From 5a507c24a0af215111abcd6bf7c6c2e55099ecc5 Mon Sep 17 00:00:00 2001 From: Albert Mavashev Date: Wed, 20 May 2026 06:25:50 -0400 Subject: [PATCH] docs: strengthen v0 citation to cross-implementation evidence MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The README citation landed in #8 with the v0 vectors qualified as "Independently reproduced under rfc8785@0.1.4" — single-library evidence. The AP2 discussion #262 thread then escalated to cross-implementation: both @chopmob-cloud and we now have JS canonicalize@3.0.0 (erdtman + Rundgren, RFC 8785 author as contributor) reproducing all 7 vectors byte-for-byte against the Python rfc8785@0.1.4 output. Different authors, different languages, different codebases, same canonical bytes and hashes on every vector, all four pair invariants hold under both impls. Tighten the Background bullet to reflect that strengthened scope. Still qualified as community-seeded and not AP2-spec-blessed. No public API, wire-shape, or protocol-conformance change. Below the AUDIT.md / CHANGELOG.md update thresholds (docs-only pointer). --- README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/README.md b/README.md index 25c42f9..8803796 100644 --- a/README.md +++ b/README.md @@ -304,7 +304,7 @@ CI runs all three checks on Python 3.10 and 3.12 for every push and pull request - [Preventing AP2 Open-Mandate Overuse with Runtime Idempotency](https://runcycles.io/blog/ap2-open-mandate-consume-once-runtime-idempotency) — engineering write-up of the keying decision (`open_mandate_hash` vs `transaction_id`), post-PSP commit uncertainty, and the AP2 §6 consume-once defense. - [AP2 GitHub Discussion #262](https://github.com/google-agentic-commerce/AP2/discussions/262) — spec-level discussion on `open_mandate_hash` canonicalization and adapter shape with the upstream AP2 community. -- [AP2 `open_mandate_hash` v0 conformance vectors](https://gist.github.com/chopmob-cloud/1dca25fd6107db4b7a30bed5dbf2ded8) — community-seeded 7-vector set covering JCS canonicalization edges (object-key order, array order, optional-field presence, currency minor-unit, Unicode NFC-vs-NFD) for `open_mandate_hash = SHA-256(JCS_RFC8785(unsigned mandate body))`. Hash input is the claims object, not the JWS envelope. Independently reproduced under `rfc8785@0.1.4`. Community-seeded, not AP2-spec-blessed — see discussion #262 for scope. +- [AP2 `open_mandate_hash` v0 conformance vectors](https://gist.github.com/chopmob-cloud/1dca25fd6107db4b7a30bed5dbf2ded8) — community-seeded 7-vector set covering JCS canonicalization edges (object-key order, array order, optional-field presence, currency minor-unit, Unicode NFC-vs-NFD) for `open_mandate_hash = SHA-256(JCS_RFC8785(unsigned mandate body))`. Hash input is the claims object, not the JWS envelope. Cross-implementation reproduced under two non-overlapping JCS impls — Python `rfc8785@0.1.4` (Woodruff) and JavaScript `canonicalize@3.0.0` (Erdtman + Rundgren, RFC 8785 author) — different authors, different languages, different codebases, same canonical bytes and hashes on every vector. Community-seeded, not AP2-spec-blessed — see discussion #262 for scope. ## Documentation