AgentAbuse Working draft

Documentation

FAQ

What an abuse report is, what it is not, and how the pieces fit.

What is an abuse report, in one sentence?+

A signed, per-reporter hash-chained accusation: a small object one party files against another, naming a category of harm and citing at least one existing receipt or envelope by hash — with the accusation itself never adjudicated by the primitive that signs it.

What are the eleven fields?+

protocol, reporter_id, accused_id, accused_role (agent/principal), category, evidence_refs, narrative, prev_hash, issued_at, sig, and pubkey. A document with any additional or missing member is not a report and fails verification. See What is an Abuse Report for the normative table.

Why is it bidirectional?+

Because abuse between a principal and an agent can run either way. accused_role lets one schema cover an agent accused of deceptive output or resource abuse and a principal accused of injection or forced capability extraction, rather than needing two separate report types for a distinction one field can carry.

Why must evidence be cited, and why isn't it bundled in?+

evidence_refs must be non-empty — a report with no citation is not well-formed at all. But citation is a hash-only pointer, never a copy of the artifact: this keeps reports small and avoids a second, potentially stale copy of data that's already signed elsewhere, the same pattern sm-aae's prev_hash and sm-dat's grant references use.

Who is allowed to file a report?+

Only a party to every piece of cited evidence — not a drive-by third party. If a report cites more than one artifact, the reporter must be a party to each one, not just one of them; otherwise an unrelated citation could be smuggled in alongside a legitimate accusation.

Does a report prove the accusation is true?+

No — this is the central limitation, not an edge case. A reporter can cite real evidence they were genuinely party to and still characterize it falsely or in bad faith. A report proves an accountable, evidence-linked accusation was made; it never adjudicates whether that accusation is correct.

What does "unconfirmed" mean, and why isn't it just pass or fail?+

Checking a citation requires holding the artifact it points at. A verifier who doesn't have it simply cannot run that check — that's a third, honest state distinct from both "confirmed" and any failure result. Treating "not checked" as either a pass or a fail would misrepresent what was actually verified.

How does chaining work, and what does it catch?+

Every report's prev_hash is the SHA-256 of the same reporter's previous report, including that report's signature. Reconstructing the unique genesis-first order rejects a gap (a deleted interior report), a fork (two reports claiming the same predecessor), a foreign-chain splice (a prev_hash reaching into another reporter's chain), and duplicates or multiple/zero genesis reports.

How does this relate to sm-arp, sm-aae, and sm-rep?+

sm-arp and sm-aae are the two evidence types a report can cite — receipts and envelopes, respectively. sm-rep is a portable reputation credential computed over an agent's receipt history; a confirmed report feeding into reputation is a named future direction in sm-abuse-report's WHITEPAPER, but no such coupling is built in this version. See Primitives.

Does anything rate-limit how many reports someone can file?+

Not in this library. Velocity controls belong at the deployment/registry layer, the same way sm-dat's velocity caps live in the grant grammar rather than in a receipt verifier.

Is this open source?+

Yes — MIT-licensed. The repository is currently private; source is available to accounts with access at github.com/Sharathvc23/sm-abuse-report. Not yet published to PyPI.

Is this a finished standard?+

No. SPEC.md is versioned v0.1 and marked a working draft, documenting the format the reference implementation produces and verifies — offered for review, not yet a normative standard. New category values require a minor protocol-version bump, never a silent addition.