Protocol Scopev0.12.6

What PEAC verifies

PEAC produces signed, portable evidence across ten verification domains. Each domain maps to specific receipt types, policy fields, and packages. 12 typed extension groups, 9 pillar usage profiles, and 219 conformance requirements.

access attribution consent commerce compliance privacy provenance safety identity purpose

Identity

Agent identity verification

Cryptographic proof-of-control for agent identity with 8 proof types. ActorBinding schema with origin-only enforcement, MVIS validation, and key lifecycle management with rotation and revocation.

ActorBinding with 8 proof types (ed25519-cert-chain, sigstore-oidc, did, spiffe, x509-pki, custom)
MVIS: 5 required fields (issuer, subject, key_binding, time_bounds, replay_protection)
Key lifecycle (PENDING, ACTIVE, DEPRECATED, RETIRED, REVOKED) with 30-day overlap
Kid reuse detection and revoked_keys[] in issuer config

@peac/crypto@peac/protocol@peac/schema

identity.ts

// ActorBinding with proof type
import { ActorBindingSchema } from '@peac/schema';

const binding = ActorBindingSchema.parse({
  id: 'agent-xyz',
  proof_type: 'sigstore-oidc',
  origin: 'https://org.example',
  intent_hash: 'sha256:abc123...',
});
// ext["org.peacprotocol/actor_binding"]

Purpose

Intent declaration and enforcement

Purpose-based access control with canonical purpose tokens. Agents declare intent, services enforce terms, and receipts record what purpose was applied.

Canonical purpose tokens (train, search, inference, index)
Purpose declaration via PEAC-Purpose header
Purpose enforcement in control chains
Purpose audit trail in receipts (purpose_declared, purpose_enforced)

@peac/control@peac/policy-kit@peac/protocol

purpose.ts

// Purpose-based access
const receipt = await issue({
  iss: 'https://api.example.com',
  purpose_declared: ['inference'],
  purpose_enforced: 'inference',
  purpose_reason: 'policy_match',
  privateKey,
  kid: 'key-2026-02',
});

Privacy

Data protection

Privacy-preserving hashing with evidence redaction. k-anonymity >= 20 for aggregated metrics with minimal data exposure.

Privacy-preserving content hashing
Evidence redaction for sensitive fields
k-anonymity (k >= 20) for metrics
Minimal PII exposure design

@peac/privacy@peac/crypto@peac/protocol

privacy.ts

// Privacy-preserving hash
const hash = privacyHash(content, {
  algorithm: 'sha256',
  salt: ephemeralSalt,
});

// Redact sensitive evidence
const safe = redactEvidence(evidence, {
  fields: ['email', 'ip'],
});

Safety

AI safety evidence

Portable evidence for AI safety reviews, incident response, and governance workflows. Receipts capture what terms applied and what happened for post-hoc analysis.

Incident response evidence bundles
Safety review audit trails
Governance workflow artifacts
Post-hoc interaction analysis

@peac/audit@peac/protocol@peac/control

safety.ts

// Generate incident evidence
const bundle = await createAuditBundle({
  receipts: incidentReceipts,
  policy_snapshot: activePolicy,
  time_range: incidentWindow,
});

// Portable evidence for review
// No trust in issuer required

Access

Discovery and authorization

Standardized discovery via peac.txt and AIPREF headers. Control Abstraction Layer (CAL) evaluation with DPoP L3/L4 binding for secure request authorization.

peac.txt discovery at /.well-known/peac.txt
AIPREF HTTP headers for policy signaling
Control Abstraction Layer evaluation
DPoP proof-of-possession (L3/L4)

@peac/policy-kit@peac/control@peac/protocol

access.ts

// Fetch and evaluate policy
const policy = await fetchPeacTxt(
  'https://example.com'
);

const decision = await evaluate(policy, {
  purpose: 'inference',
  subject_type: 'agent',
});

if (decision.allowed) {
  // Proceed with request
}

Commerce

Multi-rail payments

HTTP 402 payment flow with cryptographic receipts. Support for x402, Stripe, card, and Razorpay payments with unified receipt format.

