ScopeBlind
diff --git a/‎.gitignore‎
Lines changed: 16 additions & 0 deletions b/‎.gitignore‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎CALL-AGENDA.md‎
Lines changed: 54 additions & 0 deletions b/‎CALL-AGENDA.md‎
Lines changed: 54 additions & 0 deletions
diff --git a/‎DESIGN.md‎
Lines changed: 84 additions & 0 deletions b/‎DESIGN.md‎
Lines changed: 84 additions & 0 deletions
diff --git a/‎LICENSE‎
Lines changed: 21 additions & 0 deletions b/‎LICENSE‎
Lines changed: 21 additions & 0 deletions
diff --git a/‎README.md‎
Lines changed: 141 additions & 0 deletions b/‎README.md‎
Lines changed: 141 additions & 0 deletions
@@ -0,0 +1,16 @@
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+dist/
+*.egg-info/
+.pytest_cache/
+.tox/
+.coverage
+htmlcov/
+.venv/
+venv/
+.env
+*.bak
@@ -0,0 +1,54 @@
+# Proposed agenda: bindu-scopeblind design review
+
+30 minutes. Proposed by @raahulrahl on [GetBindu/Bindu#459](https://github.com/GetBindu/Bindu/pull/459). Slot TBD from the three offered (Mon 22 Apr 10:00 UTC / Wed 24 Apr 14:00 UTC / Thu 25 Apr 08:00 UTC).
+
+## Attendees (proposed)
+
+- @raahulrahl (Bindu, chair)
+- @tomjwxf (ScopeBlind / Veritas Acta)
+- @vipul674 (author of #459, optional)
+- @desiorac (ArkForge, optional)
+
+## Reading to bring to the call
+
+- This package's [`README.md`](./README.md) and [`DESIGN.md`](./DESIGN.md).
+- The relevant sections of [draft-farley-acta-signed-receipts-02](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/) (§9 Key Distribution; appendix Implementation Status).
+- [`ScopeBlind/agent-governance-testvectors`](https://github.com/ScopeBlind/agent-governance-testvectors) negative vectors directory.
+- [`VeritasActa/agt-integration-profile`](https://github.com/VeritasActa/agt-integration-profile) for the AGT-to-receipt normative mapping (mirrors what this extension will emit).
+
+## Agenda
+
+### Block 1: Shape of the shadow-mode-first plan (10 min)
+
+- Confirm the default posture (shadow, no policy-dir required, receipts observable only).
+- Confirm the enforce-mode contract (explicit opt-in, policy-dir required, optional `require_conformance_check=True`).
+- Confirm what passes the bar for flipping the default to enforce at the Bindu core level (vs. at the operator level). Candidate criteria documented in [`DESIGN.md`](./DESIGN.md) §Open Questions.
+
+### Block 2: Key anchoring model (10 min)
+
+- Walk through the four `KeySource` subclasses (`PinnedTrustAnchor`, `JwksKeySource`, `DidDocumentKeySource`, `AgentCardKeySource`).
+- Decide the preferred default for Bindu agents. The DID-document path reuses existing Bindu infrastructure; the agent-card-extension path is new but A2A-native. Either or both.
+- Decide where the policy manifest URL lives (if anywhere): agent card extension field, DID document service endpoint, or deferred.
+
+### Block 3: Test-vector hookup and enforcement readiness (10 min)
+
+- Negative conformance vectors from [`agent-governance-testvectors`](https://github.com/ScopeBlind/agent-governance-testvectors) wired into this package's CI.
+- Agreement on the specific vectors that must fail-closed before enforce-mode default is acceptable.
+- Agreement on what "ready to enable enforcement by default" looks like: which vectors, which implementation count in the draft-02 appendix, which third-party reviews.
+
+## Outputs expected from the call
+
+- A merged plan (written up in this repo or in a Bindu-side doc) with decisions on:
+  - Package repo location (assumed: `ScopeBlind/bindu-scopeblind`).
