[{"data":1,"prerenderedAt":1812},["ShallowReactive",2],{"docs:\u002Fdocs\u002Faudit-challenge-protocol":3},{"id":4,"title":5,"body":6,"description":1804,"extension":1805,"meta":1806,"navigation":1807,"path":1808,"seo":1809,"stem":1810,"__hash__":1811},"docs\u002Fdocs\u002Faudit-challenge-protocol.md","Audit-challenge protocol",{"type":7,"value":8,"toc":1795},"minimark",[9,13,18,34,176,183,219,223,226,324,335,339,1301,1305,1312,1670,1677,1681,1702,1709,1712,1729,1732,1736,1754,1758,1791],[10,11,12],"p",{},"The audit-challenge protocol is the regulator-facing surface of Iqrar's commitment ledger. It lets an authority — DFSA, ESMA, FCA — verify agent behaviour cryptographically, end-to-end, without trusting the operator running the agent or Iqrar itself.",[14,15,17],"h2",{"id":16},"what-the-regulator-submits","What the regulator submits",[10,19,20,21,25,26,29,30,33],{},"A ",[22,23,24],"code",{},"Challenge"," is a signed envelope ",[22,27,28],{},"{ body, sig }"," where ",[22,31,32],{},"body"," carries:",[35,36,37,50],"table",{},[38,39,40],"thead",{},[41,42,43,47],"tr",{},[44,45,46],"th",{},"Field",[44,48,49],{},"Purpose",[51,52,53,64,74,84,94,107,121,138,156,166],"tbody",{},[41,54,55,61],{},[56,57,58],"td",{},[22,59,60],{},"id",[56,62,63],{},"Globally unique challenge id (UUID or hash-derived).",[41,65,66,71],{},[56,67,68],{},[22,69,70],{},"issuer_kid",[56,72,73],{},"The authority's kid in the foundation registry.",[41,75,76,81],{},[56,77,78],{},[22,79,80],{},"predicate.jurisdiction",[56,82,83],{},"Match agents whose declared jurisdiction equals this. The issuer's registered scope must encompass it.",[41,85,86,91],{},[56,87,88],{},[22,89,90],{},"predicate.capabilities[]",[56,92,93],{},"Optional. 
Match agents declaring at least one of these capabilities.",[41,95,96,101],{},[56,97,98],{},[22,99,100],{},"predicate.time_window",[56,102,103,106],{},[22,104,105],{},"{ start, end }"," in ms — the inclusive ts window over the audit chain.",[41,108,109,114],{},[56,110,111],{},[22,112,113],{},"predicate.action_types[]",[56,115,116,117,120],{},"Optional event-type filter (e.g. ",[22,118,119],{},"[\"decision.made\", \"human_review.recorded\"]",").",[41,122,123,128],{},[56,124,125],{},[22,126,127],{},"sampling.method",[56,129,130,133,134,137],{},[22,131,132],{},"\"all\""," or ",[22,135,136],{},"\"random\"",".",[41,139,140,149],{},[56,141,142,145,146],{},[22,143,144],{},"sampling.rate",", ",[22,147,148],{},"sampling.seed",[56,150,151,152,155],{},"Required when ",[22,153,154],{},"method: \"random\"",". The seed drives a deterministic SHA-256 PRF the regulator can recompute.",[41,157,158,163],{},[56,159,160],{},[22,161,162],{},"bound_directive_id",[56,164,165],{},"Optional. When set, the response also returns inclusion proofs for the directive's lifecycle audit-chain entries.",[41,167,168,173],{},[56,169,170],{},[22,171,172],{},"issued_at",[56,174,175],{},"Issuance wall-clock time.",[10,177,178,179,182],{},"The regulator signs ",[22,180,181],{},"canonical(body)"," with their private key. 
