offline-verifiable authorization and execution receipts for AI and high-consequence software actions
The trust layer for AI and high-consequence software actions. Every decision is traceable, exportable, and independently verifiable.
TypeScript + Python reference · pnpm · Append-only chain · Offline verification · No database required
| Signal | Current status |
|---|---|
| Status | Public release track |
| API stability | Pre-1.0, changes possible |
| Verification scope | Hash-chain integrity plus manifest chain hash checks |
| Security disclosure | See SECURITY.md, report privately via email |
| Recommended usage | Proof layer for traceability and offline verification |
| Not yet included | Runtime enforcement, claim tokens, replay locks, signed bundles |
Decision Passport v0.7.0 is implemented core-first in this repository.
For v0.7.0, this repository is the canonical source for:
- model semantics
- verifier semantics
- fixture and golden output corpus
- protocol/spec documentation
Primary v0.7.0 scope:
- DecisionTrail
- RuntimeClaim
- OutcomeBinding
- upgraded verifier semantics for authorization, runtime claim, and outcome linkage
Explicitly out of v0.7.0 scope:
- hosted guard runtime implementation
- enterprise-only control plane surfaces
- broad signing/profile expansion without complete verifier and fixture coverage
- UI-first feature expansion
Sovereign and OpenClaw Lite can adopt v0.7.0 semantics after they are locked in core. They do not define the canonical model for this release.
This section is normative for what this repository can prove today.
| Surface | v0.7.0 status | Truth statement |
|---|---|---|
| DecisionPassport (bundle hash chain + manifest integrity) | Implemented | TypeScript and Python verifiers validate integrity, shape, and deterministic auditor outputs. |
| DecisionTrail (structured pre-action artifact) | Implemented (model + schema + verifier-visible linkage semantics) | Trail structure and linkage signals are modeled and validated on canonical fixtures; trail is not an authorization decision by itself. |
| DecisionGuard semantics (RuntimeClaim + fail-closed deny taxonomy) | Partially implemented | RuntimeClaim schema and verifier-visible outcomes are implemented; a full hosted/runtime guard executor is not included. |
| DecisionVerifier semantics | Implemented for v0.7.0 scope | Verifier exposes stable auditor fields and additive semantic statuses for authorization, payload binding, runtime claim, outcome linkage, revocation, supersession, and trail linkage. |
Spec-defined but not fully implemented in this release:
- full runtime enforcement service behavior and orchestration
- broad signing and key-management profiles
- external notarization or identity attestation workflows
Future work (0.8.x or later):
- hosted guard runtime and replay-state infrastructure
- richer execution side-effect graph surfaces
- expanded signing/profile ecosystem with complete parity fixtures
- A bundle's record hashes, chain links, and manifest chain hash are internally consistent.
- Payload tampering and chain mutation are detected by verification.
- Verification runs offline with no database, API key, or cloud dependency.
- v0.7.0 verifier semantics classify runtime-claim, outcome-linkage, revocation/supersession, and trail-linkage states on supported bundle surfaces.
- Runtime policy enforcement at execution time.
- Storage-level immutability by itself.
- Who authored a bundle, unless a separate signing layer is used.
- That a hosted guard executor blocked or allowed execution in real time.
Use this repository when you need portable, offline-checkable proof artifacts for AI action history.
Use stronger infrastructure when you need execution claims, fail-closed guard enforcement, replay protection, tenant isolation, signed bundles, or regulated deployment controls.
Logs and traces are operational telemetry. Decision Passport Core is a verifiable proof format with canonical hashing and chain integrity checks. Observability helps you inspect behavior, this repo helps you verify integrity of exported proof artifacts.
git clone https://github.com/brigalss-a/decision-passport-core.git
cd decision-passport-core
pnpm install --frozen-lockfile
pnpm build
pnpm test
pnpm verify-demoNo database, API key, or cloud account required.
Use this exact sequence for a fast, trust-focused validation pass:
pnpm install --frozen-lockfile
pnpm build
pnpm test
pnpm conformance
pnpm verify-demo
pnpm example:smoke
python -m decision_passport.verify examples/reference-integrations/webhook-approval-receipt.bundle.json
python -m decision_passport.verify examples/reference-integrations/agent-tool-execution-receipt.bundle.jsonIf all commands pass, you have validated:
- Core verifier correctness.
- TypeScript/Python conformance parity.
- Deterministic reference-integration behavior.
- Auditor-grade output paths on canonical bundle surfaces.
Python reference implementation is available in python/decision_passport_py and mirrors the protocol surface for offline create and verify flows.
