Provisioning Event Records
PEAC records evidence for agent provisioning events: API key issuance, OAuth client registration, certificate provisioning, secret rotation, access grants and revocations, and service authorization. All records are observer-scope -- PEAC never stores inline credentials.
Extension group (v0.14.2+)
org.peacprotocol/provisioning-lifecycle -- 10 *-observed type URIs:
| Type URI | What it records |
|---|---|
provisioning-catalog-observed | A provisioning catalog or offering |
provisioning-provider-link-observed | A link to an upstream provisioning provider |
provisioning-account-observed | A provisioning account or workload identity |
provisioning-resource-observed | A provisioned resource |
provisioning-credential-observed | A credential (API key, token, certificate) issuance or rotation |
provisioning-payment-authorization-observed | A payment authorization for provisioning |
provisioning-budget-observed | A budget allocation or limit |
provisioning-subscription-observed | A subscription lifecycle event |
provisioning-domain-observed | A domain registration, transfer, or release |
provisioning-deployment-observed | A deployment lifecycle event |
Opaque references required
All *_ref fields must use the opaque reference grammar: urn:, ref:, did:, sha256:, or https: prefixes. Inline credential material, bearer tokens, and connection strings are blocked by the validator.
import { validateProvisioningLifecycle } from '@peac/schema';
const result = validateProvisioningLifecycle({
typ: 'access',
ext: [{
'org.peacprotocol/provisioning-lifecycle': {
event_kind: 'provisioning-credential-observed',
provider_ref: 'urn:provider:aws-iam',
subject_ref: 'urn:agent:my-agent',
storage_surface: {
kind: 'external_secret_store',
provider_ref: 'urn:provider:aws-secrets-manager',
},
},
}],
});
Credential scanner
validateProvisioningLifecycle() runs a recursive credential-material scanner that rejects inline secrets at any nesting depth. 21 stable error codes in the provisioning.* family (Section 31 PROV-LIFE-001..010).
Storage surface abstraction
storage_surface.kind is an abstract enum (7 values): external_secret_store, local_encrypted_file, local_plaintext_file, environment_file, runtime_secret_binding, none, unknown. No vendor-specific names in core.