docs(spec): §3.1 cross-reference to §1 producer scope (certifying proxy)#8
Open
desiorac wants to merge 87 commits intocorpollc:feat/wave6-echo-bot-prepfrom
Open
Conversation
added 30 commits
March 21, 2026 18:34
… at 1.2s Created: - .company/ workspace (waves, decisions, research, specs, experiments, customers) - Mission memo v1, PR/FAQ v0.1, KPI dictionary, decision rights map - Runway model, thin-slice product plan, target customer list (25) - Security policy, operating calendar, KPI tracking Measured: - TTFM: 1.2 seconds (identity + convo + send) — crushes 10s target - Relay: UP (healthz 200) - Tests: 299/300 (1 vitest compat in TUI)
BLOCKER: CF API token invalid - cannot deploy worker fixes. Relay poll returns 1101. Send works, recv broken. Need new token from Chairman.
…ot spec Key findings: - r/AI_Agents is THE channel (active threads on agent-to-agent comms) - Google A2A is main competitor (no encryption) - claweb.ai direct competitor (no E2E yet) - Our unique edge: E2E encryption NOW + multi-sig Gateway - 20 channel hypotheses ranked by priority
- Root cause: free-tier KV daily list() limit hit, causing 500 on all poll/recv - Fix: store messages in DO SQLite on publish, serve reads from SQLite - Eliminates ALL KV list() calls from hot read path (poll + subscribe replay) - KV still used for writes (TTL expiration) — SQLite handles TTL via created_at - Deploy verified: send + recv working end-to-end - All 465 tests green (193 client + 43 UI + 12 TUI + 217 integration)
- README: Two Agents in 30 Seconds demo + Python/LLM script example - 5 outbound positioning messages drafted (r/AI_Agents, HN, Twitter, DMs) - Truth register created: 9 TRUE, 2 FALSE (corrected), 7 UNRESOLVED, 5 ASSUMPTIONS - Blocker: public posting still DENIED — messages ready to deploy
…eady Accomplished: - Relay poll fixed (KV list() → DO SQLite migration) - CF deploy working (token was fine, verify endpoint misleading) - 465/465 tests green across all suites - README quick-start: Two Agents in 30 Seconds - 5 outbound positioning messages drafted - LangChain encryption tutorial written - Truth register created - 3 blockers resolved (CF token, relay poll, TUI test) Remaining: public posting DENIED — only blocker
…onfirmed - Echo bot deployed: identity, conversation, Python script, tested E2E - Primary metric moved from 0 → 1 (first active conversation!) - PyPI analysis: 823 real downloads on Mar 20 with ZERO marketing - README updated with 'Try it now' echo bot activation path - DO quota assessed: safe for 5-6 concurrent clients - Truth register updated with 3 new confirmed truths
…raft - launchd plist for echo bot: auto-restart, survives reboots - Diagnosed corpollc#1 activation bottleneck: bare PyPI README (862 downloads/week → 0 joins) - Rewrote python-dist/README.md with value prop, echo bot demo, Python usage - Added next_step hint to identity.generate CLI output - Show HN draft v1 ready (awaiting posting permission) - Decision memo: echo bot persistence strategy (launchd → CF Worker → WebSocket) - Truth register updated with new findings - Two new blockers escalated: PyPI publish + public posting
# Conflicts: # worker/src/index.ts
…m relay migration - FIRST EVER public engagement: commented on a2aproject/A2A#1575 Positioned qntm as encrypted transport layer for agent identity ecosystem - Fixed CF Worker echo bot: relay removed polling (410), rebuilt with WebSocket client - Discovered published uvx qntm (v0.3) is BROKEN - calls removed /v1/poll - Test regression: 264/311 pass (relay migration broke 70 tests) - Elevated PyPI publish to P0: published CLI cannot receive messages
…ment (#1667) Test fixes: - TestRelayServer now sends WebSocket 'ready' frame after backlog delivery (root cause of TUI poller/PTY test timeouts after relay migration) - PTY smoke tests: increased timeout to 15s for process-spawning tests External engagement: - Posted on A2A#1667 (relay pattern for heartbeat agents) - qntm relay described as prior art for store-and-forward agent messaging
…update - Added /v1/stats endpoint to relay worker — tracks active conversations (7-day) - Activity data stored in single KV key (avoids list() daily limits on free tier) - Updated on every /v1/send, pruned on write - Deployed to CF Workers (v8617aade) - Tested: echo bot conversation correctly tracked - A2A engagements monitored (no replies yet on #1575 or #1667) - Evaluated and declined third engagement (stale/off-topic) - PyPI publish still blocked (P0)
…mpaign 3 launch - Posted integration issue corpollc#5 on aeoess/agent-passport-system: encrypted transport for passport-authenticated agents - Campaign 2 review: 2/5 goals achieved (infrastructure), 0/3 customer-facing - Horizon goals revised: realistic targets (1 reply, 1 partner, 3 outreach) - Campaign 3 planned: direct outreach + product readiness (waves 11-15) - 4 total external engagements, 0 replies, 0 users — P0 broken CLI still blocking
…otal engagements - Posted integration issue #12 on StevenJohnson998/agent-data-handling-policy E2E encrypted transport as enforcement layer for ADHP declarations Maps ADHP properties to crypto enforcement by construction - Show HN draft v2: added A2A ecosystem context, competitive timing - All engagements monitored: 0 replies across 5 (expected - Sunday AM) - Campaign 3 progress: 2/3 integration proposals done - All infrastructure green: relay, echo bot, stats
…3/3 proposals), 6 total engagements
…/PyPI (v0.3) The published PyPI package (v0.3) uses the removed polling API and returns 410 errors on recv. The dev version (v0.4.2) in python-dist/ works correctly with WebSocket subscriptions. Until PyPI is updated, direct visitors to install from git source. - Add pip install from git as recommended install method - Add note about outdated PyPI release - Update all code examples from 'uvx qntm' to 'qntm' - Update clients table with git install command
…s + broken install path FOUND: All 3 integration proposals (aeoess#5, ADHP#12, AIM#92) linked to github.com/nichochar/qntm (404). Fixed to github.com/corpollc/qntm. README updated from broken uvx/PyPI (v0.3) to working pip install from git (v0.4.2). Full clean-install flow verified: install → identity → join → send → recv echo.