What this verifies:
- The hash chain engine builds cleanly.
- A decision chain can be created and exported.
- The offline verifier confirms
PASSwhen hashes and links are intact. - A tampered bundle is rejected as
FAIL. - HTML verification reports are generated in
artifacts/. - Current local validation for v0.7.0 release prep requires all release gates in
docs/release-checklist.mdto pass, including TypeScript suite, conformance parity, demo/reference checks, and Python verifier checks on reference bundles.
cd python/decision_passport_py
pip install -e .
python -m unittest discover -s tests -v
python -m decision_passport.verify ../../fixtures/valid-bundle.jsonServe the repo and open apps/verifier-web/. Drag any bundle JSON onto the page for client-side verification.
npx serve . -l 3000
# Open http://localhost:3000/apps/verifier-web/
Decision Passport is an append-only, hash-linked record system for AI agent actions.
Every material action your AI agent performs, such as a recommendation, an approval decision, or an execution result, is stamped into a tamper-evident chain. That chain is bundled and can be independently verified offline.
This repository provides deterministic verification semantics through canonical hashing and explicit chain rules. Record creation still uses runtime UUID and timestamp values, so fixture regeneration is not byte-identical unless controlled inputs are used.
AI agent runs, tool calls happen, results returned, nothing verifiable is exported.
Hard to explain what was decided.
Hard to prove what executed.
Hard to support external review.
AI agent runs, each material step is stamped into an append-only chain.
Bundle exported as portable JSON proof.
Verifier returns PASS when integrity checks succeed.
External reviewers can independently verify chain integrity.
import { createRecord, createManifest } from '@decision-passport/core';
import { verifyBasicBundle } from '@decision-passport/verifier-basic';
const chainId = `session-${Date.now()}`;
// 1. Stamp each action
const record1 = createRecord({
chainId,
lastRecord: null,
actorId: 'claude-agent-01',
actorType: 'ai_agent',
actionType: 'AI_RECOMMENDATION',
payload: {
rationale: 'Policy v2.1, action within approved risk threshold',
confidence: 0.94,
policy_version: 'v2.1'
}
});
const record2 = createRecord({
chainId,
lastRecord: record1,
actorId: '[email protected]',
actorType: 'human',
actionType: 'HUMAN_APPROVAL_GRANTED',
payload: { note: 'Reviewed and approved' }
});
const record3 = createRecord({
chainId,
lastRecord: record2,
actorId: 'claude-agent-01',
actorType: 'ai_agent',
actionType: 'EXECUTION_SUCCEEDED',
payload: { result_summary: 'Email delivered', message_id: 'msg-8821' }
});
// 2. Export a portable proof bundle
const records = [record1, record2, record3];
const bundle = {
bundle_version: '1.4-basic' as const,
exported_at_utc: new Date().toISOString(),
passport_records: records,
manifest: createManifest(records)
};
// 3. Verify independently (no network, no database)
const result = verifyBasicBundle(bundle);
console.log(result.status); // 'PASS'decision-passport-core/
├── packages/
│ ├── core/ ← Hash chain engine
│ │ ├── src/types.ts ActionType, PassportRecord, ChainManifest, BasicProofBundle
│ │ ├── src/chain.ts createRecord(), verifyChain(), assertValidChain()
│ │ ├── src/hashing.ts hashCanonical(), hashPayload(): SHA-256, deterministic
│ │ ├── src/canonical.ts Canonical JSON serialiser (no duplicate hashing)
│ │ ├── src/manifest.ts createManifest()
│ │ ├── src/explain-tamper.ts explainTamper(): what changed and why it broke
│ │ ├── src/bundle-diff.ts diffBundles(): compare two bundles field by field
│ │ └── src/errors.ts ChainValidationError
│ │
│ ├── verifier-basic/ ← Offline bundle verifier
│ │ ├── src/verify-bundle.ts verifyBundle(): zero external deps
│ │ └── src/html-report.ts renderVerificationReport(): static HTML export
│ │
│ └── demo/ ← Runnable demo
│ └── src/index.ts Full demo: record → export → verify → PASS
│
├── apps/
│ └── verifier-web/ ← Browser verifier (drag-and-drop, zero dependencies)
│
├── fixtures/ ← Deterministic conformance fixtures
│ ├── valid-bundle.json
│ ├── tampered-bundle.json
│ ├── broken-prev-hash.json
│ ├── wrong-sequence.json
│ ├── wrong-chain-hash.json
│ ├── malformed-bundle.json
│ ├── unsupported-version.json
│ └── compatible-optional-metadata.json
│
├── python/
│ └── decision_passport_py/ ← Python reference implementation (offline-first)
│
└── artifacts/ ← Generated by verify-demo
├── verification-report.html
├── tampered-report.html
└── verification-summary.json
PassportRecord[0] PassportRecord[1] PassportRecord[2]
───────────────── ───────────────── ─────────────────
id: uuid id: uuid id: uuid
sequence: 0 sequence: 1 sequence: 2
prev_hash: GENESIS prev_hash: hash[0] prev_hash: hash[1]
payload_hash: sha256 payload_hash: sha256 payload_hash: sha256
record_hash: sha256 ──► record_hash: sha256 ──► record_hash: sha256
│
▼
ChainManifest
chain_hash = record_hash[2]
│
▼
BasicProofBundle
(portable · verifiable · exportable)
Tampering with any single byte in any record breaks every subsequent hash. The chain becomes self-auditing.