HTTP 402 Payment Required flow
x402 blockchain payments (USDC)
Stripe SaaS billing + crypto payments
Card and Razorpay rail adapters

@peac/rails-x402@peac/rails-stripe@peac/rails-card@peac/protocol

commerce.ts

// Handle HTTP 402 response
const receipt = await acquire402Receipt({
  offer: response.headers['x-402-offer'],
  rail: 'x402',
  wallet: agentWallet,
});

// Retry with receipt
headers['PEAC-Receipt'] = receipt.jws;

Attribution

Provenance tracking

Track content usage with cryptographic attribution chains. Bind content hashes to receipts for verifiable provenance across AI workflows.

Attribution attestations with content hashes
Chain resolution up to 8 levels deep
Usage type tracking (quote, derive, summarize)
Weight-based contribution scoring

@peac/attribution@peac/protocol@peac/schema

attribution.ts

// Create attribution attestation
const attribution = createAttribution({
  sources: [{
    receipt_ref: 'jti:abc123',
    content_hash: 'sha256:...',
    usage: 'quote',
    weight: 0.3,
  }],
  issued_at: Date.now(),
});

Provenance

Verifiable records

Deterministic verification with dispute bundles. C2PA integration for media provenance with cryptographic proof chains.

Deterministic receipt verification
Dispute resolution workflow
C2PA media provenance integration
Cryptographic proof chains

@peac/protocol@peac/crypto@peac/audit

provenance.ts

// Verify receipt chain
const result = await verifyChain({
  receipt: signedReceipt,
  jwks_uri: issuerJwks,
  require_attribution: true,
});

// Deterministic verification
assert(result.valid === true);

Compliance

Audit and evidence

Audit bundles for regulatory compliance. SOC2 and EU AI Act ready exports with deterministic verification and portable evidence.

Audit bundles with signed manifests
Offline-verifiable evidence packages
SOC2 control mapping
EU AI Act transparency reports

@peac/audit@peac/protocol@peac/schema

compliance.ts

// Create audit bundle
const bundle = await createAuditBundle({
  receipts: verifiedReceipts,
  policy_snapshot: currentPolicy,
  time_range: { start, end },
  signing_key: auditKey,
});

// Export for SOC2 audit

Pillar Usage Profiles

9 profiles document how to use each extension group for regulatory, operational, or evidence workflows. Each profile includes schema-vs-profile field tables, non-goals, and strict-mode demonstrations.

Accessorg.peacprotocol/access

Identityorg.peacprotocol/identity

Consentorg.peacprotocol/consent

Privacyorg.peacprotocol/privacy

Safetyorg.peacprotocol/safety

Complianceorg.peacprotocol/compliance

Provenanceorg.peacprotocol/provenance

Attributionorg.peacprotocol/attribution

Purposeorg.peacprotocol/purpose

12 Typed Extension Groups

Each receipt type maps to a typed extension group. In strict mode, registered first-party evidence types require their mapped extension group to be present.

Commerceorg.peacprotocol/commerce

Payment, settlement, event

Accessorg.peacprotocol/access

Authorization, discovery

Challengeorg.peacprotocol/challenge

Proof requests

Identityorg.peacprotocol/identity

Actor binding, proofs

Correlationorg.peacprotocol/correlation

Tracing, causality

Consentorg.peacprotocol/consent

Policy-based consent

Privacyorg.peacprotocol/privacy

Redaction, hashing

Safetyorg.peacprotocol/safety

Incident, guardrails

Complianceorg.peacprotocol/compliance

Governance, audit

Provenanceorg.peacprotocol/provenance

Origin, history

Attributionorg.peacprotocol/attribution

Source, credit

Purposeorg.peacprotocol/purpose

Intent, control

Ready to implement?

Start with the quickstart guide or explore the full documentation.

Get Started Documentation