<?xml version="1.0" encoding="UTF-8"?>
  <?xml-stylesheet type="text/xsl" href="rfc2629.xslt" ?>
  <!-- generated by https://github.com/cabo/kramdown-rfc version 1.7.39 (Ruby 4.0.5) -->


<!DOCTYPE rfc  [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">

]>


<rfc ipr="trust200902" docName="draft-sergeev-wexp-core-00" category="info" submissionType="IETF" tocInclude="true" sortRefs="true" symRefs="true">
  <front>
    <title abbrev="WEXP Core">The Witnessed Execution Protocol (WEXP): Core Specification</title>

    <author initials="M." surname="Sergeev" fullname="Mikhail Sergeev" role="editor">
      <organization>Independent Researcher</organization>
      <address>
        <email>mikhailsergeev369@gmail.com</email>
      </address>
    </author>
    <author initials="V." surname="Ikher" fullname="Vladimir Ikher">
      <organization>Independent Researcher</organization>
      <address>
        <email>ikherva@gmail.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="05"/>

    <area>Security</area>
    
    <keyword>witnessability</keyword> <keyword>execution evidence</keyword> <keyword>boundary ceiling</keyword> <keyword>AI agents</keyword> <keyword>audit</keyword> <keyword>provenance</keyword>

    <abstract>


<?line 83?>

<t>The Witnessed Execution Protocol (WEXP) defines a record format and a verification procedure for classifying the strength of execution-related evidence about actions performed by software and AI systems. A WEXP record asserts, for a single action, a Witnessability Level (WL) bounded by the execution-relevant boundary that the witness controls. WEXP grades only the evidentiary strength of an execution claim; it does not certify the action's correctness, safety, or alignment. This document specifies WEXP Core: the record model, required fields, the two classification axes (Witnessability Level and Conformance Class), the honesty invariants that bound claims, the verifier procedure, and failure semantics. WEXP Core is profile-independent and validates standalone.</t>



    </abstract>



  </front>

  <middle>


<?line 87?>

<section anchor="notetoreaders"><name>Note to Readers (to be removed before publication)</name>

<t>The archival deposit of this specification is intended to be made available under CC BY 4.0; the IETF Internet-Draft is contributed under the IETF Trust's Legal Provisions (see the boilerplate). The reference implementation is being developed by WitSeal; no co-author or party holds ownership, licensing exclusivity, or veto rights over the specification.</t>

</section>
<section anchor="introduction"><name>Introduction</name>

<t>Modern AI and software systems produce many forms of execution-related evidence -- logs, traces, approvals, tool-call records, attestations, workflow histories -- that are frequently conflated. The conceptual foundation for distinguishing the <em>strength</em> of such evidence is the Witnessability Model <xref target="WITNESSABILITY"/>, which defines six witnessability levels (WL0-WL5) and the Boundary Ceiling Principle: a witness cannot honestly claim a level above the strongest execution-relevant boundary it controls or can independently verify.</t>

<t>WEXP operationalizes that model as a concrete, verifiable record protocol. Where the model is descriptive, WEXP is prescriptive: it defines what a conforming record MUST contain at each claimed level, and what a conforming verifier MUST check.</t>

<t>Attestation answers whether a record is authentic; a transparency service answers whether it existed as claimed. WEXP answers a third question that neither resolves: given the available evidence and the boundary at which it was obtained, what claim level is warranted? A related individual Internet-Draft proposes an architecture for auditing AI-agent delegation and interactions <xref target="AUDIT-ARCH"/>, whose proposed work items include canonical audit data models and semantics (WI-1) and an Action Record profile produced at the boundary where each tool or service call took effect (WI-4). That architecture records, correlates, and attests audit records across delegation and evolving authorization state; it does not define the evidential-status semantics that bound what such a record may honestly claim about execution. WEXP supplies that layer: a boundary-derived claim ceiling (verified_level &lt;= attainable(boundary_type, claimed_level, evidence)), a verifier verdict of accept, reject, or downgrade, non-inflation under composition, and fail-closed handling of unknown-critical content. WEXP is therefore an orthogonal contribution to such audit data models -- specifically the claimed-level and ceiling semantics for Action Records -- not a competing audit architecture or data model.</t>

<t>WEXP intentionally separates three concerns that are often conflated: (1) where an action is observed, (2) how authentic the resulting record is, and (3) what evidential claim that record can honestly support.</t>

<t>This document is differentiated by treating the boundary-derived ceiling as a verifier-enforced protocol invariant, rather than as an audit placement rule, attestation result, or transparency receipt. WEXP makes no chronological priority claim.</t>

<ul empty="true"><li>
  <t>Reference Implementation Non-Authority Clause. Where a reference implementation conflicts with this specification, the specification prevails. Where the specification is ambiguous, a resolution document is required before implementation behavior becomes normative.</t>
</li></ul>

<section anchor="scope"><name>Scope</name>

<t>This document specifies WEXP Core only. Profiles (domain-specific bindings) and Policy (Evidence Contract gating) are layered above Core and are out of scope here, except where Core constrains them. A Core record MUST validate without reference to any profile.</t>

<t>To bound Core precisely, the following are explicitly out of scope for this document and are left to profiles or future revisions:</t>

<t><list style="symbols">
  <t>This document does not define a COSE or JWS envelope profile.</t>
  <t>This document does not define internal provenance or independent-verification evidence schemas.</t>
  <t>This document does not define trust-anchor discovery or revocation.</t>
  <t>This document does not define chain construction, segment discovery, or delegation linkage.</t>
  <t>This document does not define a capabilities-document format beyond the fail-closed handling of <spanx style="verb">capabilities_ref</spanx> (<xref target="cc-maxcap"/>).</t>
</list></t>

<t>These deferred items are expected to be addressed by separate WEXP profiles, developed independently of and layered above this Core document. Such profiles are anticipated to bind WEXP records to existing mechanisms rather than re-specify them -- for example, a JOSE or COSE serialization profile, a boundary-grounding profile referencing RATS attestation evidence, provenance and independent-verification profiles aligned with supply-chain and transparency work (for example, <xref target="SCITT"/>), and deployment profiles that map WEXP evidence onto external record-keeping regimes. These profiles are informative with respect to this document: they extend and depend on Core, but a Core record is complete and verifiable without any of them (<xref target="verifier"/>).</t>

</section>
<section anchor="relatedwork"><name>Relationship to Related Work</name>

<t><xref target="AUDIT-ARCH"/> describes an architectural framework for distributed audit-record generation, audit-context propagation, attestation, and transparency logging in agent-driven interactions, and identifies candidate record types and IETF substrate profiles (RATS, SCITT, OAuth, WIMSE). It independently arrives at recorder independence (a record produced at the boundary, not as reported by the agent; an agent that records itself cannot deliver non-repudiation to a third party). WEXP is complementary: it does not define an agent audit architecture, an identity substrate, or a transparency service. It defines verifier-facing evidence-to-claim semantics -- the boundary-derived claim ceiling, the accept/reject/downgrade verdict, non-inflation, and fail-closed handling -- that <xref target="AUDIT-ARCH"/> does not specify. In <xref target="AUDIT-ARCH"/> terms these belong in WI-1 as the claimed-level and ceiling semantics the data models require but do not define, with the WI-4 Action Record profile carrying the claimed level.</t>

<t>A parallel line of work, <xref target="ACTA-RECEIPTS"/>, defines a portable signed receipt format for machine-to-machine access-control decisions. A subsequent profile, <xref target="ASQAV-COMPLIANCE"/>, binds <xref target="ACTA-RECEIPTS"/> fields to specific regulatory obligations including EU AI Act Articles 12 and 26 and DORA Article 17. WEXP is complementary to both: <xref target="ACTA-RECEIPTS"/> specifies a wire format and verification procedure for signed decision records; WEXP specifies the <em>evidential-status semantics</em> -- the boundary-derived claim ceiling, the verifier verdict of accept/reject/downgrade, non-inflation under composition, and fail-closed handling of unknown-critical content -- that bound what claim level any such record can honestly support. A WEXP record MAY be carried as an artifact in the <xref target="ACTA-RECEIPTS"/> format. Where an ACTA or ASQAV receipt carries a correlation identifier such as <spanx style="verb">action_ref</spanx>, a WEXP profile MAY use that value as a correlation hint between the receipt and the WEXP record witnessing the same action; such correlation is not execution evidence, is not required by WEXP Core, and does not raise the verified level. The WEXP layer adds the claim-strength semantics that the receipt format itself does not specify. WEXP defines no transparency service, no identity substrate, and no decision-recording wire format of its own -- it is the evidential-status layer over such substrates.</t>

<t>Additional Internet-Drafts in adjacent slots include <xref target="AGENT-AUDIT-TRAIL"/>, which specifies a hash-chained logging format with trust outcome levels, and <xref target="VERIFICATION-STATE"/>, which specifies a pre-action fail-closed gate primitive that may be wrapped in a <xref target="SCITT"/> envelope. WEXP is complementary to these: <xref target="AGENT-AUDIT-TRAIL"/> specifies how audit records are stored and chained; <xref target="VERIFICATION-STATE"/> specifies a gate primitive applied before action execution. WEXP specifies the claim-strength taxonomy that bounds what any such record or gate-result may honestly assert, and the verifier ladder that enforces it.</t>

<t>Further adjacent drafts include <xref target="VAC"/>, a conversation-record format for agent sessions with post-hoc divergence detection; <xref target="POB"/>, which combines signed behavior receipts, hash-chain linking, and a pre-execution policy gate; and <xref target="DRP"/>, which specifies pre-action delegation receipts anchored to an append-only log -- an authorization-plane object attesting what was authorized rather than what occurred. WEXP defines none of these objects; it defines the claim-strength semantics that bound what any such record, gate result, or delegation trace may honestly assert.</t>

<t>Two adjacent level schemes deserve explicit contrast. SLSA <xref target="SLSA"/> defines graduated build-integrity levels for the software supply chain: as in WEXP, a claim is bounded by the strength of the platform boundary that produced the evidence, but SLSA grades the build provenance of artifacts, not runtime execution events -- WEXP applies the same discipline to runtime actions, and a SLSA provenance statement is one natural source of the WL4 provenance artifact. Within the IETF, RATS Attestation Results for Secure Interactions <xref target="AR4SI"/> grades the trustworthiness of an attested environment from appraised evidence; WEXP grades the claim strength of an execution-event record, with environment attestation as one input that can raise the attainable level (<xref target="appendix-audit"/>). Neither scheme defines a claim ceiling bound to the execution boundary of a specific action; that is the layer WEXP specifies.</t>

</section>
</section>
<section anchor="terminology"><name>Conventions and Terminology</name>

<t>The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only when, they appear in all capitals, as shown here.</t>

