<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE rfc [
  <!ENTITY nbsp    "&#160;">
  <!ENTITY zwsp   "&#8203;">
  <!ENTITY nbhy   "&#8209;">
  <!ENTITY wj     "&#8288;">
]>

<rfc xmlns:xi="http://www.w3.org/2001/XInclude"
     ipr="trust200902"
     docName="draft-rampalli-scitt-capsule-provenance-binding-00"
     category="info"
     submissionType="IETF"
     xml:lang="en"
     version="3">

  <front>
    <title abbrev="AAC Provenance Binding">Binding Per-Action Authorization and Memory Provenance into Agent Action Capsules</title>

    <seriesInfo name="Internet-Draft" value="draft-rampalli-scitt-capsule-provenance-binding-00"/>

    <author fullname="Karthik Rampalli" initials="K." surname="Rampalli">
      <organization>Glyphzero, Inc.</organization>
      <address>
        <postal>
          <region>Delaware</region>
          <country>United States of America</country>
        </postal>
        <email>karthik@glyphzerolabs.com</email>
      </address>
    </author>

    <date year="2026" month="July" day="5"/>

    <keyword>agentic AI</keyword>
    <keyword>SCITT</keyword>
    <keyword>provenance</keyword>
    <keyword>authorization</keyword>
    <keyword>audit</keyword>

    <abstract>
      <t>
        The Agent Action Capsule (AAC) profile
        (draft-mih-scitt-agent-action-capsule) records what an autonomous
        agent actually did -- executed, blocked, denied, errored, or timed
        out -- with a structural binding that prevents an attempt from being
        presented as a completion.  AAC deliberately does not define the
        authority that permitted an action; it carries that authority as an
        opaque reference.  Two companion profiles supply what that reference
        can point to: a per-action authorization profile
        (draft-rampalli-aiagent-authz-hmac) records that an action was
        permitted (the "may"), and a memory-provenance profile
        (draft-rampalli-aiagent-memory-provenance) records the source and
        trust state of the belief on which the agent acted (the
        "why-believed").
      </t>
      <t>
        This document specifies how the latter two are bound into an AAC
        Capsule.  It defines (a) what the AAC "disposition.authority"
        reference MAY resolve to, (b) a namespaced, payload-only extension
        carrying an authorization-token reference, a memory chain root, and
        a quarantine attestation, and (c) an OPTIONAL divergence-class
        value, drawn from the per-action profile, that explains a
        non-executing AAC verdict.  The binding uses only mechanisms AAC
        already provides -- the opaque authority reference and the
        payload-extension namespacing convention -- and changes neither
        AAC's closed protected-header claim set nor its Class 1
        verification.  The result is a single verifiable record that
        answers "may," "did," and "why-believed" together.
      </t>
    </abstract>

    <note removeInRFC="false">
      <name>Defensive Publication Notice</name>
      <t>
        This memorandum is published in part to establish prior art on the
        binding it describes.  The author and Glyphzero, Inc. assert no
        patent claim over the technique of binding per-action authorization
        and memory provenance into an agent-action capsule considered in
        isolation.  Implementers and standards bodies are encouraged to
        incorporate it without seeking license.  Patent protection that
        Glyphzero, Inc. or its affiliates may hold or pursue is limited to
        enterprise-distinguishing extensions not specified here, such as
        cross-domain federation of provenance chains.  Hardware-rooted
        attestation and multi-tenant anchoring are treated as composition
        seams with open standards (the RATS architecture
        <xref target="RFC9334"/> and the SCITT transparency service
        <xref target="I-D.ietf-scitt-architecture"/>) rather than as patent
        reservations of this profile.
      </t>
    </note>
  </front>

