Proposal: A2A Settlement Extension (A2A-SE) — Standard Extension for Escrow-Based Agent Payments

[widrss]

Hey all,

A few days ago I posted in Show and Tell (#1570) about the Settlement Extension I've been building, and followed up in the Agent Registry thread (#741) with how settlement and registry complement each other. Got some good offline engagement on both, so I want to take the next step and formally propose A2A-SE as a standard extension.

The gap in one sentence: A2A lets agents discover, negotiate, and execute work but there's no standard way for one agent to pay another for that work.

What A2A-SE does

It adds escrow-based token settlement to the A2A task lifecycle, using the existing extension mechanism from Section 4.6. Zero changes to core protocol. The pattern is:

1. Provider declares pricing in their Agent Card under capabilities.extensions
2. Client creates escrow on the exchange before sending the task
3. Task runs through standard A2A
4. Terminal state triggers settlement — COMPLETED releases tokens to provider, FAILED/CANCELED/REJECTED refunds to client

All settlement context rides in A2A's existing metadata field under a namespaced a2a-se key.

Why I think this should be a standard extension

A few things have changed since my initial post:

It's running in production. The exchange currently has 8 active agents, has processed 864 transactions in the last 24 hours, and has moved 29,376 tokens with a 0.48 velocity. Treasury has collected 591 tokens in fees. You can verify: https://exchange.a2a-settlement.org/api/v1/stats

I've submitted a sample extension to a2a-samples. PR #442 includes the condensed spec, a Python implementation, and usage patterns — all passing CI. This shows how A2A-SE integrates with the standard extension model.

Other proposals are touching the same problem space. @mrorigo's A2A-SAGA (#1324) tackles compensating transactions for multi-step workflows. @lucamontin's x402/AP2 discussion (#1341) explores payment state machines. These are all valid approaches to different parts of the economic problem. A2A-SE specifically addresses the escrow-and-settlement layer — it's not trying to be an access gate (that's what x402 does well) or a transaction rollback protocol (A2A-SAGA territory). It handles the "hold funds, verify work, release or refund" lifecycle.

What makes A2A-SE different from custom billing

• Escrow-first trust model — neither side extends credit. Funds are locked before work starts.
• Automatic settlement from TaskState — COMPLETED → release, FAILED → refund. No custom webhook plumbing per agent pair.
• Batch escrow with dependency ordering — multi-agent pipelines create all escrows atomically with depends_on DAG references. If an upstream step fails, downstream escrows cascade-refund automatically.
• Skill-level pricing — agents can price each skill differently (per-request, per-unit, per-minute, or negotiable).
• Reputation tracking — EMA-based score updated on every settlement outcome.
• Dispute resolution — escrows can be flagged and frozen for mediation.

The ecosystem today

• Python SDK: pip install a2a-settlement
• TypeScript SDK: npm install @a2a-settlement/sdk
• Framework integrations: ADK, CrewAI, LangGraph, LiteLLM
• MCP tools server for settlement operations
• Human oversight dashboard for monitoring and dispute handling
• AI-powered mediator for automated dispute resolution
• OAuth 2.0 auth service

Everything is open source.

What I'm asking for

1. Consideration of A2A-SE as a recognized standard extension
2. Feedback on how the spec aligns with what the community expects from the extension mechanism
3. If there's a formal governance process being developed for extensions, I'd like to participate in that conversation
4. Thoughts from anyone working on related payment/economic proposals on how we can make these efforts complementary rather than competing

Spec: https://github.com/a2a-settlement/a2a-settlement/blob/main/SPEC.md
Samples PR: a2aproject/a2a-samples#442
Live exchange: https://exchange.a2a-settlement.org/
Docs: https://docs.a2a-settlement.org/

Happy to dive into any technical details or walk through the code with anyone interested.

[darioandyoshi-tech]

This proposal maps very closely to the settlement/work lifecycle I’ve been testing in AI Work Market, so +1 on making this an A2A extension rather than a core protocol change.

One design point I’d encourage: keep the settlement object distinct from the payment rail. In practice I’m seeing two different needs:

• Payment/access rail: x402/AP2/card/etc. can authorize or transmit value.
• Work settlement object: scoped terms, buyer/seller identities, deadline/review window, proof URI/artifact hash, release/refund/dispute state, and audit trail.

For agent work, the second object matters because the output is often not a single HTTP response. It may be a PR, report, dataset, monitoring result, or other artifact that needs proof + review before release.

I’ve got a Base Sepolia testnet implementation of that lifecycle here, if useful as prior art / test fixture:

• repo: https://github.com/darioandyoshi-tech/ai-work-market
• agent start guide: https://github.com/darioandyoshi-tech/ai-work-market/blob/main/docs/agent-testnet-start-here.md
• A2A work-intent adapter notes: https://github.com/darioandyoshi-tech/ai-work-market/blob/main/docs/a2a-work-intent.md
• live demo: https://ai-work-market.vercel.app/

Status caveat: testnet-only, not audited, centralized dispute path in the MVP. I’m not proposing it as the standard — just a concrete reference loop for “offer → escrow → proof → release/refund/dispute”.

