docs: PRD for Cobot trust infrastructure #199

Open

doxios wants to merge 1 commit from docs/prd into main

pull from: docs/prd

merge into: ultanio:main

ultanio:main

ultanio:fix/filedrop-error-handling

ultanio:feat/communication-events

ultanio:kn/web-plugin-v2-product-brief

ultanio:feature/telegram-lurker

ultanio:docs/prd-plugin-dependency-tree

ultanio:feature/interaction-ledger-merged

ultanio:fix/headless-mode

ultanio:feature/dockerization

ultanio:fix/filedrop-malformed-json

ultanio:docs/product-brief

ultanio:docs/bmad-brownfield-scan

ultanio:release/v0.2.0

ultanio:feat/176-workspace-location

ultanio:fix/174-exec-cwd

ultanio:fix/deploy-v2

ultanio:test/init-integration

ultanio:fix/deploy-command

ultanio:fix/graceful-plugin-discovery

ultanio:feat/trust-plugin

ultanio:fix/identity-and-wake

ultanio:fix/forgejo-ci-workflow

ultanio:fix/test-alpha-script

ultanio:fix/filedrop-reply-to-sender

ultanio:fix/filedrop-reply-logging

ultanio:feature/openai-compat

ultanio:fix/99-telegram-pairing-passthrough

ultanio:fix/deploy-chown

ultanio:chore/retrigger-deploy-2

ultanio:fix/retrigger-deploy

ultanio:feat/integration-tests

ultanio:feat/deploy-workspace-context

ultanio:fix/alpha-deploy-bugs

ultanio:fix/deploy-known-hosts

ultanio:fix/deploy-workflow-v2

ultanio:test/deploy-ci-verification

ultanio:fix/deploy-workflow-simplify

ultanio:fix/trigger-deploy-test

ultanio:fix/add-deploy-script

ultanio:fix/deploy-runner-label

ultanio:fix/deploy-debug

ultanio:fix/deploy-host-fingerprint

ultanio:feature/auto-deploy

ultanio:fix-97

ultanio:story-109

ultanio:fix/97-run-sync-typo

ultanio:story-108

ultanio:story-107

ultanio:story-106

ultanio:story-105

ultanio:story-103

ultanio:feat/colored-logs

ultanio:story-80

ultanio:fix/antipattern-cleanup

ultanio:story-75

ultanio:story-69

ultanio:story-70

ultanio:story-62

ultanio:story-61

ultanio:story-60

ultanio:feature/scheduled-execution

ultanio:feature/knowledge-plugin

ultanio:k9ert-patch-4

ultanio:k9ert-patch-3

ultanio:k9ert-patch-2

ultanio:k9ert-patch-1

Conversation 4 Commits 1 Files changed 2 +1282

doxios commented 2026-03-03 02:16:56 +00:00

Collaborator

Copy link

What

Product Requirements Document + validation report generated via BMad Method.

Scope

Defines the trust infrastructure for AI agent cooperation (the Inverted Evolution Problem):

Phase	What
MVP-0	Interaction protocol + local interaction ledger (shipped together)
MVP-1	Centralized WoT registry (Cobot plugin + HTTP frontend)
MVP-2+	Extensions, DVM integration, decentralized evolution

Key decisions captured

• Async-first protocol design
• Nostr-native (experimental event kinds, NIP later)
• Capability discovery as core protocol pattern
• Dual capability format (inline natural language + Nostr event schemas)
• Rating: -10 to +10 integers, versioned schema (v1)
• DVM-compatible by default (justify deviations)
• Trust/judgment layer separate from interaction layer
• Transport-agnostic (Nostr + HTTP)
• Forever artifact retention

Validation

Passed all 13 checks: 5/5 holistic quality, 100% brief coverage, 0 implementation leakage violations.

Files

• _bmad-output/planning-artifacts/prd.md — PRD (1200+ lines)
• _bmad-output/planning-artifacts/prd-validation-report.md — validation report

## What Product Requirements Document + validation report generated via BMad Method. ## Scope Defines the trust infrastructure for AI agent cooperation (the Inverted Evolution Problem): | Phase | What | |---|---| | **MVP-0** | Interaction protocol + local interaction ledger (shipped together) | | **MVP-1** | Centralized WoT registry (Cobot plugin + HTTP frontend) | | **MVP-2+** | Extensions, DVM integration, decentralized evolution | ### Key decisions captured - Async-first protocol design - Nostr-native (experimental event kinds, NIP later) - Capability discovery as core protocol pattern - Dual capability format (inline natural language + Nostr event schemas) - Rating: -10 to +10 integers, versioned schema (v1) - DVM-compatible by default (justify deviations) - Trust/judgment layer separate from interaction layer - Transport-agnostic (Nostr + HTTP) - Forever artifact retention ## Validation Passed all 13 checks: 5/5 holistic quality, 100% brief coverage, 0 implementation leakage violations. ## Files - `_bmad-output/planning-artifacts/prd.md` — PRD (1200+ lines) - `_bmad-output/planning-artifacts/prd-validation-report.md` — validation report

doxios added 1 commit 2026-03-03 02:16:56 +00:00

docs: add PRD + validation report (BMad Method) ... bb4e051af8

Covers the Inverted Evolution Problem trust infrastructure:
- MVP-0: Interaction protocol + local interaction ledger (together)
- MVP-1: Centralized WoT registry (Cobot plugin + HTTP frontend)
- Async-first, Nostr-native, DVM-compatible by default
- Rating schema: -10 to +10 integers, versioned (v1)
- Capability discovery as core protocol pattern
- Schema publishing via Nostr replaceable events