+  - Default KeySource for Bindu agents.
+  - Policy manifest publication convention (or explicit deferral).
+  - CI conformance gate specification.
+  - Criteria for enforce-mode default flip.
+- Owner + rough date for a 0.1.0 tag.
+- Disposition of [#459](https://github.com/GetBindu/Bindu/pull/459): close with thanks to @vipul674, or merge a stripped-down version as a shadow-only receipt-attachment hook inside Bindu core while this package owns the full extension surface.
+
+## What this call is NOT
+
+- Not a live demo. Demos move faster over async review of the code.
+- Not a VOPRF deep-dive. VOPRF is orthogonal to this extension (see [`DESIGN.md`](./DESIGN.md) §3); separate conversation if useful.
+- Not a commitment to specific Bindu core changes. The extension is designed to work against existing Bindu primitives (agent card, DID document, middleware pipeline) without core modifications.
@@ -0,0 +1,84 @@
+# Design notes: bindu-scopeblind
+
+Pre-call design document for the Bindu maintainer review (week of 2026-04-22). Captures the three concerns raised on [GetBindu/Bindu#459](https://github.com/GetBindu/Bindu/pull/459) and how this package addresses them.
+
+## 1. Key anchoring (embedded-key rejection)
+
+**Concern raised on #459.** `verify_receipt()` in that PR falls back to `receipt.get("verification_key")` when no external key is passed. That collapses the issuer-blind property: a malicious issuer signs any payload with a fresh key pair and ships the matching pubkey in the receipt body.
+
+**Resolution in this package.**
+
+- No embedded-key fallback exists. `sign_receipt()` REJECTS payloads containing `verification_key`, `issuer_key`, or `signer_public_key`. `verify_receipt()` rejects envelopes whose payload contains any of those fields even when an external key is also provided.
+- A negative-conformance check can be wired at `ScopeBlindExtension` construction via `require_conformance_check=True`. The check exercises a synthetic embedded-key receipt and raises if the library accepts it.
+- Key anchoring is pluggable via four reference `KeySource` subclasses: `PinnedTrustAnchor`, `JwksKeySource`, `DidDocumentKeySource`, `AgentCardKeySource`. Operators pick the transport that fits their Bindu deployment.
+- The extension exposes `ScopeBlindExtension.agent_card_extension()` so Bindu can publish the issuer pubkey via the A2A agent card mechanism without the receipt body ever carrying it.
+
+**Spec anchor.** [draft-farley-acta-signed-receipts-02 §9 (Key Distribution and Trust Anchors)](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/) establishes this requirement normatively. draft-02 is being submitted to datatracker this week.
+
+## 2. Policy content anchoring
+
+**Concern raised on #459.** Receipts commit to a `policy_hash` but a verifier has no way to recover the policy text, so the hash proves which policy ran but not what it says.
+
+**Resolution in this package.**
+
+- Cedar policies MUST live in a file directory (`cedar_policy_dir`). The directory is scanned for `.cedar` files at extension startup; their concatenated source is hashed into `payload.policy_digest` as `sha256:<hex>`.
+- Operators publishing the policy text at a discoverable URL (alongside the JWKS) close the loop. The current release does not ship a publication mechanism; this is called out as an open design question for the call.
+- Inline policy strings are NOT supported. This avoids the silent-fallback-to-literal-string path where a typo like `policies/authz.cedar` survives startup and fails only during authorization.
+
+**Open for discussion on the call.** Does Bindu want a normative `policyManifestUrl` field in the agent card extension? Or should the policy text live in the DID document service endpoint? Both are viable; we defer the choice.
+
+## 3. VOPRF scope clarification
+
+**Concern raised on #459.** "VOPRF (RFC 9497) solves a different problem than 'verify a signature without trusting the signer.'"
