DefaultVerifier
SAR-402 · Path A delivery evidence · Path B recording attribution · Path C deterministic evaluation

A paid-resource workflow was recorded. The evidence is a receipt built for public inspection — and the recording is now attributable to DefaultVerifier.

SAR (Settlement Attestation Receipt) is the evidence object that binds a requested AI operation to independently verifiable records of what was requested, evaluated, recorded, and delivered. SAR-402 has three paths. Path A is delivery evidence: a resource server delivers a resource, emits settlement evidence, and DefaultVerifier records a SAR receipt — built for SAR Explorer inspection, publicly resolvable by receipt ID, with payload hash binding and explicit role separation. Path B is recording attribution: DefaultVerifier signs the recording wrapper so a third party can confirm DefaultVerifier — not the submitter alone — recorded the receipt. Path C is deterministic conditional-release evaluation: a deterministic evaluator checks submitted output against a committed acceptance spec and signs the pre-execution evaluation state in a Continuity Evaluation Receipt. DefaultVerifier records evidence. It does not deliver the resource, authorize access, execute payment, or control resource release.

Path A attests resource-server delivery evidence; Path B attests that DefaultVerifier recorded the receipt. Path B attests only that DefaultVerifier recorded this receipt. It does not attest to delivery, payment execution, access authorization, release control, legal payment finality, or mainnet settlement.

Published canonical public_demo receipt · publicly resolvable

This artifact was generated through the real ingestion code (record_sar402_receipt) and resolved through the real lookup helper (get_receipt). The canonical public_demo receipt is published and publicly resolvable by receipt ID. No mainnet payment occurred — this is testnet (Base Sepolia) evidence, issuer.environment = test. The receipt ID, lookup path, and Explorer URL below are the canonical published values.

The claim, bounded

What this proves, and what it explicitly does not.

Path A proves recorded delivery evidence. Every clause below is backed by shipped, tested code in attest-service — and every excluded claim is stated so no reader infers more than the receipt supports.

What Path A proves

  • Recorded. DefaultVerifier recorded a SAR-402 delivery event through the same ingestion path SAR Explorer reads from.
  • Structured for public inspection. The receipt resolves by receipt_id through GET /v1/attest/receipt/{id} — the same lookup path SAR Explorer uses, and the canonical public_demo receipt is publicly resolvable on that surface.
  • Payload-bound. delivery.evidence_digest matches the delivered bytes and is independently recomputable.
  • Role-separated. The recorder (issuer.verifier) and the deliverer (acting_party) are different parties; the endpoint hard-rejects any receipt claiming verifier execution authority.

What Path A does not claim

  • DefaultVerifier cryptographically signed the recorded receipt.
  • DefaultVerifier delivered the resource.
  • DefaultVerifier authorized access.
  • DefaultVerifier executed payment.
  • DefaultVerifier proves legal payment finality.
  • DefaultVerifier controls resource release.
Boundary

This Path A demo proves recorded delivery evidence. It does not claim DefaultVerifier signed the recorded receipt, delivered the resource, authorized access, executed payment, controlled release, or proved legal payment finality.

The proof chain

Eight steps from paid request to role-separated receipt.

Each step names the system that performs it and what an independent third party can confirm. Delivery and recording are performed by separate parties — that separation is the load-bearing property.