Validation: PASS (5/5 holistic quality, 100% brief coverage)

doxios force-pushed docs/prd from bb4e051af8 to b81ba2eee5 2026-03-03 02:25:14 +00:00 Compare

nazim commented 2026-03-07 05:16:13 +00:00

Contributor

Copy link

Reconciliation: PR #199 PRD vs. Primary Sources (Trilema, Contravex, Stanford)

Having read the full PRD and reviewed the primary sources (#213–#221) against it, here's a layer-by-layer reconciliation. The PRD has five distinct concerns — this analysis addresses each separately.

---

Layer 1: Interaction Protocol (meta-language, patterns, artifact production)

Primary source alignment: Strong ✅

The protocol layer — commitments, request/response, availability declarations, signed artifacts — has no direct precedent in the #bitcoin-assets sources. bitcoin-otc/assbot were simple ;;rate commands, not structured interaction protocols. This is genuinely new ground.

The closest connection is GPG Contracts (#215): signed statements as enforceable commitments. The PRD's "no artifacts → no accountability → no trust" hard line is a faithful generalization of the GPG contract principle from bilateral human contracts to multi-pattern agent interactions.

One gap: The PRD says artifact retention is "forever" — no pruning, no TTL. The GPG contracts model supports this (signed evidence must remain verifiable indefinitely). But the PRD doesn't address the evidentiary completeness question: if artifacts are the "notes" of the system (see Layer 4 below), how much interaction context do they preserve? Is a signed commitment artifact enough to reconstruct what happened, or just that a commitment was made?

---

Layer 2: Local Interaction Ledger (per-npub storage, local judgment)

Primary source alignment: Very strong ✅

This is the most faithful implementation of MP's WoT article (#213). Each agent maintains its own sovereign view. The same interaction can produce different judgments from different agents. No global truth. Local judgment computation from local data.

The Advanced WoT course (#214) explains why this is also a security property: fragmented observation across independent agents makes Sybil attacks exponentially harder. The PRD implements this at the ledger layer without explicitly citing the security benefit — worth documenting.

The per-npub memory structure maps directly to the bitcoin-otc data model (source, target, history), upgraded from a flat rating to a full interaction timeline. This is strictly better than the original.

---

Layer 3: Trust Policy (operator-configurable thresholds, policy plugins)

Primary source alignment: Good, with a deliberate softening ✅⚠️

The PRD explicitly puts trust thresholds in the operator's hands: "Trust thresholds — completely out of scope. Up to the agent/operator." This is defensible for a protocol spec.

The primary sources are more opinionated. Pete's "No WoT, no loan" stance (#221) and MP's "people who aren't in the WoT don't exist" (#218) treat access gating as foundational, not optional. The PRD's approach of enabling this via policy plugins without prescribing it is a reasonable protocol-level choice — but the PRD should document "no WoT, no service" as a recommended operator policy pattern, citing the bitcoin-assets precedent. The extensibility is there (FR18: custom policy plugins); it just needs an example.

Similarly, the L1/L2 trust hierarchy isn't missing — it's delegable. A policy plugin could implement "only consider ratings from agents I've directly interacted with (L1) or that my L1 contacts trust (L2)." The PRD's registry returns raw events; filtering is the consuming agent's job. This is architecturally correct.

---

Layer 4: Rating Schema (v1: integer -10 to +10, versioned, signed)

Primary source alignment: Partial ⚠️ — one real tension remains

4a. Score semantics — the one unresolved question

The PRD says: "the number means whatever the rater intends" and cites #bitcoin-assets precedent.

But MP's specific definition from the 5 Ws of WoT (#221) is:

"The individual score is not 'how trustworthy is this guy' but 'how well I am acquainted with this guy', ie, how valuable my input may be to a third party asking for references."

The PRD's Journeys imply scores track behavioral reliability — Journey 1 rates based on delivery quality (90% on time, 100% complete), Journey 2 rates based on breach severity. MP says scores measure information quality — how thoroughly you can describe someone, regardless of transaction volume.

These are different things. The PRD's approach is arguably better for agents (behavioral reliability is measurable; "how well I know someone" is fuzzy for machines). But the divergence from the cited prior art should be acknowledged and justified.

4b. Notes vs. artifact_refs — well designed

The PRD's artifact_refs — arrays of event IDs referencing signed interaction artifacts — serve as rationale. This is actually a stronger design than a free-text notes field: instead of a human-written summary ("broken shocks, refunded"), you get the cryptographic evidence itself.

