{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://attestproto.aitoolerylab.com/schemas/attestation-v0.1.schema.json", "title": "Agent Work Attestation", "description": "Cryptographic attestation that an autonomous AI agent completed a specific unit of work. Provides verifiable, tamper-evident proof of input, output, tool calls, and signing identity. Designed for inter-agent commerce, regulatory audit (EU AI Act Article 19), and AI liability underwriting.", "type": "object", "required": ["version", "attestation_id", "agent", "task", "input", "output", "timestamps", "signature"], "properties": { "version": { "const": "0.1.0", "description": "Spec version. Must match exactly for compatible verification." }, "attestation_id": { "type": "string", "pattern": "^att_[A-Za-z0-9_-]{22}$", "description": "Globally unique attestation identifier. Format: 'att_' + 22-char URL-safe base64 of 16 random bytes." }, "agent": { "type": "object", "required": ["id", "platform", "model"], "properties": { "id": { "type": "string", "description": "Stable agent identifier within platform (e.g. 'asst_abc123' for OpenAI Assistant, 'claude-mcp-fileserver' for MCP server name)." }, "platform": { "type": "string", "enum": ["openai", "anthropic", "google", "mcp", "self-hosted", "other"], "description": "Originating platform / framework." }, "model": { "type": "string", "description": "Model identifier (e.g. 'claude-opus-4-7', 'gpt-5o-2026-04-15')." }, "operator": { "type": "string", "format": "uri", "description": "Optional operator URI (DID, https URL, or DNS name) of the legal entity running the agent." } } }, "task": { "type": "object", "required": ["type", "spec_hash"], "properties": { "type": { "type": "string", "description": "Task category (e.g. 'document.summarize', 'payment.execute', 'support.respond'). Free-form, but recommended to use reverse-DNS namespace for vendor-specific types." }, "spec_hash": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "SHA-256 hash of the canonicalized task specification (input contract, output contract, constraints). Hex-encoded with 'sha256:' prefix." }, "delegation_parent": { "type": "string", "pattern": "^att_[A-Za-z0-9_-]{22}$", "description": "Optional. attestation_id of the parent task that delegated this one. Enables chain-of-proof for multi-hop agent delegation." } } }, "input": { "type": "object", "required": ["hash"], "properties": { "hash": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "SHA-256 hash of the canonicalized input payload. The actual payload may remain confidential; the hash is what's signed." }, "schema": { "type": "string", "description": "Optional JSON Schema URI describing the input shape." }, "size_bytes": { "type": "integer", "minimum": 0, "description": "Size of the canonicalized input in bytes." }, "redaction_policy": { "type": "string", "enum": ["none", "fields-redacted", "full-redacted", "zk-only"], "default": "none", "description": "How input was treated for confidentiality. 'zk-only' means only a zero-knowledge proof is shareable, no payload." } } }, "output": { "type": "object", "required": ["hash"], "properties": { "hash": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "SHA-256 hash of the canonicalized output payload." }, "schema": { "type": "string", "description": "Optional JSON Schema URI describing the output shape." }, "size_bytes": { "type": "integer", "minimum": 0 }, "verdict": { "type": "string", "enum": ["success", "partial", "failed", "refused"], "description": "Self-reported task outcome. Verifiers should treat this as a claim, not ground truth — the chain of attestations + signatures is the actual evidence." }, "redaction_policy": { "type": "string", "enum": ["none", "fields-redacted", "full-redacted", "zk-only"], "default": "none" } } }, "tool_calls": { "type": "array", "description": "Ordered log of external tool / API calls made during task execution. May be empty for pure inference tasks.", "items": { "type": "object", "required": ["tool", "input_hash", "output_hash"], "properties": { "tool": { "type": "string", "description": "Tool identifier (e.g. 'mcp:filesystem.read', 'openai:web_search', 'stripe:create_charge')." }, "input_hash": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }, "output_hash": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$" }, "timestamp": { "type": "string", "format": "date-time" }, "duration_ms": { "type": "integer", "minimum": 0 }, "error_class": { "type": "string", "description": "If tool call failed, broad error category (e.g. 'rate_limited', 'auth_failed', 'invalid_input'). Verifiers can use this to score reliability." } } } }, "timestamps": { "type": "object", "required": ["task_started", "task_completed"], "properties": { "task_started": { "type": "string", "format": "date-time" }, "task_completed": { "type": "string", "format": "date-time" }, "attestation_emitted": { "type": "string", "format": "date-time" } } }, "signature": { "type": "object", "required": ["alg", "key_id", "value"], "properties": { "alg": { "type": "string", "enum": ["ed25519", "ecdsa-p256", "rsa-pss-sha256"], "description": "Signature algorithm. Ed25519 is RECOMMENDED for new deployments." }, "key_id": { "type": "string", "description": "Identifier resolvable to a public key (DNSid record, DID document, https URL with .well-known/agent-keys.json, or fingerprint)." }, "value": { "type": "string", "description": "Base64-encoded signature over the canonicalized attestation (excluding the signature.value field itself)." }, "covers": { "type": "array", "description": "Field paths covered by this signature. Default: all fields except signature.value.", "items": { "type": "string" } } } }, "zk_proof": { "type": "object", "description": "Optional zero-knowledge proof for confidential attestations where input/output payload cannot be revealed but verifier needs cryptographic guarantee that work was performed against the claimed spec.", "properties": { "system": { "type": "string", "enum": ["groth16", "plonk", "stark", "bulletproofs"], "description": "ZK proof system used." }, "circuit_id": { "type": "string", "description": "Identifier of the circuit / constraint system being proven." }, "proof": { "type": "string", "description": "Base64-encoded proof bytes." }, "public_inputs": { "type": "array", "items": { "type": "string" }, "description": "Public inputs to the circuit (e.g. spec hash, task type)." } }, "required": ["system", "circuit_id", "proof"] }, "reputation_tags": { "type": "array", "description": "Optional self-reported tags for downstream reputation scoring (e.g. 'hipaa-eligible', 'eu-ai-act-article-19', 'soc2-tier-1'). Verifiers SHOULD NOT trust these without independent attestor confirmation.", "items": { "type": "string" } }, "co_signatures": { "type": "array", "description": "Optional additional signatures from third parties (e.g. compliance auditor, insurance carrier, regulator). Each follows the signature object schema.", "items": { "$ref": "#/properties/signature" } } } }