  1. Client ↔ Resource server Request A client requests the paid resource (/pay/url-summary) and receives an x402-style quote. Proves: a paid-resource flow, not a free fetch.
  2. Resource server / access layer Access decision The resource server — not DefaultVerifier — decides whether to grant access after payment evidence is presented. Proves: DefaultVerifier did not decide access.
  3. Resource server Delivery The resource server delivers the URL summary to the client. DefaultVerifier delivers nothing. Proves: the resource server is the deliverer (acting_party = resource_server).
  4. Resource server (fail-open SDK) Evidence emission As a byproduct of delivery, the deliverer emits a delivered-resource descriptor plus a digest of the payload. Emission never blocks delivery. Proves: the delivery evidence originates from the deliverer, not the verifier.
  5. DefaultVerifier Receipt recording DefaultVerifier records the evidence as a SAR-402 receipt: verification_mode = record, verification_point = post_delivery. No signing step runs. Proves: verification left evidence; the verifier recorded — it did not deliver, authorize, or execute.
  6. SAR Explorer Built for public inspection The receipt is resolvable by receipt_id using the same lookup path the SAR Explorer inspection surface reads — the canonical public_demo receipt is published and publicly resolvable at that URL. Proves: the evidence is structured for public inspection, not private to Default Settlement.
  7. Independent third party Payload hash binding A third party re-hashes the delivered payload with the canonical method and compares to delivery.evidence_digest. Proves: the recorded delivered payload was not swapped.
  8. Reader, over the receipt Role separation confirmation The reader inspects issuer.verifier (recorder) vs. authority_binding.acting_party (deliverer) and verifier_has_execution_authority = false. Proves: DefaultVerifier could not have fabricated the whole event alone.

Receipt & inspection

One content-addressed ID keys the lookup and the public Explorer URL.

The receipt_id is the inbound integrity.digest — a content hash the resource server computed, adopted (not generated) by DefaultVerifier. The same ID resolves the published canonical record and keys the public SAR Explorer URL — the same receipt shape and lookup path SAR Explorer uses.

receipt_idsha256:91e2ae85f03c7a8e7df10e8862895b99456cb13abc50b4e23ba84f1c15b3b8c9
receipt_contextpublic_demo
receipt_typesar_402_settlement
receipt_lookup_path/v1/attest/receipt/sha256%3A91e2ae85f03c7a8e7df10e8862895b99456cb13abc50b4e23ba84f1c15b3b8c9
explorer_urlhttps://sarexplorer.com/?receipt_id=sha256%3A91e2…b8c9Canonical public_demo receipt — published and publicly resolvable at this URL
payment_refdemo:canonical-public-demo-v2-20260623

Resolving the lookup path returns the published canonical record — resolved by receipt_id: TRUE:

GET /v1/attest/receipt/{receipt_id}public_demo · published
# resolved against the published public receipt surface (testnet)
{
  "receipt_id": "sha256:91e2ae85f03c7a8e7df10e8862895b99456cb13abc50b4e23ba84f1c15b3b8c9",
  "receipt_type": "sar_402_settlement",
  "receipt_context": "public_demo",
  "created_at": "2026-06-23T17:01:58Z",
  "agent_id": "agent:x402:eip155:84532:0xPAYER0000000000000000000000000000000002",  // payer-derived, NOT the deliverer
  "receipt": { /* inner SAR-402 settlement payload */ }
}

The agent_id is the payer-derived agent identity, derived from settlement. It is not the deliverer — the deliverer is named by authority_binding.acting_party.

Payload hash binding

The receipt is bound to the actual delivered bytes.

The delivered object carries a delivery_evidence_digest computed by the /pay/url-summary delivery logic: SHA-256 over the canonical delivered object (sorted keys, compact separators), excluding the digest field itself. That value is copied verbatim into the receipt as delivery.evidence_digest. A third party can recompute it and confirm the payload was not swapped.

Captured digestsha256:ea24c8369b31816546e07644b3621831d2e8d780e527ccb0c9fd26471dd2a8c6
Recomputed digestsha256:ea24c8369b31816546e07644b3621831d2e8d780e527ccb0c9fd26471dd2a8c6
In receiptdelivery.evidence_digest = sha256:ea24c8369b31816546e07644b3621831d2e8d780e527ccb0c9fd26471dd2a8c6
All three matchTRUE
third-party recomputationpython3
# 1. Save the delivered payload (section: delivered object) as delivered.json
# 2. Recompute the canonical SHA-256 digest:
import hashlib, json
obj = json.load(open('delivered.json'))
obj.pop('delivery_evidence_digest', None)   # digest excludes itself
canon = json.dumps(obj, sort_keys=True, separators=(',',':'),
                   ensure_ascii=False).encode('utf-8')
print('sha256:' + hashlib.sha256(canon).hexdigest())
# 3. Compare the printed value to delivery.evidence_digest in the receipt.

Role separation

Recorder, deliverer, and payer are three different parties.