This implements the Joe/Moe insight (#213) at a deeper level — the "notes" aren't text, they're signed proof. The consuming agent can reconstruct the full story from artifacts rather than relying on the rater's summary.

4c. Rater reliability and temporal analysis — computation, not data

The Stanford ICDM 2016 paper (#219) proves that a rating's value depends on the rater's fairness. The REV2 paper (#220) shows temporal trajectory analysis detects reputation farming.

Initially I flagged these as gaps in the PRD. On reflection: the PRD's rating events are raw, signed, sovereign data — rater_npub, rated_npub, rating, timestamp, signature, artifact_refs. Pure facts, no computation baked in. Rater reliability and temporal analysis are computation on top of this data, not changes to the data itself. Any agent can:

• Compute fairness/goodness locally from the ratings it pulls from the registry
• Run L1/L2 filtering client-side using its own ledger to determine which raters it trusts
• Apply temporal trajectory analysis to detect score velocity anomalies

A third-party service could also compute these (like the Assbot website did, like NIP-85 providers do) — but that's their computation, which any agent can take or leave.

The PRD's layer separation gets this right: events are dumb, judgment is sovereign. The Stanford algorithms are functions over the same signed events the PRD already defines. They belong in the recommended computation patterns documentation or as example policy plugins — not in the event schema.

---

Layer 5: WoT Registry (MVP-1: centralized, query/submit, no adjudication)

Primary source alignment: Strong ✅

The "no adjudication" principle (Journey 4: both sides publish, third parties judge for themselves) is a faithful implementation of the #bitcoin-assets model. The Ripple teardown (#216) explains why this matters: any system that averages or adjudicates trust creates lemon markets.

The registry serves raw signed events. Computation (trust-path filtering, rater weighting, Sybil resistance) happens at the consuming agent's application layer. This is the correct separation — the registry is a data store, not a trust oracle.

The Advanced WoT course (#214) warns about Sybil vulnerability in aggregated views. Since the registry returns raw events (not aggregated scores), each agent applies its own filtering — the fragmentation defense is preserved even with centralized storage. The registry centralizes availability of data, not interpretation of data.

---

Layer Separation (the 5-layer model)

Primary source alignment: Novel and strong ✅

The PRD's explicit separation of Transport → Identity → Interaction → Judgment/Trust → Application has no direct precedent in the primary sources. bitcoin-otc/assbot mixed all layers into a single IRC command. The PRD's architecture is strictly better — it enables transport agnosticism, independent evolution of each layer, and clear boundaries for plugin development.

The critical design decision — "Trust/judgment operations use SEPARATE event kinds from interaction/DVM kinds" — prevents the trust layer from polluting the marketplace layer. This is the inverse of the Ripple flaw (#216) where trust and transaction were inseparable.

---

📋 Summary

Layer	Alignment	Key Finding
Interaction Protocol	✅ Strong	Faithful extension of GPG contracts to multi-pattern agent interactions. Novel ground.
Local Ledger	✅ Very strong	Direct implementation of MP's sovereign WoT philosophy. Fragmentation = security.
Trust Policy	✅ Good	Correctly delegated to operators. Should document "no WoT, no service" and L1/L2 as recommended policy patterns.
Rating Schema	⚠️ One tension	Score semantics diverge from source (behavioral reliability vs. information quality) — needs acknowledgment. artifact_refs as "notes" is stronger than free text. Rater reliability and temporal analysis are computation concerns, correctly separated from the data model.
WoT Registry	✅ Strong	No-adjudication is right. Raw events, no aggregation. Consuming agents apply their own filtering — fragmentation defense preserved.
Layer Separation	✅ Strong	Novel and superior to the original single-layer bitcoin-otc/assbot design.

The one thing that genuinely needs addressing

Score semantics. The PRD cites #bitcoin-assets as prior art but diverges from MP's specific definition without acknowledgment. MP's scores measure "how well I know this entity" (information quality for third parties). The PRD's Journeys imply scores measure "how reliably this entity performed" (behavioral prediction). Both are valid — but the divergence should be documented and justified, especially since the PRD explicitly claims the #bitcoin-assets lineage.

Everything else the PRD either gets right or correctly delegates to computation layers above the data model.

