed by independent implementers. The executable conformance fixtures live under tests/vectors/ in the source repository () with a dependency-light checker (_check_independent.py) that imports only the standard library, a signature library, and a JCS implementation.

Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHOULD", and "MAY" in this document are to be interpreted as described in RFC 2119 ().

Canonicalization All digests and all signed payloads in this specification are computed over the JSON Canonicalization Scheme (JCS, ). The canonicalization label for the evidenceRef.canonicalization field () is "jcs-rfc8785". The values "JCS" and "jcs-json-v1" are accepted aliases for the same algorithm; producers SHOULD emit "jcs-rfc8785", and consumers MUST accept all three. A digest is written "sha256:" followed by the lowercase hexadecimal SHA-256 () of the JCS-canonical bytes of the referenced object.

The Receipt Envelope A receipt is a JSON object with these top-level members: Receipt envelope members

Field	Type	Required	Meaning
version	integer	MUST	Envelope version. 1 for this document.
alg	string	MUST	Signature algorithm. ES256 in v1; ML-DSA-65 MAY be offered as a post-quantum scheme.
backLink	object	MUST	Binds this receipt to its attestation/predecessor: attestationDigest, attestationNonce.
decisionDerived	object	MUST	The decision and the evidence it derives from. See .
issuerAsserted	object	MUST	Issuer-asserted identity claims: iss, sub, iat, nonce, alg, secretVersion.
signature	string	MUST	Detached signature, hex. For ES256, the 64-byte r\|\|s pair (128 hex chars).
timestampAnchors	array	MAY	External time attestations over this receipt. See .

The ES256 algorithm label and its 64-byte r||s signature encoding are as defined for "ES256" in JSON Web Algorithms (). The ML-DSA-65 scheme is as defined in .

Signed Payload The signature is computed over the JCS-canonical bytes of the object containing exactly these members, in this set, with their receipt values: "signature" and "timestampAnchors" are NOT part of the signed payload: a receipt can gain anchors after signing without invalidating the signature. A consumer MUST verify the signature by reconstructing this payload, canonicalizing it, and checking it against the public key under "alg".

Evidence Binding (decisionDerived.evidenceRef) decisionDerived carries the decision (decision, decidedAt, policyId, reason, riskScore, thresholdAllow, thresholdBlock) and one evidenceRef object that binds the decision to a recomputable evidence record: evidenceRef members

Field	Meaning
canonicalization	The label from (jcs-rfc8785 / JCS / jcs-json-v1).
digest	"sha256:" of the JCS-canonical evidence record.
ref	An opaque locator for the evidence record (profile-defined).
schema	The schema id of the evidence record (profile-defined).

The binding is recomputable: given the receipt and the evidence record, a third party confirms that sha256(JCS(evidence_record)) equals evidenceRef.digest with no access to the issuer. This is the property independent implementers verify today.

Timestamp Anchors (timestampAnchors) A timestamp anchor is an external attestation that this receipt existed no later than a stated time. Anchors are additive and optional. Each anchor binds the anchored digest, which is "sha256:" of the JCS-canonical signed payload (), so an anchor commits to the exact signed receipt without depending on later anchors. ", "authority": "" } ]]> Registered methods (the registry is open; a profile MAY register more): Timestamp anchor methods

method	What it is	Who can produce it
rfc3161	An RFC 3161 () timestamp token from any Time-Stamping Authority.	Self-hostable (e.g. OpenSSL ts); needs no third party.
rfc3161-eidas-qualified	An RFC 3161 token from a qualified TSA under eIDAS ().	A qualified trust service provider. Adds legal / court-admissible weight; this is the only thing the qualification adds over rfc3161.
ledger	A commitment of the anchored digest to a public ledger; the block time bounds existence.	Self-producible; trust-minimized, no TSA.

A receipt MAY carry several anchors of different methods. The technical anchor (rfc3161, ledger) and the legal anchor (rfc3161-eidas-qualified) are independent: a producer can stand up its own time evidence and add qualified legal weight as a separate, swappable method. No single anchor method is load-bearing for the receipt's integrity, which rests on the signature.