The atomic unit of trust. Every record contains:
| Field | Description |
|---|---|
id |
UUID |
chain_id |
Session identifier |
sequence |
Monotonic counter (0, 1, 2, ...) |
timestamp_utc |
ISO 8601 timestamp |
actor_id |
Who acted (agent ID, user email, system name) |
actor_type |
human / ai_agent / system / policy |
action_type |
Category (see below) |
payload |
Action data (structured) |
payload_hash |
SHA-256 of payload |
prev_hash |
Hash of previous record (or GENESIS) |
record_hash |
SHA-256 of the full record (excluding itself) |
metadata |
Optional: environment, tenant, policy refs |
type ActionType =
| 'AI_RECOMMENDATION' // Agent produces a decision
| 'HUMAN_APPROVAL_GRANTED' // Human approves
| 'HUMAN_APPROVAL_REJECTED' // Human rejects
| 'POLICY_APPROVAL_GRANTED' // Policy engine approves
| 'EXECUTION_PENDING' // Action queued
| 'EXECUTION_SUCCEEDED' // Action completed successfully
| 'EXECUTION_FAILED' // Action failed
| 'EXECUTION_ABORTED' // Action cancelled
| 'HUMAN_OVERRIDE' // Human overrides system decision
| 'POLICY_EXCEPTION'; // Exception grantedChain summary: chain_id, record_count, first_record_id, last_record_id, chain_hash.
The portable export format (bundle_version: "1.4-basic"). Contains all records + manifest. Self-contained, verifiable offline.
import { verifyBasicBundle } from '@decision-passport/verifier-basic';
import fs from 'fs';
const bundle = JSON.parse(fs.readFileSync('./bundle.json', 'utf8'));
const result = verifyBasicBundle(bundle);
console.log(result.status); // 'PASS' | 'FAIL'
console.log(result.summary); // short human summary
console.log(result.reasonCodes); // stable machine-readable reason codes
console.log(result.checks); // array of individual check results
console.log(result.nextSteps); // concise triage guidance on FAILA CLI verifier is also available at packages/verifier-basic/src/cli.ts:
pnpm tsx packages/verifier-basic/src/cli.ts ./bundle.jsonCompare two bundles to see exactly what changed:
pnpm diff-bundles fixtures/valid-bundle.json fixtures/tampered-bundle.jsonOr use the API:
import { diffBundles } from '@decision-passport/core';
const result = diffBundles(bundleA, bundleB);
console.log(result.identical); // false
console.log(result.summary); // '1 difference(s) found: 1 field change(s).'
console.log(result.findings); // structured diff findingsThe Python package in python/decision_passport_py is protocol-first and offline-only, not an API wrapper.
cd python/decision_passport_py
pip install -e .
python -m decision_passport.verify ../../fixtures/valid-bundle.json
python -m decision_passport.diff ../../fixtures/valid-bundle.json ../../fixtures/tampered-bundle.jsonThe verifier checks:
- Every
record_hashmatches the recomputed deterministic hash - Every
prev_hashcorrectly chains to the previous record - Sequence numbers are gapless and correct
chain_hashin the manifest matches the terminal record
If the input is malformed, verification returns FAIL with a structure reason code.
If integrity checks fail, verification returns FAIL with integrity reason codes.