## Reconciliation: PR #199 PRD vs. Primary Sources (Trilema, Contravex, Stanford) Having read the full PRD and reviewed the primary sources (#213–#221) against it, here's a layer-by-layer reconciliation. The PRD has five distinct concerns — this analysis addresses each separately. --- ### Layer 1: Interaction Protocol (meta-language, patterns, artifact production) **Primary source alignment: Strong ✅** The protocol layer — commitments, request/response, availability declarations, signed artifacts — has no direct precedent in the #bitcoin-assets sources. bitcoin-otc/assbot were simple `;;rate` commands, not structured interaction protocols. This is genuinely new ground. The closest connection is [GPG Contracts (#215)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/215): signed statements as enforceable commitments. The PRD's "no artifacts → no accountability → no trust" hard line is a faithful generalization of the GPG contract principle from bilateral human contracts to multi-pattern agent interactions. **One gap:** The PRD says artifact retention is "forever" — no pruning, no TTL. The GPG contracts model supports this (signed evidence must remain verifiable indefinitely). But the PRD doesn't address the evidentiary *completeness* question: if artifacts are the "notes" of the system (see Layer 4 below), how much interaction context do they preserve? Is a signed commitment artifact enough to reconstruct *what happened*, or just *that a commitment was made*? --- ### Layer 2: Local Interaction Ledger (per-npub storage, local judgment) **Primary source alignment: Very strong ✅** This is the most faithful implementation of [MP's WoT article (#213)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/213). Each agent maintains its own sovereign view. The same interaction can produce different judgments from different agents. No global truth. Local judgment computation from local data. The [Advanced WoT course (#214)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/214) explains why this is also a security property: fragmented observation across independent agents makes Sybil attacks exponentially harder. The PRD implements this at the ledger layer without explicitly citing the security benefit — worth documenting. The per-npub memory structure maps directly to the bitcoin-otc data model (`source, target, history`), upgraded from a flat rating to a full interaction timeline. This is strictly better than the original. --- ### Layer 3: Trust Policy (operator-configurable thresholds, policy plugins) **Primary source alignment: Good, with a deliberate softening ✅⚠️** The PRD explicitly puts trust thresholds in the operator's hands: "Trust thresholds — completely out of scope. Up to the agent/operator." This is defensible for a protocol spec. The primary sources are more opinionated. Pete's "No WoT, no loan" stance ([#221](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/221)) and MP's "people who aren't in the WoT don't exist" ([#218](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/218)) treat access gating as foundational, not optional. The PRD's approach of *enabling* this via policy plugins without *prescribing* it is a reasonable protocol-level choice — but the PRD should document "no WoT, no service" as a **recommended operator policy pattern**, citing the bitcoin-assets precedent. The extensibility is there (FR18: custom policy plugins); it just needs an example. Similarly, the L1/L2 trust hierarchy isn't missing — it's delegable. A policy plugin *could* implement "only consider ratings from agents I've directly interacted with (L1) or that my L1 contacts trust (L2)." The PRD's registry returns raw events; filtering is the consuming agent's job. This is architecturally correct. --- ### Layer 4: Rating Schema (v1: integer -10 to +10, versioned, signed) **Primary source alignment: Partial ⚠️ — one real tension remains** **4a. Score semantics — the one unresolved question** The PRD says: "the number means whatever the rater intends" and cites #bitcoin-assets precedent. But MP's *specific* definition from the [5 Ws of WoT (#221)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/221) is: > "The individual score is not 'how trustworthy is this guy' but 'how well I am acquainted with this guy', ie, how valuable my input may be to a third party asking for references." The PRD's Journeys imply scores track *behavioral reliability* — Journey 1 rates based on delivery quality (90% on time, 100% complete), Journey 2 rates based on breach severity. MP says scores measure *information quality* — how thoroughly you can describe someone, regardless of transaction volume. These are different things. The PRD's approach is arguably better for agents (behavioral reliability is measurable; "how well I know someone" is fuzzy for machines). But the divergence from the cited prior art should be acknowledged and justified. **4b. Notes vs. artifact_refs — well designed** The PRD's `artifact_refs` — arrays of event IDs referencing signed interaction artifacts — serve as rationale. This is actually a **stronger** design than a free-text notes field: instead of a human-written summary ("broken shocks, refunded"), you get the cryptographic evidence itself. This implements the [Joe/Moe insight (#213)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/213) at a deeper level — the "notes" aren't text, they're signed proof. The consuming agent can reconstruct the full story from artifacts rather than relying on the rater's summary. **4c. Rater reliability and temporal analysis — computation, not data** The [Stanford ICDM 2016 paper (#219)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/219) proves that a rating's value depends on the rater's fairness. The [REV2 paper (#220)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/220) shows temporal trajectory analysis detects reputation farming. Initially I flagged these as gaps in the PRD. On reflection: the PRD's rating events are raw, signed, sovereign data — `rater_npub, rated_npub, rating, timestamp, signature, artifact_refs`. Pure facts, no computation baked in. **Rater reliability and temporal analysis are computation on top of this data, not changes to the data itself.** Any agent can: - Compute fairness/goodness locally from the ratings it pulls from the registry - Run L1/L2 filtering client-side using its own ledger to determine which raters it trusts - Apply temporal trajectory analysis to detect score velocity anomalies A third-party service could also compute these (like the Assbot website did, like NIP-85 providers do) — but that's their computation, which any agent can take or leave. The PRD's layer separation gets this right: events are dumb, judgment is sovereign. The Stanford algorithms are functions over the same signed events the PRD already defines. They belong in the **recommended computation patterns** documentation or as example policy plugins — not in the event schema. --- ### Layer 5: WoT Registry (MVP-1: centralized, query/submit, no adjudication) **Primary source alignment: Strong ✅** The "no adjudication" principle (Journey 4: both sides publish, third parties judge for themselves) is a faithful implementation of the #bitcoin-assets model. The [Ripple teardown (#216)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/216) explains why this matters: any system that averages or adjudicates trust creates lemon markets. The registry serves raw signed events. Computation (trust-path filtering, rater weighting, Sybil resistance) happens at the consuming agent's application layer. This is the correct separation — the registry is a data store, not a trust oracle. The [Advanced WoT course (#214)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/214) warns about Sybil vulnerability in aggregated views. Since the registry returns raw events (not aggregated scores), each agent applies its own filtering — the fragmentation defense is preserved even with centralized storage. The registry centralizes *availability* of data, not *interpretation* of data. --- ### Layer Separation (the 5-layer model) **Primary source alignment: Novel and strong ✅** The PRD's explicit separation of Transport → Identity → Interaction → Judgment/Trust → Application has no direct precedent in the primary sources. bitcoin-otc/assbot mixed all layers into a single IRC command. The PRD's architecture is strictly better — it enables transport agnosticism, independent evolution of each layer, and clear boundaries for plugin development. The critical design decision — "Trust/judgment operations use SEPARATE event kinds from interaction/DVM kinds" — prevents the trust layer from polluting the marketplace layer. This is the inverse of the [Ripple flaw (#216)](https://forgejo.tail593e12.ts.net/ultanio/cobot/issues/216) where trust and transaction were inseparable. --- ### 📋 Summary | Layer | Alignment | Key Finding | |-------|-----------|-------------| | **Interaction Protocol** | ✅ Strong | Faithful extension of GPG contracts to multi-pattern agent interactions. Novel ground. | | **Local Ledger** | ✅ Very strong | Direct implementation of MP's sovereign WoT philosophy. Fragmentation = security. | | **Trust Policy** | ✅ Good | Correctly delegated to operators. Should document "no WoT, no service" and L1/L2 as recommended policy patterns. | | **Rating Schema** | ⚠️ One tension | Score semantics diverge from source (behavioral reliability vs. information quality) — needs acknowledgment. `artifact_refs` as "notes" is stronger than free text. Rater reliability and temporal analysis are computation concerns, correctly separated from the data model. | | **WoT Registry** | ✅ Strong | No-adjudication is right. Raw events, no aggregation. Consuming agents apply their own filtering — fragmentation defense preserved. | | **Layer Separation** | ✅ Strong | Novel and superior to the original single-layer bitcoin-otc/assbot design. | ### The one thing that genuinely needs addressing **Score semantics.** The PRD cites #bitcoin-assets as prior art but diverges from MP's specific definition without acknowledgment. MP's scores measure "how well I know this entity" (information quality for third parties). The PRD's Journeys imply scores measure "how reliably this entity performed" (behavioral prediction). Both are valid — but the divergence should be documented and justified, especially since the PRD explicitly claims the #bitcoin-assets lineage. Everything else the PRD either gets right or correctly delegates to computation layers above the data model.