<t><list style="symbols">
  <t><strong>Witness.</strong> A system, component, runtime, service, process, organization, or verifier that records or verifies evidence about an action.</t>
  <t><strong>Action.</strong> An operation performed by a software or AI system that changes state, produces output, invokes a tool, executes code, or otherwise affects an environment.</t>
  <t><strong>Boundary.</strong> A control surface across which an action is observed, approved, invoked, executed, linked to provenance, or verified.</t>
  <t><strong>WEXP Record.</strong> A structured artifact conforming to this specification that asserts an execution-evidence claim at a stated Witnessability Level.</t>
  <t><strong>Witnessability Level (WL).</strong> A record-scoped level, WL0-WL5, expressing how deeply the runtime action is witnessed through the execution boundary (see <xref target="WITNESSABILITY"/> for the model).</t>
  <t><strong>Conformance Class (CC).</strong> An implementation-scoped class, CC0-CC5, expressing how technically verifiable a record is.</t>
</list></t>

<t>Relationship to WIMSE: WEXP and its reference implementation are distinct from the WIMSE Workload Identity Credential (WIT) <xref target="WIMSE"/>. A bounded-claim execution record is evidence about what occurred at a boundary, not a workload identity credential, and does not replace WIT.</t>

<t><strong>Note on Witnessability Level (WL) Versus Other Level Schemes.</strong> Numbered trust levels and graded conformance tiers appear in adjacent specifications and informal industry discussion (for example, trust outcome levels in <xref target="AGENT-AUDIT-TRAIL"/>, Bronze/Silver/Gold conformance tiers in <xref target="VAP-LAP"/>, and the multi-layer agent trust models discussed in industry analyses). These schemes classify outcome quality, infrastructure capability, or authorization-stack position. WEXP WL is distinct: it classifies the <em>claim-strength</em> that a record can honestly support given the <em>boundary</em> at which the evidence was produced. WL is an <em>epistemic ceiling</em> on what a witness may assert, not a trust rating, infrastructure grade, authorization tier, or maturity score. A WL3 record is not "more trusted" than a WL1 record; it is a claim about a stronger execution-evidence boundary having been controlled or independently verified. Whether a particular witness is honest or compromised is a question of attribution and grounding, not of the level taxonomy: the boundary assertion, its CC-bound attribution, and their limits are specified in <xref target="honesty-evidence"/>.</t>

</section>
<section anchor="wl-cc"><name>Witnessability Level (WL) and Conformance Class (CC)</name>

<t>WEXP separates two orthogonal axes.</t>

<t>The Core interpretation of each Witnessability Level, used by the verifier, is:</t>

<texttable>
      <ttcol align='left'>WL</ttcol>
      <ttcol align='left'>Core interpretation</ttcol>
      <c>WL0</c>
      <c>No execution-evidence claim is verified.</c>
      <c>WL1</c>
      <c>Intent or approval is bound to the action arguments.</c>
      <c>WL2</c>
      <c>Invocation crossed an observed boundary.</c>
      <c>WL3</c>
      <c>Execution was observed at an execution-ownership boundary.</c>
      <c>WL4</c>
      <c>WL3 plus a bound top-level provenance artifact.</c>
      <c>WL5</c>
      <c>WL3 plus a bound top-level independent-verification artifact.</c>
</texttable>

<t>This table defines the Core interpretation used by the verifier. It does not define provenance, attestation, independent-verification, policy, or trust-anchor schemas.</t>

<t>WL4 and WL5 are sibling evidence lifts over the WL3 base: WL4 adds a bound provenance artifact, WL5 a bound independent-verification artifact. WL5 is ordered above WL4 for verifier ceiling comparison (<xref target="verifier"/>), but a WL5 claim does not imply the presence of a provenance artifact unless required by a profile or policy. A policy that requires provenance MUST require it explicitly and MUST NOT infer it from <spanx style="verb">verified_level</spanx> &gt;= WL4.</t>

<t><strong>Witnessability Level (WL)</strong> is <em>record-scoped</em>: it describes how deeply a specific runtime action is witnessed through the execution boundary. WL ranges over WL0-WL5 as defined by the Witnessability Model.</t>

<t><strong>Conformance Class (CC)</strong> is <em>implementation-scoped</em>: it describes how technically verifiable a record is, independent of any single record's content. CC ranges over CC0-CC5. CC MUST NOT be a per-record self-claim; it is reachable only by reference (via a <spanx style="verb">capabilities_ref</spanx> to the implementation's published capabilities).</t>

<t>Criticality, reversibility, operational domain, and custody are not axes of WEXP. They MAY influence the minimum required WL or CC via policy or profiles, but they are not witnessability levels and MUST NOT be encoded as such.</t>

<section anchor="cc-scale"><name>Conformance Class (CC) scale</name>

<t>Conformance Class is implementation-scoped and ranges over CC0-CC5. CC
describes how technically verifiable an implementation's records are; it
MUST NOT be a per-record self-claim and is reachable only by reference,
via a <spanx style="verb">capabilities_ref</spanx> to the implementation's published capabilities.</t>

<texttable>
      <ttcol align='left'>CC</ttcol>
      <ttcol align='left'>Name</ttcol>
      <ttcol align='left'>Requirement</ttcol>
      <c>CC0</c>
      <c>No conformance</c>
      <c>The implementation does not meet WEXP structural requirements.</c>
      <c>CC1</c>
      <c>Structural</c>
      <c>The implementation emits records that validate against the Core schema.</c>
      <c>CC2</c>
      <c>Signature</c>
      <c>The implementation additionally emits records that carry a valid signature over the canonical signing input, per <spanx style="verb">seal.alg</spanx> (<xref target="verifier"/>).</c>
      <c>CC3</c>
      <c>Bound</c>
      <c>The implementation additionally binds each signature to a verified key identity; at CC3 and above a <spanx style="verb">boundary_type</spanx> assertion is attributed to that identity (stronger grounding of the assertion is out of scope for Core; see <xref target="honesty-evidence"/>).</c>
      <c>CC4</c>
      <c>Composed</c>
      <c>The implementation additionally verifies chains under composition without inflation (see <xref target="verifier-composition"/>).</c>
      <c>CC5</c>
      <c>Independent</c>
      <c>The implementation additionally produces records independently verifiable by a third party without the issuer.</c>
</texttable>

<t>The classes are cumulative: CCn includes the capabilities of CCn-1. CC is
orthogonal to a record's Witnessability Level: a high-CC implementation MAY
emit low-WL records.</t>

<section anchor="cc-maxcap"><name>Implementation capability ceiling</name>

<t>Each Conformance Class has a maximum Witnessability Level it can ground,
maxCapability(CC):</t>

<texttable>
      <ttcol align='left'>CC</ttcol>
      <ttcol align='left'>maxCapability(CC)</ttcol>
      <c>CC0</c>
      <c>WL0</c>
      <c>CC1</c>
      <c>WL0</c>
      <c>CC2</c>
      <c>WL2</c>
      <c>CC3</c>
      <c>WL3</c>
      <c>CC4</c>
      <c>WL4</c>
      <c>CC5</c>
      <c>WL5</c>
</texttable>

<t>The full Boundary Ceiling invariant (<xref target="honesty-boundary"/>) therefore caps a
claim by BOTH the boundary-and-evidence attainable level and the
implementation Conformance Class:</t>

<figure><artwork><![CDATA[
verified_level <= min(
    attainable(boundary_type, claimed_level, evidence),
    maxCapability(CC) )
]]></artwork></figure>

<t>A verifier MUST enforce both bounds; a high-capability boundary does not raise a
record above the issuing implementation's Conformance Class. For example, a
record claiming WL4 at a <spanx style="verb">tee</spanx> boundary with a bound provenance artifact, from a
CC3 implementation (maxCapability WL3), is bounded by min(WL4, WL3) = WL3 and is
downgraded accordingly.</t>

<t>Core treats <spanx style="verb">capabilities_ref</spanx> as an opaque reference. A verifier resolves it
through local configuration or a profile-defined mechanism to an accepted
Conformance Class; Core does not define the serialization, discovery, revocation,
or trust-anchor model for such capabilities. If <spanx style="verb">capabilities_ref</spanx> is absent,
unavailable, expired, unverifiable, or not accepted by the verifier's trust
configuration, resolution fails and the effective Conformance Class is CC0: the
record MAY still be structurally valid, but its verified level is bounded by
maxCapability(CC0) = WL0 (fail-closed). Core interoperability therefore covers structure, signature, and the ladder mechanics; the assignment of a verified level above WL0 is relative to the verifier's trust configuration, in the same way that RATS appraisal is relative to appraisal policy.</t>

<t><strong>Rationale for the maxCapability(CC) mapping.</strong> The mapping assigns to each Conformance Class the highest Witnessability Level whose claims that class can actually ground; it tracks verifier capability, not witness output. At CC0 and CC1 no signature is verified, so no runtime claim above observation (WL0) can be grounded. At CC2 a record's signature is verified against a published key: intent (WL1) and invocation (WL2) claims become groundable, since both are carried in the signed content and differ only in their conditional-required fields (<xref target="fields-conditional"/>); execution claims are not, because CC2 does not ground the boundary assertion itself. CC3 adds that grounding -- key identity bound to the declared boundary through attestation or an established trust anchor -- which <xref target="honesty-evidence"/> sets as the minimum for execution ownership, so maxCapability rises to WL3. CC4 adds verified composition (<xref target="verifier-result"/>), the property that makes a provenance bridge trustworthy across chained records, raising the bound to WL4. CC5 adds verification of an independent-verification path, the implementation-side counterpart of WL5. The scale is monotonic non-decreasing by construction, and the combined invariant of <xref target="honesty-boundary"/> -- which bounds the verified level by both the claim-relative attainable level of the boundary and maxCapability(CC) -- ensures that neither a high-ceiling boundary nor a high-capability implementation alone can raise a record's verified level.</t>

</section>
</section>
</section>
<section anchor="recordmodel"><name>Record Model</name>

<t>A WEXP artifact is composed of the following layers.</t>

<t><list style="symbols">
  <t><strong>WEXP Core Record.</strong> MUST be present; otherwise the artifact is not a WEXP Record.</t>
  <t><strong>WEXP Profile Binding.</strong> MUST be present inside a specific profile; OPTIONAL in pure-Core records.</t>
  <t><strong>WEXP Top-level Evidence.</strong> Typed blocks: provenance (for WL4), independent-verification / attestation (for WL5), and transparency (orthogonal). Each is carried as a typed <spanx style="verb">evidence-ref</spanx> (<xref target="schema"/>); Core checks only its presence and syntactic binding to the record, not its internal semantics. Such evidence is REQUIRED at its claimed WL, and a verifier MUST honor evidence only when carried at the top level. This evidence MUST NOT be carried inside extensions.</t>
  <t><strong>WEXP Extensions.</strong> An OPTIONAL map of the form <spanx style="verb">{ "&lt;registered-name&gt;": { "critical": &lt;bool&gt;, "value": &lt;...&gt; } }</spanx>. Extensions MAY strengthen explainability. Extensions MUST NOT raise the WL, and MUST NOT carry WL4 or WL5 evidence.</t>
</list></t>