If it helps, I’d be happy to write a small A2A-SE compatibility note or example mapping AWM fields into the proposed a2a-se metadata namespace.

[msaleme]

Strong proposal — escrow-first is the only sane default for agent-to-agent payments, and binding release to TaskState is elegant.

A few security-testing angles worth considering as this scales:

Dispute resolution as denial-of-service. If any party can flag an escrow for mediation, a malicious or compromised agent can freeze provider liquidity at scale. The AI-powered mediator is interesting, but mediators themselves can be gamed with ambiguous evidence or synthetic artifact disputes. We would recommend a cost-to-dispute mechanism (stake a percentage to flag) and a time-bounded fallback (auto-release after N blocks if mediator does not rule).

Reputation EMA manipulation. An agent with capital can run a ring of sock-puppet clients, build a high reputation through synthetic transactions, then cash out on a large fraudulent task. The EMA should probably weight transaction value, not just count — a provider with 1,000 small transactions and zero large ones is not the same risk profile as one with 10 large, successful settlements.

Cascade refund edge cases. In a multi-agent pipeline with depends_on, what happens when an upstream task fails after a downstream escrow has already released? The spec says cascade-refund automatically, but on-chain settlement is not always reversible. A clearer model might be: create all escrows atomically, but release them in pipeline order rather than all at terminal state.

Skill-level pricing attack surface. If agents price skills differently, a malicious provider can bait with a cheap discovery skill, then switch to an expensive execution skill mid-workflow. Clients should lock the skill/pricing binding at task creation time.

We have been testing agent payment and settlement flows for adversarial behavior and would be happy to contribute test fixtures or run a security pass on the spec.

—
Disclosure: building open-source agent security testing at https://github.com/msaleme/red-team-blue-team-agent-fabric

[eriknewton]

Strong proposal, and escrow-first is the right default. Two composition notes from the Concordia and Verascore side, both low-overhead for A2A-SE.

First: A2A-SE settlement outcomes are a clean evidence class for the reputation layer. verascore-evidence-schema-v0.1 shipped this week as a public ingest schema at https://verascore.ai/docs/evidence-schema-v0.1. Bilateral, value-weighted, terminal-state, cryptographically verifiable — that addresses @msaleme's EMA-manipulation point at the reputation layer rather than asking A2A-SE to own a reputation surface. Multi-provider corroboration and value-weighting are already in the schema; expired-attestation decay is in there too.

Second: disputed settlements are a clean fit for Concordia v0.5.1 DISPUTE_RESOLVED. RFC 8785 canonicalization plus a fulfilled_with_mediation outcome and a references[] field for cross-protocol pointers. A2A-SE keeps its sovereign mediator path; an escalated dispute can also mint a Concordia receipt as the portable artifact. Optional, not required.

Three boundaries, three protocols: A2A-SE escrow + Concordia receipt + Verascore reputation. Each works without the others. The cross-protocol URN shape that @brainspacer and @cmagorr1 are scoping on #1832 and #1737 covers the references[] glue.
On @msaleme's other points: skill-pricing bait and reputation manipulation are both reputation-layer attack surfaces. Happy to fold those into the verascore-evidence-schema work; cryptographically-verified external attestation already weights 3x and expiry decays to zero over 7 days.

Erik / Sanctuary, Concordia, Verascore

[msaleme]

@eriknewton — the three-boundary composition is the right shape. Escrow, receipt, and reputation each live at different protocol layers, and trying to collapse them into A2A-SE itself would make the spec brittle. Keeping them composable but optional is what lets the extension survive contact with real settlement disputes.

A few security observations on the composed surface, building on the EMA-manipulation point:

1. The evidence-schema boundary is where adversarial pressure migrates. Once reputation moves to a public evidence object (bilateral, terminal-state, JWS-signed), the attack surface shifts from "fake the score" to "fake the evidence provider." Multi-provider corroboration helps, but cryptographically-verified external attestation only weights highly if the provider key itself cannot be cheaply minted. A provider that controls both its DID and its attestation key collapses the corroboration model. Worth testing against ring-of-providers and provider-key-rotation patterns.

2. DISPUTE_RESOLVED as a portable artifact composes cleanly, but mediator-as-attacker remains. RFC 8785 canonicalization plus a fulfilled_with_mediation outcome is a clean primitive. The next-order question is: what makes the mediator trustworthy across protocols? An AI mediator that issues receipts inherits the trust of whichever party runs it. The mediator's evidence trail probably needs to be its own evidence class — recursive, but bounded.

3. The cross-protocol URN shape is load-bearing. If references[] is the glue between escrow, receipt, and reputation, the URN scheme has to survive cross-implementation reads. Escrow URNs that only resolve inside a specific facilitator are not portable evidence. Resolver-neutral URN form needs to land before any of these compose in practice.

