Governed Action Receipt v1

v1 Frozen Envelope format — April 2026

A Governed Action Receipt is portable cryptographic proof that an AI agent action was evaluated by deterministic policy and decided by the stated authority. Anyone with the public key can verify. No platform access required.

Format frozen. The v1 schema is committed. Changes require a version bump to v2. See ADR-007 for the decision record.

Design Principles

Versioned protocol, not algorithm negotiation. v:1 determines the entire cryptographic construction: Ed25519 + SHA-256 + ZLAR canonical JSON. No alg field. The version IS the algorithm.
Envelope signing. The payload is base64url-encoded canonical bytes. The signature covers those exact bytes. Verifiers never re-canonicalize.
No extension mechanism. Strict schema. Version bump for changes.
Post-quantum path. v2 = composite ML-DSA-65+Ed25519 via version bump. No negotiation, no downgrade.

Envelope Structure

{
  "v":       1,
  "id":      "69d3c106c939654ef325...",
  "kid":     "88aaeeaca05eba4d",
  "iat":     1712412000,
  "type":    "governed-action",
  "payload": "eyJ0b29sIjoiQmFzaCIs...",
  "sig":     "qpAqou278Yks...",
  "prev":    null
}

Field	Type	Description
`v`	integer	Format version. `1` = Ed25519 + SHA-256 + ZLAR canonical JSON. Reject unknown versions.
`id`	string	Unique receipt identifier. Hex timestamp + random bytes.
`kid`	string	Key identifier. First 16 chars of SHA-256 of the public key file.
`iat`	integer	Issued-at as Unix epoch seconds.
`type`	string	Receipt type. v1 supports `"governed-action"` only.
`payload`	string	Base64url-encoded (no padding) UTF-8 bytes of canonical JSON payload.
`sig`	string	Base64url-encoded Ed25519 signature.
`prev`	string\|null	SHA-256 of previous receipt for chain linking, or null.

Payload Structure

The payload is canonical JSON (per Canonicalization Spec v1.0) containing all governance fields:

Field	Type	Required
`tool`	string	Yes
`domain`	string	Yes
`detail_hash`	string (hex64)	Yes
`outcome`	enum	Yes
`rule`	string	Yes
`authorizer`	enum	Yes
`ts`	string (ISO 8601)	Yes
`policy_version`	string	Yes
`manifest_agent_id`	string\|null	Yes
`manifest_principal`	string\|null	Yes
`delegation_chain`	array	Yes
`audit_event_id`	string	Yes
`audit_prev_hash`	string	Yes

Verification Protocol

Parse the envelope JSON. Check v === 1.
Base64url-decode the payload field to get raw UTF-8 bytes.
SHA-256 hash those bytes. Output as lowercase hex string (64 characters).
Base64url-decode sig to get the 64-byte Ed25519 signature.
Verify: Ed25519 over the hex string bytes using the public key identified by kid.
If valid, parse the payload bytes as JSON to read the governance fields.

No re-canonicalization. The verifier hashes the stored payload bytes directly. It never needs to know the canonicalization rules. This eliminates the cross-language canonicalization divergence that is the primary failure mode of inline-signed JSON formats.

Verify a Receipt

# Clone the repo
git clone https://github.com/ZLAR-AI/ZLAR.git

# Verify any receipt (v0 or v1)
node bin/zlar-verify receipt.json --pubkey key.pub --verbose

What a Valid Receipt Proves

A specific action was attempted by an AI agent
Deterministic policy was evaluated against that action
The decision was made by the stated authority (policy rule or human)
The record has not been tampered with since creation
The receipt is anchored to the ZLAR audit hash chain

Permanent URL: https://zlar.ai/specs/receipt-v1
Schema: etc/receipt-v1.schema.json
Payload schema: etc/receipt-v1-payload.schema.json
Decision record: ADR-007
License: Apache 2.0 — ZLAR Inc.