The CLI helper does this for you:",[184,185,187,209],"terminal",{"title":186},"DFSA issues a challenge",[10,188,189,190,193,194,196,197,199,200,202,203,205,206,208],{},"$ bun run challenge:issue ",[191,192],"br",{},"\n--issuer DFSA ",[191,195],{},"\n--jurisdiction AE-DIFC ",[191,198],{},"\n--since '24h ago' ",[191,201],{},"\n--sample-rate 0.1 ",[191,204],{},"\n--bound-directive dir-3a91b...c4e ",[191,207],{},"\n--publish",[10,210,211,212,218],{},"▸ Loaded DFSA private key from ~\u002F.iqrar\u002Fkeys\u002Fdfsa.json\n▸ Built canonical body (4 predicates, sampling=random rate=0.1)\n▸ Signed with Ed25519\n▸ POST ",[213,214,215],"a",{"href":215,"rel":216},"https:\u002F\u002Fapi.iqrar.io\u002Faudit\u002Fchallenge",[217],"nofollow","\n▸ challenge_id: chl-7f3a...\n▸ matched_agents: 12\n▸ proofs returned: 87\n▸ directive_audit.audit_chain_entries: 24",[14,220,222],{"id":221},"what-the-worker-does","What the worker does",[10,224,225],{},"For every challenge the worker, atomically:",[227,228,229,237,247,257,276,285,299,305,315],"ol",{},[230,231,232,236],"li",{},[233,234,235],"strong",{},"Verifies the signature"," against the pinned foundation registry.",[230,238,239,242,243,246],{},[233,240,241],{},"Scope-checks"," the predicate's jurisdiction against ",[22,244,245],{},"authorities[issuer_kid].scope.jurisdictions",". 
A regulator cannot challenge an agent outside their remit.",[230,248,249,252,253,256],{},[233,250,251],{},"Capability-checks"," that the issuer holds the ",[22,254,255],{},"audit_challenge"," capability.",[230,258,259,262,263,145,266,145,269,272,273,120],{},[233,260,261],{},"Resolves the matching agents"," by joining the predicate against the agents table (",[22,264,265],{},"agent_id IN ...",[22,267,268],{},"org = ...",[22,270,271],{},"jurisdiction = ...",", capability join via SQLite ",[22,274,275],{},"json_each",[230,277,278,284],{},[233,279,280,281],{},"Loads matching ",[22,282,283],{},"audit_entries"," within the time window + action-type filter.",[230,286,287,290,291,294,295,298],{},[233,288,289],{},"Applies the deterministic sample"," — ",[22,292,293],{},"sampleDeterministic(candidate_keys, rate, seed)"," — using SHA-256 as a PRF over ",[22,296,297],{},"(seed, agent_id, seq)",". The regulator can recompute the expected sample independently.",[230,300,301,304],{},[233,302,303],{},"Builds inclusion proofs"," for every sampled entry against the smallest STH that covers it (per agent), grouped per agent.",[230,306,307,310,311,314],{},[233,308,309],{},"Persists the challenge"," in ",[22,312,313],{},"audit_challenges"," with the result so the directive→challenge investigative chain is itself recorded.",[230,316,317,320,321,137],{},[233,318,319],{},"Returns"," ",[22,322,323],{},"{ proofs[], directive_audit?, rekor_url }",[10,325,326,327,330,331,334],{},"Every step is committed: a rejected challenge is recorded with ",[22,328,329],{},"status: 'rejected'",", a verified challenge with ",[22,332,333],{},"status: 'verified'",". 
