AgentAbuse Working draft

Agent Abuse · Accountable Accusations for Agent Interactions

Signing the Claim That Something Went Wrong

Receipts record what an agent did. Envelopes record what an agent was authorized to do. An abuse report records that someone accused one of those of being harmful — grounded in cited evidence, without pretending to settle whether the accusation is true.

An accusation is accountable when it can be checked, from a single signed object, exactly who made it, against whom, and grounded in exactly what evidence — not left as a disputable claim in a support ticket or chat log. The abuse report is that object: an eleven-field record naming the reporter, the accused, which side is accused, a category of harm, and at least one cited receipt or envelope, signed with Ed25519 and chained by hash to the reporter's own prior reports. Bidirectional by design — an agent can be accused of abusing a principal, or a principal of abusing an agent.

What a report binds

Every abuse report carries exactly eleven fields. Nothing optional, nothing implicit — a document with an extra member, a missing one, an empty evidence list, or a category outside the closed set is not a report and fails verification.

Parties

Who accused whom

reporter_id names the filer. accused_id names the accused. accused_role is agent or principal — which side stands accused.

Claim

What kind of harm, and why

category is a closed, versioned vocabulary — or other, where narrative carries the substance.

Evidence

Grounded, never bundled

evidence_refs is a non-empty list of {type, hash} pointers to real sm-arp receipts or sm-aae envelopes — never a copy of the artifact itself.

Chain

Linked to what came before

prev_hash is the hex SHA-256 of this reporter's previous report, or null for its first. A reporter's own report history is tamper-evident on its own.

Provenance

When, and by whom

issued_at is an RFC 3339 timestamp. sig is the Ed25519 signature over the canonical report; pubkey is the signer's raw Ed25519 public key.

Bidirectional, one schema

Abuse between a principal and an agent can run either way. accused_role distinguishes an agent accused of deceptive output, unauthorized scope expansion, resource abuse, or collusion, from a principal accused of injection, forced capability extraction, or harassment — one report type, not two, so the same verifier and the same conformance suite cover both directions.

Out of scope. A valid report proves an accountable accusation was made, signed, and grounded in evidence the reporter was actually party to. It does not, and cannot, prove the accusation is true — this library verifies signatures and evidence citations, never guilt. Whether an action actually happened is agency receipts' question; whether it was authorized is agent envelope's. This site answers a third, separate question: who claimed harm, about which of those, and grounded in what.