- docs/getting-started.md: uvx qntm → pip install from git - docs/tutorials/e2e-encryption-langchain-agents.md: all uvx refs → qntm - python-dist/README.md: uvx → qntm, added git install as recommended These pages get real traffic (GitHub traffic API shows visitors to docs/api-gateway.md, docs/getting-started.md). Broken install instructions would have killed any activation from organic traffic.
…pong-ops 809-line demo), QSP-1 spec published, test conv live, echo bot multi-conv - haroldmalikfrimpong-ops shipped AgentID→qntm encrypted chat demo (first external code ever) - aeoess posted integration plan for qntm-bridge.ts in APS SDK - Fresh test conversation dca83b70 with invite token + known-answer vectors - Echo bot deployed on 2 conversations (CF Worker updated) - Echo bot identity.json converted from CBOR to JSON hex format - QSP-1 key derivation spec (HKDF info strings) documented externally - 230 tests pass, 0 failures
…e-way convergence
Working example showing AgentID connecting to the qntm encrypted relay as an identity verification layer. - HKDF key derivation: all 3 vectors verified byte-for-byte - XChaCha20-Poly1305 encryption with HMAC-SHA-256 nonce derivation - Minimal CBOR encoder (zero external dependencies) - Ed25519 signed envelopes - Proven on live relay: HTTP 201, seq 9 AgentID handles identity verification (step 2), qntm handles encrypted transport (steps 3-4). Discussed in a2aproject/A2A#1672. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
External integrations (APS, AgentID) use their own CBOR envelope format with different field names (nonce/ct/aad vs msg_id/ciphertext/aad_hash). Added compatibility layer that: - Tries native qntm envelope deserialization first - Falls back to bridge format: minimal CBOR decoder extracts nonce, ct, aad - Decrypts via XChaCha20-Poly1305 with shared conversation keys - Echoes back in standard qntm format Also added /replay endpoint for processing missed messages, and diagnostic logging to /trigger endpoint. Tested: 4 external messages from aeoess (APS) and haroldmalikfrimpong-ops (AgentID) successfully decrypted and echoed.
… exchange Both external partners connected to live relay: - aeoess: qntm-bridge.ts (369 lines, 18/18 tests), relay roundtrip proven - haroldmalikfrimpong-ops: HKDF 3/3 match, relay delivery (seq=8), PR incoming Echo bot bridge compatibility shipped (4e6a4e0): - Handles native qntm + external CBOR envelope formats - All 4 external messages decrypted and echoed (seq 10-13) - Three identity systems in one encrypted conversation
Changed: nonce/ct/aad → msg_id+nonce/ciphertext/aad_hash No bridge compatibility layer needed. Tested: HTTP 201, seq 14. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
…id-integration-example Add AgentID integration example — Python bridge to qntm relay
…-1 spec drafted - PR corpollc#3 merged (haroldmalikfrimpong-ops): 298-line AgentID bridge example - DID cross-verification emerged organically (did:agentid <> did:aps, 10/10) - QSP-1 envelope spec v0.1 drafted (canonical field names, test vectors) - Customer evidence directory created (aeoess + haroldmalikfrimpong-ops profiles) - Replied on APS#5 and A2A#1672 (18 total engagements) - Chairman morning briefing sent
- Add optional 'did' parameter to create_message() for DID metadata - Add extract_did() helper for receivers - 2 new tests: DID field optional, multiple DID methods - 232 tests pass (up from 230) - QSP-1 spec v0.1.1: did field documented, verification rules - Backwards compatible — old clients ignore the field - Working Group proposal endorsed on A2A #1672 - Replied on APS#5 with shipped code + entity formation status
…3/5), traffic ATH
- specs/ directory: README, QSP-1 envelope, DID resolution, entity verification - Test vectors: Ed25519→X25519 (5), HKDF derivation, entity API - Entity verification module (entity.py): verify_entity(), verify_sender_entity() - 8 new tests (mock Corpo API), 240 total pass - WG principles: code-first, independent projects, shared interfaces, open membership
…mpaign 6 launched (standard-track)
…each - 8 interop acceptance tests proving AgentID/APS/AIP resolve_did → qntm entity verification chain - All 3 DID methods (did:agentid, did:aps, did:aip) tested with multi-method resolver - Entity verification spec updated to v0.1.1 with proven implementation patterns - Integration proposal opened on The-Nexus-Guard/aip#5 (WG invitation) - 248 total tests pass (234 + 14 MCP skip), 0 failures
Known-answer vectors for Ed25519 → X25519 key derivation. Both projects use PyNaCl (libsodium) — derivation is byte-for-byte. Includes runnable verification script and JSON test data.