  <middle>

    <section anchor="introduction" numbered="true" toc="default">
      <name>Introduction</name>
      <t>
        Three questions must be answered to hold an autonomous agent
        accountable for a consequential action:
      </t>
      <ul>
        <li>Why did the agent believe it should act?  (the "why-believed")</li>
        <li>Was the action permitted?  (the "may")</li>
        <li>What did the agent actually do, including the case where it was
            stopped?  (the "did")</li>
      </ul>
      <t>
        The Agent Action Capsule profile
        <xref target="I-D.mih-scitt-agent-action-capsule"/> answers the
        third with rigor.  It binds effect state to verdict so that a
        "confirmed" effect <bcp14>MUST</bcp14> carry a digest over the
        observed response, and it emits a Capsule on every verdict --
        including refusals, blocks, and timeouts -- rather than a
        survivorship-biased success-only log.  By design, AAC does not
        answer the first two questions: its <tt>disposition.authority</tt>
        field is an opaque reference, and authorization is delegated to a
        separate profile (Section 10 of
        <xref target="I-D.mih-scitt-agent-action-capsule"/>).
      </t>
      <t>
        This is the correct separation of concerns, and it leaves a precise
        seam.  The per-action authorization profile
        <xref target="I-D.rampalli-aiagent-authz-hmac"/> answers "may": it
        binds an authorization token to the specific action so that the
        resolved action cannot diverge from the authorized one.  The
        memory-provenance profile
        <xref target="I-D.rampalli-aiagent-memory-provenance"/> answers
        "why-believed": it tags every memory write with a source class,
        quarantines content from non-user-intent sources, and exposes the
        trust state of any belief the agent acted upon.
      </t>
      <t>
        Either of those, standing alone, is incomplete, and so is AAC
        standing alone: a Capsule can faithfully record that an agent
        executed a payment without recording that the belief which
        triggered the payment came from a quarantined tool response, or
        that the action diverged from what was authorized.  This document
        binds the three together.  It does so additively, using only the
        extension points AAC already defines, so that an AAC Class 1
        verifier that has never heard of this profile continues to verify
        the Capsule unchanged, and a verifier that implements this profile
        can additionally confirm the authorization and provenance behind
        the recorded act.
      </t>
    </section>

    <section anchor="conventions" numbered="true" toc="default">
      <name>Conventions and Definitions</name>
      <t>
        The key words "<bcp14>MUST</bcp14>", "<bcp14>MUST NOT</bcp14>",
        "<bcp14>REQUIRED</bcp14>", "<bcp14>SHALL</bcp14>",
        "<bcp14>SHALL NOT</bcp14>", "<bcp14>SHOULD</bcp14>",
        "<bcp14>SHOULD NOT</bcp14>", "<bcp14>RECOMMENDED</bcp14>",
        "<bcp14>MAY</bcp14>", and "<bcp14>OPTIONAL</bcp14>" in this
        document are to be interpreted as described in BCP 14
        <xref target="RFC2119"/> <xref target="RFC8174"/> when, and only
        when, they appear in all capitals.
      </t>
      <dl>
        <dt>Capsule, verdict_class, disposition, assurance, effect, chain, ledger_mode, attestation_mode</dt>
        <dd>
          As defined in <xref target="I-D.mih-scitt-agent-action-capsule"/>.
        </dd>
        <dt>Authorization proof</dt>
        <dd>
          The artifact produced by
          <xref target="I-D.rampalli-aiagent-authz-hmac"/> that binds an
          authorization to a specific action.
        </dd>
        <dt>Memory chain root</dt>
        <dd>
          The <tt>chain_root</tt> value defined in Section 9 of
          <xref target="I-D.rampalli-aiagent-memory-provenance"/>: a
          base64url SHA-256 digest committing to a memory domain's state up
          to a sequence number.
        </dd>
        <dt>Divergence class</dt>
        <dd>
          A classification of how an action's actual capability flow
          diverged from its authorized flow (e.g., scope creep, injected
          delegation, unauthorized actor, expired delegation), as produced
          by the capability-flow detector that the per-action profile
          assumes.
        </dd>
      </dl>
    </section>

    <section anchor="three-axis" numbered="true" toc="default">
      <name>The Three-Axis Evidentiary Model</name>
      <t>
        The three profiles occupy three orthogonal axes of one record:
      </t>
      <artwork><![CDATA[
     why-believed              may                   did
  (memory provenance)   (per-action authz)   (agent action capsule)
+--------------------+ +------------------+ +--------------------+
| source_class       | | action-bound     | | verdict_class      |
| quarantine state   |-| authorization    |-| effect status +    |
| chain_root         | | proof            | | response_digest    |
| provenance read API| |                  | | assurance tiers    |
+--------------------+ +------------------+ +--------------------+
         L6                    L3                    AAC
          \                    |                    /
           \-------- one accountable record -------/
]]></artwork>
      <t>
        The axes are independent: a Capsule can record a clean execution
        (did) of a permitted action (may) whose triggering belief was
        quarantined (why-believed not satisfied).  Surfacing that
        combination is the purpose of the binding.  This document does not
        re-specify any axis; it specifies the references that join them.
      </t>
      <t>
        Position relative to AAC's non-goals.  Section 10 of
        <xref target="I-D.mih-scitt-agent-action-capsule"/> lists
        authorization as out of scope and points to a Permits profile.
        This document is compatible with that division: where a Permits
        statement is present it <bcp14>MAY</bcp14> be referenced by the
        same authority field; where a per-action authorization proof
        <xref target="I-D.rampalli-aiagent-authz-hmac"/> is the authority,
        this document says how to reference it.  The two are not mutually
        exclusive.
      </t>
    </section>

