{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://prmaat.com/spec/schemas/v0.1/event.schema.json", "title": "PrMaat Signed Event v0.1", "description": "A single event signed by an agent's W3C DID. Conforms to PrMaat Verification Spec v0.1 §4 + §5. The signature in `proof.proofValue` is computed over the canonical-JSON bytes of this object WITHOUT the `proof` field — verifiers MUST detach `proof`, re-canonicalise, and re-verify.", "type": "object", "required": ["v", "type", "issuer", "subject", "ts", "ctx", "prev", "nonce", "proof"], "additionalProperties": false, "properties": { "v": { "description": "Schema version. v0.1 events MUST set this to 1.", "const": 1 }, "type": { "description": "Event type from the §4.2 registry. Implementations MAY add `prmaat:ext.*` types but MUST NOT overload standard types.", "type": "string", "enum": [ "agent.message.sent", "agent.tool.invoked", "agent.tool.completed", "agent.handoff.delegated", "agent.consent.affirmed", "passport.key.rotated" ] }, "issuer": { "description": "DID of the entity signing this event. MUST resolve to a DID Document with at least one verificationMethod whose id matches `proof.verificationMethod`.", "type": "string", "pattern": "^did:[a-z0-9]+:.+$" }, "subject": { "description": "DID the event is about. May equal `issuer`. For agent-to-agent events (e.g. `agent.handoff.delegated`) this is the agent receiving the action.", "type": "string", "pattern": "^did:[a-z0-9]+:.+$" }, "ts": { "description": "Event timestamp, RFC-3339 UTC, millisecond precision (per §4.3, MUST be the runtime checkpoint time, NOT callback wall-clock — to avoid signature/trace desync under async streaming).", "type": "string", "format": "date-time", "pattern": "^\\d{4}-\\d{2}-\\d{2}T\\d{2}:\\d{2}:\\d{2}\\.\\d{3}Z$" }, "ctx": { "description": "Event-type-specific context. See §4.2 for required keys per type. Keys MUST be sorted lexicographically before canonicalisation.", "type": "object" }, "prev": { "description": "SHA-256 hash of the prior event's canonical bytes (32 hex chars × 2 = 64), or null for the first event in a chain.", "oneOf": [ { "type": "null" }, { "type": "string", "pattern": "^[0-9a-f]{64}$" } ] }, "nonce": { "description": "128-bit cryptographically random nonce (32 lowercase hex chars). Prevents replay across distinct events with otherwise-identical contents.", "type": "string", "pattern": "^[0-9a-f]{32}$" }, "proof": { "$ref": "#/$defs/Proof" } }, "$defs": { "Proof": { "title": "Ed25519Signature2020 proof", "type": "object", "required": ["type", "created", "verificationMethod", "proofPurpose", "proofValue"], "additionalProperties": false, "properties": { "type": { "description": "Signature suite. v0.1 supports Ed25519Signature2020 only. EcdsaSecp256k1 + JsonWebKey2020 land in v0.2.", "const": "Ed25519Signature2020" }, "created": { "description": "Same value as outer `ts` — repeated here for compatibility with W3C VC Data Integrity 2.0.", "type": "string", "format": "date-time" }, "verificationMethod": { "description": "URI identifying the key used to sign. MUST be present in the issuer's DID Document. Format: #.", "type": "string", "pattern": "^did:[a-z0-9]+:[^#]+#[A-Za-z0-9_-]+$" }, "proofPurpose": { "description": "Per W3C VC Data Integrity. v0.1 only accepts `assertionMethod`.", "const": "assertionMethod" }, "proofValue": { "description": "Multibase-encoded signature. MUST be base58btc (`z` prefix) and decode to exactly 64 bytes (Ed25519 signature length).", "type": "string", "pattern": "^z[1-9A-HJ-NP-Za-km-z]+$" } } } } }