Skip to main content
The Keystone is the complete agentic-payment trust chain, expressed as one recomputable sequence of content-addressed references. It answers, in order, the five questions a payment agent’s actions raise, and binds each answer to the next so the whole chain is verifiable end to end with no issuer contact. 
passport_ref  ->  mandate_ref  ->  policy_bound_ref  ->  decision_ref  ->  execution_ref  ->  trust_query_ref
 who is it?       what may it      under which          was it           what did it          one verdict
                  spend?           policy?              authorized?      actually do?         over the chain
Each reference is "sha256:" + SHA-256(JCS(...)) over the reference before it, so recompute any input field and that reference and everything downstream of it diverges. A decision made for one agent, authority, or policy cannot be silently re-attributed; an execution recorded under one decision cannot be claimed by another.

What 1.0.0 closes

algovoi-substrate 1.0.0 closes the Keystone with execution_ref, decision-bound execution evidence. Identity proves who an agent is and a decision proves an action was authorized; execution_ref proves what the agent did and binds that execution to the exact decision that authorized it. This is the consistency property: the evidence is bound to the decision, not merely correlated with an identity. It is the gap the field has been naming as “post-identity trust,” now shipped, byte-verifiable, and optionally post-quantum signed.

The whole chain, in one call

from algovoi_substrate import build_keystone

k = build_keystone(
    passport_ref="sha256:b3594e33...",     # identity (Agent Passport)
    mandate_ref="sha256:a4f8cb5e...",       # authority (Payment Mandate)
    policy_bound_ref="sha256:aaee2091...",  # policy in force (Policy Binding)
    verdict="ALLOW",                         # the pre-payment decision
    action_type="payment", scope="bilateral",
    outcome="COMMITTED", executed_at_ms=1716460800000,
    trust_outcome="TRUSTED",
)

k["decision_ref"]     # the pre-payment decision
k["execution_ref"]    # decision-bound execution evidence
k["trust_query_ref"]  # one verdict over the whole ordered chain
k["chain"]            # [passport_ref, mandate_ref, policy_bound_ref, decision_ref, execution_ref]
Python and TypeScript (buildKeystone) produce byte-identical output. The three upstream references are issued by their own tiers (Agent Passport, Payment Mandate, Policy Binding) and supplied by value; the substrate composes the rest.

Verify the whole Keystone yourself

The end-to-end composition is proven byte-for-byte in the conformance corpus, offline, with no package import (an RFC 8785 JCS library and SHA-256 are the whole dependency): 
git clone https://github.com/chopmob-cloud/algovoi-jcs-conformance-vectors
cd algovoi-jcs-conformance-vectors
python composition/keystone_v1/verify_keystone.py   # 6/6 links byte-for-byte
node   composition/keystone_v1/verify_keystone.mjs  # Node == Python
keystone_v1 recomputes every reference from raw fields, shows each equals the published output of its own conformance set, and shows the execution tier binds the exact decision the chain produced. It is the flagship “verify it yourself” proof for the whole chain.

The full lifecycle composes onto the Keystone

The Keystone extends through the whole post-decision lifecycle. Each step is an additive composition in the conformance corpus (0.23.0), built on the same JCS + SHA-256 discipline with no new hashing primitive:
  • Settlement binds to execution. A settlement attestation whose settled_payment_ref is the exact execution_ref the Keystone produced, capped by one execution_binding over {execution_ref, settlement_ref, retention_chain_ref}. What settled binds to what executed, not to an identity. (composition/settlement_binding_v1)
  • Refund binds to execution. A refund receipt anchored to the execution_ref of the payment that committed, not merely to the decision that authorized it. (composition/refund_execution_v1)
  • PEF carries the Keystone. A Payment Evidence Frame is the signed transport envelope: it wraps a Keystone reference and pins it, so its frame_id commits to the exact Keystone position it carries. PEF is the delivery and attribution layer, not a new link in the chain. (composition/pef_keystone_v1)
  • Audit chain of frames (the capstone). The whole lifecycle, execution then settlement then refund, expressed as a chain of PEF frames whose receipt_hash equals the Keystone reference each one transports, linked by prev_hash and capped by one trust_query_ref. Tamper any frame and its frame_id, the downstream rows, and the cap all diverge. (composition/audit_chain_of_frames_v1)
Verify them the same way, offline from raw fields: 
python composition/settlement_binding_v1/verify_settlement_binding.py
python composition/refund_execution_v1/verify_refund_execution.py
python composition/pef_keystone_v1/verify_pef_keystone.py
python composition/audit_chain_of_frames_v1/verify_audit_chain_of_frames.py
Each has a Node twin (.mjs) that produces identical references, or run the whole corpus at once with python composition/verify_corpus.py.

Verified performance

The full Keystone, including the signed transport frames and the capped audit chain, recomputes in well under a millisecond. A sustained single core soak (Docker --cpus=1, 120 seconds, driven through the published algovoi-substrate canonicalizer) recorded:
RuntimeSustained throughputLatency p50 / p99Memory
Python (rfc8785)~3,850 keystones/sec0.20 / 0.60 msplateaus ~25 MB, no leak
Node (canonicalize)~14,200 keystones/sec0.05 / 0.29 msplateaus ~68 MB, no leak
Across 2.17 million recomputations over both runtimes the references never drifted: every reference still matched its published value at the end of the soak. Throughput held steady with no degradation and memory plateaued with no leak. One Keystone is about a dozen JCS + SHA-256 references, and throughput scales with cores.

Commercial: signed, CCC-ingestable execution evidence

The open tier binds and proves. The commercial tier signs and renders: the execution tier is co-signed with Falcon-1024 and ML-DSA-65 and emitted as a hash-linked execution_evidence chain that the Compliance Command Center ingests and re-verifies offline, surfacing a “Keystone, execution evidence” posture tier.

See also