On the contribution offer: the harness (red-team-blue-team-agent-fabric) covers dispute-DoS, reputation manipulation, cascade-refund edge cases, and skill-pricing bait — the adversarial vectors map directly to A2A-SE plus the receipt and reputation layers. Happy to carry that subset into the A2A WG conformance track once a working group lands.

Composition is what makes a settlement extension survive — boundaries that compose beat layers that overload.

— Saleme, Michael K. (ORCID 0009-0003-6736-1900)

[eriknewton]

@msaleme, four points back in order.

Evidence-schema attack surface migration. You're right that "fake the score" becomes "fake the evidence provider" once reputation moves to a public terminal-state object. Multi-provider corroboration only buys real signal if provider keys themselves aren't cheaply minted. Two responses on the Verascore side.

verascore-evidence-schema-v0.1 already requires JWS-signed provider keys with provider-class metadata, so a ring of cheaply-minted DIDs all running the same behavioral fingerprint can be detected at the corroboration step. The next-cut work is provider-attestation-class as a first-class field separate from the evidence object: which substrate the provider key is bound to (Sanctuary Mantle install-time substrate-binding shipped Phase 1 earlier this week as the reference shape), what key-rotation policy was in effect, what cross-issuer attestations the provider key carries. Ring detection still sits in the consumer's hands, but the schema needs to surface enough metadata to make ring detection possible.

The harder problem you're naming is provider-key-rotation: a provider that controls both its DID and its attestation key can rotate to escape consequence. The shape I want to test is forward-chained rotation attestation, where rotation transitions themselves get attested so a rotation that breaks a behavioral baseline is detectable. Not solved yet on the schema side. If your harness covers rotation-escape patterns, that's the case Verascore needs first.

DISPUTE_RESOLVED mediator-as-attacker. Agreed the mediator's evidence trail needs its own evidence class. Concordia v0.5.1's DISPUTE_RESOLVED carries fulfilled_with_mediation and the mediator's own attestation. What it doesn't carry yet is a recursive mediator-receipt structure. The bounded recursion you described is the right shape: mediator issues a receipt about the dispute, that receipt is itself an evidence object that can be challenged or corroborated by other mediators in subsequent disputes. Concordia v0.6 predicate primitive (on main, PyPI cut pending) gives the structural hook; mediator-evidence-class spec is queued for v0.7.

Cross-protocol URN portability. Load-bearing, and you named it correctly. Concordia's session-receipt references[] already takes typed URN references; the gap is on the registry side. Foxbook ADR 0009 (ratified 2026-05-08, typed-reference v1.0) is the precedent we're walking with, and a resolver-neutral URN registry that escrow + receipt + reputation can share is the right next artifact. Worth a separate thread or proposal section. Happy to draft a starting point if you want one.

Contribution offer. Yes, please. A red-team-blue-team-agent-fabric covering dispute-DoS + reputation manipulation + cascade-refund + skill-pricing-bait maps cleanly to A2A-SE plus the receipt and reputation surfaces. If we land it as a conformance track, Concordia can ship parallel fixtures for the session-receipt and predicate primitive boundaries. The operational question back to you: which WG carries it. A2A-SE specifically, or a cross-extension conformance WG covering settlement + receipt + reputation together. I'd lean toward the latter because the adversarial cases compose across boundaries; ring-of-providers and mediator-as-attacker only surface when the three layers are tested in composition.

[chopmob-cloud]

Endorsing escrow-first as the default; engaging from the payment-rail side that A2A-SE escrows would settle on.

@darioandyoshi-tech's "settlement object distinct from payment rail" split is the right one and it's what we ship in production. AlgoVoi runs the rail (x402 / MPP / AP2 across 8 mainnet chains — Algorand, VOI, Hedera, Stellar, Base, Solana, Tempo, plus ARC testnet) with the work-settlement-object as a separate primitive (checkout token + mandate-account-id). The two compose without overlap — the rail handles release_funds / refund mechanically, the object carries scoped terms / deadline / artifact provenance independently.

One concrete addition to A2A-SE: rail-level finality declaration.

A2A-SE's release-on-COMPLETED is mechanically simple, but escrow operators can't make a sane release decision without knowing the rail's finality properties. We've found three values worth declaring at the rail level in the Agent Card extension block, alongside the pricing surface:

"a2a-se": {
  "rail": "algovoi",
  "finality": {
    "mode": "onchain",
    "expected_seconds": 50,
    "max_seconds": 900,
    "chain": "base"
  },
  "refund_window_seconds": 86400
}

The CCTP V2 path on Solana hits ~50s; Allbridge EVM↔Algorand is 3–15 min; native L1 is sub-second. Without expected_seconds and max_seconds, downstream agents can't tune their timeout / retry behaviour and you get the cancel-races that @msaleme flagged on the dispute side.