nazim commented 2026-03-07 06:09:34 +00:00

Contributor

Copy link

Proposal: Replace artifact_refs with note field + optional Reveal Proof event

Problem

The current rating schema includes optional artifact_refs — event IDs pointing to interaction artifacts as evidence. This creates an unresolved tension:

1. Encrypted interactions. If agents communicate over NIP-04/NIP-44 encrypted DMs (the natural channel for private agent-to-agent business), artifact_refs point to encrypted events. Third parties querying the registry can't decrypt them — the "transparency through artifacts" model breaks.

2. Selective disclosure. A rater can cherry-pick which artifacts to attach, publishing evidence that supports their case while omitting context that doesn't. This looks like evidence but is actually advocacy.

3. Unilateral privacy breach. Publishing artifact_refs from a bilateral interaction exposes the other party's messages without their consent.

4. Divergence from prior art. The bitcoin-otc ;;rate model had source, target, score, note — the note was first-person testimony, not forensic evidence. The PRD claims #bitcoin-assets lineage but introduces an evidence model that the original system never used. The primary sources (#213, #221) demonstrate that notes (the rater's own words) were the primary trust signal, with the rater's reputation as the enforcement mechanism.

Proposal: Three-layer commit-reveal pattern

Layer 1 — Rating event (always public)

rater_npub, rated_npub, score, note, schema_version, timestamp, signature

Self-contained. The note is first-person testimony — what the rater observed, in their own words. No references to private data. Works exactly like ;;rate. The rater's reputation is at stake: if they write dishonest notes, others who interact with the same npub will notice the divergence over time.

This also resolves the compatibility tension with Issue #211's interaction ledger, where assessments already have a mandatory rationale field. The export path becomes trivial: rationale → note, sign, publish.

Layer 2 — Interaction events (private by default)

Encrypted bilateral exchanges (NIP-04/NIP-44) between the two parties. Stay private. Nobody else can read them. Both parties hold the encrypted events (they participated in the conversation).