<t>Profiles MUST NOT redefine Core fields; profiles MAY constrain, extend, or specialize them. A Core record MUST validate standalone, without a profile.</t>

</section>
<section anchor="fields"><name>Core Record Fields</name>

<t>A WEXP Core Record answers seven questions. The following fields MUST be present in every Core Record.</t>

<texttable>
      <ttcol align='left'>Question</ttcol>
      <ttcol align='left'>Field(s)</ttcol>
      <c>What happened?</c>
      <c><spanx style="verb">event.operation</spanx>, <spanx style="verb">event.event_type</spanx></c>
      <c>Who or what acted?</c>
      <c><spanx style="verb">subject{ agent_id, host_id }</spanx></c>
      <c>Where was the witness boundary?</c>
      <c><spanx style="verb">model.boundary_type</spanx></c>
      <c>What level is claimed?</c>
      <c><spanx style="verb">model.claimed_level</spanx> (a WL)</c>
      <c>Who witnessed, and signed with what?</c>
      <c><spanx style="verb">witness{}</spanx>, <spanx style="verb">seal{}</spanx></c>
      <c>What is disclosed?</c>
      <c><spanx style="verb">disclosure{}</spanx></c>
      <c>Identity of protocol and record</c>
      <c><spanx style="verb">protocol</spanx>, <spanx style="verb">protocol_version</spanx>, <spanx style="verb">record_id</spanx>, <spanx style="verb">created_at</spanx></c>
</texttable>

<t>The <spanx style="verb">record_id</spanx> is an opaque identifier: uniqueness is the issuing implementation's responsibility, and Core defines no format, namespace, or collision semantics beyond exact-match comparison.</t>

<section anchor="fields-conditional"><name>Conditional-required fields by claimed level</name>

<t>The following fields are conditionally required by <spanx style="verb">model.claimed_level</spanx>. These requirements are enforced by the verifier when evaluating the claimed level; their absence does not by itself make a Core Record structurally invalid and MUST instead result in a downgrade to the highest level, not exceeding the claim, whose own requirements are met (see <xref target="verifier-result"/> and <xref target="verifier-downgrade"/>). The schema validates structure; the verifier validates the claimed level.</t>

<t><list style="symbols">
  <t><strong>WL1</strong> -- <spanx style="verb">input.arguments_hash</spanx> MUST be present.</t>
  <t><strong>WL2</strong> -- <spanx style="verb">input.arguments_hash</spanx> MUST be present, and only that (invocation-evidence). At WL2, <spanx style="verb">policy</spanx> and timing are OPTIONAL and are not Core-required: policy is orthogonal to WL and is profile-scoped. A profile MAY require policy for gate-mediated actions.</t>
  <t><strong>WL3</strong> -- <spanx style="verb">execution.{ started_at, ended_at, outcome, result_hash }</spanx> MUST be present.</t>
  <t><strong>WL4</strong> -- a provenance artifact (see <xref target="recordmodel"/>, Top-level Evidence) MUST be present, in addition to the WL3 requirements.</t>
  <t><strong>WL5</strong> -- an independent-verification path MUST be present, in addition to the WL3 requirements.</t>
</list></t>

<t>Raw payloads MUST NOT be required by Core; see the Minimal Evidence floor (<xref target="honesty"/>).</t>

</section>
<section anchor="schema"><name>Core Record schema (CDDL)</name>

<t>The following CDDL (<xref target="RFC8610"/>) is the normative schema for a WEXP Core
Record. A complete worked JSON example, with accept and downgrade verification walkthroughs, will be provided in a subsequent revision. A Core Record MUST validate against this schema;
conditional-required fields by claimed level (<xref target="fields-conditional"/>) and
the honesty invariants (<xref target="honesty"/>) are additional constraints the
verifier enforces beyond structural validation.</t>

<figure><sourcecode type="cddl"><![CDATA[
wexp-core-record = {
  protocol: tstr,
  protocol_version: tstr,
  record_id: tstr,
  created_at: tdate,
  event: event-block,
  subject: subject-block,
  model: model-block,
  witness: witness-block,
  seal: seal-block,
  disclosure: disclosure-block,
  ? capabilities_ref: tstr, ; reference to published CC capabilities
  ? input: input-block,     ; required at WL1 and WL2
  ? execution: execution-block, ; required at WL3
  ? evidence: evidence-block,   ; top-level evidence only
  ? extensions: extensions-map,
}

; claimed_level encoding (ratified): string form
WL = "WL0" / "WL1" / "WL2" / "WL3" / "WL4" / "WL5"
; Comparison semantics (informative): "WLn" maps to integer n for the
; honesty invariants. The verified level is bounded by
;   min( claimed, attainable(boundary_type, claimed, evidence),
;        maxCapability(CC), recorder_ceiling, chain_min )
; Implementations MUST parse "WLn" as integer n for ordering
; comparisons, then re-encode as string in records.

; Hash-alg identifier; "sha-256" is the default. Each hash field
; carries its own algorithm so the record is self-describing.
hash-alg = "sha-256" / tstr

; All octet strings in JSON serialization (seal.sig, *_hash, digest)
; are encoded as base64url WITHOUT padding.

event-block = { operation: tstr, event_type: tstr }
subject-block = { agent_id: tstr, host_id: tstr }
model-block = { boundary_type: tstr, claimed_level: WL }

; witness / seal / disclosure internal fields are refined by
; profiles; beyond the mandatory identifiers below they are open
; maps pending field-byte alignment.
; id identifies the witnessing component or system (opaque).
witness-block = { id: tstr, * tstr => any }
; alg, sig, and kid are present iff the record is signed (CC2+);
; sig is base64url-encoded, no padding; kid is an opaque
; identifier of the signing key (resolution is out of scope).
seal-block = { ? alg: tstr, ? sig: tstr, ? kid: tstr, * tstr => any }
disclosure-block = { * tstr => any }

input-block = {
  arguments_hash_alg: hash-alg,
  arguments_hash: tstr,          ; base64url, no padding
  * tstr => any
}
execution-block = {
  started_at: tdate, ended_at: tdate,
  outcome: tstr,
  result_hash_alg: hash-alg,
  result_hash: tstr              ; base64url, no padding
}

; Top-level typed evidence refs. Core verifies their PRESENCE and
; SYNTACTIC binding (digest + optional bound_record_id);
; it does not validate internal semantics of the referenced artifact.
evidence-ref = {
  type: tstr,
  digest_alg: hash-alg,
  digest: tstr,                  ; base64url, no padding
  ? uri: tstr,
  ? bound_record_id: tstr,
  * tstr => any
}
evidence-block = {
  ; provenance is required for WL4; at WL5 it is optional
  ; unless a profile or policy requires it
  ? provenance: evidence-ref,
  ? independent_verification: evidence-ref, ; required for WL5
  ? transparency: evidence-ref,             ; orthogonal
}

extensions-map = { * tstr => { critical: bool, value: any } }
]]></sourcecode></figure>

<t>Extensions MUST NOT raise the Witnessability Level and MUST NOT carry WL4
or WL5 evidence (<xref target="recordmodel"/>).</t>

<t>A top-level evidence artifact is <em>bound</em> to a WEXP record when the record carries an <spanx style="verb">evidence-ref</spanx> whose <spanx style="verb">digest</spanx> identifies that artifact and that reference is included in the signed record payload; <spanx style="verb">bound_record_id</spanx>, when present, is a reverse reference from the artifact to the WEXP record. Core validates the presence and syntax of this binding; validation of the artifact's internal semantics is profile-specific.</t>

</section>
</section>
<section anchor="honesty"><name>Honesty Invariants (Ceilings)</name>

<t>Two ceilings and a floor bound what a record may honestly claim. A verifier MUST enforce the Boundary Ceiling and, when a qualification is asserted, the Recorder Ceiling; the Minimal Evidence floor is a content discipline on the producer.</t>

<section anchor="honesty-boundary"><name>Boundary Ceiling (MUST)</name>

<t>The Boundary Ceiling separates two mechanisms: the execution-evidence level a boundary directly grounds, and the lift that bound top-level evidence adds on top of it.</t>

<t><strong>Base execution level.</strong> Each boundary type grounds a base execution-evidence level, <spanx style="verb">base_execution_level(boundary_type)</spanx>, taken from the WEXP Boundary Types registry (<xref target="iana-boundary-types"/>): an intent or approval boundary grounds WL1, an invocation boundary WL2, and an execution-ownership boundary (including a trusted execution environment) WL3. No boundary grounds WL4 or WL5 by itself.</t>

<t><strong>Evidence lift.</strong> WL4 and WL5 are reached only by adding a bound top-level evidence artifact to an execution-ownership boundary, and each lift level is satisfied only by the artifact that defines it: a bound provenance artifact satisfies WL4; a bound independent-verification artifact satisfies WL5; neither satisfies the other's level. Attainability is claim-relative across the whole ladder -- the highest level, not exceeding the claimed level, whose own requirements are met. For WL1-WL3 the requirements are the boundary base and the conditional-required fields of <xref target="fields-conditional"/>; for WL4 and WL5 they are an execution-ownership base, the WL3 execution evidence (the level table defines WL4 and WL5 as "WL3 plus" an artifact), and the corresponding bound artifact. Here <spanx style="verb">evidence</spanx> denotes both the record's conditional-required fields and its bound top-level artifacts:</t>

<figure><artwork><![CDATA[
attainable(boundary_type, claimed_level, evidence):
  base = base_execution_level(boundary_type)
  best = WL0
  for n in WL1..WL3:
    if n <= base and n <= claimed_level and
       the conditional-required fields for n are present:
        best = n
  if base >= WL3 and claimed_level >= WL4 and
     the WL3 requirements are met and
     a bound provenance artifact is present:
      best = WL4
  if base >= WL3 and claimed_level >= WL5 and
     the WL3 requirements are met and
     a bound independent-verification artifact is present:
      best = WL5
  return best
]]></artwork></figure>

<t>An intent or invocation boundary (base &lt; WL3) cannot reach WL4 or WL5: a provenance or independent-verification artifact attached to a <spanx style="verb">manual-approval</spanx> or <spanx style="verb">proxy</spanx> record does not raise it. WL4 and WL5 are available at <spanx style="verb">host-hook</spanx>, <spanx style="verb">kernel</spanx>, <spanx style="verb">tool-runtime</spanx>, and <spanx style="verb">tee</spanx> boundaries, each requiring the corresponding bound artifact.</t>

