Wire-format binding for the AARM v1 R1–R6 requirements.
Identity protocols (OAuth, SPIFFE, DID) say who an AI agent is. Policy engines (OPA, Cedar) say whether a given action would be allowed in the abstract. Neither defines the bytes that pause a tool call mid-flight, capture an asynchronous human approval, and emit a non-repudiable receipt. This repository defines those bytes.
- Homepage: https://machineauthority.org
- Governance:
GOVERNANCE.md - Contributing:
CONTRIBUTING.md - Conformance:
CONFORMANCE.md - License: MIT
Four normative specifications, plus the JSON Schemas, examples, and conformance vectors that pin them. Each specification satisfies one or more AARM v1 requirements; the mapping is in CONFORMANCE.md.
The Decision Envelope was a sub-section of CAR in pre-v1.0 drafts; at v1.0 it was promoted to its own spec because its signing rules, decision-state grammar, and verifier exit-code contract operate independently of the CAR payload it references. Older write-ups that say "three specs" predate that promotion.
| Specification | Status | File |
|---|---|---|
| Canonical Action Representation (CAR) v1.0 | Stable | spec/car.md |
| Decision Envelope v1.0 | Stable | spec/decision-envelope.md |
| Elicitation Loop v1.0 | Stable | spec/elicitation-loop.md |
| Cryptographic Attestation of Consent (CAC) v1.0 | Stable | spec/cryptographic-attestation.md |
A typed, RFC 8785-canonicalized, NFC-normalized JSON object describing a proposed tool call: tool_name, arguments, actor.identity (SPIFFE / DID / HTTPS), delegation_chain[], context.{env,time,geo,risk_tier,organizational,accumulated,extensions}, timestamp. Hashed to car_hash for downstream binding.
A signed (JWS-EdDSA, RFC 7797 detached) statement from the AAB carrying one of the five AARM v1 §R4 decisions (ALLOW, DENY, DEFER, MODIFY, STEP_UP) or the MAP-defined REVOKE extension that aborts an in-flight ALLOW. Each decision pins the payload that makes it actionable (e.g., DEFER carries a resume_token plus the dispatcher's RFC 7638 JWK thumbprint for DPoP binding).
A push-by-default four-message protocol (DeferredActionRequest → ApprovalDecision (signed JWS) → ExecutionReceipt) that pauses execution for asynchronous human review. Resume tokens are bound to the dispatcher's key per RFC 9449 (DPoP); approval decisions are signed; CAC is embedded inside the ApprovalDecision when the verdict is APPROVE.
A signed receipt of the approver's decision over the canonical CAR. Profile-multiplexed: MAP-CAC-JWS-1 (REQUIRED, JWS-EdDSA detached) and MAP-CAC-DSSE-1 (OPTIONAL, DSSE + in-toto Statement v1 with predicateType: https://machineauthority.org/spec/cac/v1). Carries intent_alignment so auditors can detect mismatches between what the agent declared and what the approver saw.
/spec/ Specification text (Markdown, versioned).
/schema/ JSON Schemas (Draft 2020-12) for CAR, Decision Envelope, CAC, Elicitation Loop.
/examples/ Worked example payloads, CACs, Agent Identity Documents, JWKS.
/test-vectors/ Machine-verifiable conformance vectors.
vectors/canonicalize/ RFC 8785 + NFC + empty-key canonicalizer vectors.
vectors/car/ CAR producer vectors (valid + invalid).
vectors/decision/ Decision Envelope consumer vectors (valid + invalid).
vectors/elicitation-loop/ Elicitation Loop approver vectors (valid + invalid).
vectors/cac/ CAC verifier vectors (jws + dsse, valid + invalid).
/tools/ Cross-language canonicalizer.
/reference/ v1 reference implementation (Node.js): CLIs + libs + conformance runner.
The Machine Authority Protocol was initiated by Plaw, Inc. during development of Veto, a commercial action-authorization platform. The same pattern produced SPIFFE (Scytale), OpenTelemetry (Google / LightStep / Microsoft / Uber), and Sigstore (Red Hat / Google / Purdue): a single vendor seeds a draft, the working group ratifies the wire format, governance moves out from under the vendor before v1.0.
From v1.0 onward MAP is governed independently. Plaw's maintainers hold at most a plurality on the council, never a majority. The spec is MIT-licensed, so no rights revert to Plaw. Veto is a conformant implementation, not the standard itself. See GOVERNANCE.md.
Read the specifications. File issues for ambiguities, edge cases, gaps, or threat-model adversaries that current MUSTs do not defeat. Submit PRs for spec text, schemas, examples, vectors, or reference tooling. All commits require a DCO sign-off (git commit -s).
See CONTRIBUTING.md.
v1.0 is stable. Wire formats, schemas, and the conformance vector suite are locked. Breaking changes require a 12-month deprecation window per GOVERNANCE.md. Founding co-maintainer recruitment is open; organizations interested in co-maintainership of any specification can open a Discussion.
The Node.js reference implementation under /reference/ ships a self-contained verifier set (cac-verify, env-verify, loop-verify) and a conformance runner that walks every vector under /test-vectors/:
bun install
bun run reference/cli/run-conformance.jsExit code 0 means every vector validated end-to-end against the v1 schemas and signatures.