{
  "version": "chain-anchor-v1",
  "system": "satsignal",
  "chain": "bsv-mainnet",
  "txid": "1e4abc4a18f73e1000d210ec4c6f3041e9176ae7862adb9c06888c3b237ed4e4",
  "bundle_id": "65b3b34eccf24fcf",
  "root_hash": "e84d93b1340cbbe60c21d96f8d82015cada0b5eb3c1f02cda467c27b4b10f97e",
  "height": 948824,
  "block_hash": "00000000000000001f1c2978fe6a50049dfab9ec3833d773e200ad9d17b12e22",
  "category": "evidence_bundle",
  "matter_slug": "agent-runs",
  "leaf_count": 2,
  "leaf_hashing": "leaf = sha256(JCS({label, sha256_hex})) per /spec-mbnt manifest mode",
  "tree": "satsignal merkle row, dup-last-when-odd; proof shape {sib, side} per /spec-merkle-row",
  "interop_target": {
    "kind": "visa-trusted-agent-protocol",
    "spec_repo": "https://github.com/visa/trusted-agent-protocol",
    "wire_format": "RFC 9421 HTTP Message Signatures",
    "note": "Built from RFC 9421 (public IETF standard) — Visa's TAP repo is referenced for the wire-shape conventions (covered components, signature-params field order) but no code from that repo was copied or redistributed. Demo is faithful to TAP's signing pattern using a stdlib + python-cryptography Ed25519 implementation."
  },
  "items": [
    {
      "index": 0,
      "label": "tap-agent-registration",
      "sha256_hex": "913f75c4b21681b2ff7adf6be750efd93b2dfeeb436276bd8d0e343bcd8cbff6",
      "leaf_hash": "4bcd553f573d6ff4791773e4885b63f772639ba1c3f1a4377417444ba725af12",
      "inclusion_proof": [
        {"sib": "add5a0e8259dfbf76db1da8f3199bf1cb77c6e3758de81fd5390f000bc66730d", "side": "R"}
      ],
      "source": {
        "kind": "tap-style-registration-record",
        "file": "tap-agent-registration.json",
        "agent_id": "satsignal-chain-anchor-demo-agent",
        "key_id": "satsignal-tap-demo-ed25519-1",
        "alg": "ed25519",
        "public_key_b64": "CmrN2Y7JF2VM2EQNWgBcaz6daqD/NIRQO1tNVVRKEPs=",
        "purpose": "Anchors the agent's TAP identity (the key the merchant verifies signatures against) so the key's existence at this point in time is post-hoc auditable without trusting any registry's continued operation."
      }
    },
    {
      "index": 1,
      "label": "tap-signed-request-rfc9421",
      "sha256_hex": "5b40ec22c1ddd901974d4f5ad8ad2ef147fa4ac66e36910cf7183fe9d9d67e9d",
      "leaf_hash": "add5a0e8259dfbf76db1da8f3199bf1cb77c6e3758de81fd5390f000bc66730d",
      "inclusion_proof": [
        {"sib": "4bcd553f573d6ff4791773e4885b63f772639ba1c3f1a4377417444ba725af12", "side": "L"}
      ],
      "source": {
        "kind": "tap-style-signed-http-request",
        "file": "tap-signed-request.json",
        "wire_format": "RFC 9421 HTTP Message Signatures",
        "covered_components": ["@authority", "@path"],
        "alg": "ed25519",
        "key_id": "satsignal-tap-demo-ed25519-1",
        "tag": "tap-purchase-intent",
        "authority": "demo.satsignal.cloud",
        "path": "/tap-demo/cart/checkout?item=widget&qty=1",
        "purpose": "Anchors a single signed-request envelope so the request's existence and contents at this point in time are chain-rooted, independent of any merchant log retention or registry availability."
      }
    }
  ],
  "verification": {
    "two_independent_paths": [
      {
        "name": "RFC 9421 signature path",
        "tool": "python-cryptography Ed25519.verify(signature, signature_base)",
        "validates": true,
        "trust_root": "agent public key (carried in tap-agent-registration.json, also covered by chain anchor leaf 0)"
      },
      {
        "name": "chain-anchor path",
        "tool": "walk inclusion_proof from leaf to root, fetch txid OP_RETURN, confirm root matches",
        "validates": true,
        "trust_root": "BSV mainnet block headers (independent of TAP registry, independent of merchant logs)"
      }
    ],
    "what_chain_anchor_adds_to_tap": "TAP gives merchants real-time agent identity verification at transaction boundary. Chain-anchor adds a permanent third-party-verifiable record of: (a) what key the agent was registered under at time T, (b) what specific signed request the agent produced at time T. Useful for dispute resolution, regulatory audit, or any forensic check that happens long after the merchant's session logs and the TAP registry's then-state are unavailable.",
    "stdlib_only": false,
    "extra_dep": "python-cryptography (any Ed25519 lib works; stdlib has no Ed25519 — that's a Python limitation, not a TAP/chain-anchor design choice)"
  },
  "reproducibility": {
    "script": "tap-demo.py",
    "deterministic_seed": "sha256(b'satsignal chain-anchor-v1 / visa TAP interop demo / agent#1')",
    "note": "Re-running tap-demo.py produces byte-identical agent keypair, registration record, signature base, and signature. All leaf hashes and the merkle root are reproducible offline."
  },
  "explorer_urls": {
    "whatsonchain": "https://whatsonchain.com/tx/1e4abc4a18f73e1000d210ec4c6f3041e9176ae7862adb9c06888c3b237ed4e4",
    "bitails": "https://bitails.io/tx/1e4abc4a18f73e1000d210ec4c6f3041e9176ae7862adb9c06888c3b237ed4e4"
  },
  "issued_at": "2026-05-12T18:00:00Z"
}