Agent Revision Markup

Security Limits

What Agent Revision Markup can prove, and what it does not claim.

Agent Revision Markup verifies records, not identities.

It can check that a turn was signed by a key listed in the manifest. It does not certify that the display name in the manifest belongs to a legal person or organization.

Important limits

  • serverRef is a locator, not a trust root.
  • Custom XML can be stripped by sanitizers.
  • Cache state is not the full signed ledger.
  • A manifest can state identity, but it does not certify identity.
  • E-signature tools still execute the final agreement.

What is protected

The tested kernel protects:

  • turn hash integrity
  • turn signature verification
  • manifest binding
  • duplicate turn id replay
  • approval replay across sessions, manifests, and drafts
  • agent signing keys that require human approval

Agent Revision Markup signs the record of action. It does not sign the final contract.

Extensions

Keep the core small while allowing private traceability.

Reference

Normative files, schemas, examples, and design decisions.

On this page

Important limitsWhat is protected