DefaultVerifier could not have fabricated the whole event alone: the delivery digest originates from the deliverer, and the receipt structurally separates the recorder from the deliverer. The ingestion endpoint hard-rejects any receipt claiming the verifier holds execution or release authority.

Resource server
authority_binding.acting_party = "resource_server"
Delivered the paid resource and emitted the delivery evidence. resource_server_controls_delivery = true.
Payer-derived agent
identity.derived_identity.derived_agent_id = agent:x402:eip155:84532:0xPAYER…0002
The paying party, derived from settlement. Not the deliverer and not the recorder.
DefaultVerifier
issuer.verifier = "DefaultVerifier"
Recorded the evidence. Holds no execution authority and does not control release.
Field pathValueMeaning
authority_binding.acting_partyresource_serverThe deliverer — not DefaultVerifier.
authority_binding.verifier_has_execution_authorityfalseVerifier claimed no execution authority; endpoint rejects otherwise.
authority_binding.verifier_controls_resource_releasefalseVerifier does not control resource release.
authority_binding.resource_server_controls_deliverytrueThe resource server controls delivery.
issuer.verifierDefaultVerifierThe recorder. A self-asserted string in Path A; Path B binds the recording to a DefaultVerifier key (see Path B).
issuer.environmenttestDemo/testnet evidence — not mainnet, not legal finality.
verification_mode / verification_pointrecord / post_deliveryPost-hoc recording at the after-delivery seam — not gating.

In Path A, issuer.verifier = "DefaultVerifier" is a self-asserted string, not bound to a DefaultVerifier key. Path B adds that cryptographic attribution: a recording signature over the wrapper, verifiable against the published DefaultVerifier recording key (defaultverifier-recording-ed25519-1). Path B attributes recording only — it does not change the role separation above.

Reproduce

A third party confirms it in under ten minutes, trusting no single surface.

Path A reproduction proves inspectability, payload binding, and role separation. No CLI signature verification is part of Path A — that is Path B.

reproduction checklistpublic_demo · published
1. Resolve the receipt by its id on the public verifier surface:
   GET /v1/attest/receipt/sha256%3A91e2ae85f03c7a8e7df10e8862895b99456cb13abc50b4e23ba84f1c15b3b8c9
   → confirms the published canonical public_demo record resolves.

2. Open the public Explorer URL:
   https://sarexplorer.com/?receipt_id=sha256%3A91e2…b8c9
   → publicly resolvable; renders the same canonical receipt.

3. Recompute the payload binding:
   drop delivery_evidence_digest, hash the canonical bytes, compare to
   delivery.evidence_digest → match: TRUE.

4. Read the role-separation fields:
   issuer.verifier = DefaultVerifier (recorder);
   acting_party    = resource_server (deliverer);
   verifier_has_execution_authority = false
   → confirms recorder ≠ deliverer, no execution authority.

5. Sanity-check states:
   verification_mode = record · verification_point = post_delivery ·
   settlement_state = delivered · issuer.environment = test
   → post-hoc recorded demo/testnet evidence, not gating, not mainnet finality.

Source artifacts

Where this demo comes from.

The artifact was generated by attest-service and is preserved as a reproducible Path A demo. The canonical public_demo receipt is published and publicly resolvable on SAR Explorer.

Artifactsar402-path-a-demo-20260623T170158Z · attest-service · reports/sar402/path-a-demo/ (.json + .md + generate_demo.py)
Commit092e093 — docs: add SAR-402 Path A delivery evidence demo
Commitb8ba4d4 — test: harden SAR-402 receipt wrapper contract
Completionmorpheus · reports/proof-artifacts/sar-402/path-a-demo-completion-20260623.md
ProfileSAR-402 Settlement Attestation Receipt · sar_402_settlement_v0.1

Path B · recording attribution

Path B is live: the recording is attributable to DefaultVerifier.

Path B — live

Path B adds wrapper-level recording attribution. DefaultVerifier signs the recording wrapper, so a third party can confirm DefaultVerifier — and not the submitter alone — recorded the receipt. In SAR Explorer this renders as DefaultVerifier Recording Attribution: Recording wrapper found — DefaultVerifier recorded this receipt.