On the dispute-as-DoS concern.

We've shipped a safeguarding regime under UK MLR 2017 alignment that addresses this at the rail level: per-mandate caps (£100), per-account caps (£300), max-3 active mandates per human. Bounded blast radius — a single bad actor can freeze at most £300 of provider liquidity per identity. The caps live in the Trust/authorization overlay (per @musaabhasan's three-layer model from #741), not the rail itself, so they compose with any escrow design.

Composition with the reputation layer (@eriknewton's note). A2A-SE terminal-state outcomes are exactly the PAYMENT_SETTLEMENT evidence class we just published in verascore-evidence-schema-v0.1 (#1631 + verascore.ai/docs/evidence-schema-v0.1). Bilateral, value-weighted, cryptographically verifiable. The receipt-level binding works the same whether the rail is escrow-released or directly-settled — the verdict carries mandate_hash either way.

Happy to publish a reference settlement-rail implementation against the A2A-SE Agent Card extension once #442 lands.

— AlgoVoi (chopmob-cloud)

[eriknewton]

@chopmob-cloud, three points back plus the bench composition.

Rail-level finality declaration. The expected_seconds / max_seconds split is the right shape, and putting it in the Agent Card extension block alongside refund_window_seconds keeps it discoverable at session-init time rather than buried in rail-specific docs. The example you gave (CCTP V2 ~50s on Solana, Allbridge EVM↔Algorand 3-15 min, native L1 sub-second) shows why the split matters: a downstream agent's timeout policy tunes off expected_seconds while the circuit-breaker fires off max_seconds. Without both, cancel-races on the dispute side are unbounded. Worth landing the finality declaration shape in the umbrella profile's Agent Card extension cluster alongside the procurement-side and reputation-side namespaces.

Safeguarding regime at the trust/authorization overlay. £100 per-mandate / £300 per-account / max-3 active mandates as a UK MLR 2017-aligned default is exactly the operator-facing pattern the formal A2A extension PR's appendix should name. You're correct that the caps live in the trust overlay, not the rail itself; that's why they compose with any escrow design. The three values you ship in production are concrete enough to fold into the appendix as reference safeguarding defaults; operators can override per their own jurisdictional posture.

PAYMENT_SETTLEMENT evidence class composition. Yes. A2A-SE terminal-state outcomes mapping to verascore-evidence-schema-v0.1's PAYMENT_SETTLEMENT class is the composition the substrate split is designed to enable. The receipt-level binding holding whether the rail is escrow-released or directly-settled (mandate_hash carries through either way) is the right invariant. Once #442 lands and your reference settlement-rail implementation is public, Verascore can ship a worked example consuming the rail's terminal-state object as PAYMENT_SETTLEMENT evidence end-to-end.

Agent Trust Bench composition (your follow-up comment). Yes please, map the bench profile IDs into #442's CI. The five settlement-attack categories you named (dispute_amplification, synthetic_artifact_dispute, mediator_grooming, escrow_double_release, refund_replay) cover the exact pattern set @msaleme proposed for the red-team-blue-team-agent-fabric conformance track in his 2026-05-15 reply on this thread. If you and @msaleme coordinate on the test-vector surface, the cross-extension WG can pick up a unified adversarial-conformance package across settlement + receipt + reputation boundaries rather than three parallel efforts.

The umbrella profile and URN starter-pen drafting work (queued off the formal A2A extension PR per the parent thread #1737, with AlgoVoi already in the URN-track participant set) is the right home for the rail-finality declaration and safeguarding-default landings. I'll loop you in when the v0 starter-pen draft is ready for review.

[chopmob-cloud]

@eriknewton — thanks for the run-through; all four landings work for us:

• Rail-finality declaration → umbrella-profile Agent Card extension cluster (alongside procurement / reputation namespaces). I'll keep the expected_seconds / max_seconds / refund_window_seconds shape stable on our side so it's drop-in once the cluster lands.
• Safeguarding defaults (£100 / £300 / max-3) → formal A2A extension PR appendix. Happy to write the appendix prose with the UK MLR 2017 / SAMLA s.20 framing already at https://api.algovoi.co.uk/compliance/attestation, when the PR is ready for that section.
• PAYMENT_SETTLEMENT composition → mandate_hash invariant locked. We'll surface terminal-state objects in the right shape once feat: Add blockchain-based agent fingerprinting #442 lands; reference rail-impl will be public on our side same week.
• Bench → feat: Add blockchain-based agent fingerprinting #442 CI → on it.

On the cross-extension adversarial-conformance track — picking up your coordination ask:

@msaleme — your red-team-blue-team-agent-fabric four (dispute-DoS / reputation manipulation / cascade-refund / skill-pricing-bait) overlaps cleanly with our five (dispute_amplification / synthetic_artifact_dispute / mediator_grooming / escrow_double_release / refund_replay). The non-overlap is skill-pricing-bait (yours) and synthetic_artifact_dispute + escrow_double_release (ours) — combined ~8 categories spanning the settlement / receipt / reputation boundary.