The challenge transcript is itself an auditable artifact.",[14,336,338],{"id":337},"what-the-response-looks-like","What the response looks like",[340,341,346],"pre",{"className":342,"code":343,"language":344,"meta":345,"style":345},"language-json shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","{\n  \"ok\": true,\n  \"challenge_id\": \"chl-7f3a...\",\n  \"matched_agents\": [\"acme-bot-1\", \"acme-bot-7\", \"...\"],\n  \"matched_entries\": 871,\n  \"sampled\": 87,\n  \"proofs\": [\n    {\n      \"agent_id\": \"acme-bot-1\",\n      \"seq\": 412,\n      \"entry\": {\n        \"agent_id\": \"acme-bot-1\",\n        \"seq\": 412,\n        \"entry_hash\": \"8a2f...c1e9\",\n        \"ts\": 1746478291000,\n        \"event_type\": \"decision.made\",\n        \"event_canonical\": \"{\\\"agent_id\\\":\\\"acme-bot-1\\\",...}\"\n      },\n      \"sth\": {\n        \"tree_size\": 500,\n        \"root_hash\": \"1f9c...7e2a\",\n        \"signed_at\": 1746478320000,\n        \"signer_kid\": \"foundation:root-1\",\n        \"signature\": \"BASE64...\",\n        \"rekor_log_id\": \"...\",\n        \"rekor_index\": 12345678,\n        \"rekor_uuid\": \"abcd...\"\n      },\n      \"proof\": [\"...\", \"...\", \"...\"],\n      \"leaf_hash\": \"f8e1...0a7d\",\n      \"rekor_url\": \"https:\u002F\u002Frekor.sigstore.dev\u002Fapi\u002Fv1\u002Flog\u002Fentries\u002Fabcd...\"\n    }\n  ],\n  \"directive_audit\": {\n    \"directive_id\": \"dir-3a91b...c4e\",\n    \"applied_at\": 1746391891000,\n    \"expired_at\": 1746478291000,\n    \"agents\": [\"acme-bot-1\", \"acme-bot-7\"],\n    \"audit_chain_entries\": [\n      {\n        \"agent_id\": \"acme-bot-1\",\n        \"seq\": 311,\n        \"entry\": { \"event_type\": \"directive.applied\", \"ts\": 1746391891000, \"...\" },\n        \"sth\": { \"tree_size\": 500, \"root_hash\": \"1f9c...7e2a\", \"...\" },\n        \"proof\": [\"...\", \"...\"],\n        \"leaf_hash\": \"...\",\n        \"rekor_url\": 
\"https:\u002F\u002Frekor.sigstore.dev\u002Fapi\u002Fv1\u002Flog\u002Fentries\u002F...\"\n      }\n    ]\n  }\n}\n","json","",[22,347,348,357,376,400,444,462,479,494,500,522,539,554,574,589,610,627,648,687,693,707,724,745,762,783,804,824,841,860,865,903,924,943,949,955,969,991,1008,1024,1054,1068,1074,1093,1109,1162,1211,1240,1259,1277,1283,1289,1295],{"__ignoreMap":345},[349,350,353],"span",{"class":351,"line":352},"line",1,[349,354,356],{"class":355},"sMK4o","{\n",[349,358,360,363,367,370,373],{"class":351,"line":359},2,[349,361,362],{"class":355},"  \"",[349,364,366],{"class":365},"spNyl","ok",[349,368,369],{"class":355},"\"",[349,371,372],{"class":355},":",[349,374,375],{"class":355}," true,\n",[349,377,379,381,384,386,388,391,395,397],{"class":351,"line":378},3,[349,380,362],{"class":355},[349,382,383],{"class":365},"challenge_id",[349,385,369],{"class":355},[349,387,372],{"class":355},[349,389,390],{"class":355}," \"",[349,392,394],{"class":393},"sfazB","chl-7f3a...",[349,396,369],{"class":355},[349,398,399],{"class":355},",\n",[349,401,403,405,408,410,412,415,417,420,422,425,427,430,432,434,436,439,441],{"class":351,"line":402},4,[349,404,362],{"class":355},[349,406,407],{"class":365},"matched_agents",[349,409,369],{"class":355},[349,411,372],{"class":355},[349,413,414],{"class":355}," [",[349,416,369],{"class":355},[349,418,419],{"class":393},"acme-bot-1",[349,421,369],{"class":355},[349,423,424],{"class":355},",",[349,426,390],{"class":355},[349,428,429],{"class":393},"acme-bot-7",[349,431,369],{"class":355},[349,433,424],{"class":355},[349,435,390],{"class":355},[349,437,438],{"class":393},"...",[349,440,369],{"class":355},[349,442,443],{"class":355},"],\n",[349,445,447,449,452,454,456,460],{"class":351,"line":446},5,[349,448,362],{"class":355},[349,450,451],{"class":365},"matched_entries",[349,453,369],{"class":355},[349,455,372],{"class":355},[349,457,459],{"class":458},"sbssI"," 