<t><strong>Combined invariant.</strong> The verified level MUST NOT exceed any of the claimed level, the boundary-and-evidence attainable level, the implementation Conformance Class capability (<xref target="cc-maxcap"/>), the recorder ceiling (<xref target="honesty-recorder"/>), and the composition minimum (<xref target="verifier-composition"/>):</t>

<figure><artwork><![CDATA[
verified_level <= min(
    claimed_level,
    attainable(boundary_type, claimed_level, evidence),
    maxCapability(CC),
    recorder_ceiling,
    chain_min )
]]></artwork></figure>

<t>The verifier MUST derive <spanx style="verb">base_execution_level</spanx> from the boundary-types registry based on the actual <spanx style="verb">boundary_type</spanx>, and MUST NOT derive it from the implementation's Conformance Class. A high-capability boundary does not raise a record above the implementation's Conformance Class: an implementation at CC3 (maxCapability WL3) emitting a record at a <spanx style="verb">tee</spanx> boundary with a bound provenance artifact is still bounded at WL3, since min(WL4, WL3) = WL3.</t>

</section>
<section anchor="honesty-recorder"><name>Recorder Ceiling (MUST when asserted)</name>

<t>Core reserves a recorder-ceiling slot in the verified-level bound (<xref target="verifier"/>) but defines no recorder qualifications: the qualification vocabulary, its record fields, and the max_assurance() mapping are profile-defined. When no profile-defined qualification is asserted, the slot is inactive and does not constrain the record. When a profile asserts one, the claimed level MUST NOT exceed that profile's maximum assurance:</t>

<figure><artwork><![CDATA[
claimed_WL <= max_assurance(qualification_profile)
]]></artwork></figure>

</section>
<section anchor="honesty-minimal"><name>Minimal Evidence floor (SHOULD)</name>

<t>Record content SHOULD be minimal-sufficient for the claimed WL. Raw payloads are excluded by default (Core never requires them); hashes, commitments, references, summaries, or encrypted material SHOULD be preferred. Minimality is relative to the claimed WL: verification metadata grows with WL, while the payload does not.</t>

</section>
<section anchor="honesty-evidence"><name>Evidence is required, not implied</name>

<t>WL4 and WL5 require an actual bound evidence artifact, not merely a boundary label: a provenance artifact for WL4, and an independent-verification artifact for WL5. The <spanx style="verb">boundary_type</spanx> field is an assertion of the witness. At CC3 and above the assertion is bound to a verified key identity, which attributes it to a known signer but does not by itself prove the action was observed at the asserted boundary; stronger grounding of the boundary assertion (for example, boundary attestation evidence) is out of scope for Core and left to profiles and future work. Accordingly, a WEXP record does not prove that the declared boundary matches the actual execution environment.</t>

<section anchor="honesty-wl4"><name>WL4 attainability</name>

<t>WL4 is attainable when both hold: (a) the boundary grounds an execution
level of at least WL3 (<spanx style="verb">base_execution_level(boundary_type) &gt;= WL3</spanx>), and
(b) a bound top-level provenance artifact is present (see <xref target="recordmodel"/>
and <xref target="honesty-boundary"/>). WL4 is therefore reachable at any
execution-ownership boundary -- <spanx style="verb">host-hook</spanx>, <spanx style="verb">kernel</spanx>, <spanx style="verb">tool-runtime</spanx>, or
<spanx style="verb">tee</spanx> -- not only at <spanx style="verb">tee</spanx>: it is the bound provenance artifact, not a
special boundary, that lifts WL3 execution evidence to WL4. WL5 is reached
analogously, with a bound independent-verification artifact in place of the
provenance artifact. An intent or invocation boundary
(<spanx style="verb">base_execution_level &lt; WL3</spanx>) cannot reach WL4 or WL5 regardless of any
attached artifact.</t>

</section>
</section>
</section>
<section anchor="verifier"><name>Verifier Requirements</name>

<t>A conforming verifier MUST evaluate a record through the following ladder; the overview below is informative, and the normative order of checks is the pseudocode of <xref target="verifier-result"/>. The procedure is modular: Core, then (if present) Profile, then (if present) Policy.</t>

<figure><artwork><![CDATA[
structure (schema)
-> canonical signing input (JCS for JSON)
-> signature (per seal.alg; "Ed25519" MTI for JSON Core)
-> key binding
-> base execution level (boundary)
-> conditional-required + evidence lift (WL4/WL5 artifact)
-> Conformance Class capability
-> recorder ceiling
-> composition-min (chains)
-> [profile: action taxonomy, maker-checker, correction]
-> [policy: Evidence Contract gate -> ALLOW | DENY | REQUIRE_REVIEW]
]]></artwork></figure>

<t>Within this ladder, for the JSON serialization defined by this document, the signing input is the UTF-8 encoding of the JCS <xref target="RFC8785"/> canonical form of the WEXP Core Record with <spanx style="verb">seal.sig</spanx> absent, so that <spanx style="verb">seal.alg</spanx> and, when present, <spanx style="verb">seal.kid</spanx> are part of the signed payload. The signature is computed and verified according to <spanx style="verb">seal.alg</spanx>, a string identifier that MUST name a fully specified signature algorithm -- one requiring no external parameters such as an unstated curve or hash. For this JSON serialization, the value "Ed25519" of <spanx style="verb">seal.alg</spanx> identifies Ed25519 as specified in <xref target="RFC8032"/> and is mandatory to implement (<xref target="RFC7696"/>); a verifier MAY implement additional profile-defined algorithms. Additional values of <spanx style="verb">seal.alg</spanx> MUST be introduced by a WEXP serialization or cryptographic profile that specifies the algorithm identifier namespace and the exact verification procedure; such profiles SHOULD reuse registered JOSE or COSE algorithm identifiers, including post-quantum signature algorithms, rather than minting WEXP-specific algorithm names. This document defines no algorithm registry of its own. Algorithms that are unsupported, unrecognized, or disallowed by the verifier's trust configuration fail closed (E_UNSUPPORTED_ALGORITHM). Canonicalization is a property of the serialization: JCS applies to this JSON serialization, and profiles defining other envelopes (for example, COSE) define their own canonical signing input. After signature computation, <spanx style="verb">seal.sig</spanx> is inserted as a base64url-encoded octet string without padding. All octet strings in the JSON serialization -- <spanx style="verb">seal.sig</spanx>, <spanx style="verb">input.arguments_hash</spanx>, <spanx style="verb">execution.result_hash</spanx>, and any evidence <spanx style="verb">digest</spanx> -- MUST be base64url-encoded without padding. If <spanx style="verb">seal.sig</spanx> is present and <spanx style="verb">seal.alg</spanx> is absent, unsupported, or unrecognized, the record is rejected (E_UNSUPPORTED_ALGORITHM); if <spanx style="verb">seal.sig</spanx> is absent, the record is not rejected on that basis and is evaluated at most as CC1 for that record (<xref target="verifier-result"/>). An unsupported or unrecognized hash algorithm likewise fails closed: if the algorithm of a conditional-required hash (<spanx style="verb">input.arguments_hash_alg</spanx>, <spanx style="verb">execution.result_hash_alg</spanx>) or of an evidence <spanx style="verb">digest_alg</spanx> is unsupported, the affected field or artifact is not honored and the verified level is computed as if it were absent (<xref target="verifier-downgrade"/>). The key-binding step resolves <spanx style="verb">seal.kid</spanx> to a verified key identity; the resolution mechanism (a local key store or profile-defined discovery) is out of scope for Core.</t>

<section anchor="verifier-result"><name>Verifier result and verdict</name>

<t>A verifier computes a <spanx style="verb">verified_level</spanx> and emits a <spanx style="verb">verdict</spanx>:</t>

<figure><artwork><![CDATA[
claimed_level  = model.claimed_level
verified_level = level supported by structure, signature,
               key binding, base execution level, present
               bound evidence, Conformance Class capability,
               recorder ceiling, and chain minimum
verdict:
  reject    if the record cannot be safely interpreted or trusted
  accept    if verified_level == claimed_level
  downgrade if verified_level <  claimed_level and the record remains
            safely interpretable
]]></artwork></figure>

<t>The schema validates structure; the verifier validates the claimed level. A missing or unbound top-level evidence artifact required by the claimed level does not by itself cause rejection; it lowers <spanx style="verb">verified_level</spanx> and yields <spanx style="verb">downgrade</spanx> (<xref target="verifier-downgrade"/>). A verifier result SHOULD carry <spanx style="verb">verdict</spanx>, <spanx style="verb">claimed_level</spanx>, <spanx style="verb">verified_level</spanx>, <spanx style="verb">downgrade_reason</spanx> (zero or more error-code tokens), and <spanx style="verb">errors</spanx> (zero or more error-code tokens), with tokens drawn from <xref target="iana-error-codes"/>.</t>

<t>The following pseudocode is normative for the order of checks and for the accept/downgrade/reject outcome; it does not mandate a code structure:</t>

<figure><artwork><![CDATA[
if structure invalid:             reject(E_INVALID_SCHEMA)
if unknown critical extension:  reject(E_UNKNOWN_CRITICAL_EXTENSION)
if canonicalization fails:        reject(E_CANONICALIZATION_FAILED)
if timestamp invalid:             reject(E_TIMESTAMP_INVALID)
if boundary_type unregistered:    reject(E_UNKNOWN_BOUNDARY_TYPE)

; signature: absence is not an error (it caps the effective CC
; for this record); a present-but-invalid signature is rejected.
if seal.sig present:
    if seal.alg absent/unsupported: reject(E_UNSUPPORTED_ALGORITHM)
    if signature invalid:              reject(E_INVALID_SIGNATURE)
    if key binding fails:              reject(E_KEY_BINDING_FAILED)
    signed = true
else:
    signed = false

cc = resolve(capabilities_ref)        ; implementation-scoped CC
if cc unresolved or not accepted: cc = CC0  ; E_MISSING_CAPABILITIES
; a record without a valid signature is evaluated at most as
; CC1 (this record only)
effective_cc = cc if signed else min(cc, CC1)

base = min( claimed_level,
            attainable(boundary_type, claimed_level, evidence),
            maxCapability(effective_cc) )
if recorder qualification asserted:
    base = min( base, max_assurance(qualification_profile) )
verified_level = base
if a chain is supplied:
    verified_level = min( verified_level,
                       min over segments( segment.verified_level ) )

if verified_level == claimed_level: accept
else:                               downgrade
]]></artwork></figure>

<t>Here <spanx style="verb">attainable(boundary_type, claimed_level, evidence)</spanx> is the claim-relative bound of <xref target="honesty-boundary"/>: the highest level, not exceeding the claimed level, whose own evidence requirements are met -- WL4 only by a bound provenance artifact, WL5 only by a bound independent-verification artifact.</t>

