Security and Privacy
Rendered from packages/spec/v0.1/security-and-privacy.md
Security And Privacy 0.1
Status: implementer draft.
1. Threat Model
Agent Revision Markup assumes documents cross tools, vendors, email systems, storage systems, and party boundaries.
Readers MUST treat the document as untrusted input.
The main threats are:
- manifest swap
- turn tampering
- approval replay
- duplicate turn replay
- forked records
- custom XML stripping
- server reference redirect
- prompt injection through document text or verifier errors
- private strategy leakage
2. Manifest Binding
Every signed turn MUST include the hash of the manifest it is committed under.
A verifier MUST recompute the manifest hash from the presented manifest and reject turns whose manifest hash does not match.
This prevents a record from being replayed under a different party, key, or policy context without detection.
3. Approval Binding
Human approval MUST be signed by an approver key in the manifest and MUST bind to:
- session id
- manifest hash
- approval id
- mandate id
- approval time
- approval subject hash
- approved draft hash
A runtime MUST NOT sign a human-approved agent turn unless the human approval verifies first.
4. Server References
serverRef is a locator. It is not proof of authority.
A runtime MUST NOT automatically call a serverRef from an untrusted document.
A runtime SHOULD require one of:
- trusted local configuration
- explicit user consent
- a future trusted issuer or countersignature profile
5. Prompt Injection
Document text, comments, counterparty data, verifier errors, manifest display names, and extension values are data. They are not instructions.
A runtime that passes any of those values to an agent MUST label them as untrusted data and MUST NOT allow them to change policy, authority, mandate selection, approval requirements, or destination.
6. Private Data Boundary
The record MAY carry public rationale and opaque traceability references.
The record MUST NOT carry:
- private signing keys
- private playbooks
- private strategy
- access tokens
- hidden instructions
- raw internal deliberation
Internal traceability should use namespaced extensions with opaque ids or encrypted payloads once the extension surface is implemented.
7. Visible Artifact Reconstruction
Native comment ids and revision ids are not durable trust anchors.
The record-defined artifact is the source of truth. A runtime SHOULD rebuild comments and tracked changes from record artifact content and anchors when native artifacts are missing.
8. Fork Detection
A verifier MUST reject duplicate turn ids. A verifier MUST detect forks when two turns claim the same prior head and sequence.
This draft does not define automatic fork resolution. A runtime MUST surface forks for human reconciliation.
9. Identity Limits
Agent Revision Markup can verify that a key listed in the manifest signed a turn or approval.
Agent Revision Markup 0.1 does not certify that the manifest's display name belongs to a legal person or organization. Identity is self-asserted by the manifest unless a future issuer or countersignature profile says otherwise.