    <section anchor="constraints" numbered="true" toc="default">
      <name>Design Constraints Inherited from AAC</name>
      <t>
        This profile is constrained by AAC's own rules and
        <bcp14>MUST NOT</bcp14> violate them:
      </t>
      <dl>
        <dt>C1. Closed header.</dt>
        <dd>
          The <tt>capsule_*</tt> protected-header claim set is CLOSED;
          extensions are payload-only (Section 9 of
          <xref target="I-D.mih-scitt-agent-action-capsule"/>).  Therefore
          the binding defined here lives ENTIRELY in the Capsule payload
          and in the <bcp14>OPTIONAL</bcp14> <tt>disposition.authority</tt>
          reference.  This document defines NO new COSE header claims.
        </dd>
        <dt>C2. Namespaced extension values.</dt>
        <dd>
          New payload vocabulary <bcp14>MUST</bcp14> be namespaced by a URI
          or reverse-DNS prefix (Section 9.1 of
          <xref target="I-D.mih-scitt-agent-action-capsule"/>); bare names
          are reserved for the base profile.  This document uses the prefix
          <tt>org.glyphzero.suradar.</tt>
        </dd>
        <dt>C3. Unknown values are informational.</dt>
        <dd>
          A base AAC verifier <bcp14>MUST</bcp14> treat unregistered values
          as informational and <bcp14>MUST NOT</bcp14> reject a Capsule for
          carrying one (Section 4 of
          <xref target="I-D.mih-scitt-agent-action-capsule"/>).  The
          extension defined here is, to a base verifier, exactly such an
          informational value.
        </dd>
        <dt>C4. Determinism.</dt>
        <dd>
          AAC Class 1 verification <bcp14>MUST NOT</bcp14> consult a model,
          a clock-dependent heuristic, or network state (Section 6 of
          <xref target="I-D.mih-scitt-agent-action-capsule"/>).  The checks
          added by this document that require fetching an external
          provenance record are therefore defined as a Class 2 extension
          (<xref target="verification"/>), never as Class 1.
        </dd>
        <dt>C5. No may/did conflation.</dt>
        <dd>
          Nothing in this binding may weaken AAC's confirmed-effect
          invariant or never-dispatch invariant.  The binding adds context
          to a verdict; it never changes one.
        </dd>
      </dl>
    </section>

