{"canonical_runtime_labels":{"decision_type":{"canonical_field":"decision_type","closed_enum":false,"raw_context_field":"context.decision_type_raw","recommended_values":["threshold_execution_request","privileged_access_request","counterparty_release_request","data_export_request","deployment_approval_request","manual_override_request","risk_score_escalation","cross_system_handoff","cross_org_handoff"]},"gate_type":{"canonical_field":"gate_type","closed_enum":false,"raw_context_field":"context.gate_type_raw","recommended_values":["threshold_gate","privileged_access_gate","counterparty_release_gate","data_export_gate","deployment_approval_gate","manual_override_gate","risk_escalation_gate","cross_system_handoff_gate","cross_org_handoff_gate"]},"system_scope":{"canonical_field":"system_scope","closed_enum":false,"raw_context_field":"context.system_scope_raw"}},"canonicalization":{"payload_bytes":{"determinism":"Craton emits deterministic object serialization for v1 receipts; third-party verifiers should not reconstruct these bytes from parsed JSON.","encoding":"UTF-8","format":"Canonical JSON bytes for the v1 signed payload.","producer":"Craton"},"payload_encoding":"base64","signature_encoding":"base64","signed_message":"Decode receipt.payload_b64 with standard base64 and verify the signature over those exact bytes.","verifier_must_reserialize_json":false},"compatibility_commitment":"Receipt verification semantics are stable for v1 receipts: decode receipt.payload_b64 and verify receipt.signature over those exact bytes with the Ed25519 public key selected by receipt.kid, then read the signed payload.","object":"craton.receipt.protocol.v1","offline_verification":{"interactive_verifier_page":"/verify","json_schema_endpoint":"/protocol/v1/schema","jwks_endpoint":"/protocol/v1/jwks.json","machine_spec_endpoint":"/protocol/v1/spec","offline_key_bundle_endpoint":"/self-service/verify-keys/offline-bundle","offline_verifier_repository":"https://github.com/cratonlayer/craton-verify","online_keys_endpoint":"/protocol/v1/jwks.json","public_protocol_page":"/protocol","rule":"Stored receipts can be verified with the v1 protocol spec, RFC 7517 JWKS, /verify, or the open-source offline verifier without giving Craton control over the customer host system."},"production_write":false,"stable_receipt_fields":{"commitment_id":"Stable signed commitment reference for the boundary snapshot.","receipt.kid":"Public key identifier used to select a verification key.","receipt.payload_b64":"Base64-encoded signed receipt payload bytes.","receipt.sig_alg":"Expected signature algorithm; v1 uses ed25519.","receipt.signature":"Base64-encoded Ed25519 signature over receipt.payload_b64 decoded bytes.","request_id":"Runtime request reference returned with the boundary check.","verdict":"Boundary verdict vocabulary: allow, constrain, reject."},"stable_resources":{"human_protocol":"https://cratonlayer.com/protocol","interactive_verifier":"https://cratonlayer.com/verify","json_schema":"https://cratonlayer.com/protocol/v1/schema","jwks":"https://cratonlayer.com/protocol/v1/jwks.json","machine_spec":"https://cratonlayer.com/protocol/v1/spec"},"third_party_use":{"allowed":true,"failure_rule":"Treat signature failure, unknown kid, malformed payload, or unsupported sig_alg as unverified evidence.","no_craton_callback_required":true,"required_inputs":["receipt.payload_b64","receipt.signature","receipt.kid","RFC 7517 JWKS public key"]},"version":"v1"}