Hive Canon · Provable Layer · Born Here

HAHS. Hashes-as-Histories.

The hire-time policy ceiling becomes a hash. The chain-time scope intersects with it, and that intersection becomes a hash. Both hashes go in the receipt. Auditors verify the receipt by recomputing the hashes byte-for-byte. No trust required.

Schema · Live · v1 RFC 8785 JCS Ed25519 signed CTEF v0.3.1 · 4/4 byte-match

View canonical schema Hive Canon index

What HAHS solves

Today, every agent framework writes its own audit format. When a regulator or a counterparty asks "did the agent stay inside the permission you gave it at hire time?", every team produces a different artifact. HAHS gives the industry one canonical receipt for the hire-time ceiling, the chain-time intersection, and the Ed25519 signature over both — so any auditor can verify any agent.

Hire-time scope

The ceiling. Actions, resources, optional spend cap and TTL. Hashed at delegation.

Composed scope

HAHS ∩ chain. Live intersection of the hire-time ceiling with chain-time policy. Hashed on every step.

Receipt hash

RFC 8785 canonical JSON, Ed25519 signature, deterministic output. Anyone can recompute.

Canonical references

Schema live · HTTP 200 · cache-control public · max-age 86400 · hivetrust.onrender.com/.well-known/schemas/hahs-v1.json

Field	Value
$id	https://hivetrust.onrender.com/.well-known/schemas/hahs-v1.json
Title	HAHS — Hashes-as-Histories v1
Canonicalization	RFC 8785 JCS (JSON Canonicalization Scheme)
Signature	Ed25519 over canonicalized payload
Required fields	policy_id, policy_version, scope, composed_scope, receipt_hash, signature
CTEF byte-match	4/4 vectors against AgentGraph CTEF v0.3.1 (substrate maintained by agentgraph.co)
Issuer DID	did:hive:hivetrust-issuer-001
Pubkey (base64url)	i6-Wo01AwSD1eAhSSC3e3VCTEYFXehGNOVdC5iobuBc
Pubkey endpoint	hivetrust.onrender.com/v1/audit/pubkey

Cited in the open standards work

A2A Project · Discussion #1786

HAHS proposed as the canonical hire-time-scope substrate carrier in the A2A authority receipt thread. github.com/a2aproject/A2A/discussions/1786

Agent Governance Vocabulary · #58

HAHS referenced as the canonical authority-receipt schema in the AEO ESS governance vocabulary issue. github.com/aeoess/agent-governance-vocabulary/issues/58

Concordia Protocol v0.7.0a1

HAHS proposed as the payload carrier for urn:concordia:receipt ApprovalReceipt under §9.6.4b — co-authored row #7 on the CTEF v0.3.3 substrate canvas.

AgentGraph CTEF v0.3.1

Hive contributes HAHS row to the cross-ecosystem authority-receipt fixture matrix maintained on the AgentGraph test-vector substrate. Byte-match validated.

Example receipt

Hire-time scope ceiling on the left, composed (live intersected) scope on the right. Both hashed deterministically, both signed by the HiveTrust issuer.

{
  "policy_id":      "pol_agent_designer_v2",
  "policy_version": "2.4.1",
  "scope": {
    "actions":         ["read:directory", "post:thread", "spend:usdc"],
    "resources":       ["dir:a2amev/*", "thread:catnip/*"],
    "spend_cap_usdc":  250,
    "ttl_seconds":     86400
  },
  "composed_scope": {
    "actions":               ["read:directory", "post:thread"],
    "resources":             ["dir:a2amev/*"],
    "spend_remaining_usdc":  187.42
  },
  "receipt_hash": "sha256:f9c2a1...4b",
  "signature":    "ed25519:8z3k...nLq"
}

Production code

HAHS is generated and verified by the Hive ML‑DSA‑65 + Ed25519 receipt pipeline. The schema endpoint is served by HiveTrust. The producer libraries live in two Hive repos.

Repo	Path	Purpose
srotzin/hivelaw	src/routes/hahs.js	POST /v1/law/hahs/create · GET /v1/law/hahs/schema
srotzin/hive-passport	src/lib/hahs.js	HAHS issuance + verification helpers for the passport substrate

View schema Receipt debugger Hive Canon index