    <section anchor="extension" numbered="true" toc="default">
      <name>The Provenance-Binding Extension</name>
      <t>
        A Capsule <bcp14>MAY</bcp14> carry a single payload member named
        <tt>org.glyphzero.suradar.provenance</tt> (an object).  Its
        presence is <bcp14>OPTIONAL</bcp14>; when present it
        <bcp14>MUST</bcp14> contain:
      </t>
      <dl>
        <dt>authz_ref (string, REQUIRED)</dt>
        <dd>
          An opaque reference (URI or digest) to the per-action
          authorization proof
          <xref target="I-D.rampalli-aiagent-authz-hmac"/> for the
          Capsule's action_id.  The reference <bcp14>MUST</bcp14> resolve
          to a proof bound to the SAME action; a verifier that resolves it
          checks that binding (PB-1).
        </dd>
        <dt>memory_chain_root (string, OPTIONAL)</dt>
        <dd>
          The base64url SHA-256 memory chain root (Section 9 of
          <xref target="I-D.rampalli-aiagent-memory-provenance"/>) that the
          authorization decision relied upon.  Permits a verifier to fetch
          the provenance read API and confirm the source class and
          quarantine state of the triggering belief.
        </dd>
        <dt>quarantine_attested (boolean, OPTIONAL)</dt>
        <dd>
          Producer's claim that the high-privilege decision underlying this
          action was made only over memory entries that were NOT in the
          quarantine state, per the enforcement contract in Section 8 of
          <xref target="I-D.rampalli-aiagent-memory-provenance"/>.  A
          verifier with access to the provenance read API rederives this
          (PB-3); a verifier without it treats the value as informational.
        </dd>
        <dt>org.glyphzero.suradar.divergence_class (string, OPTIONAL)</dt>
        <dd>
          See <xref target="divergence"/>.
        </dd>
      </dl>
      <t>
        The member is part of the Capsule payload and is therefore covered
        by <tt>capsule_id</tt> (the JSON-DIGEST content address) and by the
        COSE_Sign1 signature, exactly like any other payload field.  No
        separate signature is introduced.
      </t>
      <t>
        The extension <bcp14>MUST NOT</bcp14> inline the internal structure
        of an authorization proof or a memory envelope.  Consistent with
        AAC's treatment of "authority" as "reference only, never internal
        structure" (Section 5.4 of
        <xref target="I-D.mih-scitt-agent-action-capsule"/>), only
        references and digests appear here.
      </t>
    </section>

    <section anchor="authority" numbered="true" toc="default">
      <name>Populating disposition.authority</name>
      <t>
        AAC defines <tt>disposition.authority</tt> as an
        <bcp14>OPTIONAL</bcp14> opaque reference.  When a producer emits
        the extension of <xref target="extension"/>, it
        <bcp14>SHOULD</bcp14> also set <tt>disposition.authority</tt> to
        the same <tt>authz_ref</tt> value, so that a verifier that does not
        implement this profile still has a single, canonical pointer to the
        authority and a verifier that does implement it finds the two
        consistent.  When the two are both present they
        <bcp14>MUST</bcp14> be equal; a verifier that implements this
        profile reports inequality as a finding (PB-2).
      </t>
      <t>
        This document does not change the semantics of
        <tt>disposition.authority</tt>: it remains opaque to the base
        profile.  It merely specifies one thing it <bcp14>MAY</bcp14>
        point to.
      </t>
    </section>

    <section anchor="divergence" numbered="true" toc="default">
      <name>Divergence Class for Non-Executing Verdicts</name>
      <t>
        AAC records that an action did not execute via verdict_class values
        such as "blocked", "denied", "errored", and "engine_failure"
        (Section 5.4.1 of
        <xref target="I-D.mih-scitt-agent-action-capsule"/>), but it does
        not record WHY a blocking constraint fired -- that is left to the
        private reason object behind <tt>reason_digest</tt>.  When the
        reason is a capability-flow divergence detected by the per-action
        layer, a producer <bcp14>MAY</bcp14> surface the class in the clear
        via <tt>org.glyphzero.suradar.divergence_class</tt>, turning "it
        was stopped" into "it was stopped because of injected delegation."
      </t>
      <t>
        The value, when present with an executing verdict_class, is a
        contradiction and a verifier reports it as a finding (PB-4).  The
        following NON-NORMATIVE mapping aligns the SURADAR divergence
        taxonomy with AAC verdict classes; per C3 a base verifier treats it
        as informational:
      </t>
      <table anchor="divergence-mapping">
        <name>Illustrative Divergence-Class Mapping</name>
        <thead>
          <tr>
            <th>divergence class</th>
            <th>typical AAC verdict_class</th>
          </tr>
        </thead>
        <tbody>
          <tr><td>ScopeCreep</td><td>blocked</td></tr>
          <tr><td>InjectedDelegation</td><td>blocked</td></tr>
          <tr><td>UnauthorizedActor</td><td>denied</td></tr>
          <tr><td>ExpiredDelegation</td><td>denied / expired</td></tr>
          <tr><td>(clean flow)</td><td>executed</td></tr>
        </tbody>
      </table>
      <t>
        This mapping is illustrative.  Because verdict_class is
        registry-governed under Specification Required, no value here is
        added to AAC's registry; divergence_class is a namespaced extension
        value, not a verdict_class.
      </t>
    </section>

