Skip to main content
Version: v0.16.1

Provisioning Event Records

PEAC records evidence for agent provisioning events: API key issuance, OAuth client registration, certificate provisioning, secret rotation, access grants and revocations, and service authorization. All records are observer-scope -- PEAC never stores inline credentials.

Extension group (v0.14.2+)

org.peacprotocol/provisioning-lifecycle -- 10 *-observed type URIs:

Type URIWhat it records
provisioning-catalog-observedA provisioning catalog or offering
provisioning-provider-link-observedA link to an upstream provisioning provider
provisioning-account-observedA provisioning account or workload identity
provisioning-resource-observedA provisioned resource
provisioning-credential-observedA credential (API key, token, certificate) issuance or rotation
provisioning-payment-authorization-observedA payment authorization for provisioning
provisioning-budget-observedA budget allocation or limit
provisioning-subscription-observedA subscription lifecycle event
provisioning-domain-observedA domain registration, transfer, or release
provisioning-deployment-observedA deployment lifecycle event

Opaque references required

All *_ref fields must use the opaque reference grammar: urn:, ref:, did:, sha256:, or https: prefixes. Inline credential material, bearer tokens, and connection strings are blocked by the validator.

import { validateProvisioningLifecycle } from '@peac/schema';

const result = validateProvisioningLifecycle({
typ: 'access',
ext: [{
'org.peacprotocol/provisioning-lifecycle': {
event_kind: 'provisioning-credential-observed',
provider_ref: 'urn:provider:aws-iam',
subject_ref: 'urn:agent:my-agent',
storage_surface: {
kind: 'external_secret_store',
provider_ref: 'urn:provider:aws-secrets-manager',
},
},
}],
});

Credential scanner

validateProvisioningLifecycle() runs a recursive credential-material scanner that rejects inline secrets at any nesting depth. 21 stable error codes in the provisioning.* family (Section 31 PROV-LIFE-001..010).

Storage surface abstraction

storage_surface.kind is an abstract enum (7 values): external_secret_store, local_encrypted_file, local_plaintext_file, environment_file, runtime_secret_binding, none, unknown. No vendor-specific names in core.