Ratify Protocol v1 types.
Every public key and every signature is a hybrid pair: one Ed25519 component and one ML-DSA-65 (FIPS 204) component. Both must verify.
Structs
- AgentIdentity - An AI agent’s identity.
- Anchor - Optional external binding for higher-assurance identity.
- Constraint - First-class bound on when/where/how much an agent may exercise its scopes.
- DelegationCert - Signed authorization from a principal to an agent.
- HumanRoot - Master identity for a human (or tenant admin).
- HybridPrivateKey - Both component private keys. Never serialized to the wire.
- HybridPublicKey - Ed25519 + ML-DSA-65 public key pair.
- HybridSignature - Ed25519 + ML-DSA-65 signature pair over the same canonical bytes.
- KeyRotationStatement - Signed continuity statement from an old root key to a new root key.
- ProofBundle - Proof an agent presents to a verifier.
- ReceiptParty - One party to a TransactionReceipt.
- ReceiptPartySignature - Hybrid signature by a party over the canonical receipt signable.
- RevocationList - Signed list of revoked cert IDs, served by the issuer.
- RevocationPush - v1.1 signed push notification of newly revoked cert IDs.
- SessionToken - v1.1 verifier-issued credential that caches a verified chain. MAC = HMAC-SHA256(session_secret, session_token_sign_bytes(token)). The session secret is private to the verifier and never leaves its trust boundary.
- StreamContext - Verifier state tracked per stream_id for v1.1 stream-bound bundles.
- TransactionReceipt - v1.1 canonical envelope for a multi-party, atomic transaction.
- TransactionReceiptResult - Outcome of verify_transaction_receipt.
- VerifierContext - Application-supplied inputs for evaluating first-class constraints. A cert bearing a constraint whose required context field is absent will be rejected with constraint_unverifiable (fail-closed).
- VerifyOptions - Options passed to verify_bundle.
- VerifyResult - Deterministic output of verify_bundle. Always check valid first.
- WitnessEntry - v1.1 element in a hash-chain append-only witness log.
Enums
- IdentityStatus - Identity status values in a VerifyResult (SPEC §5.9). Granular failure statuses (scope_denied, constraint_denied, etc.) let callers route on the enum directly — they do not have to parse error_reason text.