- Schema and versioning: bundle structure, record fields, hashing rules, evolution guidance
- Compatibility matrix: which tools work with which formats
- Verifier compatibility promise: 12-month supported/deprecated/unsupported policy
- Verifier auditor output: deterministic verdict/code/location/reason/remediation_hint contract
- Protocol conformance: normative verifier checks and fixture outcomes
- Conformance manifest: machine-readable expected verdict map for canonical fixtures
- JSON Schemas: machine-readable schemas for
BasicProofBundle,ChainManifest,PassportRecord - Release verification: how to verify a published release locally
- Release provenance: official release artifacts, 3-minute local verification, and trust limitations
- Reference integrations: two ultra-small end-to-end examples (webhook approval receipt and agent/tool execution receipt)
- Append-only guarantees: what the protocol enforces, what verification detects, storage-level limits
- Bundle Diff: how to compare two bundles, generate diff artifacts, and interpret findings
- Boundaries: exact scope, non-goals, and trust boundary edges
- Threat model: addressed threats, assumptions, and residual risk
- Verification model: PASS and FAIL semantics, safe interpretation
- Tamper cases: concrete failure patterns and investigation guidance
| Capability | Core (this repo) | Enterprise (private) |
|---|---|---|
| Append-only hash chain | ✓ Free | ✓ |
| Basic bundle export (JSON) | ✓ Free | ✓ |
| Offline verifier | ✓ Free | ✓ |
| CLI verifier | ✓ Free | ✓ |
| Demo + examples | ✓ Free | ✓ |
| Execution claims (single-use auth tokens) | N/A | ✓ |
| Guard enforcement (blocking before execution) | N/A | ✓ |
| Replay protection (nonce + TTL) | N/A | ✓ |
| Outcome binding (cryptographic result sealing) | N/A | ✓ |
| PostgreSQL persistence | N/A | ✓ |
| Redis distributed locking | N/A | ✓ |
| Merkle proof bundle | N/A | ✓ |
| Advanced verifier (enterprise-grade) | N/A | ✓ |
| Sovereign signed bundles (HMAC-SHA256) | N/A | ✓ |
| Air-gapped verifier packaging | N/A | ✓ |
| Dashboard + live backend | N/A | ✓ |
| SSO / RBAC / tenant isolation | N/A | ✓ |
Core is free and open source.
Hosted, business, enterprise, and sovereign deployment options are available on request.
Contact: [email protected]
- Core hash chain engine
- BasicProofBundle export
- Offline verifier (zero-dependency)
- CLI verifier
- Demo with sample data
- Tamper explainer (
explainTamper(): what changed and why it broke) - HTML verification report export
- Browser verifier (drag-and-drop, client-side only)
- Deterministic valid + tampered fixtures
- ASCII chain visualiser
- Policy version binding helpers
- Redaction mode (
metadata-onlyandhash-onlybundles) - Bundle diff utility (
diffBundles(): compare two bundles) - OpenClaw Lite bridge (see
decision-passport-openclaw-lite) - Trusted timestamping integration (RFC 3161)
This repository is the public protocol layer. The full ecosystem:
| Repo | Visibility | Purpose |
|---|---|---|
decision-passport-core |
Public | This repo: protocol, chain, basic verifier |
decision-passport-openclaw-lite |
Public | OpenClaw integration bridge (Lite) |
decision-passport-control-plane-real |
Private | Claims, guard, replay, outcomes, persistence |
decision-passport-sovereign-real |
Private | Signed bundles, air-gapped verifier |
To keep this repository technically honest, we keep public feedback channels focused on reproducible verifier and conformance evidence.
- Adoption and validation signals:
docs/adoption-signals.md - Verifier contract feedback template:
.github/ISSUE_TEMPLATE/verifier-contract-feedback.md - Conformance/integration feedback template:
.github/ISSUE_TEMPLATE/conformance-or-integration-feedback.md
When reporting feedback, include exact commands, fixture/bundle inputs, and expected vs actual verifier outputs.
Contributions to the public protocol are welcome.
Fork the repository on GitHub, then run:
git clone https://github.com/YOUR_USERNAME/decision-passport-core.git
cd decision-passport-core
git checkout -b feat/my-improvement
pnpm install --frozen-lockfile
pnpm testThen open a pull request with a clear description of what changed and why.
Apache-2.0. See full text in LICENSE file.
You may use, modify, and distribute this software freely, including in commercial products. The express patent grant protects you and your users. Product names, logos, and hosted offerings remain the intellectual property of Bespoke Champions League Ltd.
Decision Passport is built and maintained by Bespoke Champions League Ltd, London, United Kingdom.
It powers the trust layer inside Bespea. Decision Passport emerged from a real-world problem: AI systems making material delivery, execution, and approval decisions without a portable, verifiable record.
Maintainer: Grigore-Andrei Traistaru Founder [email protected] https://bespea.com