The recording signature is made with the published DefaultVerifier recording key, key id defaultverifier-recording-ed25519-1. The public key is published at /.well-known/sar-keys.json for independent confirmation. The signature attributes recording only: verifier_has_execution_authority stays false, and the resource server remains the deliverer.

Authority boundary. Path B attests only that DefaultVerifier recorded this receipt. It does not attest to delivery, payment execution, access authorization, release control, legal payment finality, or mainnet settlement.

Path C · deterministic conditional release

Path C: a deterministic gate where release depends on a committed acceptance spec.

DefaultVerifier was built around a simple commercial question: did the agent deliver what was specified, and can that be verified before payment, access, or resource release occurs? Path C is that founding thesis now live as a hosted DefaultVerifier endpoint — the deterministic version of the gate, evaluated and publicly verified.

Default Settlement can support evidence-producing gates where release depends on whether submitted output satisfies a declared, deterministic acceptance spec.

Path C — live hosted evaluation record

A request body carries a declared acceptance spec. Because the body is committed by body_digest, the spec is bound into request_digest and action_ref. A deterministic evaluator then checks submitted output against that committed spec and produces PASS, FAIL, INDETERMINATE, or EVALUATOR_TIMEOUT.

In the example: PASSrow_count 1200 satisfies the declared threshold row_count >= 1000, so the release policy says “should release.” FAILrow_count 740 does not satisfy the threshold, so the release policy says “should withhold.”

Step 2A — live hosted endpoint. DefaultVerifier retrieves the committed Action Commitment by action_ref, evaluates submitted output against the committed acceptance_spec, and returns a stored unsigned deterministic evaluation record. The evaluator does not accept acceptance_spec from the caller — the spec comes from the committed request_body.ds_conditional_release profile, preventing spec substitution at evaluation time. The Step 2A deterministic evaluation record is itself unsigned; the signed Continuity Evaluation Receipt is now live as Step 2B, below.

The spec is committed through the existing chain — body_digest → request_digest → action_ref — and the evaluator records a result against that action_ref. The following values are publicly retrievable from the live hosted endpoint.

GET /v1/evaluate/deterministic/{action_ref}live · publicly verified
# retrieve the committed evaluation record by action_ref
curl https://defaultverifier.com/v1/evaluate/deterministic/sha256%3Adb0ebf039e7ead24850f23070c950b739d7347caa21bee05fda071d295964e2e

# HTTP/2 200
{
  "result": "PASS",
  "declared_release_intent": "should release",
  "record": {
    "record_type": "deterministic_evaluation_record",
    "..."
  }
}
Committed specds_conditional_release.acceptance_spec — field_present · numeric_threshold (row_count >= 1000) · content_type_equals
body_digestsha256:e3c8dfe264870f680ab06f0a5598291c68d03d570dd39e8e5464120d61a9259d
request_digestsha256:67a6ddb97a2e708bf6564498f0bddb990b09a4205b3cfc65f238ab7df0ba5f1d
action_refsha256:db0ebf039e7ead24850f23070c950b739d7347caa21bee05fda071d295964e2e
PASS outputrow_count 1200 >= 1000 → result PASS · declared_release_intent = should release
FAIL outputrow_count 740 < 1000 → result FAIL · declared_release_intent = should withhold
declared_release_intentPASS → should release · FAIL → should withhold — declared intent, not a record of actual downstream release.
Path C — Step 2B · signed Continuity Evaluation Receipt (live)

Step 2B is now live alongside the Step 2A record. A continuity evaluator signs the pre-execution evaluation state over the same committed action_ref, producing a signed Continuity Evaluation Receipt under schema ds.continuity_evaluation.v0.1. The receipt is retrievable from the live hosted continuity-receipt endpoint and carries an Ed25519 signature whose public key is published in sar-keys.json.

