docs/receipts/RECEIPT_CHAIN_v0.2.md
12 additions & 5 deletions
Original file line number
Diff line number
Diff line change
@@ -59,17 +59,24 @@ The minimum acceptable test is:
59
59
4. Any receipt body change changes `receipt_hash`.
60
60
5. Any broken `previous_receipt_hash` breaks chain verification.
61
61
62
+
## State snapshot rule
63
+
64
+
`mutation_committed: false` is only accepted when paired with a `state_snapshot_hash` taken after refusal and verified against the expected unchanged state for the tested path.
65
+
66
+
The snapshot is path-local. It does not prove that every downstream or external mutation route was blocked.
67
+
62
68
## Verification procedure
63
69
64
70
A verifier should check:
65
71
66
72
1.`decision` is `REFUSE`.
67
73
2.`mutation_committed` is `false`.
68
-
3.`payload_hash` matches the attempted payload.
69
-
4.`decision_record_hash` matches the DecisionRecord used by the gate.
70
-
5.`previous_receipt_hash` matches the prior receipt in the chain.
71
-
6.`receipt_hash` recomputes correctly from the canonical receipt body.
72
-
7. Optional signature verifies against the declared signing key, if signatures are enabled.
74
+
3.`state_snapshot_hash` matches the expected unchanged post-refusal state for the tested path.
75
+
4.`payload_hash` matches the attempted payload.
76
+
5.`decision_record_hash` matches the DecisionRecord used by the gate.
77
+
6.`previous_receipt_hash` matches the prior receipt in the chain.
78
+
7.`receipt_hash` recomputes correctly from the canonical receipt body.
79
+
8. Optional signature verifies against the declared signing key, if signatures are enabled.
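Review bot: New step 3 of the verification procedure only covers a `state_snapshot_hash` that is present and mismatched; it does not say what the verifier does when the field is absent, although the State snapshot rule says `mutation_committed: false` is "only accepted when paired with" it. Suggest making the failure explicit, for example "3. `state_snapshot_hash` is present and matches the expected unchanged post-refusal state for the tested path; a missing field fails verification." Two related gaps in the same hunk: the rule does not say where the verifier obtains the "expected unchanged state" or how the snapshot is hashed, so two verifiers could disagree on step 3, and it does not say whether `state_snapshot_hash` is part of the canonical receipt body recomputed in step 7. If it is outside that body, the snapshot hash could be replaced without changing `receipt_hash`, so the text should state that it is covered. The visible items of the minimum acceptable test (4 and 5) address only `receipt_hash` and `previous_receipt_hash`; consider adding a test item for a missing or mismatched snapshot hash. Since steps 3 to 7 are renumbered to 4 to 8 and a new required check is introduced while the file remains `RECEIPT_CHAIN_v0.2.md`, note whether receipts produced before this change are still expected to verify.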