<t>A timestamp is invalid when <spanx style="verb">created_at</spanx>, or any <spanx style="verb">execution</spanx> timestamp present, is not a syntactically valid <spanx style="verb">tdate</spanx> per the schema (<xref target="schema"/>), or when <spanx style="verb">execution.ended_at</spanx> precedes <spanx style="verb">execution.started_at</spanx>. Freshness, skew tolerance, and validity windows are policy concerns, not Core: Core takes no position on how old a record may be.</t>

<t>A record without a valid <spanx style="verb">seal.sig</spanx> is not rejected on that basis alone; for that record the effective Conformance Class is at most CC1 (maxCapability WL0), since a valid signature is a property of CC2 and above (<xref target="cc-scale"/>). This is deliberate: an unsigned record can be structurally valid, but nothing binds its content to a producer, so it grounds no execution-evidence claim. A <spanx style="verb">seal.sig</spanx> that is present but cryptographically invalid, or present with an absent or unsupported <spanx style="verb">seal.alg</spanx>, or present without <spanx style="verb">seal.kid</spanx>, is rejected.</t>

</section>
<section anchor="verifier-composition"><name>Composition</name>

<t>For a chain of segments, the verified level is the minimum over segments:</t>

<figure><artwork><![CDATA[
Level(chain) = min over segments( verified_level )
]]></artwork></figure>

<t>Aggregation MUST NOT inflate the level: a chain MUST NOT be assigned a level higher than the lowest level any of its segments supports.</t>

<section anchor="verifier-downgrade"><name>Downgrade target for missing required evidence</name>

<t>At the conditional-required + evidence-lift step (<xref target="verifier"/>), if any
evidence required by the claimed level -- a conditional-required field
(<xref target="fields-conditional"/>) or a bound top-level artifact -- is absent, the
verifier MUST NOT reject solely on that basis; it MUST instead downgrade
the verified level to the highest level, not exceeding the claimed level,
whose own evidence requirements are met (the claim-relative attainable level
of <xref target="honesty-boundary"/>):</t>

<t><list style="symbols">
  <t>claimed WL5, a provenance artifact present but no
independent-verification path -&gt; WL4;</t>
  <t>claimed WL4 or WL5 with neither artifact -&gt; the level grounded by
the boundary alone;</t>
  <t>claimed WL4 with an independent-verification path but no provenance
artifact -&gt; the level grounded by the boundary alone: an
independent-verification artifact satisfies WL5, not WL4, and a level
above the claim is never assigned.</t>
</list></t>

<t>The same rule applies below the lift levels: a claimed WL1-WL3 whose conditional-required fields (<xref target="fields-conditional"/>) are absent is downgraded to the highest level, not exceeding the claim, whose requirements are met; a field or artifact whose hash algorithm is unsupported is treated as absent for this purpose (<xref target="verifier"/>). For example, a record claiming WL3 at an execution-ownership boundary with no <spanx style="verb">execution</spanx> block is downgraded to WL2 when <spanx style="verb">input.arguments_hash</spanx> is present, and to WL0 when it is not.</t>

<t>When neither artifact is present, the floor is at most the boundary's base
execution level (<xref target="honesty-boundary"/>), provided the corresponding
conditional-required fields (<xref target="fields-conditional"/>) are present: WL1 for an intent or approval boundary, WL2 for an
invocation boundary, and WL3 for an execution-ownership boundary (<spanx style="verb">host-hook</spanx>,
<spanx style="verb">kernel</spanx>, <spanx style="verb">tool-runtime</spanx>, <spanx style="verb">tee</spanx>). For example, a <spanx style="verb">tee</spanx> record claiming WL5, whose
independent-verification artifact is absent or unbound and which carries
no provenance artifact, is downgraded to WL3: the
attestation grounds execution ownership (WL3) but, absent a bound
independent-verification artifact, does not support WL5. A level downgraded in
this way propagates through composition under the non-inflation rule
(<xref target="verifier-composition"/>): a chain is never assigned a level higher than the
lowest its segments support.</t>

</section>
</section>
<section anchor="verifier-failure"><name>Safe failure</name>

<t>Unknown fields or extensions marked <spanx style="verb">critical: true</spanx> MUST fail closed, with error <spanx style="verb">E_UNKNOWN_CRITICAL_EXTENSION</spanx>. Unknown non-critical extensions MAY be ignored. A verifier MUST NOT accept unknown critical content partially, heuristically, or as non-critical content.</t>

</section>
</section>
<section anchor="implstatus"><name>Implementation Status</name>

<t>This section records the implementation status of WEXP, in the spirit of <xref target="RFC7942"/>. It is informational and is to be removed before publication as an RFC.</t>

<t>The reference implementation of WEXP is being developed by WitSeal: a witnessed-execution runtime implemented in TypeScript. The runtime today produces signed, hash-chained execution receipts in its v0.2 lineage format (policy-decision capture, approval state, artifact and result digests); these receipts are a compatibility lineage, not WEXP Core Records. A WEXP-conformant Core Record emitter and an offline verifier implementing the ladder of <xref target="verifier"/> are the next implementation milestone, tracked against this document.</t>

<t>A prospective design-partner deployment is evaluating WEXP across the WL0-WL3 boundaries. Implementation status is informational and does not affect the specification's standing.</t>

</section>
<section anchor="security"><name>Security Considerations</name>

<t>WEXP grades the <em>strength</em> of evidence about execution. It does not certify the correctness, safety, or alignment of the action. Implementers and relying parties MUST NOT treat a WEXP record as more than an execution-evidence claim at its stated level. In particular:</t>

<t><list style="symbols">
  <t><strong>Provenance is not runtime.</strong> A provenance artifact establishes origin/build, not that a specific runtime action occurred. Conflating the two is the error <spanx style="verb">E_PROVENANCE_RUNTIME_CONFUSION</spanx>; this code belongs to the policy layer -- it names a relying-party interpretation error, is not emitted by the Core verifier ladder, and its registered default handling is <spanx style="verb">policy</spanx>.</t>
  <t><strong>Attestation is not semantic correctness.</strong> Remote attestation can establish environment identity/integrity, not that the executed action was correct.</t>
  <t><strong>A hash is not payload truth.</strong> A hash-only payload proves integrity of a referenced object, not the truth of its contents.</t>
  <t><strong>Boundary assertion.</strong> As stated in <xref target="honesty-evidence"/>, a record does not prove that the declared boundary matches the actual execution environment; this is grounded externally (CC3+/attestation), not by the record.</t>
</list></t>

<t>These non-claims are normative limits on interpretation, not optional caveats.</t>

<t>Consistent with <xref target="AUDIT-ARCH"/>, WEXP does not address an adversarial executor that refuses to produce a record at its boundary, operator collusion across all roles, or model alignment. Under WEXP these do not yield a positive claim: missing or unobtainable evidence produces a downgraded or rejected verdict, never an inflated one. A transparency-log receipt establishes existence and content at registration, not the truth of the underlying claim; a self-asserted record does not establish that user intent was satisfied; a complete trace does not establish that authorization was valid. In particular, a transparency receipt alone does not constitute the independent-verification artifact required for WL5: a transparency log MAY carry or timestamp such an artifact, but WL5 requires an independent verification of the execution-evidence claim itself (<xref target="honesty-boundary"/>). WEXP forbids these inferences (non-inflation).</t>

<t>Independent custody of a record (for example, third-party countersigning or transparency-log registration) and independent observation of an executed effect (for example, attestation by a receiving counterparty) strengthen evidence in different ways: the former makes the record's custody independent while its content remains as originated; the latter corroborates the observed effect itself. Both are graded, like all other evidence, under the honesty invariants above and never inflate a claim.</t>

<t>A note on privacy and selective disclosure. WEXP references execution content by hash: <spanx style="verb">input.arguments_hash</spanx> and result commitments pin claims to specific payloads without storing them (the Minimal Evidence floor). Verification of integrity and claim strength therefore proceeds on hashes and record structure alone, and deployments may keep content fields opaque across administrative or domain boundaries. Profiles may add selective-disclosure mechanisms; Core neither requires nor precludes them. Hashes and digests are integrity commitments, not confidentiality mechanisms; low-entropy or guessable payloads may be vulnerable to dictionary or correlation attacks. Privacy-sensitive profiles SHOULD use salted commitments, keyed commitments, encryption, or selective disclosure.</t>

<t>A note on algorithm migration and long-lived evidence. The signature algorithm lies on the authenticity axis (Conformance Class), not the witnessability axis: a stronger algorithm does not raise WL, and non-inflation holds. The relevant quantum-era threat to signed records is not retrospective decryption but future forgery: records signed with a classical algorithm remain verifiable, but once that algorithm is broken an adversary can forge new records, including backdated ones. Durable evidentiary force therefore comes from contemporaneous anchoring -- a transparency registration or an independent countersignature fixed while the algorithm is unbroken (see the custody discussion above) -- and from algorithm migration via <spanx style="verb">seal.alg</spanx> and profiles, not from any single algorithm choice made today.</t>

</section>
<section anchor="iana"><name>IANA Considerations</name>

<t>This document defines registries for WEXP boundary types, error codes, and WEXP profiles. This revision specifies the WEXP Boundary Types registry and seeds the WEXP Error Codes registry; the WEXP Profiles registry is reserved here and specified in a subsequent revision. This document does not request a Conformance Classes registry: the classes CC0-CC5 are defined by this document (<xref target="cc-scale"/>). All registries in this section use the Specification Required <xref target="RFC8126"/> registration policy.</t>

<section anchor="iana-boundary-types"><name>WEXP Boundary Types</name>

<t>IANA is requested to create the WEXP Boundary Types registry. Each entry has a Boundary Type identifier, an Execution Level (the base execution-evidence level the boundary grounds, used as <spanx style="verb">base_execution_level(boundary_type)</spanx> in the Boundary Ceiling invariant of <xref target="honesty-boundary"/>), and a description of the control surface the boundary observes. The Execution Level is a base level, not a grant of the maximum claim: WL4 and WL5 are reached only by adding a bound top-level provenance or independent-verification artifact (<xref target="honesty-boundary"/>, <xref target="honesty-wl4"/>). The registry is initialized with the following values:</t>