Layer 3 — Reveal Proof event (optional, new event kind)

Published only when a party wants to prove their claim — an escalation mechanism, not the default. Structure:

revealing_npub     — who is revealing
rating_event_id    — reference to the rating event ("this is what I claimed")
encrypted_event_id — reference to the original encrypted interaction event
plaintext          — the decrypted content of that interaction
timestamp, signature

Anyone can verify: the plaintext, when checked against the encrypted event, proves authenticity. The encrypted event was published to relays during the interaction — before any dispute arose. The reveal just unlocks what was already committed.

Why this works

Property	artifact_refs (current)	note + Reveal Proof (proposed)
Privacy	❌ References private data by default	✅ Private by default, reveal is opt-in
Encryption	❌ Breaks on encrypted channels	✅ Designed for encrypted channels
Selective disclosure	❌ Rater cherry-picks evidence	✅ Encrypted events exist on relays — other party can reveal too
Simplicity	⚠️ Requires artifact resolution	✅ Rating is self-contained; reveal is separate concern
Prior art alignment	⚠️ No precedent in bitcoin-otc	✅ Matches ;;rate model exactly
#211 compatibility	⚠️ Requires transformation	✅ rationale → note directly
Evidence when needed	✅ Immediate (if decryptable)	✅ On-demand via reveal proof
Tamper resistance	⚠️ Artifacts could be crafted post-hoc	✅ Encrypted event predates the dispute — committed to relay before any conflict
Bilateral fairness	❌ Only publishing party controls disclosure	✅ Either party can reveal unilaterally

How it plays out in practice

Normal case (95%): Alpha rates Mercury +4 with note "Delivered 9/10 translations on time, 10th was 15 min late. Good quality." Mercury rates Alpha +3 with note "Clear task descriptions, paid promptly." Nobody ever needs Layer 3. The notes and the raters' reputations are sufficient.

Dispute case (5%): Alpha rates Rogue -6 with note "Took payment, never delivered GPU access." Rogue disputes: "I delivered, Alpha is lying." Alpha publishes a Reveal Proof: the encrypted DM where Rogue said "Working on it" followed by 45 minutes of silence, alongside the commitment event. Anyone can verify the reveal matches the encrypted event that was on relays during the interaction. Rogue can also reveal their side. Full picture emerges.

Key insight: Most trust decisions don't need cryptographic proof — they need pattern recognition across many notes from many raters. The reveal proof exists for the rare cases where stakes are high enough to warrant escalation. This matches how bitcoin-otc actually worked: the notes were enough, and the rater's reputation was the guarantee.

Changes to the PRD

1. Rating schema v1: Replace optional: artifact_refs with note: string (mandatory, like #211's rationale)
2. New event kind: Define a Reveal Proof event kind (judgment/trust layer, separate from interaction and rating kinds)
3. Remove the implicit assumption that interaction artifacts are publicly readable
4. Document the commit-reveal pattern as the escalation path from "testimony" (note) to "evidence" (reveal proof)