    <section anchor="anchoring" numbered="true" toc="default">
      <name>Anchoring and Hardware-Rooted Attestation Alignment</name>
      <t>
        AAC's assurance block orders ledger evidence as
        standalone &lt; chained &lt; anchored (Section 5.3 of
        <xref target="I-D.mih-scitt-agent-action-capsule"/>).  The
        memory-provenance profile uses the same ladder: its per-domain hash
        chain corresponds to "chained", and its external anchoring of chain
        roots to a transparency log (Section 7 of
        <xref target="I-D.rampalli-aiagent-memory-provenance"/>)
        corresponds to "anchored".
      </t>
      <t>
        A producer <bcp14>MUST NOT</bcp14> report
        <tt>"ledger_mode": "anchored"</tt> on a Capsule on the basis of a
        referenced <tt>memory_chain_root</tt> UNLESS that chain root is
        itself committed to a transparency service whose receipt is
        verifiable, exactly as AAC requires for its own anchoring (a
        Capsule is "anchored" only with a verified SCITT Receipt, Section
        3.2 of <xref target="I-D.mih-scitt-agent-action-capsule"/>).  The
        two anchoring claims are independent: a Capsule <bcp14>MAY</bcp14>
        be anchored while the referenced memory chain is only chained, and
        vice versa.  No-overclaim is preserved on both axes.
      </t>
      <t>
        The transparency-service substrate used on both axes is the SCITT
        transparency service <xref target="I-D.ietf-scitt-architecture"/>;
        producers and verifiers <bcp14>SHOULD</bcp14> treat the substrate
        as shared rather than per-profile.  Hardware-rooted attestation
        evidence, where present on either the Capsule or the memory chain,
        composes with the RATS architecture <xref target="RFC9334"/> and is
        referenced rather than re-specified here.  This document defines no
        new attestation evidence format; it relies on the AAC
        <tt>attestation_mode</tt> field
        (<xref target="I-D.mih-scitt-agent-action-capsule"/>, Section 5.3)
        and on the provenance read API
        (<xref target="I-D.rampalli-aiagent-memory-provenance"/>, Section
        10) to surface attestation tier on each axis independently.
      </t>
    </section>

    <section anchor="verification" numbered="true" toc="default">
      <name>Verification</name>
      <t>
        The checks below EXTEND AAC verification.  They are Class 2
        (Section 8.2 of
        <xref target="I-D.mih-scitt-agent-action-capsule"/>) because
        confirming a reference requires evidence outside the Capsule bytes;
        they <bcp14>MUST NOT</bcp14> be required for Class 1.  A Class 1
        verifier ignores the extension (C3).
      </t>
      <dl>
        <dt>PB-1 (authorization binding).</dt>
        <dd>
          If <tt>authz_ref</tt> resolves, the verifier confirms the
          authorization proof is bound to the Capsule's action_id per
          <xref target="I-D.rampalli-aiagent-authz-hmac"/>.  Unresolvable
          or mismatched binding is reported; it does not, by itself,
          invalidate the Capsule's "did" claim.
        </dd>
        <dt>PB-2 (authority consistency).</dt>
        <dd>
          If both <tt>disposition.authority</tt> and <tt>authz_ref</tt> are
          present they <bcp14>MUST</bcp14> be equal.
        </dd>
        <dt>PB-3 (quarantine rederivation).</dt>
        <dd>
          If <tt>memory_chain_root</tt> is present and the provenance read
          API is reachable, the verifier rederives
          <tt>quarantine_attested</tt> by checking that no memory entry
          that influenced the decision was in the quarantine state (Section
          8 of <xref target="I-D.rampalli-aiagent-memory-provenance"/>).
          A rederived value that contradicts the producer's claim is an
          overclaim finding, handled exactly as AAC handles assurance
          overclaims (Section 6, check 7).
        </dd>
        <dt>PB-4 (divergence/verdict consistency).</dt>
        <dd>
          A <tt>divergence_class</tt> present with an executing
          verdict_class ("executed") is a contradiction and is reported.
        </dd>
      </dl>
      <t>
        All four checks are deterministic given their inputs.  PB-1 and
        PB-3 depend on external resolution and therefore inherit Class 2
        status; PB-2 and PB-4 are computable from the Capsule alone and
        <bcp14>MAY</bcp14> be run by a Class 1 verifier as defensive
        assertions, consistent with AAC's allowance for defensive checks on
        hand-crafted input (Section 6).
      </t>
    </section>