+
+**Correct. The original issue text conflated two layers.**
+
+This extension emits **Ed25519 signed receipts** (conformance tier T1), not VOPRF tokens. The VOPRF tier is structurally separate:
+
+| Primitive | What this extension ships | Where VOPRF lives in the wider stack |
+|---|---|---|
+| Ed25519 receipts (tier T1) | Yes, all decision receipts | - |
+| JCS canonicalization (RFC 8785) | Yes | - |
+| External key anchoring | Yes, 4 reference sources | - |
+| Selective disclosure (AIP-0002) | Yes, pass-through | - |
+| VOPRF issuer-blind tokens (tier T4) | No | Verification currently PARTIAL in `@veritasacta/verify@0.5.0` (structural checks only; full dual DLEQ proof verification is being extracted from `/veritasacta-verify/` into the unified binary). Issuance is served by a proprietary ScopeBlind Cloudflare Worker at `api.scopeblind.com`. |
+
+The "issuer-blind" property in the Ed25519 tier comes from external key resolution (verifier does not have to trust the server emitting the receipt; the verifier resolves the key via a channel independent of the receipt body). This is a weaker property than VOPRF-style anonymous credentials but is the right property for authorization receipts, where the signer identity is expected to be known and carried in the agent card / DID document.
+
+For this extension, the VOPRF state does not matter. Bindu agents using this extension produce Ed25519 receipts that verify against `@veritasacta/verify`'s Ed25519 engine (production-ready). The partial VOPRF engine in the same binary is orthogonal: it processes a different token type this extension never emits.
+
+## 4. Shadow-mode-first adoption pattern
+
+**Guidance from the #459 review.** "Shadow mode only in the first iteration. No enforcement path. Receipts are produced, logged, attached to OpenTelemetry spans, but nothing in the task flow gates on them."
+
+**Resolution in this package.**
+
+- `ReceiptMode.SHADOW` is the default. No enforcement logic runs unless the operator passes `mode=ReceiptMode.ENFORCE` explicitly.
+- Enforce mode requires a non-empty Cedar policy directory. Constructor raises `ValueError` if misconfigured.
+- Enforce mode plus `require_conformance_check=True` is the full-lockdown configuration. A CI pipeline wiring the negative-conformance vector set from [`ScopeBlind/agent-governance-testvectors`](https://github.com/ScopeBlind/agent-governance-testvectors) is the recommended precondition for flipping default to enforce.
+
+## 5. Package boundary
+
+**Guidance from the #459 review.** "We'd prefer this live as a separate installable extension (e.g. `bindu-scopeblind`) rather than inside `bindu/extensions/` in the core repo."
+
+**Resolution.** This package is that separate installable. Planned publication at [ScopeBlind/bindu-scopeblind](https://github.com/ScopeBlind/bindu-scopeblind) (repo not yet public at the time of drafting). Release cadence is independent of Bindu core. The only Bindu-core touchpoint required is that the agent card publishing path supports extension blocks, which it already does per existing patterns (DID extension, X402 extension).
+
+## 6. Threat model
+
+The extension protects against:
+
+- **Tampering with signed decisions in transit or at rest.** Ed25519 + JCS canonicalization + `previousReceiptHash` chain linkage make any modification detectable by a verifier who already holds the issuer public key.
+- **Receipt forgery by third parties.** Verifier external key resolution ensures only the operator can produce receipts that verify against the agent card / DID document / JWKS.
+
+The extension does NOT protect against:
+
+- **A compromised operator.** If the operator's signing key is exfiltrated, the attacker can produce valid-looking receipts. Key rotation and revocation are operator responsibilities.
+- **A compromised verifier key-source endpoint.** If the JWKS URL is hijacked, verifiers can be pointed at attacker-controlled keys. Operators pinning trust anchors (`PinnedTrustAnchor`) avoid this class of attack.