<texttable>
      <ttcol align='left'>Boundary Type</ttcol>
      <ttcol align='left'>Execution Level</ttcol>
      <ttcol align='left'>Description</ttcol>
      <c>manual-approval</c>
      <c>WL1</c>
      <c>Recorded human approval, captured out of band; witnesses intent or authorization, not invocation or execution.</c>
      <c>proxy</c>
      <c>WL2</c>
      <c>Interposed invocation mediator (e.g. API or tool proxy); witnesses that a call crossed the boundary, not execution outcome.</c>
      <c>workflow</c>
      <c>WL2</c>
      <c>Workflow or orchestration engine recording step transitions; witnesses invocation and ordering, not in-process execution. Activity-owned execution should use host-hook or tool-runtime as appropriate.</c>
      <c>host-hook</c>
      <c>WL3</c>
      <c>In-host instrumentation (runtime, ABI, or syscall hook); witnesses execution start, outcome, and result commitment. A bound provenance artifact lifts to WL4; a bound independent-verification artifact lifts to WL5.</c>
      <c>kernel</c>
      <c>WL3</c>
      <c>Kernel-level mediation at the OS boundary; witnesses execution. A bound provenance artifact lifts to WL4; a bound independent-verification artifact lifts to WL5.</c>
      <c>tool-runtime</c>
      <c>WL3</c>
      <c>Tool or agent runtime performing the action in process; records execution directly. A bound provenance artifact lifts to WL4; a bound independent-verification artifact lifts to WL5.</c>
      <c>tee</c>
      <c>WL3</c>
      <c>Trusted execution environment owning execution; grounds WL3. Its attestation MAY contribute to a bound independent-verification artifact lifting to WL5 (and a bound provenance artifact lifts to WL4) when profile-defined, independently appraised, present, and bound.</c>
</texttable>

<t>The Execution Level is the base level a boundary grounds, not a grant of the maximum claim. By <xref target="fields-conditional"/> and <xref target="honesty-evidence"/>, a WL4 claim still requires a bound provenance artifact and a WL5 claim a bound independent-verification artifact, each carried as top-level evidence. WL4 and WL5 are therefore reachable at any execution-ownership boundary (<spanx style="verb">host-hook</spanx>, <spanx style="verb">kernel</spanx>, <spanx style="verb">tool-runtime</spanx>, <spanx style="verb">tee</spanx>) when the corresponding artifact is present and bound; a <spanx style="verb">tee</spanx> attestation is one source of the WL5 independent-verification artifact, not a privileged path. Where the required artifact is absent or not bound to the record, a verifier downgrades or rejects the record (<xref target="verifier"/>, <xref target="honesty-evidence"/>) rather than honoring a nominal level. A boundary label by itself never raises the claimable level above the base execution level.</t>

</section>
<section anchor="iana-error-codes"><name>WEXP Error Codes</name>

<t>IANA is requested to create the WEXP Error Codes registry, with the Specification Required <xref target="RFC8126"/> policy. Each entry has an error-code token, a default handling disposition (reject, downgrade, or policy), and a reference to its defining specification. The default handling indicates how a conforming verifier treats the condition absent an overriding profile or policy (<xref target="verifier-result"/>). This revision registers the error codes used normatively in this document:</t>

<texttable>
      <ttcol align='left'>Error Code</ttcol>
      <ttcol align='left'>Default handling</ttcol>
      <ttcol align='left'>Reference</ttcol>
      <c>E_INVALID_SCHEMA</c>
      <c>reject</c>
      <c><xref target="verifier-result"/> (this document)</c>
      <c>E_CANONICALIZATION_FAILED</c>
      <c>reject</c>
      <c><xref target="verifier-result"/> (this document)</c>
      <c>E_UNSUPPORTED_ALGORITHM</c>
      <c>reject</c>
      <c><xref target="verifier-result"/> (this document)</c>
      <c>E_INVALID_SIGNATURE</c>
      <c>reject</c>
      <c><xref target="verifier-result"/> (this document)</c>
      <c>E_KEY_BINDING_FAILED</c>
      <c>reject</c>
      <c><xref target="verifier-result"/> (this document)</c>
      <c>E_TIMESTAMP_INVALID</c>
      <c>reject</c>
      <c><xref target="verifier-result"/> (this document)</c>
      <c>E_UNKNOWN_BOUNDARY_TYPE</c>
      <c>reject</c>
      <c><xref target="iana-boundary-types"/> (this document)</c>
      <c>E_MISSING_CAPABILITIES</c>
      <c>downgrade</c>
      <c><xref target="cc-maxcap"/> (this document)</c>
      <c>E_CAPABILITY_BELOW_CLAIM</c>
      <c>downgrade</c>
      <c><xref target="cc-maxcap"/> (this document)</c>
      <c>E_BOUNDARY_CEILING_EXCEEDED</c>
      <c>downgrade</c>
      <c><xref target="honesty-boundary"/> (this document)</c>
      <c>E_MISSING_REQUIRED_EVIDENCE</c>
      <c>downgrade</c>
      <c><xref target="verifier-downgrade"/> (this document)</c>
      <c>E_EVIDENCE_NOT_BOUND</c>
      <c>downgrade</c>
      <c><xref target="honesty-evidence"/> (this document)</c>
      <c>E_RECORDER_CEILING_EXCEEDED</c>
      <c>downgrade</c>
      <c><xref target="honesty-recorder"/> (this document)</c>
      <c>E_CHAIN_INFLATION</c>
      <c>downgrade</c>
      <c><xref target="verifier-composition"/> (this document)</c>
      <c>E_UNKNOWN_CRITICAL_EXTENSION</c>
      <c>reject</c>
      <c><xref target="verifier-failure"/> (this document)</c>
      <c>E_PROVENANCE_RUNTIME_CONFUSION</c>
      <c>policy</c>
      <c><xref target="security"/> (this document)</c>
</texttable>

</section>
<section anchor="iana-reserved"><name>WEXP Profiles (reserved)</name>

<t>The WEXP Profiles registry is reserved by this document and will be specified in a subsequent revision under the Specification Required <xref target="RFC8126"/> policy. The Conformance Classes CC0-CC5 are defined normatively in <xref target="cc-scale"/>; this document does not request an IANA registry for them. No values are registered here.</t>

<t>Unknown registered values MUST be handled deterministically. Profiles MUST NOT introduce unregistered boundary types without a corresponding registry update.</t>

</section>
</section>


  </middle>

  <back>


<references title='References' anchor="sec-combined-references">

    <references title='Normative References' anchor="sec-normative-references">



<reference anchor="RFC2119">
  <front>
    <title>Key words for use in RFCs to Indicate Requirement Levels</title>
    <author fullname="S. Bradner" initials="S." surname="Bradner"/>
    <date month="March" year="1997"/>
    <abstract>
      <t>In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="2119"/>
  <seriesInfo name="DOI" value="10.17487/RFC2119"/>
</reference>
<reference anchor="RFC8174">
  <front>
    <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <date month="May" year="2017"/>
    <abstract>
      <t>RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="14"/>
  <seriesInfo name="RFC" value="8174"/>
  <seriesInfo name="DOI" value="10.17487/RFC8174"/>
</reference>
<reference anchor="RFC8785">
  <front>
    <title>JSON Canonicalization Scheme (JCS)</title>
    <author fullname="A. Rundgren" initials="A." surname="Rundgren"/>
    <author fullname="B. Jordan" initials="B." surname="Jordan"/>
    <author fullname="S. Erdtman" initials="S." surname="Erdtman"/>
    <date month="June" year="2020"/>
    <abstract>
      <t>Cryptographic operations like hashing and signing need the data to be expressed in an invariant format so that the operations are reliably repeatable. One way to address this is to create a canonical representation of the data. Canonicalization also permits data to be exchanged in its original form on the "wire" while cryptographic operations performed on the canonicalized counterpart of the data in the producer and consumer endpoints generate consistent results.</t>
      <t>This document describes the JSON Canonicalization Scheme (JCS). This specification defines how to create a canonical representation of JSON data by building on the strict serialization methods for JSON primitives defined by ECMAScript, constraining JSON data to the Internet JSON (I-JSON) subset, and by using deterministic property sorting.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8785"/>
  <seriesInfo name="DOI" value="10.17487/RFC8785"/>
</reference>
<reference anchor="RFC8032">
  <front>
    <title>Edwards-Curve Digital Signature Algorithm (EdDSA)</title>
    <author fullname="S. Josefsson" initials="S." surname="Josefsson"/>
    <author fullname="I. Liusvaara" initials="I." surname="Liusvaara"/>
    <date month="January" year="2017"/>
    <abstract>
      <t>This document describes elliptic curve signature scheme Edwards-curve Digital Signature Algorithm (EdDSA). The algorithm is instantiated with recommended parameters for the edwards25519 and edwards448 curves. An example implementation and test vectors are provided.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8032"/>
  <seriesInfo name="DOI" value="10.17487/RFC8032"/>
</reference>
<reference anchor="RFC8126">
  <front>
    <title>Guidelines for Writing an IANA Considerations Section in RFCs</title>
    <author fullname="M. Cotton" initials="M." surname="Cotton"/>
    <author fullname="B. Leiba" initials="B." surname="Leiba"/>
    <author fullname="T. Narten" initials="T." surname="Narten"/>
    <date month="June" year="2017"/>
    <abstract>
      <t>Many protocols make use of points of extensibility that use constants to identify various protocol parameters. To ensure that the values in these fields do not have conflicting uses and to promote interoperability, their allocations are often coordinated by a central record keeper. For IETF protocols, that role is filled by the Internet Assigned Numbers Authority (IANA).</t>
      <t>To make assignments in a given registry prudently, guidance describing the conditions under which new values should be assigned, as well as when and how modifications to existing values can be made, is needed. This document defines a framework for the documentation of these guidelines by specification authors, in order to assure that the provided guidance for the IANA Considerations is clear and addresses the various issues that are likely in the operation of a registry.</t>
      <t>This is the third edition of this document; it obsoletes RFC 5226.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="26"/>
  <seriesInfo name="RFC" value="8126"/>
  <seriesInfo name="DOI" value="10.17487/RFC8126"/>
</reference>
<reference anchor="RFC8610">
  <front>
    <title>Concise Data Definition Language (CDDL): A Notational Convention to Express Concise Binary Object Representation (CBOR) and JSON Data Structures</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="C. Vigano" initials="C." surname="Vigano"/>
    <author fullname="C. Bormann" initials="C." surname="Bormann"/>
    <date month="June" year="2019"/>
    <abstract>
      <t>This document proposes a notational convention to express Concise Binary Object Representation (CBOR) data structures (RFC 7049). Its main goal is to provide an easy and unambiguous way to express structures for protocol messages and data formats that use CBOR or JSON.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="8610"/>
  <seriesInfo name="DOI" value="10.17487/RFC8610"/>
</reference>