Key binding. The receipt's signature.key_id and evaluator_id both identify the evaluator as agent:defaultverifier:continuity-v1 — an identity, not a raw key id. The Default Settlement Agent Key Binding Assertion (version 2) binds that evaluator identity to its Ed25519 public key, and binding version 2 covers both agent:morpheus and agent:defaultverifier:continuity-v1. The same evaluator key is also published in sar-keys.json under kid defaultverifier-evaluator-ed25519-1 (the raw key, a different encoding of the same public key). The assertion is published under production publication key sha256:1592a5cc4193760024db36a2ac33acd83cd153994259bd051440eeb7e98bc87b. Independent verification resolves the evaluator identity through the binding assertion and/or compares the bound public key against the key in sar-keys.json; the binding assertion is the authoritative identity attestation.

GET /v1/evaluate/deterministic/{action_ref}/continuity-receiptlive · signed
# retrieve the signed Continuity Evaluation Receipt by action_ref
curl https://defaultverifier.com/v1/evaluate/deterministic/sha256%3Adb0ebf039e7ead24850f23070c950b739d7347caa21bee05fda071d295964e2e/continuity-receipt

# HTTP/2 200
{
  "schema_id": "ds.continuity_evaluation.v0.1",
  "evaluation_state": "PASS",
  "action_ref": "sha256:db0ebf039e7ead24850f23070c950b739d7347caa21bee05fda071d295964e2e",
  "evaluator_id": "agent:defaultverifier:continuity-v1",
  "policy_ref": "policy:default-settlement/sar-402-deterministic-conditional-release-v1",
  "evaluated_at": "2026-06-27T03:12:07Z",
  "signature": {
    "alg": "ed25519",
    "key_id": "agent:defaultverifier:continuity-v1",
    "public_key": "MCowBQYDK2VwAyEArYiQHAFuLxlv/G0VAidYgoj3D+iX9Uk47w7qpWdWPuA="
  }
}
schema_idds.continuity_evaluation.v0.1
evaluation_stateresult PASS
action_refsha256:db0ebf039e7ead24850f23070c950b739d7347caa21bee05fda071d295964e2e
evaluator_idagent:defaultverifier:continuity-v1
policy_refpolicy:default-settlement/sar-402-deterministic-conditional-release-v1
evaluated_at2026-06-27T03:12:07Z
signature.alged25519
signature.key_idagent:defaultverifier:continuity-v1
signature.public_keyMCowBQYDK2VwAyEArYiQHAFuLxlv/G0VAidYgoj3D…WPuA= (truncated)
key binding/.well-known/defaultsettlement-agent-key-bindings.json · Agent Key Binding Assertion v2 · binds agent:defaultverifier:continuity-v1 → evaluator public key (authoritative identity attestation)
evaluator key/.well-known/sar-keys.json · kid defaultverifier-evaluator-ed25519-1 · same evaluator key, raw encoding · use continuity_evaluation_receipt_signing · status active

What Path C proves

  • Declared spec conformance. A deterministic evaluator applied a declared acceptance spec to a referenced output and produced a recorded result.
  • Spec binding. The acceptance spec is committed by body_digest and bound into request_digest and action_ref.
  • Reproducible verdict. PASS / FAIL / INDETERMINATE is recomputable from the committed body alone.
  • Signed evaluation state (Step 2B). A named evaluator (agent:defaultverifier:continuity-v1) signed the pre-execution evaluation_state under a stated policy_ref, in a signed Continuity Evaluation Receipt verifiable against the public key published in sar-keys.json.

What Path C does not claim

  • Objective correctness of the submitted output.
  • Payment finality.
  • Resource release finality.
  • Legal sufficiency.
  • That actual downstream release occurred.
  • That the Step 2A deterministic evaluation record is signed — it is unsigned; the signature lives in the Step 2B Continuity Evaluation Receipt.
  • That this is execution proof.
Boundary

This proves declared spec conformance under a deterministic evaluator. It does not prove objective correctness, payment finality, or actual downstream release. release_policy is declared intent. Actual release would require its own recorded outcome — a separate Execution Outcome Receipt against the same action_ref.