+- **Policy content confusion.** The extension commits to `policy_digest` but does not enforce publication of the policy text. An operator running a permissive policy hashed as `sha256:...` can claim any policy without publishing; verifiers who do not fetch the policy text have no defense. This is the same gap the #459 review identified; resolving it requires a publication convention (see §2).
+
+## Open questions for the call
+
+1. **Policy manifest publication.** Agent card extension field or DID document service endpoint?
+2. **Revocation signal.** Does a revoked issuer pubkey get published back into the agent card extension, or is that an agent-card-level change?
+3. **OpenTelemetry integration.** Is the `@scopeblind/otel-exporter` Python port on Bindu's roadmap, or does Bindu want to consume the OpenTelemetry span attributes via the existing observability bus?
+4. **Enforce-mode default flip.** What passes your internal bar? Passing a named vector set? A specific implementation count? A Microsoft AGT conformance listing? Signet conformance listing?
@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Tom Farley (ScopeBlind)
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
@@ -0,0 +1,141 @@
+# bindu-scopeblind
+
+**Bindu extension for Ed25519-signed authorization receipts in the Veritas Acta format.** Shadow mode is the default; enforcement is an explicit opt-in. No embedded-key fallback, ever.
+
+Ships as a separate installable package (per the design discussion on [GetBindu/Bindu#459](https://github.com/GetBindu/Bindu/pull/459)): keeps the Bindu core review surface narrow and lets this extension iterate on its own cadence.
+
+> **Status.** Public Preview (0.1.0a1). Call-prep artifact for a design review with the Bindu maintainers scheduled for the week of 2026-04-22. API is expected to stabilize before 0.1.0.
+
+## Install
+
+```bash
+pip install bindu-scopeblind              # core: Ed25519 + JCS + agent card extension
+pip install "bindu-scopeblind[cedar]"     # + Cedar policy evaluation (enforce mode)
+```
+
+## Posture
+
+| Property | Choice | Rationale |
+|---|---|---|
+| Default mode | `shadow` | Receipts observable before enforcement lands. Aligns with [GetBindu/Bindu#459](https://github.com/GetBindu/Bindu/pull/459) review guidance. |
+| Verification key source | External only (agent card, DID doc, JWKS, pinned trust anchor) | Embedded keys fail verification because a malicious issuer could sign any payload with a fresh key pair. See [draft-farley-acta-signed-receipts-02 §9](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/). |
+| Cedar policies | File directory only | Avoids silent-fallback-to-inline-string path typos. Enforce mode with no `.cedar` files is a configuration error. |
+| Receipts format | [Veritas Acta (draft-02)](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/) | Byte-compatible with `@veritasacta/verify@0.5` and AGT integrations (protect-mcp, sb-runtime, protect-mcp-adk). |
+| Scope | Ed25519 receipts only (tier T1) | VOPRF issuer-blind tokens (tier T4) are a separate primitive served by a different product (`@scopeblind/verifier`). This extension does NOT emit VOPRF tokens. |
+
+## Quick start (shadow mode)
+
+```python
+from pathlib import Path
+from bindu import BinduConfig
+from bindu_scopeblind import ScopeBlindExtension
+
+config = BinduConfig(
+    name="my-agent",
+    extensions=[
+        ScopeBlindExtension(
+            signer_key_path=Path("/etc/scopeblind/issuer.key"),   # PEM Ed25519 private key
+            cedar_policy_dir=Path("./policies"),                  # directory of .cedar files
+            # mode=ReceiptMode.SHADOW is the default; omit to get it.
+        )
+    ],
+)
+```
+
+Every governed request produces a signed receipt attached to `request.state.scopeblind_receipt`. Task / artifact metadata includes the receipt. Nothing in the task flow gates on the decision in shadow mode.