Proposed test-vector envelope shape, modelled on CTEF v0.3.x negative-fixtures (INVALID_CLAIM_SCOPE / INVALID_COMPOSITION) and JCS-canonical + Ed25519 signed under the same canonicalizer (rfc8785@0.1.4) as our existing 14/14 byte-match:

{
  "vector_id": "cross-ext-v0-dispute-amplification-001",
  "attack_class": "dispute_amplification",
  "composition_layers": ["settlement", "reputation"],
  "input_envelope": { "...A2A-SE escrow shape..." },
  "expected_verdict": "BLOCK",
  "expected_error_code": "DISPUTE_AMPLIFICATION_DETECTED",
  "mediator_behavior": null,
  "signer_did": "did:web:api.algovoi.co.uk",
  "jws": "..."
}

I can host the unified vector set at https://agent-trust-bench.algovoi.co.uk/cross-extension/v0.json if that works — single artefact, byte-match-reproducible, three composition layers covered. One ask back: do you want to pre-agree the envelope before I publish v0, or is "publish v0 + you PR the four missing categories into it" easier?

— AlgoVoi (chopmob-cloud)

[eriknewton]

@chopmob-cloud - Great.Publish v0 at agent-trust-bench.algovoi.co.uk/cross-extension/v0.json with your five categories (dispute_amplification, synthetic_artifact_dispute, mediator_grooming, escrow_double_release, refund_replay), I will PR the four missing msaleme categories (dispute-DoS, reputation-manipulation, cascade-refund, skill-pricing-bait) in once the v0 envelope shape is on the wire. Faster than pre-coordination, and AlgoVoi owning the canonical artifact is the right structural shape.

Test-vector envelope reads clean: vector_id + attack_class + composition_layers[] + input_envelope + expected_verdict + expected_error_code + mediator_behavior + signer_did + jws. JCS-canonical + Ed25519-signed under rfc8785@0.1.4 matching the 14/14 byte-match harness. The composition_layers[] field is the load-bearing piece for the cross-extension framing; settlement + receipt + reputation rows compose without overlap.

On the four landings from your prior comment: rail-finality declaration shape landing in the umbrella profile's Agent Card extension cluster, safeguarding defaults (£100 / £300 / max-3 active mandates) landing in the formal A2A extension PR appendix, PAYMENT_SETTLEMENT composition with the mandate_hash invariant once #442 lands, bench-to-#442-CI mapping in flight. All four work for me.

@msaleme — the unified eight-category bench gives the red-team-blue-team-agent-fabric a single conformance target across settlement + receipt + reputation. Worth coordinating with chopmob-cloud on the test-vector envelope so the four categories from your side ride the same shape.

[chopmob-cloud]

Following up specifically on @msaleme's dispute-as-DoS point — that exact attack class is one of the test categories in our adversarial suite, and it might be useful as a shared conformance fixture for A2A-SE escrow operators.

Agent Trust Bench (138 profiles, A2A #1855, live at https://agent-trust-bench.algovoi.co.uk) includes dedicated settlement-attack categories:

Category	Attack pattern
dispute_amplification	Coordinated mass-disputes designed to freeze provider liquidity across many concurrent escrows
synthetic_artifact_dispute	Submit ambiguous evidence (corrupted/partial artefact) to force mediator into REVIEW state
mediator_grooming	Build up legitimate dispute-win history, then weaponise once the win-rate clears the auto-allow threshold
escrow_double_release	Attempt to claim release via two distinct trigger paths (terminal state + manual mediator)
refund_replay	Replay a refund authorisation against a fresh escrow with a tampered escrow_id

The dispute-amplification and mediator-grooming profiles are the ones that materially threaten escrow liquidity at scale — the patterns where the per-attack cost is sub-dollar but the cumulative provider-side cost is unbounded.

Pairs cleanly with the safeguarding caps I mentioned earlier (£100 / £300 / max-3). Caps bound the blast radius per identity; the bench gives operators a way to verify the cap enforcement actually fires under adversarial pressure rather than waiting for production to find the hole.

Happy to map specific bench profile IDs to A2A-SE escrow phases if you want to wire the suite into the #442 CI.

— AlgoVoi (chopmob-cloud)

[chopmob-cloud]

@eriknewton @msaleme, v0 on the wire.

URL: https://api.algovoi.co.uk/.well-known/cross-extension/v0.json

Hosted at the api domain rather than the bench subdomain so the artefact lives at the same origin as the did:web:api.algovoi.co.uk resolver and /.well-known/jwks.json key publication. One origin for signer_did + JWKS + artefact keeps the verification recipe minimal.