    <section anchor="relationship" numbered="true" toc="default">
      <name>Relationship to Existing Standards</name>
      <t>This profile complements, and does not replace:</t>
      <ul>
        <li>
          <xref target="I-D.mih-scitt-agent-action-capsule"/> -- the
          post-execution Capsule.  This document fills its
          deliberately-opaque authority reference and adds why-believed
          context, without modifying its header, registries, or Class 1
          verification.
        </li>
        <li>
          <xref target="I-D.rampalli-aiagent-authz-hmac"/> -- the "may".
          Referenced by <tt>authz_ref</tt>.
        </li>
        <li>
          <xref target="I-D.rampalli-aiagent-memory-provenance"/> -- the
          "why-believed".  Referenced by <tt>memory_chain_root</tt>; its
          provenance read API is the Class 2 evidence source for PB-3.
        </li>
        <li>
          Permits <xref target="I-D.munoz-scitt-permit-profile"/>,
          referenced by AAC as its authorization companion.  Where a Permit
          is the authority, the same <tt>disposition.authority</tt> field
          references it; this document does not compete with that profile.
        </li>
        <li>
          SCITT architecture <xref target="I-D.ietf-scitt-architecture"/>
          -- the anchoring substrate, by reference on both the Capsule and
          the memory-chain axes (<xref target="anchoring"/>).
        </li>
      </ul>
    </section>

    <section anchor="security-considerations" numbered="true" toc="default">
      <name>Security Considerations</name>

      <section anchor="sec-ref-not-proof" numbered="true" toc="default">
        <name>A Reference Is Not a Proof</name>
        <t>
          Carrying <tt>authz_ref</tt> or <tt>memory_chain_root</tt> attests
          only that the producer claims an authority and a provenance; it
          does not establish their validity.  Validity is established only
          by resolving and verifying them (PB-1, PB-3).  A verifier
          <bcp14>MUST NOT</bcp14> upgrade its trust in a Capsule's "did"
          claim merely because the extension is present.
        </t>
      </section>

      <section anchor="sec-tamper" numbered="true" toc="default">
        <name>Tamper-Evidence Is Not Honesty</name>
        <t>
          As in AAC (Section 13 of
          <xref target="I-D.mih-scitt-agent-action-capsule"/>), this
          binding attests record bytes and referenced digests, not the
          honesty of the runtime at the moment of recording.
          <tt>quarantine_attested</tt> is a producer claim; only PB-3
          against the live chain converts it to evidence.
        </t>
      </section>

      <section anchor="sec-invariants" numbered="true" toc="default">
        <name>No Weakening of AAC Invariants</name>
        <t>
          This document adds no path by which an attempt can be presented
          as a completion; it cannot, because it never writes effect or
          verdict fields.  Confirmed-effect and never-dispatch invariants
          are unchanged.
        </t>
      </section>

      <section anchor="sec-divergence-disclosure" numbered="true" toc="default">
        <name>Divergence Disclosure</name>
        <t>
          Surfacing <tt>divergence_class</tt> in the clear reveals why an
          action was blocked, which is operationally useful but may aid an
          adversary probing a policy boundary.  Producers
          <bcp14>MAY</bcp14> withhold it and rely on <tt>reason_digest</tt>
          instead.
        </t>
      </section>

      <section anchor="sec-defensive-publication" numbered="true" toc="default">
        <name>Defensive Publication</name>
        <t>
          As stated in the front matter, this document establishes prior
          art on the binding it describes.
        </t>
      </section>
    </section>

    <section anchor="privacy-considerations" numbered="true" toc="default">
      <name>Privacy Considerations</name>
      <t>
        References and digests carried here (authz_ref, memory_chain_root)
        are low-entropy in some deployments and subject to the
        digest-leakage / dictionary-attack consideration AAC raises
        (Section 13 of
        <xref target="I-D.mih-scitt-agent-action-capsule"/>); producers
        <bcp14>SHOULD</bcp14> salt or reference rather than inline.  The
        memory chain root and the provenance read API can reveal which
        upstream sources an agent has read (Section 14 of
        <xref target="I-D.rampalli-aiagent-memory-provenance"/>); verifiers
        <bcp14>SHOULD</bcp14> treat resolved provenance as sensitive and
        <bcp14>SHOULD NOT</bcp14> persist it beyond the verification
        decision.
      </t>
    </section>