+
+## Enforce mode (explicit opt-in)
+
+```python
+from bindu_scopeblind import ScopeBlindExtension, ReceiptMode
+
+ScopeBlindExtension(
+    signer_key_path=Path("/etc/scopeblind/issuer.key"),
+    cedar_policy_dir=Path("./policies"),                 # required in enforce mode
+    mode=ReceiptMode.ENFORCE,
+    require_conformance_check=True,                      # CI gate
+)
+```
+
+`require_conformance_check=True` runs a minimal negative-conformance vector at construction: confirms the build rejects receipts carrying their own verification key. Construction fails if the check fails closed. CI operators SHOULD wire the full negative-vector set from [`ScopeBlind/agent-governance-testvectors`](https://github.com/ScopeBlind/agent-governance-testvectors) into their build.
+
+## Verification
+
+Receipts verify with `@veritasacta/verify` with no runtime dependency on Bindu or this extension:
+
+```bash
+# Operator publishes the issuer public key out-of-band (agent card / DID doc / JWKS)
+npx @veritasacta/verify receipt.json --jwks https://agent.example/.well-known/jwks.json
+```
+
+Or, from Python, using one of the provided `KeySource` subclasses:
+
+```python
+from bindu_scopeblind import (
+    AgentCardKeySource,
+    JwksKeySource,
+    DidDocumentKeySource,
+    PinnedTrustAnchor,
+    verify_receipt,
+)
+
+source = AgentCardKeySource(agent_card=agent_card_json)
+pub = source.resolve(receipt["signature"]["kid"])
+assert verify_receipt(receipt, pub)
+```
+
+## Key anchoring
+
+Four reference sources ship in `bindu_scopeblind.key_sources`:
+
+- `PinnedTrustAnchor`: single pinned Ed25519 public key. Simplest case.
+- `JwksKeySource`: resolves from a parsed JWKS document.
+- `DidDocumentKeySource`: resolves from a DID document's `verificationMethod` list. Fits Bindu's existing DID-first agent identity model.
+- `AgentCardKeySource`: resolves from an A2A agent card's `extensions["veritasacta:issuer"]` block. Returned by `ScopeBlindExtension.agent_card_extension()` so Bindu can publish it.
+
+The extension does not bake in HTTP-fetching behavior; operators choose the transport. This keeps the core module offline-by-default and testable without network.
+
+## Receipt payload
+
+```json
+{
+  "payload": {
+    "type": "scopeblind:decision",
+    "issuer_id": "scopeblind:<12-char-thumbprint>",
+    "agent_id": "did:bindu:acme:searchbot",
+    "action": "message/send:search",
+    "decision": "allow",
+    "mode": "shadow",
+    "policy_id": "scopeblind-policy:policies",
+    "policy_digest": "sha256:...",
+    "jsonrpc_method": "message/send",
+    "path": "/a2a",
+    "request_id": "req-1234",
+    "issued_at": "2026-04-19T...Z",
+    "previousReceiptHash": "..."
+  },
+  "signature": {
+    "alg": "EdDSA",
+    "kid": "<operator JWK thumbprint>",
+    "sig": "<base64url>"
+  }
+}
+```
+
+All fields covered by the Ed25519 signature. Tampering with any field fails verification.
+
+## Design artifacts
+
+- [`DESIGN.md`](./DESIGN.md): key-anchoring decision, shadow-mode semantics, threat model.
+- [`CALL-AGENDA.md`](./CALL-AGENDA.md): proposed agenda for the Bindu maintainer design review call.
+
+## License
+
+MIT. See `LICENSE` (to be added on repo publication).
+
+## Related
+
+- [GetBindu/Bindu#439](https://github.com/GetBindu/Bindu/issues/439): originating feature request.
+- [GetBindu/Bindu#459](https://github.com/GetBindu/Bindu/pull/459): alternative implementation in the Bindu core repo (superseded by this standalone package per maintainer guidance).
+- [draft-farley-acta-signed-receipts-02](https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/): receipt format specification.
+- [VeritasActa/agt-integration-profile](https://github.com/VeritasActa/agt-integration-profile): normative AGT-to-receipt field mapping.