Live endpoint · 2AGET https://defaultverifier.com/v1/evaluate/deterministic/sha256%3Adb0ebf039e7ead24850f23070c950b739d7347caa21bee05fda071d295964e2ePASS · declared_release_intent: should release · record_type: deterministic_evaluation_record
Signed receipt · 2BGET https://defaultverifier.com/v1/evaluate/deterministic/sha256%3Adb0ebf039e7ead24850f23070c950b739d7347caa21bee05fda071d295964e2e/continuity-receiptPASS · schema_id: ds.continuity_evaluation.v0.1 · signed ed25519
Evaluator key/.well-known/sar-keys.json · kid defaultverifier-evaluator-ed25519-1 · use continuity_evaluation_receipt_signing · status active
SDK examplepackages/continuity/examples/deterministic-conditional-release/ · runnable fixtures + derive.ts
Commitec1462b — feat: add deterministic conditional release evaluator
Commitaeaa592 — feat: add signed continuity evaluation receipts

Full verification chain

The whole composition — from request intent to independent verification.

Path A and Path B above describe the SAR-402 delivery receipt and its recording attribution. The architecture now binds that receipt into a longer chain: a committed request intent, signed continuity evaluation records, delivery evidence, and published key material. The Step 2B evaluator key is published in sar-keys.json, and the chain can be independently verified using Default Settlement's published Agent Key Binding Assertion.

The SAR composition chain — Action Commitment, deterministic evaluation, signed Continuity Evaluation Receipt, and SAR delivery evidence — is now publicly inspectable. Signed records can be checked against their published keys, and the chain can be independently verified using Default Settlement's published key-binding assertion, which now covers the new evaluator identity.

  1. Client → System Request intent A client requests a paid operation. The request carries the parameters that later records must correspond to. Establishes: the operation that was asked for.
  2. SAR Action Commitment Action Commitment (action_ref) The request is canonically bound and a request_digest is derived, producing a stable action_ref join key. This closes the correlation gap between the requested operation and the later verification records. Proves: requested operation and verification records share one binding key. Does not prove execution correctness.
  3. Continuity evaluator Continuity Evaluation Receipt A signed evaluator record returns PASS, FAIL, INDETERMINATE (evaluator completed but returned uncertainty), or EVALUATOR_TIMEOUT (evaluator did not complete). Proves: an evaluator reached — or could not reach — a continuity judgment, and signed it.
  4. Executor Execution Outcome Receipt A signed executor record reports the outcome of the operation. A missing Execution Outcome Receipt is a verifier finding — an audit gap — not an outcome state. Proves: the executor recorded and signed an outcome. Absence is surfaced as a gap, not silently passed.
  5. Resource server SAR delivery evidence The SAR-402 delivery receipt described in Path A: payload-bound, role-separated, recorded by DefaultVerifier, and — under Path B — attributable to a DefaultVerifier recording key. Proves: recorded delivery evidence, bound to the delivered bytes.
  6. Agent Key Binding Assertion Agent key binding Published bindings map public identities to trusted Ed25519 keys, including agent:defaultverifier:continuity-v1. The binding assertion covers the Step 2B evaluator key published in sar-keys.json under the production publication key. Proves: which public key each signature should verify against. Does not prove agent correctness — a valid signature attests authorship, not that the agent behaved correctly.
  7. Independent verifier Independent verification Using the shared canonical primitives — canonical JSON, SHA-256 digests, and the Ed25519 signing envelope — a third party re-derives each digest and checks each signature against the bound keys, joining the records on action_ref. Proves: the chain composes and verifies end to end, with each claim checked against its own evidence and explicit trust source.
Trust source — optional

Key Binding Assertions are an optional trust source. Verifiers may use Default Settlement's published bindings or supply their own. They are not a certificate authority, revocation system, or transparency log.

A valid signature attests authorship, not agent correctness. Action Commitment binds the requested operation to its verification records; it does not prove execution correctness. Each layer leaves evidence for the next to verify — capability, authority, execution, and verification remain distinct.

Two live documents make this independently checkable. The publication key signs Default Settlement's published assertions; the agent key bindings map public identities to their trusted Ed25519 keys.

Commit876563c — feat: add SAR action commitment primitive
Commit43c5aaa — feat: add continuity evaluation receipts
Commite45af28 — feat: extract shared canonical signing and digest primitives
Commit8084147 — feat: add agent key binding assertion layer