Provisioning Event Records
Record evidence for provisioning events: API key issuance, OAuth client registration, certificate provisioning, secret rotation, access grants and revocations, and service authorization. Every record is observer-scope, and PEAC never stores inline credentials.
Packages: @peac/schema, @peac/protocol
Extension group
org.peacprotocol/provisioning-lifecycle records ten *-observed type URIs. Validate with validateProvisioningLifecycle() from @peac/schema before issuing.
| Type URI | What it records |
|---|---|
| org.peacprotocol/provisioning-catalog-observed | A provisioning catalog or offering |
| org.peacprotocol/provisioning-provider-link-observed | A link to an upstream provisioning provider |
| org.peacprotocol/provisioning-account-observed | A provisioning account or workload identity |
| org.peacprotocol/provisioning-resource-observed | A provisioned resource |
| org.peacprotocol/provisioning-credential-observed | A credential (API key, token, certificate) issuance or rotation |
| org.peacprotocol/provisioning-payment-authorization-observed | A payment authorization for provisioning |
| org.peacprotocol/provisioning-budget-observed | A budget allocation or limit |
| org.peacprotocol/provisioning-subscription-observed | A subscription lifecycle event |
| org.peacprotocol/provisioning-domain-observed | A domain registration, transfer, or release |
| org.peacprotocol/provisioning-deployment-observed | A deployment lifecycle event |
Opaque references required
All *_ref fields must use the opaque reference grammar (urn:, ref:, did:, sha256:, or https:). Inline credential material, bearer tokens, and connection strings are rejected by the validator.
```ts
import { validateProvisioningLifecycle } from '@peac/schema';

const result = validateProvisioningLifecycle({
  typ: 'access',
  ext: [{
    'org.peacprotocol/provisioning-lifecycle': {
      event_kind: 'provisioning-credential-observed',
      provider_ref: 'urn:provider:aws-iam',
      subject_ref: 'urn:agent:my-agent',
      storage_surface: {
        kind: 'external_secret_store',
        provider_ref: 'urn:provider:aws-secrets-manager',
      },
    },
  }],
});
```
Credential scanner and storage surface
validateProvisioningLifecycle() runs a recursive credential-material scanner that rejects inline secrets at any nesting depth, with stable error codes in the provisioning.* family (Section 31).
storage_surface.kind is an abstract enum with no vendor-specific names: external_secret_store, local_encrypted_file, local_plaintext_file, environment_file, runtime_secret_binding, none, and unknown.
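The following is an added illustration of the two checks described above (the opaque reference grammar for `*_ref` fields and a recursive scan that rejects inline credential material at any nesting depth); it is not the @peac/schema implementation, and the secret heuristics and `reason` strings are assumptions for this example rather than the validator's `provisioning.*` error codes.

```javascript
// Added illustration, not @peac/schema code. The scheme list comes from the page;
// the secret heuristics and reason strings are constructed for this example.
const OPAQUE_REF = /^(urn:|ref:|did:|sha256:|https:)\S+$/;

// Constructed heuristics for inline secret material (not the validator's rules).
const SECRET_PATTERNS = [
  /^Bearer\s+\S+/i,                              // bearer token
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,          // PEM private key
  /^[a-z][a-z0-9+.-]*:\/\/[^\s:@/]+:[^\s@]+@/i,  // connection string with password
];

const isOpaqueRef = (v) => typeof v === 'string' && OPAQUE_REF.test(v);
const looksLikeSecret = (v) => typeof v === 'string' && SECRET_PATTERNS.some((p) => p.test(v));

// Walk an extension object at any depth; return [{ path, reason }] findings.
// An empty list means the record passed both checks.
function scanProvisioningExt(node, path = '$') {
  const findings = [];
  if (Array.isArray(node)) {
    node.forEach((item, i) => findings.push(...scanProvisioningExt(item, `${path}[${i}]`)));
  } else if (node && typeof node === 'object') {
    for (const [key, value] of Object.entries(node)) {
      const child = `${path}.${key}`;
      if (key.endsWith('_ref') && !isOpaqueRef(value)) {
        findings.push({ path: child, reason: 'ref_not_opaque' });
      }
      findings.push(...scanProvisioningExt(value, child));   // recurse into every value
    }
  } else if (looksLikeSecret(node)) {
    findings.push({ path, reason: 'inline_credential' });
  }
  return findings;
}

// Constructed sample record with two defects: a *_ref outside the grammar and a
// bearer token nested under storage_surface.
const badExt = {
  'org.peacprotocol/provisioning-lifecycle': {
    event_kind: 'provisioning-credential-observed',
    provider_ref: 'arn:aws:iam::000000000000:role/constructed', // scheme not in the grammar
    subject_ref: 'urn:agent:my-agent',
    storage_surface: {
      kind: 'runtime_secret_binding',
      binding: { header: 'Bearer constructed.token.value' },    // nested inline token
    },
  },
};
```

Running `scanProvisioningExt(badExt)` yields one `ref_not_opaque` finding for `provider_ref` and one `inline_credential` finding at `storage_surface.binding.header`, while the record from the example above yields none.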
Semantic Boundary
PEAC records observed provisioning events as evidence. It does not issue credentials, rotate secrets, grant access, or operate the provisioning system; it carries opaque references to what an upstream tool did. A provisioning event record proves what the issuer observed, not more, and never carries the secret itself.
Links
Portable Provisioning Evidence
A signed provisioning record lets an auditor confirm what was provisioned offline, with only the issuer's public key and no exposure of the credential itself.