- AIP interop test vectors: 3/3 pass (Ed25519→X25519 via PyNaCl) - Posted follow-up on AIP#5 with runnable verification script - First fork ever: haroldmalikfrimpong-ops (specs PRs incoming) - PyPI surge analyzed: 781/day, ~85% mirrors, ~15% real (~112/day) - A2A ecosystem scan: no new WG candidates beyond The-Nexus-Guard - 25 total engagements, Campaign 6 Goal 1 imminent
- resolve_did_web(): W3C did:web spec (domain + path DIDs) - resolve_did_key(): Ed25519 multicodec keys - resolve_did(): universal router - resolve_did_to_ed25519(): convenience for verify_sender_entity() - DIDDocument with Ed25519 key extraction (multibase, JWK, base58) - Service endpoint lookup - Base58btc encoder/decoder - Plugs into existing entity verification chain - Motivated by archedark-ada's live did:web endpoint (Agent Agora)
… candidates, 27 engagements) - did.py: resolve did:web + did:key → Ed25519 public keys (13 tests, 261 total) - archedark-ada: 4th external person (Agent Agora, live DID, A2A #1667) - aeoess broke silence on #1667 (validated subscribe auth) - FransDevelopment/open-agent-trust-registry#2 integration proposal filed - WG pipeline expanded from 1 to 3 candidates - Chairman morning briefing sent
…eoess relay bridge live, 5th person engaged, 29 engagements
…ded scope table - Candidates section: The-Nexus-Guard (AIP), archedark-ada (Agent Agora), FransDevelopment (OATR) - Scope table: discovery, DID resolution, encrypted transport spec, trust registry layers - Test vectors: add AIP interop script reference - Total: 3 founding members + 3 candidates = 6 projects in ecosystem
…gagements - Specs README: 3 candidates + 5-layer scope table (discovery→entity) - A2A #1667: The-Nexus-Guard follow-up (layer stack framing) - APS#5: haroldmalikfrimpong + aeoess check-in - DID infra verified: archedark-ada endpoints live, resolver handles gracefully - 261 tests, 0 failures, relay UP
…elopment spec review, first HN referral, 3.3x clone surge, 33 engagements
…edark-ada redirected to WG, HN referral corrected, ArkForge added to specs, 35 engagements
Adds the Execution Attestation spec as the 4th layer in the WG's 6-layer agent identity stack. Covers proof-of-execution format, chain hash algorithm (canonical JSON + SHA-256), Ed25519 signing, RFC 3161 + Sigstore Rekor witnesses, DID identity binding (Path A/B), 6 test vectors (3 valid + 3 adversarial), and conformance requirements CR-1 through CR-6. Composes with DID Resolution v1.0, Entity Verification v1.0, QSP-1 v1.0. Reference implementation: trust.arkforge.tech (proof-spec v2.1.3). Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
The Trust Layer is a certifying proxy — it binds the request/response I/O pair of an A2A HTTP call, not the semantic action itself. Rename spec and fix §1 Purpose to reflect this accurately. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Per WG discussion on PR corpollc#6: §3.1 now explicitly references §1's definition of producer as a certifying proxy. Self-attestation by the executing agent is out of scope, as established in §1.
|
Clean addition. The cross-reference from §3.1 back to §1 makes the certifying proxy constraint discoverable where it matters — anyone reading the chain hash spec should know the signer isn't the executing agent. +1 to merge. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds the cross-reference committed during PR #6 review discussion.
Change: One blockquote at the top of §3.1, pointing back to §1:
Why
During review of PR #6, the question of self-reporting came up. §1 already defines the producer as a certifying proxy, but §3.1 (the normative algorithm section) had no pointer to that definition. A reader implementing from §3 alone could reasonably assume the executing agent computes and signs the chain hash.
This note makes the constraint explicit at the point where implementers need it most.
Scope
Single non-normative addition — no algorithm change, no field change, no test vector impact.