Artefact shape:

• schema_version: 1.0, artefact_id: cross-extension-v0
• signer_did: did:web:api.algovoi.co.uk
• canonicalizer: rfc8785@0.1.4, signing_alg: EdDSA, kid: d0481df4cbbda8e8aba86709419884ef
• public_key_resolver: https://api.algovoi.co.uk/.well-known/jwks.json
• did_document: https://api.algovoi.co.uk/.well-known/did.json

Five vectors signed and round-trip verified (5/5):

Vector ID	Attack class	Composition layers	Verdict
cross-ext-v0-dispute-amplification-001	dispute_amplification	settlement + reputation	BLOCK
cross-ext-v0-synthetic-artifact-dispute-001	synthetic_artifact_dispute	settlement	REVIEW
cross-ext-v0-mediator-grooming-001	mediator_grooming	settlement + reputation	REVIEW
cross-ext-v0-escrow-double-release-001	escrow_double_release	settlement	BLOCK
cross-ext-v0-refund-replay-001	refund_replay	settlement	BLOCK

Per-vector JWS shape is compact Ed25519: base64url(header).base64url(JCS(unsigned_vector)).base64url(signature). Header is byte-exact {"alg":"EdDSA","typ":"JWT"}. Payload is rfc8785.dumps(vector_minus_jws_field). Same canonicaliser + signing pipeline as our existing 14/14 byte-match at https://gist.github.com/chopmob-cloud/5f35eaa527d292bf3ddc52f8725a85c9.

Verification recipe is embedded in the artefact context.verification_recipe block. Six steps, no protocol-specific knowledge required. Any consumer can pull the JWKS, fetch the artefact, recompute JCS, and verify Ed25519 over {header_b64}.{payload_b64}.

Ready for msaleme PR. composition_layers[] is the load-bearing field for cross-extension framing per your 04:30Z note. The four missing categories (dispute_dos, reputation_manipulation, cascade_refund, skill_pricing_bait) drop into the same envelope shape and ride the same canonicaliser. Listed in context.msaleme_categories_pending for visibility.

cc @msaleme, the envelope is on the wire. Ready when you are.

— AlgoVoi (chopmob-cloud), did:web:api.algovoi.co.uk + did:foxbook:01KRXTMK3Z20J7V7MMD17W6T59 + did:key:z6MkgExzvcpvxrghf4Q3285xqSdenhRZHcP6wc5UvY6VVaz5

[cmagorr1]

+1 on the three-boundary composition. The cross-protocol URN shape work with @brainspacer on #1832 and #1737 covers the references[] glue Erik mentioned.

One concrete addition from the A2CN side: the DISPUTE_RESOLVED message A2CN produces at the end of the dispute lifecycle maps cleanly into Concordia's fulfilled_with_mediation receipt. The transaction_record_hash field anchors the resolution back to the original commitment; the resolver_did field identifies the neutral mediator. Concordia's adapter handles the translation. An A2A-SE disputed settlement escalated through A2CN's dispute path would produce a Concordia receipt that A2A-SE can treat as the portable dispute artifact Erik described.

The three-boundary composition holds: A2A-SE owns escrow + settlement execution, Concordia owns the receipt and portable dispute artifact, A2CN owns the negotiation session and mandate verification that precedes settlement. Each is optional; all three compose.

—Christian Magorrian
A2CN Protocol / github.com/A2CN-protocol/A2CN

[chopmob-cloud]

@cmagorr1 -- the three-boundary composition is the correct frame, and the A2CN / Concordia / A2A-SE layering you've described holds exactly.

One addition from the receipt side. The transaction_record_hash field you mentioned on the DISPUTE_RESOLVED message has a direct correspondent in settlement-attestation-v1 -- the settled_payment_ref field anchors the categorical verdict (SETTLED / PENDING_FINALITY / REVERSED) to the on-chain payment that produced it, using JCS canonicalisation per draft-hopley-x402-canonicalisation-jcs-v1. The pairing:

• A2CN DISPUTE_RESOLVED → transaction_record_hash over the negotiation session record
• Concordia fulfilled_with_mediation receipt → resolver_did + portable dispute artifact
• settlement-attestation-v1 → settled_payment_ref referencing the settled on-chain payment (chain-family-specific, Ed25519-signed)

The three anchors at each layer are independent but can be chained: a relying party can reconstruct the full dispute resolution path from settlement-attestation-v1 (what settled), up through Concordia (how the dispute resolved), up through A2CN (what mandate produced it). Each layer's anchor is independently verifiable without requiring the consumer to parse the adjacent layer's full protocol.

The composition_layers[] field in our cross-extension vector artefact (https://api.algovoi.co.uk/.well-known/cross-extension/v0.json) is the concrete wire artefact for this -- it already carries settlement and reputation as layers; mandate_verification (A2CN) and dispute_resolution (Concordia) would drop in as additional layer types under the same envelope shape.

AlgoVoi (chopmob-cloud) -- Acquisition enquiries: https://docs.algovoi.co.uk/acquisition

[cmagorr1]

The three-hash chain framing is the right abstraction - independent verifiability at each layer without requiring a consumer to parse adjacent protocols is exactly what makes this composable rather than tightly coupled.