871",[349,461,399],{"class":355},[349,463,465,467,470,472,474,477],{"class":351,"line":464},6,[349,466,362],{"class":355},[349,468,469],{"class":365},"sampled",[349,471,369],{"class":355},[349,473,372],{"class":355},[349,475,476],{"class":458}," 87",[349,478,399],{"class":355},[349,480,482,484,487,489,491],{"class":351,"line":481},7,[349,483,362],{"class":355},[349,485,486],{"class":365},"proofs",[349,488,369],{"class":355},[349,490,372],{"class":355},[349,492,493],{"class":355}," [\n",[349,495,497],{"class":351,"line":496},8,[349,498,499],{"class":355},"    {\n",[349,501,503,506,510,512,514,516,518,520],{"class":351,"line":502},9,[349,504,505],{"class":355},"      \"",[349,507,509],{"class":508},"sBMFI","agent_id",[349,511,369],{"class":355},[349,513,372],{"class":355},[349,515,390],{"class":355},[349,517,419],{"class":393},[349,519,369],{"class":355},[349,521,399],{"class":355},[349,523,525,527,530,532,534,537],{"class":351,"line":524},10,[349,526,505],{"class":355},[349,528,529],{"class":508},"seq",[349,531,369],{"class":355},[349,533,372],{"class":355},[349,535,536],{"class":458}," 412",[349,538,399],{"class":355},[349,540,542,544,547,549,551],{"class":351,"line":541},11,[349,543,505],{"class":355},[349,545,546],{"class":508},"entry",[349,548,369],{"class":355},[349,550,372],{"class":355},[349,552,553],{"class":355}," {\n",[349,555,557,560,562,564,566,568,570,572],{"class":351,"line":556},12,[349,558,559],{"class":355},"        
\"",[349,561,509],{"class":458},[349,563,369],{"class":355},[349,565,372],{"class":355},[349,567,390],{"class":355},[349,569,419],{"class":393},[349,571,369],{"class":355},[349,573,399],{"class":355},[349,575,577,579,581,583,585,587],{"class":351,"line":576},13,[349,578,559],{"class":355},[349,580,529],{"class":458},[349,582,369],{"class":355},[349,584,372],{"class":355},[349,586,536],{"class":458},[349,588,399],{"class":355},[349,590,592,594,597,599,601,603,606,608],{"class":351,"line":591},14,[349,593,559],{"class":355},[349,595,596],{"class":458},"entry_hash",[349,598,369],{"class":355},[349,600,372],{"class":355},[349,602,390],{"class":355},[349,604,605],{"class":393},"8a2f...c1e9",[349,607,369],{"class":355},[349,609,399],{"class":355},[349,611,613,615,618,620,622,625],{"class":351,"line":612},15,[349,614,559],{"class":355},[349,616,617],{"class":458},"ts",[349,619,369],{"class":355},[349,621,372],{"class":355},[349,623,624],{"class":458}," 1746478291000",[349,626,399],{"class":355},[349,628,630,632,635,637,639,641,644,646],{"class":351,"line":629},16,[349,631,559],{"class":355},[349,633,634],{"class":458},"event_type",[349,636,369],{"class":355},[349,638,372],{"class":355},[349,640,390],{"class":355},[349,642,643],{"class":393},"decision.made",[349,645,369],{"class":355},[349,647,399],{"class":355},[349,649,651,653,656,658,660,662,665,669,671,673,675,677,679,681,684],{"class":351,"line":650},17,[349,652,559],{"class":355},[349,654,655],{"class":458},"event_canonical",[349,657,369],{"class":355},[349,659,372],{"class":355},[349,661,390],{"class":355},[349,663,664],{"class":393},"{",[349,666,668],{"class":667},"sTEyZ","\\\"",[349,670,509],{"class":393},[349,672,668],{"class":667},[349,674,372],{"class":393},[349,676,668],{"class":667},[349,678,419],{"class":393},[349,680,668],{"class":667},[349,682,683],{"class":393},",...}",[349,685,686],{"class":355},"\"\n",[349,688,690],{"class":351,"line":689},18,[349,691,692],{"class":355},"      