    <section anchor="iana-considerations" numbered="true" toc="default">
      <name>IANA Considerations</name>
      <t>
        This document requests no IANA registrations.  All vocabulary it
        introduces is namespaced under <tt>org.glyphzero.suradar.</tt> per
        the extension convention of Section 9.1 of
        <xref target="I-D.mih-scitt-agent-action-capsule"/> and is
        therefore registration-free.  It adds no values to AAC's
        "Specification Required" registries.
      </t>
    </section>
  </middle>

  <back>
    <references>
      <name>References</name>

      <references>
        <name>Normative References</name>

        <reference anchor="I-D.mih-scitt-agent-action-capsule">
          <front>
            <title>Agent Action Capsule: A SCITT Profile for Post-Execution Accountability of Autonomous Agents</title>
            <author fullname="Steven Mih" initials="S." surname="Mih"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-mih-scitt-agent-action-capsule-01"/>
        </reference>

        <reference anchor="I-D.rampalli-aiagent-authz-hmac">
          <front>
            <title>A Symmetric-Key Profile for Per-Action Authorization of Autonomous AI Agents</title>
            <author fullname="Karthik Rampalli" initials="K." surname="Rampalli"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-rampalli-aiagent-authz-hmac-00"/>
        </reference>

        <reference anchor="I-D.rampalli-aiagent-memory-provenance">
          <front>
            <title>A Memory-Provenance Profile for Autonomous AI Agents</title>
            <author fullname="Karthik Rampalli" initials="K." surname="Rampalli"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-rampalli-aiagent-memory-provenance-00"/>
        </reference>

        <reference anchor="RFC2119" target="https://www.rfc-editor.org/info/rfc2119">
          <front>
            <title>Key words for use in RFCs to Indicate Requirement Levels</title>
            <author fullname="S. Bradner" initials="S." surname="Bradner"/>
            <date month="March" year="1997"/>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="2119"/>
          <seriesInfo name="DOI" value="10.17487/RFC2119"/>
        </reference>

        <reference anchor="RFC8174" target="https://www.rfc-editor.org/info/rfc8174">
          <front>
            <title>Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words</title>
            <author fullname="B. Leiba" initials="B." surname="Leiba"/>
            <date month="May" year="2017"/>
          </front>
          <seriesInfo name="BCP" value="14"/>
          <seriesInfo name="RFC" value="8174"/>
          <seriesInfo name="DOI" value="10.17487/RFC8174"/>
        </reference>
      </references>

      <references>
        <name>Informative References</name>

        <reference anchor="I-D.ietf-scitt-architecture">
          <front>
            <title>An Architecture for Trustworthy and Transparent Digital Supply Chains</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="A. Delignat-Lavaud" initials="A." surname="Delignat-Lavaud"/>
            <author fullname="C. Fournet" initials="C." surname="Fournet"/>
            <author fullname="Y. Deshpande" initials="Y." surname="Deshpande"/>
            <author fullname="S. Lasker" initials="S." surname="Lasker"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-ietf-scitt-architecture"/>
        </reference>

        <reference anchor="I-D.munoz-scitt-permit-profile">
          <front>
            <title>A SCITT Permit Profile</title>
            <author fullname="A. Munoz" initials="A." surname="Munoz"/>
            <date year="2026"/>
          </front>
          <seriesInfo name="Internet-Draft" value="draft-munoz-scitt-permit-profile"/>
        </reference>

        <reference anchor="RFC9334" target="https://www.rfc-editor.org/info/rfc9334">
          <front>
            <title>Remote ATtestation procedureS (RATS) Architecture</title>
            <author fullname="H. Birkholz" initials="H." surname="Birkholz"/>
            <author fullname="D. Thaler" initials="D." surname="Thaler"/>
            <author fullname="M. Richardson" initials="M." surname="Richardson"/>
            <author fullname="N. Smith" initials="N." surname="Smith"/>
            <author fullname="W. Pan" initials="W." surname="Pan"/>
            <date month="January" year="2023"/>
          </front>
          <seriesInfo name="RFC" value="9334"/>
          <seriesInfo name="DOI" value="10.17487/RFC9334"/>
        </reference>
      </references>
    </references>
  </back>
</rfc>