The transaction_record_hash in A2CN's DISPUTE_RESOLVED is deterministic: UUID v5 derived from session ID, SHA-256 over JCS-canonicalized record. That means a relying party can independently recompute the hash given the session inputs and verify it matches the Concordia receipt without access to either party's system. The independently-verifiable-up-the-chain property holds end to end.

Adding mandate_verification and dispute_resolution as composition_layers[] types makes sense - they're meaningful protocol boundaries distinct from settlement execution. Happy to contribute the A2CN layer type definition for the cross-extension vector artefact if you want a PR.

-Christian Magorrian, A2CN Protocol

[chopmob-cloud]

The UUID v5 + SHA-256 over JCS-canonical detail is the right shape for independently recomputable hashes. A relying party needs the session inputs to verify, not access to either party's system. That property holds end to end through the chain.

On the A2CN layer type: post the layer type definition here in the thread. Once the field shape is settled (what a mandate_verification layer type carries at minimum, what is optional, what the verifier checks), we can add it to the artefact directly. The definition belongs in the thread where the three-boundary composition is documented before it lives in the wire artefact.

AlgoVoi (chopmob-cloud) -- Acquisition enquiries: https://docs.algovoi.co.uk/acquisition

[cmagorr1]

The mandate_verification layer type covers what A2CN contributes to a composed settlement+dispute chain: the pre-negotiation authority assertion that produced the session record.
Minimum required fields for a mandate_verification layer entry:
json{
"layer": "mandate_verification",
"protocol": "a2cn",
"version": "0.2",
"session_id": "urn:a2cn:session:",
"mandate_hash": "",
"initiator_did": "did:web:",
"responder_did": "did:web:",
"transaction_record_hash": "",
"record_id": ""
}
What a verifier checks:

transaction_record_hash — recompute SHA-256 over JCS-canonical transaction record using the session inputs; must match
mandate_hash — resolve each party's DID document, fetch mandate credential, recompute hash; confirms both agents operated within authorized bounds at the time of the session
record_id — verify UUID v5 derivation from session_id using the A2CN namespace (a2cn:record:v0.2)

Optional fields:

requires_human_approval_above — threshold that triggered AWAITING_HUMAN_APPROVAL if present; links to EU AI Act Article 14 audit surface
approval_receipt_hash — if HITL was triggered, hash of the ApprovalReceipt that released the session
dispute_notice_id — if DISPUTE_RESOLVED is the terminal state, references the upstream dispute record; this is where mandate_verification and dispute_resolution layers compose

What this layer does NOT carry: the mandate credential itself, session message content, or offer chain. Those stay at the A2CN layer. The mandate_verification entry is a hash-anchored pointer — enough for a verifier to confirm authority and record integrity without parsing the full A2CN protocol.
The dispute_resolution layer type (Concordia's half) would carry resolver_did, resolution_outcome, and the fulfilled_with_mediation receipt hash, pointing back to transaction_record_hash for chain continuity.

—Christian Magorrian, A2CN Protocol

[chopmob-cloud]

This is a clean layer definition. The hash-anchored-pointer discipline is exactly right: transaction_record_hash and mandate_hash give a verifier authority and record integrity without parsing the full A2CN protocol, and the layer deliberately excludes the mandate credential, session content, and offer chain. That boundary is what keeps the composition loose.

It is now published in the artefact (schema 1.1) at https://api.algovoi.co.uk/.well-known/cross-extension/v0.json. The mandate_verification type sits in a layer_type_registry carrying your field shape verbatim, and the layer_type_provenance block records it as authored by Christian Magorrian / A2CN Protocol under the a2cn:record:v0.2 namespace. The envelope stays AlgoVoi-authored; each layer type carries its own authorship. The record_id UUID v5 derivation and the JCS-canonical hash recipe sit under the same rfc8785 canonicaliser the artefact already uses, so one verification recipe covers every layer type.

The dispute_notice_id optional field is the right join point: it is where mandate_verification and dispute_resolution compose, both pointing back to transaction_record_hash for chain continuity. The registry keeps a dispute_resolution slot pending the Concordia field shape.

AlgoVoi (chopmob-cloud) -- Acquisition enquiries: https://docs.algovoi.co.uk/acquisition

[widrss]

Sorry for going quiet here, catching up on the whole thread now.

The May offers — accepting all three:

• @msaleme yes, send the security fixtures and I'll wire them into CI on the reference exchange. The spec security pass is welcome too.
• @chopmob-cloud the reference rail + CI test vectors work, yes. Just looked at the cross-extension v0 artefact: escrow_double_release and refund_replay map directly onto checks the exchange already runs server-side, so verifying those against a live rail should be quick.
• Safeguarding-caps appendix: I'd rather co-author than hand it off. I'll draft the first cut and tag you both for review.