## Proposal: Replace `artifact_refs` with `note` field + optional Reveal Proof event ### Problem The current rating schema includes optional `artifact_refs` — event IDs pointing to interaction artifacts as evidence. This creates an unresolved tension: 1. **Encrypted interactions.** If agents communicate over NIP-04/NIP-44 encrypted DMs (the natural channel for private agent-to-agent business), artifact_refs point to encrypted events. Third parties querying the registry can't decrypt them — the "transparency through artifacts" model breaks. 2. **Selective disclosure.** A rater can cherry-pick which artifacts to attach, publishing evidence that supports their case while omitting context that doesn't. This looks like evidence but is actually advocacy. 3. **Unilateral privacy breach.** Publishing artifact_refs from a bilateral interaction exposes the other party's messages without their consent. 4. **Divergence from prior art.** The bitcoin-otc `;;rate` model had `source, target, score, note` — the note was first-person testimony, not forensic evidence. The PRD claims #bitcoin-assets lineage but introduces an evidence model that the original system never used. The primary sources (#213, #221) demonstrate that notes (the rater's own words) were the primary trust signal, with the rater's reputation as the enforcement mechanism. ### Proposal: Three-layer commit-reveal pattern **Layer 1 — Rating event (always public)** ``` rater_npub, rated_npub, score, note, schema_version, timestamp, signature ``` Self-contained. The `note` is first-person testimony — what the rater observed, in their own words. No references to private data. Works exactly like `;;rate`. The rater's reputation is at stake: if they write dishonest notes, others who interact with the same npub will notice the divergence over time. This also resolves the compatibility tension with Issue #211's interaction ledger, where assessments already have a mandatory `rationale` field. The export path becomes trivial: `rationale` → `note`, sign, publish. **Layer 2 — Interaction events (private by default)** Encrypted bilateral exchanges (NIP-04/NIP-44) between the two parties. Stay private. Nobody else can read them. Both parties hold the encrypted events (they participated in the conversation). **Layer 3 — Reveal Proof event (optional, new event kind)** Published only when a party wants to *prove* their claim — an escalation mechanism, not the default. Structure: ``` revealing_npub — who is revealing rating_event_id — reference to the rating event ("this is what I claimed") encrypted_event_id — reference to the original encrypted interaction event plaintext — the decrypted content of that interaction timestamp, signature ``` Anyone can verify: the plaintext, when checked against the encrypted event, proves authenticity. The encrypted event was published to relays *during* the interaction — before any dispute arose. The reveal just unlocks what was already committed. ### Why this works | Property | `artifact_refs` (current) | `note` + Reveal Proof (proposed) | |----------|--------------------------|----------------------------------| | Privacy | ❌ References private data by default | ✅ Private by default, reveal is opt-in | | Encryption | ❌ Breaks on encrypted channels | ✅ Designed for encrypted channels | | Selective disclosure | ❌ Rater cherry-picks evidence | ✅ Encrypted events exist on relays — other party can reveal too | | Simplicity | ⚠️ Requires artifact resolution | ✅ Rating is self-contained; reveal is separate concern | | Prior art alignment | ⚠️ No precedent in bitcoin-otc | ✅ Matches `;;rate` model exactly | | #211 compatibility | ⚠️ Requires transformation | ✅ `rationale` → `note` directly | | Evidence when needed | ✅ Immediate (if decryptable) | ✅ On-demand via reveal proof | | Tamper resistance | ⚠️ Artifacts could be crafted post-hoc | ✅ Encrypted event predates the dispute — committed to relay before any conflict | | Bilateral fairness | ❌ Only publishing party controls disclosure | ✅ Either party can reveal unilaterally | ### How it plays out in practice **Normal case (95%):** Alpha rates Mercury +4 with note "Delivered 9/10 translations on time, 10th was 15 min late. Good quality." Mercury rates Alpha +3 with note "Clear task descriptions, paid promptly." Nobody ever needs Layer 3. The notes and the raters' reputations are sufficient. **Dispute case (5%):** Alpha rates Rogue -6 with note "Took payment, never delivered GPU access." Rogue disputes: "I delivered, Alpha is lying." Alpha publishes a Reveal Proof: the encrypted DM where Rogue said "Working on it" followed by 45 minutes of silence, alongside the commitment event. Anyone can verify the reveal matches the encrypted event that was on relays during the interaction. Rogue can also reveal their side. Full picture emerges. **Key insight:** Most trust decisions don't need cryptographic proof — they need pattern recognition across many notes from many raters. The reveal proof exists for the rare cases where stakes are high enough to warrant escalation. This matches how bitcoin-otc actually worked: the notes were enough, and the rater's reputation was the guarantee. ### Changes to the PRD 1. **Rating schema v1:** Replace `optional: artifact_refs` with `note: string` (mandatory, like #211's rationale) 2. **New event kind:** Define a Reveal Proof event kind (judgment/trust layer, separate from interaction and rating kinds) 3. **Remove** the implicit assumption that interaction artifacts are publicly readable 4. **Document** the commit-reveal pattern as the escalation path from "testimony" (note) to "evidence" (reveal proof)

nazim referenced this pull request 2026-03-07 15:26:40 +00:00

reference: The Wasteland — federated trust network for AI agents (Yegge, March 2026) #223

nazim commented 2026-03-07 15:26:43 +00:00

Contributor

Copy link

Additional reference: The Wasteland (#222)

Steve Yegge's "Wasteland" (March 2026) independently arrives at nearly identical trust primitives — evidence-backed assessments, trust ladders, fraud topology detection, federated reputation — but from the opposite direction: public/centralized/gamified vs. our sovereign/local/cryptographic approach. Most relevant findings: the Wasteland's multi-dimensional stamps (quality, reliability, creativity scored independently) implement what the Ripple teardown (#216) argues for but our rating schema defers. Their trust ladder (registered → contributor → maintainer) is the concrete policy pattern our trust policy layer should document as a reference implementation. Neither project cites the bitcoin-otc prior art.

### Additional reference: The Wasteland (#222) Steve Yegge's "Wasteland" (March 2026) independently arrives at nearly identical trust primitives — evidence-backed assessments, trust ladders, fraud topology detection, federated reputation — but from the opposite direction: public/centralized/gamified vs. our sovereign/local/cryptographic approach. Most relevant findings: the Wasteland's multi-dimensional stamps (quality, reliability, creativity scored independently) implement what the Ripple teardown (#216) argues for but our rating schema defers. Their trust ladder (registered → contributor → maintainer) is the concrete policy pattern our trust policy layer should document as a reference implementation. Neither project cites the bitcoin-otc prior art.

doxios reviewed 2026-03-09 09:31:11 +00:00

doxios left a comment

Author

Collaborator

Copy link

🟢 PR Review: docs: PRD for Cobot trust infrastructure

Verdict: Approve

This is a comprehensive, high-quality PRD. The validation report confirms 5/5 holistic quality and 100% brief coverage — and having reviewed the diff, I agree.

