agentic-identity 0.2.4

Cryptographic identity anchor for AI agents — persistent identity, signed actions, revocable trust
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134

//! Data structures for negative capability proofs.

use serde::{Deserialize, Serialize};

use crate::identity::IdentityId;
use crate::receipt::witness::WitnessSignature;
use crate::spawn::SpawnId;

// ---------------------------------------------------------------------------
// Impossibility reason
// ---------------------------------------------------------------------------

/// Reason why a capability is structurally impossible.
#[derive(Debug, Clone, Serialize, Deserialize, PartialEq, Eq)]
pub enum ImpossibilityReason {
    /// Not in identity's capabilities ceiling
    NotInCeiling,

    /// No ancestor in lineage has this capability
    NotInLineage,

    /// Explicitly excluded at spawn time
    SpawnExclusion { spawn_id: SpawnId },

    /// Capability structurally doesn't exist
    CapabilityNonexistent,

    /// Voluntarily declared impossible
    VoluntaryDeclaration { declaration_id: DeclarationId },
}

// ---------------------------------------------------------------------------
// Negative capability proof
// ---------------------------------------------------------------------------

/// Unique identifier for a negative proof.
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub struct NegativeProofId(pub String);

impl std::fmt::Display for NegativeProofId {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{}", self.0)
    }
}

/// Negative capability proof — cryptographic evidence that an agent CANNOT do something.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct NegativeCapabilityProof {
    pub proof_id: NegativeProofId,
    pub identity: IdentityId,
    pub cannot_do: String, // CapabilityUri
    pub reason: ImpossibilityReason,
    pub evidence: NegativeEvidence,
    pub generated_at: u64,
    pub valid_until: Option<u64>,
    pub proof_hash: String,
    pub signature: String,
}

// ---------------------------------------------------------------------------
// Negative evidence
// ---------------------------------------------------------------------------

/// Evidence supporting the impossibility claim.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub enum NegativeEvidence {
    /// Ceiling proof — the ceiling doesn't include the capability
    CeilingExclusion {
        ceiling: Vec<String>,
        ceiling_hash: String,
    },

    /// Lineage proof — no ancestor has the capability
    LineageExclusion {
        lineage: Vec<IdentityId>,
        ancestor_ceilings: Vec<(IdentityId, Vec<String>)>,
        lineage_hash: String,
    },

    /// Spawn exclusion — spawn record explicitly excludes
    SpawnExclusion {
        spawn_id: SpawnId,
        spawn_record_hash: String,
        exclusions: Vec<String>,
    },

    /// Voluntary declaration as evidence
    Declaration { declaration_id: DeclarationId },
}

// ---------------------------------------------------------------------------
// Negative declaration
// ---------------------------------------------------------------------------

/// Unique identifier for a negative declaration.
#[derive(Debug, Clone, PartialEq, Eq, Hash, Serialize, Deserialize)]
pub struct DeclarationId(pub String);

impl std::fmt::Display for DeclarationId {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        write!(f, "{}", self.0)
    }
}

/// Voluntary negative capability declaration — self-imposed restriction.
#[derive(Debug, Clone, Serialize, Deserialize)]
pub struct NegativeDeclaration {
    pub declaration_id: DeclarationId,
    pub identity: IdentityId,
    pub cannot_do: Vec<String>, // CapabilityUris
    pub reason: String,
    pub declared_at: u64,
    pub permanent: bool,
    pub witnesses: Vec<WitnessSignature>,
    pub signature: String,
}

// ---------------------------------------------------------------------------
// Negative verification
// ---------------------------------------------------------------------------

/// Verification result for a negative proof.
#[derive(Debug, Clone)]
pub struct NegativeVerification {
    pub proof_id: NegativeProofId,
    pub identity: IdentityId,
    pub capability: String,
    pub reason_valid: bool,
    pub evidence_valid: bool,
    pub signature_valid: bool,
    pub is_valid: bool,
    pub verified_at: u64,
    pub errors: Vec<String>,
}