Profiles A profile is a downstream specification that uses this envelope unchanged and defines only its own evidence record (the schema and contents behind evidenceRef), plus any join keys it needs. A profile MUST state the vaara.receipt/vN version it pins to and SHOULD ship recomputable vectors.

Registry The profiles below pin to vaara.receipt/v1. Vector paths are relative to the source repository (). Profile registry

Profile	Evidence schema	Vectors
x402 settlement binding	x402.settlement.*/v0	tests/vectors/x402_settlement_v0/
authorization decision	vaara.authorization/v0	tests/vectors/authorization_v0/, tests/vectors/contiguity_v0/
AP2 checkout binding	vaara.authorization/v0 (names AP2 PEF frame_id)	tests/vectors/ap2_v0/

Profile Example: x402 Settlement Binding This profile binds an x402 payment settlement to a Vaara receipt across an action lifecycle, on a generic rail and on the Sui exact-payment rail. It adds:

A settlement record (schema = x402.settlement.<rail>/v0) whose JCS digest is the receipt's evidenceRef.digest.
A join key actionRef = sha256(JCS({agentId, actionType, scope, timestampMs, seq, terminal})), carried on the settlement, so an in-progress receipt (terminal: false) cannot be presented where the terminal one is required.

A third party recomputes three per-step verdicts (action-ref recomputes, settlement binding resolves, signature verifies) and one lifecycle verdict, with only the settlement and the receipt in hand. See _check_independent.py in the vectors directory.

Profile Example: Authorization Decision This profile turns an enforcement decision into a receipt. A credential broker authorizes a tool call against a signed, attestation-bound grant with typed capability scopes; the gateway's verdict, allow or deny, is minted as a receipt instead of being discarded. The decision maps onto the envelope verdict vocabulary: an allowed call is "allow", a refused call is "block" carrying the machine reason (capability_exceeded, binding_unknown, missing_credential, ...) as decisionDerived.reason. It adds:

An authorization record (schema = vaara.authorization/v0) whose JCS digest is the receipt's evidenceRef.digest. It binds toolName, tenantId, the grant by content address (grantFingerprint = sha256(JCS(signed grant))), the runtime argument commitment (argsCommitment = sha256(JCS(args))), the evaluated capabilities, and the verdict / reason.
The raw arguments never enter the record; only their commitment does, so the receipt is publishable while the arguments stay private. An auditor holding the arguments out of band recomputes the commitment and re-runs the verdict.
An optional coverage block names the observation boundary the decision was made under, inside the record and therefore under the signature. It binds the boundary (the chokepoint identity), the serverFingerprint (the exact capability surface in scope, manifest:sha256(JCS(tools)) or the command hash), and a scope literal stating that only calls routed through the chokepoint are observed. A tool reached on an out-of-band path is out of coverage. The block is absent when no boundary is asserted, leaving the record byte-identical to a coverage-free decision.
An optional completeness block scopes a sequence to that boundary, inside the record and therefore under the signature. It binds the boundaryId (the same boundary the coverage block names), a monotonic seq starting at 0 with no gaps by construction, and a runningCount equal to the total receipts issued under the boundary up to and including this one (runningCount = seq + 1). The block is absent when no sequence is asserted, leaving the record byte-identical to a completeness-free decision.

A verdict is only as meaningful as what the issuer could see. "allow" over an unbounded surface and "allow" over a stated one are identical bytes with opposite meaning, so an absent refusal reads as fact only against a declared scope: "not refused within this boundary", never "not observed". The coverage block carries that boundary in the trace itself, so it is recomputable evidence rather than a separate trust root. The verdict stays a thin read over it. The chokepoint remains an observer of what passes through it, not a claim about what does not. The deny case is the point. A refused call leaves a signed, content-addressed, portable proof of the non-action: a third party recomputes the verdict from the grant and the arguments and confirms the refusal, trusting only the issuer's public key. A third party recomputes five verdicts per case (grant fingerprint, argument commitment, capability verdict, evidence binding, signature) with only the grant, the arguments, the evidence, and the receipt in hand. See _check_independent.py. Coverage states the boundary; completeness makes a gap inside it provable. With the per-boundary seq contiguous by construction and the runningCount signed into each record, a dropped receipt is a missing sequence number that any holder detects from the receipts alone: the highest running count names how many exist, so a short set is self-evidently incomplete and the absent seq is named. This needs no issuer access and no external witness. The tests/vectors/contiguity_v0/ vectors and the "vaara verify-contiguity" surface carry that check. One honest limit remains: a pure tail truncation (holding 0..k with nothing after) cannot be told from a complete stream by contiguity alone, since the latest held count is then k + 1. Closing it is the job of an rfc3161 anchor over the running count (), which attests that at time T, N receipts existed under the boundary.

