docs(ap2): add Compliance Receipt - admission-time AlgoVoi attestation envelope bound to Payment/Cart Mandate#269
Open
chopmob-cloud wants to merge 8 commits into
Conversation
…n envelope bound to Payment/Cart Mandate Documents the canonical AlgoVoi-authored Compliance Receipt format (seven-field JSON, closed three-element ALLOW / REFER / DENY enum, JCS RFC 8785 canonicalisation, SHA-256 binding to Payment Mandate or Cart Mandate). AP2 references the format; AP2 does not redefine it. The wire format matches the canonical AlgoVoi Compliance Receipt as specified in IETF Internet-Draft draft-hopley-x402-compliance-receipt and documented at docs.algovoi.co.uk/compliance-gate-v1. Single new file at docs/ap2/compliance_receipt.md. No changes to existing spec files. No code changes. No samples.
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request introduces a new documentation file, docs/ap2/compliance_receipt.md, which specifies the Compliance Receipt format—a content-addressed attestation envelope used prior to settlement. The review feedback suggests a minor grammatical improvement to clarify a sentence fragment regarding the Apache 2.0 license.
| - [`algovoi-substrate`](https://pypi.org/project/algovoi-substrate/) on PyPI | ||
| - [`@algovoi/substrate`](https://www.npmjs.com/package/@algovoi/substrate) on npm | ||
|
|
||
| Both Apache 2.0. |
Contributor
There was a problem hiding this comment.
Improve the sentence fragment 'Both Apache 2.0.' to be grammatically complete and more professional.
Suggested change
| Both Apache 2.0. | |
| Both are licensed under Apache 2.0. |
Add 'text' language tag to the audit-chain ASCII diagram fence (docs/ap2/compliance_receipt.md:112) per markdownlint MD040. Add 22 project-specific words to .cspell/custom-words.txt: British- English orthography matching the AlgoVoi-authored IETF I-Ds (canonicalisation, canonicalised, unrecognised, unauthorised, recognised, tipping), authorship/host names (AlgoVoi, chopmob, hopley, datatracker), and regulatory acronyms (JCS, SAMLA, MiCA, OFAC, OFSI, RFC). Follows the same pattern as AP2#253.
canonicalise (bare verb form), Behavioural, behavioural, authorisation — British -ise / -our forms used in the AlgoVoi-authored IETF I-Ds.
chopmob-cloud
changed the title
chopmob-cloud
force-pushed
the
docs-ap2-compliance-receipt
branch
from
6be1f74 to
6750b14
Compare
This was referenced May 30, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the
Compliance Receiptspecification to the AP2 documentationset: the canonical AlgoVoi-authored seven-field attestation envelope
that records the admission-time compliance verdict (
ALLOW/REFER/DENY) bound to a Payment Mandate or Cart Mandate bysha256:reference under RFC 8785 (JCS) canonicalisation.
AP2 references the format; AP2 does not redefine it. The wire format
matches the canonical AlgoVoi Compliance Receipt as specified in IETF
Internet-Draft
draft-hopley-x402-compliance-receiptand documented atdocs.algovoi.co.uk/compliance-gate-v1.Single new file at
docs/ap2/compliance_receipt.md. No changes toexisting spec files. No code changes. No samples.
Why AP2 needs this
AP2 specifies the Cart Mandate and Payment Mandate primitives and the
agent-authorisation flow that produces them, but does not document the
admission-time compliance verdict format that a regulated verifying
party (Credential Provider, Network, Merchant Payment Processor) emits
before the mandate proceeds to settlement: "is this mandate permitted
to proceed?". This decision is required under SAMLA 2018 s.20, PSD2
sanctions-screening obligations, and MiCA Article 80 record-keeping.
Without a canonical format reference, every verifying party records
this verdict in a bespoke shape, breaking the property that a Shopping
Agent or downstream relying party can confirm an admission-time check
occurred by hashing a fixed-shape JSON object. This PR closes that gap
by referencing the AlgoVoi-authored format (already in production, on
IETF datatracker, with reference implementations on PyPI and npm) and
documenting how it composes with AP2's mandate primitives.
Production reference
The format is emitted in production by the AlgoVoi facilitator at
api.algovoi.co.uk/compliance/attestation,live since 2026-05-06 across eight chain families. Documentation:
docs.algovoi.co.uk/platform/compliance-engine.Public audit verifier:
docs.algovoi.co.uk/audit-verifier.This is not a theoretical proposal. The format described in this PR
has been emitting receipts against live settlement traffic for over
three weeks.
Authorship and substrate-author position
This PR is sole AlgoVoi authorship across the documented format,
normative seven-field shape, closed three-element verdict enumeration,
regulatory mapping, and the composition with the AlgoVoi-authored
canonicalisation pin (
urn:x402:canonicalisation:jcs-rfc8785-v1perIETF I-D
draft-hopley-x402-canonicalisation-jcs-v1).Companion IETF Internet-Draft:
draft-hopley-x402-compliance-receipt(Independent Submission, Informational, on IETF datatracker).
Reference implementation, AlgoVoi-authored, Apache 2.0:
algovoi-substrateon PyPI@algovoi/substrateon npmThe canonicalisation layer underneath the receipt is byte-for-byte
cross-validated across eight independent implementations (Python,
TypeScript, Go, Rust, Java, PHP, .NET, Ruby) per the AlgoVoi 8-impl
matrix; the receipt's
content_hashreproduces byte-identical underany of the eight. Conformance corpus:
chopmob-cloud/algovoi-jcs-conformance-vectors.The verdict enumeration is closed by design and may be amended
only by a normative successor specification authored by AlgoVoi or
with explicit AlgoVoi co-authorship. Re-publication of the format
under a different attribution does not constitute substrate authorship
of the elements defined here.
No coalition acknowledgements. This specification does not absorb
from, depend on, or share authorship with any other party's work.
Orthogonality
This specification defines the verdict format at the admission-time
sanctions and KYC screening layer. It is orthogonal to
counterparty-risk evidence formats, settlement-attestation formats
issued after on-chain settlement completes, post-settlement lifecycle
envelopes (covered by the sibling AlgoVoi-authored Payment Lifecycle
PR), and behavioural reputation, trust-scoring, or composable trust
evidence formats proposed elsewhere. The Compliance Receipt makes no
claims about, and depends on no fields from, any of the above.
Scope
Single new file at
docs/ap2/compliance_receipt.md. No changes toexisting spec files. No code changes. No samples. No glossary additions.
-- AlgoVoi (chopmob-cloud)
https://docs.algovoi.co.uk/acquisition