Skip to main content

Attested Action Envelope — a signed, per-agent-chained record of a pre-action authorization verdict

Project description

AAE — Attested Action Envelope

A signed, per-agent-chained record of a pre-action authorization verdict.

Reputation and receipts record what an agent did — after the fact. An Attested Action Envelope records what an agent may do: a small signed object, issued before an action runs, stating who asked to do what, which policy decided, and what the verdict was. A refusal is a first-class signed artifact — "we said no, here, then" is provable later, not merely an absence of evidence — and each of an agent's envelopes points at its predecessor by hash, so its authorization history is tamper-evident and gap-detectable on its own.

sm-aae is the minimal, dependency-light library that defines and cryptographically verifies that envelope. It is intentionally domain-neutral: it applies anywhere agents act under a policy and a verifiable audit record of what was permitted, and what was refused matters — enterprise workflows under internal policy, regulated data handling, SLA-bound automation, cross-team coordination.

The envelope — eight fields

Field Meaning
agent_id The acting agent's identity (whatever string your identity layer yields).
action {verb, resource, params} — what the agent asked to do.
policy_id The policy entry that produced the verdict.
outcome "authorized" | "denied" | "conditional" — refusals are first-class.
prev_hash Hex SHA-256 of this agent's previous envelope, or null for the first.
issued_at RFC 3339 timestamp (caller-supplied).
sig Hex Ed25519 signature over the canonical envelope minus sig.
pubkey Hex of the issuer's raw 32-byte Ed25519 public key.

Canonicalization is sorted-key, compact-separator JSON over the envelope without sig. Everything is deterministic: identical inputs produce byte-identical envelopes, and hostile input never raises out of the verifiers.

Install

pip install sm-aae

Runtime dependency: cryptography only.

Use

from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey
from sm_aae import issue_envelope, verify_envelope, envelope_hash, order_chain

sk = Ed25519PrivateKey.generate().private_bytes_raw().hex()

granted = issue_envelope(
    sk, agent_id="agent-1", verb="read", resource="doc/1", params={},
    policy_id="rule:read-allow", outcome="authorized",
    prev_hash=None, issued_at="2026-07-04T00:00:00+00:00",
)
refused = issue_envelope(
    sk, agent_id="agent-1", verb="spend", resource="treasury", params={},
    policy_id="rule:deny", outcome="denied",
    prev_hash=envelope_hash(granted), issued_at="2026-07-04T00:01:00+00:00",
)

assert verify_envelope(granted) and verify_envelope(refused)
assert order_chain([refused, granted]) == [granted, refused]  # recovers the causal order

order_chain returns the agent's envelopes genesis-first, or None if they don't form exactly one intact chain — it rejects gaps (a deleted interior link), forks, duplicates, and a prev_hash that reaches into another agent's chain.

Public API

Function Purpose
issue_envelope(signing_key, *, …) Build and sign a complete envelope.
verify_envelope(candidate) -> bool Structural + signature check; never raises.
envelope_hash(envelope) -> str SHA-256 of the signed envelope (what prev_hash points at).
canonical_bytes(envelope) -> bytes The exact bytes the signature covers.
order_chain(envelopes) -> list | None The agent's unique causal chain, or None.

Where it fits

sm-aae is the per-action authorization primitive in a small family of agent evidence tools:

  • sm-arp — receipts: what an agent did.
  • sm-parc — portable reputation over those receipts.
  • sm-aae (this) — what an agent may do, and the refusals.

It complements NANDA's static agent facts (claims about who an agent is) with a dynamic, signed record of a decision taken about an agent's action at a moment in time. See SPEC.md for the normative wire format, WHITEPAPER.md for the argument, and THREATMODEL.md for what it does and does not defend.

Development

pip install -e ".[dev]"
ruff check . && ruff format --check . && mypy sm_aae && coverage run -m pytest && coverage report

License

MIT. See LICENSE.


Built at labs.stellarminds.ai.

First published: 2026-07-04 | Last modified: 2026-07-04

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

sm_aae-0.1.0.tar.gz (17.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

sm_aae-0.1.0-py3-none-any.whl (8.5 kB view details)

Uploaded Python 3

File details

Details for the file sm_aae-0.1.0.tar.gz.

File metadata

  • Download URL: sm_aae-0.1.0.tar.gz
  • Upload date:
  • Size: 17.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sm_aae-0.1.0.tar.gz
Algorithm Hash digest
SHA256 0887638328ddda1d69a5ea09b60a1ededa00559a2b1db288252dbaf6723e565c
MD5 dea8f9415a08e6de271ce187654f4065
BLAKE2b-256 3900f80cb1e5c75771ee6ad920de91b91793ec49ace28768309b914574993c1f

See more details on using hashes here.

Provenance

The following attestation bundles were made for sm_aae-0.1.0.tar.gz:

Publisher: publish.yml on Sharathvc23/sm-aae

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file sm_aae-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: sm_aae-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 8.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for sm_aae-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 9bf03f64737cf7843c617b9af54851461aa40001f4a6df3987ceaebc6dc574b9
MD5 55d10ab355aeb8c04d918d8705662632
BLAKE2b-256 d64018bc1d43908c8a8cb28fd706fa87c94c384a236332d2095fa9f273a2afef

See more details on using hashes here.

Provenance

The following attestation bundles were made for sm_aae-0.1.0-py3-none-any.whl:

Publisher: publish.yml on Sharathvc23/sm-aae

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page