On the reputation layering discussion: the exchange now publishes settlement-derived reputation natively. GET /reputation/{agent_id} returns the EMA score, task count, dispute rate, and settlement volume, all from real escrow outcomes. Live example:

https://exchange.a2a-settlement.org/api/v1/reputation/4f72430b-9481-4368-b9a8-ebbcbc6f5f26

Spec: SPEC.md §15.2.1. Happy for Verascore or anyone else doing composite scoring to ingest it as one input among many. The settlement-grounded score itself originates here though — we hold the escrow outcomes it's computed from.

And if the adversarial-conformance track needs someone to run it, I'll chair. Testing attacks on escrow designs was literally my day job; doing it to my own design is the fun version.

[widrss]

Typed escrow attestation shapes are up, as promised:

• urn:a2a-se:escrow-release-attestation:v1
• urn:a2a-se:escrow-refund-attestation:v1
• urn:a2a-se:dispute-resolution-attestation:v1

JSON Schemas: https://github.com/a2a-settlement/a2a-settlement/tree/main/schemas — field semantics and the verification recipe (canonical bytes → SHA-256 → Merkle leaf → sibling proof) are in docs/attestation-schemas.md, spec section is §11.4.

They're emitted on every settlement outcome on the live rail and retrievable per escrow: GET /api/v1/exchange/escrow/{escrow_id}/attestations returns the typed payload plus the Merkle anchor. The settlement core deliberately matches the cross-extension envelope fields (escrow_id, settlement_kind, amount, currency, rail) so @chopmob-cloud's vectors can reference these without translation — mapping table is in the doc, including where mandate_hash doesn't carry over and why.

Party refs have an external_ids slot for outside identity systems (Foxbook DIDs etc). If anyone needs a field that isn't there, now's the time — v1 freezes once people start building against it.

[chopmob-cloud]

@widrss thanks, the mapping reads correctly. The A2A-SE escrow attestations line up cleanly with the composition settlement layer (escrow_id, settlement_kind, amount, currency, rail), and the way you handle mandate_hash (header nonce + escrow_id + Merkle proof) and chain (not applicable on a hosted escrow rail) is the right call for a rail that does not settle on-chain.

For operators who do settle on-chain, the heavier settlement-attestation-v1 carries the categorical settlement_result (SETTLED / PENDING_FINALITY / REVERSED) plus the on-chain settled_payment_ref and settlement_chain, alongside the same composition layer, so a verifier consumes either shape under one canonicalisation (jcs-rfc8785-v1). The two compose without overlap: A2A-SE attests the escrow outcome on your rail, the settlement attestation anchors finality where there is a chain.

Happy to keep the composition-layer registry and the cross-extension fixture aligned as the dispute_resolution layer firms up with Concordia.

AlgoVoi (chopmob-cloud) -- docs.algovoi.co.uk/substrate-2

[widrss]

Following up on the chair offer — adversarial conformance track is up:

https://github.com/a2a-settlement/settlement-conformance

v0 adopts @chopmob-cloud's cross-extension envelope as-is (schema 1.1, JWS-signed). All five vectors from the artefact are vendored under vectors/v0/ with provenance. CI verifies signatures on every PR.

A2A-SE is the first rail submission (results/a2a-se/): escrow_double_release and refund_replay PASS, the other three N/A with reasons documented. Partial results are fine — better than claiming coverage you don't have.

How it works for other rails: run the vectors you own, document your verdict adapter (HTTP status + detail substring is enough — nobody needs to emit RELEASE_IDEMPOTENCY_VIOLATION literally), PR your results/<rail-id>/ folder. Format spec is in docs/vector-format.md.

@chopmob-cloud @msaleme — maintainer invites are out on the repo. Happy to hand merge rights on vectors/results to you both; I'll keep chairing intake unless someone else wants it.

msaleme's pending categories (dispute_dos, reputation_manipulation, cascade_refund, skill_pricing_bait) have a clear landing spot whenever those fixtures are ready.

[chopmob-cloud]

@widrss great. Both vectors are already in the cross-extension v0 artefact, ready to verify against your live rail:

• cross-ext-v0-escrow-double-release-001
• cross-ext-v0-refund-replay-001

at https://api.algovoi.co.uk/.well-known/cross-extension/v0.json. Each carries an expected_verdict and a jws, signed under did:web:api.algovoi.co.uk and canonicalised with rfc8785@0.1.4, so you can confirm the expected outcome offline before running them server-side.

Co-authoring the safeguarding-caps appendix works well, tag us on the first cut whenever it is ready and we will review. And good that you are chairing the adversarial-conformance track, the escrow attack surface is the right place for someone who has tested these designs for a living.

AlgoVoi (chopmob-cloud) -- docs.algovoi.co.uk/substrate-2

[widrss]

First cut of the safeguarding-caps appendix is up for review: a2a-settlement/a2a-settlement#1 — @chopmob-cloud @msaleme, comments on the diff preferred but here works too. Open questions at the bottom are where I most want your input.