    </references>

    <references title='Informative References' anchor="sec-informative-references">

<reference anchor="WITNESSABILITY" target="https://ssrn.com/abstract=6994720">
  <front>
    <title>Toward a Witnessability Model for AI and Software Execution Systems: A Boundary-Based Framework for Classifying Execution Evidence</title>
    <author initials="M. A." surname="Sergeev" fullname="Mikhail Anatolievich Sergeev">
      <organization></organization>
    </author>
    <author initials="V." surname="Ikher" fullname="Vladimir Ikher">
      <organization></organization>
    </author>
    <date year="2026"/>
  </front>
  <seriesInfo name="SSRN" value="Abstract 6994720"/>
<annotation>Deposited with SSRN; public posting pending at the time of this draft.</annotation></reference>


<reference anchor="RFC9334">
  <front>
    <title>Remote ATtestation procedureS (RATS) Architecture</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="D. Thaler" initials="D." surname="Thaler"/>
    <author fullname="M. Richardson" initials="M." surname="Richardson"/>
    <author fullname="N. Smith" initials="N." surname="Smith"/>
    <author fullname="W. Pan" initials="W." surname="Pan"/>
    <date month="January" year="2023"/>
    <abstract>
      <t>In network protocol exchanges, it is often useful for one end of a communication to know whether the other end is in an intended operating state. This document provides an architectural overview of the entities involved that make such tests possible through the process of generating, conveying, and evaluating evidentiary Claims. It provides a model that is neutral toward processor architectures, the content of Claims, and protocols.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9334"/>
  <seriesInfo name="DOI" value="10.17487/RFC9334"/>
</reference>

<reference anchor="AUDIT-ARCH" >
  <front>
    <title>An Architecture for Auditing AI Agent Delegation and Interactions</title>
    <author initials="M." surname="Kuehlewind" fullname="M. Kuehlewind">
      <organization></organization>
    </author>
    <author initials="H." surname="Birkholz" fullname="H. Birkholz">
      <organization></organization>
    </author>
    <date year="2026" month="May"/>
  </front>
  <seriesInfo name="Internet-Draft" value="draft-kuehlewind-audit-architecture-00"/>
</reference>


<reference anchor="SCITT">
  <front>
    <title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
    <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
    <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
    <author fullname="C. Fournet" initials="C." surname="Fournet"/>
    <author fullname="Y. Deshpande" initials="Y." surname="Deshpande"/>
    <author fullname="S. Lasker" initials="S." surname="Lasker"/>
    <date month="June" year="2026"/>
    <abstract>
      <t>Traceability in supply chains is a growing security concern. While Verifiable Data Structures (VDSs) have addressed specific issues, such as equivocation over digital certificates, they lack a universal architecture for all supply chains. This document defines such an architecture for single-issuer signed statement transparency. It ensures extensibility and interoperability between different transparency services as well as compliance with various auditing procedures and regulatory requirements.</t>
    </abstract>
  </front>
  <seriesInfo name="RFC" value="9943"/>
  <seriesInfo name="DOI" value="10.17487/RFC9943"/>
</reference>

<reference anchor="WIMSE" >
  <front>
    <title>WIMSE Workload Credentials</title>
    <author >
      <organization></organization>
    </author>
    <date year="2026" month="July"/>
  </front>
  <seriesInfo name="Internet-Draft" value="draft-ietf-wimse-workload-creds-02"/>
</reference>



<reference anchor="ACTA-RECEIPTS">
   <front>
      <title>Signed Decision Receipts for Machine-to-Machine Access Control</title>
      <author fullname="Tom Farley" initials="T." surname="Farley">
         <organization>ScopeBlind (Veritas Acta)</organization>
      </author>
      <date day="28" month="June" year="2026"/>
      <abstract>
    <t>   This document defines a portable, cryptographically signed receipt
   format for recording machine-to-machine access control decisions.
   Each receipt captures the identity of the decision maker, the tool or
   resource being accessed, the policy evaluation result, and a
   timestamp — all signed with Ed25519 [RFC8032] and serialized using
   deterministic JSON canonicalization [RFC8785].

   The format is designed for environments where AI agents invoke tools
   on behalf of human operators, particularly the Model Context Protocol
   (MCP) ecosystem.  Receipts are independently verifiable without
   contacting the issuer, enabling offline audit, regulatory compliance,
   and cross-organizational trust federation.

    </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-farley-acta-signed-receipts-02"/>
   
</reference>

<reference anchor="ASQAV-COMPLIANCE">
   <front>
      <title>Compliance Profile of Signed Action Receipts for AI Agents</title>
      <author fullname="João André Gomes Marques" initials="J. A. G." surname="Marques">
         <organization>Asqav</organization>
      </author>
      <date day="1" month="July" year="2026"/>
      <abstract>
    <t>   This document defines a multi-jurisdiction compliance profile of the
   signed action receipt format used by AI agents to record machine-
   readable evidence of access-control decisions.  The profile binds
   receipt fields to two regulatory surfaces: on the European Union
   side, Articles 12 and 26 of the EU AI Act (Regulation (EU) 2024/1689)
   and Article 17 of DORA (Regulation (EU) 2022/2554); on the United
   States side, the NIST AI Risk Management Framework, the Colorado AI
   Act, the Texas Responsible AI Governance Act, the New York Department
   of Financial Services Cybersecurity Regulation (23 NYCRR Part 500),
   the HIPAA Security Rule, SEC Rule 17a-4, and the Cyber Incident
   Reporting for Critical Infrastructure Act of 2022 (CIRCIA).  Working
   entirely within the existing wire format, canonicalization
   transformation, and signing algorithms of the underlying receipt
   format, the profile tightens a subset of the OPTIONAL fields to
   REQUIRED, imposes a retention floor, and requires at least one
   timestamping anchor (RFC 3161 or OpenTimestamps).  It registers
   OPTIONAL extension fields for risk and incident classification,
   cross-agent envelope binding, per-action freshness and integrity,
   build provenance, threat-framework taxonomy, server-built enforcement
   attestation, producer-asserted risk acceptance, and producer-asserted
   code authorship, each subject to false-attestation guards where
   applicable, and registers receipt type namespaces for passive-
   telemetry, result-bound observation, risk-acceptance, and code-
   authorship receipts.  The full field set and its normative
   requirements are defined in the body of this document.

    </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-marques-asqav-compliance-receipts-06"/>
   
</reference>

<reference anchor="AGENT-AUDIT-TRAIL" >
  <front>
    <title>Agent Audit Trail: A Standard Logging Format for Autonomous AI Systems</title>
    <author initials="R." surname="Sharif" fullname="R. Sharif">
      <organization></organization>
    </author>
    <date year="2026" month="March"/>
  </front>
  <seriesInfo name="Internet-Draft" value="draft-sharif-agent-audit-trail-00"/>
</reference>



<reference anchor="VERIFICATION-STATE">
   <front>
      <title>The verification.* Constraint Family: Pre-Action Fail-Closed Gates for AI Agent Decisions</title>
      <author fullname="Joe Krausz" initials="J." surname="Krausz">
         <organization>TK Collective</organization>
      </author>
      <date day="12" month="June" year="2026"/>
      <abstract>
    <t>   This document specifies the verification.* constraint family --- a
   pre-action, fail-closed gate primitive for AI agent decisions,
   sibling in shape to the environment.* family used in Verifiable
   Intent specifications.  A verification.* receipt is a JWS-signed
   artifact ([RFC7515]) carrying a canonical input, a derived binary
   act/halt output, and a versioned mapping identifier that binds them.
   A relying party recomputes the gate locally from signed primitives
   under the named mapping; the verifier never trusts the issuer&#x27;s
   runtime.  This shape provides decision explainability and
   traceability evidence aligned with EU AI Act Article 12 record-
   keeping obligations and with the Decision Explainability tier of
   Anthropic&#x27;s Zero Trust for AI Agents framework [ANTHROPIC-ZT].  The
   format is forward-compatible across mapping revisions: receipts
   signed under one mapping ID remain verifiable as correct-under-that-
   mapping after newer mappings ship.

    </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-krausz-verification-state-01"/>
   
</reference>

<reference anchor="VAP-LAP" >
  <front>
    <title>Verifiable AI Provenance (VAP) Framework and Legal AI Profile (LAP)</title>
    <author initials="A." surname="Yamakawa" fullname="A. Yamakawa">
      <organization></organization>
    </author>
    <date year="2026" month="March"/>
  </front>
  <seriesInfo name="Internet-Draft" value="draft-ailex-vap-legal-ai-provenance-03"/>
</reference>



<reference anchor="VAC">
   <front>
      <title>Verifiable Agent Conversation Records</title>
      <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
         </author>
      <author fullname="Tobias Heldt" initials="T." surname="Heldt">
         </author>
      <author fullname="Orie Steele" initials="O." surname="Steele">
         </author>
      <date day="25" month="February" year="2026"/>
      <abstract>
    <t>   Autonomous agents based on large language models increasingly perform
   consequential tasks on behalf of humans and other agents.
   Demonstrating that recorded agent behavior truthfully represents
   actual behavior is essential for accountability, compliance, and
   human oversight.  This document defines a data format for verifiable
   agent conversation records using CDDL, with representations in both
   JSON and CBOR.  The format captures session metadata, message
   exchanges, tool invocations, reasoning traces, and system events in a
   structured, extensible CDDL definition for verifiable agent
   conversation records.  COSE is used as the signing method to allow
   for native interoperability in SCITT Transparency Services and the
   CDDL definition allows for seemless integration in Evidence as
   specified in RFC 9334.  The specification supports cross-vendor
   interoperability by defining a common representation that
   accommodates translation from multiple existing agent implementations
   with distinct data structure layouts that are typically represented
   in JSON.

    </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-birkholz-verifiable-agent-conversations-00"/>
   
</reference>

<reference anchor="POB">
   <front>
      <title>Proof-of-Behavior Protocol for Autonomous AI Agents</title>
      <author fullname="Jakub Dembowski" initials="J." surname="Dembowski">
         </author>
      <date day="20" month="April" year="2026"/>
      <abstract>
    <t>   Autonomous AI agents execute actions — file writes, API calls, shell
   commands — on behalf of human principals.  No standard mechanism
   exists for a third party to verify that an agent acted within its
   declared behavioral rules, that policy enforcement occurred before
   execution (not after), or that the action log has not been tampered
   with after the fact.

   This document defines the Proof-of-Behavior (PoB) protocol: a
   minimal, language-agnostic standard for tamper-evident audit trails
   and pre-execution policy enforcement in AI agent systems.  The
   protocol specifies a signed receipt format, a hash-chain linking
   scheme, a policy gate contract, and a cross-agent reference
   mechanism.