Profile Example: AP2 Checkout Binding This profile binds an AP2 checkout to the post-checkout agent actions a credential broker authorizes, so the actions taken after a payment settles carry the same recomputable, gap-evident record as the authorization decisions in . It reuses the vaara.authorization/v0 evidence record unchanged and adds a join to the AP2 Payment Evidence Frame (PEF, AP2 PR #274):

The AP2 checkout emits a PEF whose frame_id = sha256(JCS(frame)), with frame_id and signature excluded from the preimage, and whose receipt_hash = sha256(JCS(receipt)) content-addresses the wrapped Checkout Receipt. Canonicalization is urn:x402:canonicalisation:jcs-rfc8785-v1 (JCS / RFC 8785), the same as this envelope, so the address joins with no re-canonicalization.
Each post-checkout authorization receipt names the checkout it followed by content address: decisionDerived.evidenceRef.ref = ap2:checkout/<frame_id>, under the receipt signature. The AP2 task scope is the coverage.boundary (), and the completeness block sequences the actions under it.

The identity of the checkout is the PEF frame_id, a content address the payment side already computes; the completeness of the actions taken under it is the vaara.authorization/v0 contiguity stream. A per-action hash says an action was recorded; the running count says none inside the AP2 task boundary was dropped. A third party recomputes the frame address, confirms every receipt names that checkout, resolves each evidence binding, verifies each signature, and re-runs the gap check, with only the PEF and the held receipts in hand. See tests/vectors/ap2_v0/_check_independent.py. AP2 can pin from the point the Checkout Receipt ends rather than define a new post-settlement primitive.

Conformance An implementation conforms to vaara.receipt/v1 if, for every receipt it emits:

The signature verifies against the stated alg and key.
evidenceRef.digest equals sha256(JCS(evidence_record)) for the referenced record, under one of the canonicalization labels.
Any timestampAnchors[].anchoredDigest equals the "sha256:" of the JCS signed payload of the same receipt.

The committed vectors plus _check_independent.py are the reference conformance suite; running the x402 profile checker and having it exit 0 is a passing run for that profile.

Versioning The envelope version is the integer "version" field and the vaara.receipt/vN schema id. Additive, backward-compatible changes (new optional fields, new anchor methods, new profiles) do not bump N. A change to the signed-payload field set, the canonicalization, or the signature construction bumps N.

Security Considerations The integrity of a receipt rests on the signature over the JCS-canonical signed payload, not on any timestamp anchor or trust root. A consumer MUST verify that signature against the public key named under "alg" before relying on any field. Because the signed payload excludes "signature" and "timestampAnchors", anchors added after signing cannot alter the signed content; a consumer MUST recompute each anchoredDigest from the signed payload rather than trusting the anchor's stated value. Recomputability depends entirely on canonicalization. A producer and a consumer that disagree on JCS output for the same JSON value will compute different digests; implementations MUST use a conformant JCS () implementation and MUST treat any of the three accepted labels as the same algorithm. The argument commitment in the authorization profile () lets a receipt be published while the raw arguments stay private, but a low-entropy argument set is open to a dictionary attack against the commitment. Producers SHOULD ensure the committed object carries sufficient entropy (for example a per-call nonce) where argument confidentiality matters. An absent refusal is evidence only within a declared coverage boundary (). A reader MUST NOT read a missing receipt as "the action did not happen"; without a coverage block it means only "not observed", and with one it means "not refused within this boundary". The completeness block makes a dropped receipt inside the boundary detectable, but a pure tail truncation is not detectable by sequence contiguity alone and requires a timestamp anchor over the running count to close.

IANA Considerations This document has no IANA actions. The timestamp anchor method registry () and the profile registry () are maintained by the specification, not by IANA, in this version.