From 64175aef7b97fa27b9ebcd0255956fab1582c0b5 Mon Sep 17 00:00:00 2001
From: Albert Mavashev
Date: Wed, 20 May 2026 08:36:46 -0400
Subject: [PATCH] docs: extend v0 citation to three-impl cross-validation
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Follow-up to #9. The cross-impl citation landed with two non-overlapping JCS implementations (Python rfc8785@0.1.4, JavaScript canonicalize@3.0.0). Adding the Go reference impl (gowebpki/jcs v1.0.1) completes coverage across the three languages an AP2 conformance CI matrix would plausibly span — Python / JavaScript / Go.

All 7 vectors and all 4 pair invariants pass under each impl. Three non-overlapping author sets (Woodruff / Erdtman+Rundgren / GoWebPKI), three languages, three codebases, same canonical bytes and hashes on every vector.

One bullet edited. Still community-seeded, not AP2-spec-blessed. No public API, wire-shape, or protocol-conformance change. Below the AUDIT.md / CHANGELOG.md update thresholds (docs-only pointer).
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 8803796..e259654 100644
--- a/README.md
+++ b/README.md
@@ -304,7 +304,7 @@ CI runs all three checks on Python 3.10 and 3.12 for every push and pull request - [Preventing AP2 Open-Mandate Overuse with Runtime Idempotency](https://runcycles.io/blog/ap2-open-mandate-consume-once-runtime-idempotency) — engineering write-up of the keying decision (`open_mandate_hash` vs `transaction_id`), post-PSP commit uncertainty, and the AP2 §6 consume-once defense. - [AP2 GitHub Discussion #262](https://github.com/google-agentic-commerce/AP2/discussions/262) — spec-level discussion on `open_mandate_hash` canonicalization and adapter shape with the upstream AP2 community. -- [AP2 `open_mandate_hash` v0 conformance vectors](https://gist.github.com/chopmob-cloud/1dca25fd6107db4b7a30bed5dbf2ded8) — community-seeded 7-vector set covering JCS canonicalization edges (object-key order, array order, optional-field presence, currency minor-unit, Unicode NFC-vs-NFD) for `open_mandate_hash = SHA-256(JCS_RFC8785(unsigned mandate body))`. Hash input is the claims object, not the JWS envelope. Cross-implementation reproduced under two non-overlapping JCS impls — Python `rfc8785@0.1.4` (Woodruff) and JavaScript `canonicalize@3.0.0` (Erdtman + Rundgren, RFC 8785 author) — different authors, different languages, different codebases, same canonical bytes and hashes on every vector. Community-seeded, not AP2-spec-blessed — see discussion #262 for scope. +- [AP2 `open_mandate_hash` v0 conformance vectors](https://gist.github.com/chopmob-cloud/1dca25fd6107db4b7a30bed5dbf2ded8) — community-seeded 7-vector set covering JCS canonicalization edges (object-key order, array order, optional-field presence, currency minor-unit, Unicode NFC-vs-NFD) for `open_mandate_hash = SHA-256(JCS_RFC8785(unsigned mandate body))`. Hash input is the claims object, not the JWS envelope. 
Cross-implementation reproduced under three non-overlapping JCS impls — Python `rfc8785@0.1.4` (Woodruff), JavaScript `canonicalize@3.0.0` (Erdtman + Rundgren, RFC 8785 author), and Go `gowebpki/jcs v1.0.1` — different authors, different languages, different codebases, same canonical bytes and hashes on every vector. Community-seeded, not AP2-spec-blessed — see discussion #262 for scope. ## Documentation
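Review bot: The added bullet names an author for the Python and JavaScript implementations but not for the Go one, so the "different authors ... different codebases" claim cannot be checked for the third entry from the README alone. The commit message credits GoWebPKI; carry that into the bullet, e.g. `Go gowebpki/jcs v1.0.1 (GoWebPKI)`, and state briefly what makes that author set distinct from Erdtman + Rundgren. The version notation is also mixed (`rfc8785@0.1.4`, `canonicalize@3.0.0`, then `gowebpki/jcs v1.0.1`); pick one form so the pins read uniformly. Finally, the bullet asserts "same canonical bytes and hashes on every vector" under three implementations, while the surrounding context only mentions CI on Python 3.10 and 3.12, and the 4 pair invariants from the commit message do not appear in the bullet. Since downstream readers may treat this as the evidence that `open_mandate_hash` is stable across JCS libraries, link the harness or recorded output that produced the JavaScript and Go results, or say in the bullet that the reproduction was run outside this repository's CI.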