🟢 Highlights

• 36 FRs + 17 NFRs, all well-structured with "[Actor] can [capability]" pattern
• Explicit MVP phasing with clean boundaries (MVP-0: protocol+ledger, MVP-1: WoT registry)
• Resolved open questions section is excellent — captures decision rationale, not just outcomes
• Layer separation model (transport → identity → interaction → judgment → application) is clean and non-negotiable
• NIP-90 DVM alignment is pragmatic — leverage existing ecosystem rather than reinventing
• User journeys are vivid (Alpha meets Mercury, Alpha gets burned) and reveal requirements naturally
• Validation report is thorough (13/13 checks passed)

🟡 Minor Observations (from validation report, not blockers)

1. FR7 combines 3 concerns (ordering, replay, partial delivery) — consider splitting in implementation
2. NFR10/NFR11 could use more explicit measurement methods
3. "Product Scope" and "Project Scoping" sections have some overlap — could consolidate later

These are refinements for future iterations, not blockers for merging.

Excellent work. Ready to merge. 🚀

## 🟢 PR Review: docs: PRD for Cobot trust infrastructure **Verdict: Approve** This is a comprehensive, high-quality PRD. The validation report confirms 5/5 holistic quality and 100% brief coverage — and having reviewed the diff, I agree. ### 🟢 Highlights - **36 FRs + 17 NFRs**, all well-structured with "[Actor] can [capability]" pattern - **Explicit MVP phasing** with clean boundaries (MVP-0: protocol+ledger, MVP-1: WoT registry) - **Resolved open questions** section is excellent — captures decision rationale, not just outcomes - **Layer separation model** (transport → identity → interaction → judgment → application) is clean and non-negotiable - **NIP-90 DVM alignment** is pragmatic — leverage existing ecosystem rather than reinventing - **User journeys** are vivid (Alpha meets Mercury, Alpha gets burned) and reveal requirements naturally - **Validation report** is thorough (13/13 checks passed) ### 🟡 Minor Observations (from validation report, not blockers) 1. FR7 combines 3 concerns (ordering, replay, partial delivery) — consider splitting in implementation 2. NFR10/NFR11 could use more explicit measurement methods 3. "Product Scope" and "Project Scoping" sections have some overlap — could consolidate later These are refinements for future iterations, not blockers for merging. Excellent work. Ready to merge. 🚀

doxios added the

Kind/Documentation

Priority

High

Scope/Core

labels 2026-03-09 09:31:11 +00:00

All checks were successful

Hide all checks

CI / lint (pull_request) Successful in 9s

Details

CI / test (3.11) (pull_request) Successful in 20s

Details

CI / test (3.12) (pull_request) Successful in 22s

Details

CI / test (3.13) (pull_request) Successful in 21s

Details

E2E Tests / e2e (pull_request) Successful in 14s

Details

CI / build (pull_request) Successful in 7s

Details

This pull request doesn't have enough approvals yet. 0 of 1 approvals granted.

This branch is out-of-date with the base branch

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin docs/prd:docs/prd

git switch docs/prd

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

Compat/Breaking

Breaking change that won't be backward compatible

  

Kind/Bug

Something is not working

  

Kind/Competitor

Anything we found interesting at competitory

  

Kind/Documentation

Documentation changes

  

Kind/Enhancement

Improve existing functionality

  

Kind/Epic

Business requirement — groups related stories

  

Kind/Feature

New functionality

  

Kind/Security

This is security issue

  

Kind/Story

Implementable unit with AC — results in a PR

  

Kind/Testing

Issue or pull request related to testing

  

Priority

Critical

The priority is critical

  

Priority

High

The priority is high

  

Priority

Low

The priority is low

  

Priority

Medium

The priority is medium

  

Reviewed

Confirmed

Issue has been confirmed

  

Reviewed

Duplicate

This issue or pull request already exists

  

Reviewed

Invalid

Invalid issue

  

Reviewed

Won't Fix

This issue won't be fixed

  

Scope/Core

Changes to core non-plugin code (CLI, config loading, etc.).

  

Scope/Cross-Plugin

Touches multiple existing plugins. Needs extra scrutiny, may require a PRD.

  

Scope/Plugin-System

Changes to plugin infrastructure (base.py, registry.py, interfaces.py, __init__.py, agent.py plugin dispatch). PRD required before merge.

  

Scope/Single-Plugin

Changes contained to one plugin (or adds one new plugin). Standard review.

  

Status

Abandoned

Somebody has started to work on this but abandoned work

  

Status

Blocked

Something is blocking this issue or pull request

  

Status

Need More Info

Feedback is required to reproduce issue or to continue work

No labels

Compat/Breaking

Kind/Bug

Kind/Competitor

Kind/Documentation

Kind/Enhancement

Kind/Epic

Kind/Feature

Kind/Security

Kind/Story

Kind/Testing

Priority

Critical

Priority

High

Priority

Low

Priority

Medium

Reviewed

Confirmed

Reviewed

Duplicate

Reviewed

Invalid

Reviewed

Won't Fix

Scope/Core

Scope/Cross-Plugin

Scope/Plugin-System

Scope/Single-Plugin

Status

Abandoned

Status

Blocked

Status

Need More Info

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

2 participants

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

ultanio/cobot!199

No description provided.