    </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-dembowski-agentledger-proof-of-behavior-00"/>
   
</reference>

<reference anchor="DRP">
   <front>
      <title>Delegation Receipt Protocol for AI Agent Authorization</title>
      <author fullname="Ryan Nelson" initials="R." surname="Nelson">
         <organization>Authproof</organization>
      </author>
      <date day="13" month="June" year="2026"/>
      <abstract>
    <t>   This document defines the Delegation Receipt Protocol (DRP), a
   cryptographic authorization primitive for AI agent deployments.
   Before any agent action executes, the authorizing user signs an
   Authorization Object containing scope boundaries, time window,
   operator instruction hash, and model state commitment.  This signed
   receipt is published to an append-only log before the agent runtime
   receives control.  The protocol reduces reliance on the operator as a
   trusted intermediary by making the user&#x27;s private key the sole
   signing authority over the delegation record.

    </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-nelson-agent-delegation-receipts-10"/>
   
</reference>

<reference anchor="AR4SI">
   <front>
      <title>Attestation Results for Secure Interactions</title>
      <author fullname="Eric Voit" initials="E." surname="Voit">
         <organization>Cisco Systems</organization>
      </author>
      <author fullname="Henk Birkholz" initials="H." surname="Birkholz">
         <organization>Fraunhofer SIT</organization>
      </author>
      <author fullname="Thomas Hardjono" initials="T." surname="Hardjono">
         <organization>MIT</organization>
      </author>
      <author fullname="Thomas Fossati" initials="T." surname="Fossati">
         <organization>Linaro</organization>
      </author>
      <author fullname="Vincent Scarlata" initials="V." surname="Scarlata">
         <organization>Intel</organization>
      </author>
      <date day="18" month="May" year="2026"/>
      <abstract>
    <t>   This document defines reusable Attestation Result information
   elements.  When these elements are offered to Relying Parties as
   Evidence, different aspects of Attester trustworthiness can be
   evaluated.  Additionally, where the Relying Party is interfacing with
   a heterogeneous mix of Attesting Environment and Verifier types,
   consistent policies can be applied to subsequent information exchange
   between each Attester and the Relying Party.

   This document also defines two serialisations of the proposed
   information model, utilising CBOR and JSON.

    </t>
      </abstract>
   </front>
   <seriesInfo name="Internet-Draft" value="draft-ietf-rats-ar4si-10"/>
   
</reference>

<reference anchor="SLSA" target="https://slsa.dev">
  <front>
    <title>Supply-chain Levels for Software Artifacts (SLSA)</title>
    <author >
      <organization></organization>
    </author>
    
  </front>
</reference>


<reference anchor="RFC7696">
  <front>
    <title>Guidelines for Cryptographic Algorithm Agility and Selecting Mandatory-to-Implement Algorithms</title>
    <author fullname="R. Housley" initials="R." surname="Housley"/>
    <date month="November" year="2015"/>
    <abstract>
      <t>Many IETF protocols use cryptographic algorithms to provide confidentiality, integrity, authentication, or digital signature. Communicating peers must support a common set of cryptographic algorithms for these mechanisms to work properly. This memo provides guidelines to ensure that protocols have the ability to migrate from one mandatory-to-implement algorithm suite to another over time.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="201"/>
  <seriesInfo name="RFC" value="7696"/>
  <seriesInfo name="DOI" value="10.17487/RFC7696"/>
</reference>
<reference anchor="RFC7942">
  <front>
    <title>Improving Awareness of Running Code: The Implementation Status Section</title>
    <author fullname="Y. Sheffer" initials="Y." surname="Sheffer"/>
    <author fullname="A. Farrel" initials="A." surname="Farrel"/>
    <date month="July" year="2016"/>
    <abstract>
      <t>This document describes a simple process that allows authors of Internet-Drafts to record the status of known implementations by including an Implementation Status section. This will allow reviewers and working groups to assign due consideration to documents that have the benefit of running code, which may serve as evidence of valuable experimentation and feedback that have made the implemented protocols more mature.</t>
      <t>This process is not mandatory. Authors of Internet-Drafts are encouraged to consider using the process for their documents, and working groups are invited to think about applying the process to all of their protocol specifications. This document obsoletes RFC 6982, advancing it to a Best Current Practice.</t>
    </abstract>
  </front>
  <seriesInfo name="BCP" value="205"/>
  <seriesInfo name="RFC" value="7942"/>
  <seriesInfo name="DOI" value="10.17487/RFC7942"/>
</reference>



    </references>

</references>


<?line 683?>

<section anchor="appendix-scitt"><name>SCITT Mapping (WL4-WL5)</name>

<t>This appendix is informative. WEXP is complementary to supply-chain transparency efforts. It maps WEXP WL4-WL5 evidence to SCITT <xref target="SCITT"/> vocabulary, so that a WEXP provenance artifact (WL4) and an independent-verification path (WL5) can be expressed against, or cross-checked with, a SCITT transparency service. WEXP remains a meta-layer over such services: it classifies what their receipts can honestly claim, rather than competing with them. Detailed field-level mapping will be provided in a subsequent revision.</t>

</section>
<section anchor="appendix-audit"><name>Mapping to the AI Agent Audit Architecture</name>

<t>This appendix is informative. WEXP relates to the proposed work items of <xref target="AUDIT-ARCH"/> in two distinct modes. At the contribution points WEXP supplies semantics the architecture does not define; at the composition points WEXP consumes an existing substrate without adding core semantics. WEXP does not redefine identity, attestation, transparency, or context-propagation substrates.</t>

<section anchor="appendix-audit-contribution"><name>Contribution points (WEXP supplies what the data models do not define)</name>

<t>WI-1 (Audit Data Models and Semantics): WEXP contributes the evidential-status semantics absent from the record structure -- the boundary-derived claim ceiling (verified_level &lt;= attainable(boundary_type, claimed_level, evidence)), the verifier verdict of accept, reject, or downgrade, non-inflation under composition, and fail-closed handling of unknown-critical content. WEXP is a semantic layer for WI-1, not a competing data model.</t>

<t>WI-4 (Action Record Profile): WEXP contributes a claimed_level bound to the boundary_type at which the action took effect, so that an Action Record produced "at the boundary" cannot claim more than that boundary can honestly witness. Placement (WI-4's concern) and claim strength (WEXP's contribution) are distinct.</t>

</section>
<section anchor="appendix-audit-composition"><name>Composition points (WEXP consumes an existing substrate; no core semantics added)</name>

<t>WI-6 (Profile of RATS Evidence): WEXP consumes RATS <xref target="RFC9334"/> Evidence and Attestation Results as environmental evidence inputs. RATS is not required by WEXP Core; profiles MAY use attestation evidence to ground a higher published Conformance Class, which Core still resolves only through <spanx style="verb">capabilities_ref</spanx> (<xref target="cc-maxcap"/>). WEXP adds no attestation semantics of its own here.</t>

<t>WI-7 (Profile of SCITT Transparency): WEXP treats a SCITT <xref target="SCITT"/> receipt as custody/existence evidence -- it establishes existence and content at registration, not the truth of the underlying claim. A WEXP record MAY be carried as a SCITT-registered payload or a receipt-bound artifact. WEXP defines no transparency service.</t>

<t>WI-11 (Audit Context Propagation): WEXP uses audit trace, parent, and delegation-chain references as context bindings only. Correlation is not proof of authorization; WEXP does not treat propagated context as a positive claim.</t>

</section>
<section anchor="appendix-audit-mapping"><name>Record/role mapping</name>

<texttable>
      <ttcol align='left'>AUDIT Architecture record/role</ttcol>
      <ttcol align='left'>WEXP role</ttcol>
      <ttcol align='left'>Mode</ttcol>
      <c>Interaction Record</c>
      <c>evidence input (interaction-scoped)</c>
      <c>input</c>
      <c>Action Record (boundary of effect)</c>
      <c>boundary-observation evidence; boundary sets ceiling</c>
      <c>contribution (WI-4)</c>
      <c>Delegation Record</c>
      <c>authority-chain evidence (correlation, not proof)</c>
      <c>input</c>
      <c>Authorization Transition Record</c>
      <c>temporal-authorization evidence</c>
      <c>input</c>
      <c>Audit Context (trace/parent/OBO)</c>
      <c>context binding -- correlation, not proof</c>
      <c>composition (WI-11)</c>
      <c>RATS Evidence / Attestation Result</c>
      <c>environmental evidence input (not required by Core)</c>
      <c>composition (WI-6)</c>
      <c>SCITT Receipt</c>
      <c>custody/existence evidence (not truth-of-claim)</c>
      <c>composition (WI-7)</c>
      <c>Auditor</c>
      <c>verifier (accept / reject / downgrade)</c>
      <c>contribution (WI-1)</c>
      <c>verification result</c>
      <c>portable bounded-claim execution receipt</c>
      <c>output</c>
</texttable>

</section>
</section>
<section anchor="appendix-rationale"><name>Design Rationale (non-normative)</name>

<t>This appendix preserves internal design-record provenance for the frozen Core decisions. These records are non-normative and do not alter the requirements above.</t>

<texttable>
      <ttcol align='left'>Frozen Core rationale marker</ttcol>
      <ttcol align='left'>Non-normative rationale preserved here</ttcol>
      <c>WEXP-R-01</c>
      <c>Criticality, reversibility, operational domain, and custody are not WEXP axes. They may influence policy or profile requirements, but they are not witnessability levels.</c>
      <c>WEXP-R-02</c>
      <c>Policy is orthogonal to Witnessability Level and is profile-scoped. At WL2, <spanx style="verb">policy</spanx> and timing are optional and are not Core-required.</c>
      <c>WEXP-R-03</c>
      <c>Conformance Class is not a per-record self-claim; it is reachable only by reference, for example through <spanx style="verb">capabilities_ref</spanx>.</c>
      <c>WEXP-R-04</c>
      <c>A Core record validates standalone, without a profile.</c>
      <c>WEXP-R-05</c>
      <c>WL4 and WL5 evidence is honored only when carried as top-level evidence; it is never carried in extensions.</c>
      <c>WEXP-R-06</c>
      <c>WL2 requires <spanx style="verb">input.arguments_hash</spanx> only as invocation evidence. Policy and timing remain optional at Core level.</c>
      <c>WEXP-R-07</c>
      <c>WL1 (Intent) requires <spanx style="verb">input.arguments_hash</spanx> so the intent claim is bound to specific arguments. Without this commitment an Intent claim would be a bare, non-falsifiable self-assertion, since arguments could be substituted later against the same record; the hash pins the claimed intent without storing the raw payload (Minimal Evidence floor). At WL2 the same hash additionally serves as invocation evidence.</c>
</texttable>

</section>
<section anchor="disclosure"><name>Disclosure</name>

<t>One author, Mikhail Sergeev, has a commercial interest in execution-evidence and runtime-assurance tooling. WitSeal is the reference implementation of WEXP. This specification presents a vendor-neutral open protocol and does not describe, evaluate, or endorse any specific proprietary implementation.</t>

</section>


  </back>


</rfc>