},\n",[349,694,696,698,701,703,705],{"class":351,"line":695},19,[349,697,505],{"class":355},[349,699,700],{"class":508},"sth",[349,702,369],{"class":355},[349,704,372],{"class":355},[349,706,553],{"class":355},[349,708,710,712,715,717,719,722],{"class":351,"line":709},20,[349,711,559],{"class":355},[349,713,714],{"class":458},"tree_size",[349,716,369],{"class":355},[349,718,372],{"class":355},[349,720,721],{"class":458}," 500",[349,723,399],{"class":355},[349,725,727,729,732,734,736,738,741,743],{"class":351,"line":726},21,[349,728,559],{"class":355},[349,730,731],{"class":458},"root_hash",[349,733,369],{"class":355},[349,735,372],{"class":355},[349,737,390],{"class":355},[349,739,740],{"class":393},"1f9c...7e2a",[349,742,369],{"class":355},[349,744,399],{"class":355},[349,746,748,750,753,755,757,760],{"class":351,"line":747},22,[349,749,559],{"class":355},[349,751,752],{"class":458},"signed_at",[349,754,369],{"class":355},[349,756,372],{"class":355},[349,758,759],{"class":458}," 1746478320000",[349,761,399],{"class":355},[349,763,765,767,770,772,774,776,779,781],{"class":351,"line":764},23,[349,766,559],{"class":355},[349,768,769],{"class":458},"signer_kid",[349,771,369],{"class":355},[349,773,372],{"class":355},[349,775,390],{"class":355},[349,777,778],{"class":393},"foundation:root-1",[349,780,369],{"class":355},[349,782,399],{"class":355},[349,784,786,788,791,793,795,797,800,802],{"class":351,"line":785},24,[349,787,559],{"class":355},[349,789,790],{"class":458},"signature",[349,792,369],{"class":355},[349,794,372],{"class":355},[349,796,390],{"class":355},[349,798,799],{"class":393},"BASE64...",[349,801,369],{"class":355},[349,803,399],{"class":355},[349,805,807,809,812,814,816,818,820,822],{"class":351,"line":806},25,[349,808,559],{"class":355},[349,810,811],{"class":458},"rekor_log_id",[349,813,369],{"class":355},[349,815,372],{"class":355},[349,817,390],{"class":355},[349,819,438],{"class":393},[349,821,369],{"class":355},[349,823,399],{"class":355},[349,825
,827,829,832,834,836,839],{"class":351,"line":826},26,[349,828,559],{"class":355},[349,830,831],{"class":458},"rekor_index",[349,833,369],{"class":355},[349,835,372],{"class":355},[349,837,838],{"class":458}," 12345678",[349,840,399],{"class":355},[349,842,844,846,849,851,853,855,858],{"class":351,"line":843},27,[349,845,559],{"class":355},[349,847,848],{"class":458},"rekor_uuid",[349,850,369],{"class":355},[349,852,372],{"class":355},[349,854,390],{"class":355},[349,856,857],{"class":393},"abcd...",[349,859,686],{"class":355},[349,861,863],{"class":351,"line":862},28,[349,864,692],{"class":355},[349,866,868,870,873,875,877,879,881,883,885,887,889,891,893,895,897,899,901],{"class":351,"line":867},29,[349,869,505],{"class":355},[349,871,872],{"class":508},"proof",[349,874,369],{"class":355},[349,876,372],{"class":355},[349,878,414],{"class":355},[349,880,369],{"class":355},[349,882,438],{"class":393},[349,884,369],{"class":355},[349,886,424],{"class":355},[349,888,390],{"class":355},[349,890,438],{"class":393},[349,892,369],{"class":355},[349,894,424],{"class":355},[349,896,390],{"class":355},[349,898,438],{"class":393},[349,900,369],{"class":355},[349,902,443],{"class":355},[349,904,906,908,911,913,915,917,920,922],{"class":351,"line":905},30,[349,907,505],{"class":355},[349,909,910],{"class":508},"leaf_hash",[349,912,369],{"class":355},[349,914,372],{"class":355},[349,916,390],{"class":355},[349,918,919],{"class":393},"f8e1...0a7d",[349,921,369],{"class":355},[349,923,399],{"class":355},[349,925,927,929,932,934,936,938,941],{"class":351,"line":926},31,[349,928,505],{"class":355},[349,930,931],{"class":508},"rekor_url",[349,933,369],{"class":355},[349,935,372],{"class":355},[349,937,390],{"class":355},[349,939,940],{"class":393},"https:\u002F\u002Frekor.sigstore.dev\u002Fapi\u002Fv1\u002Flog\u002Fentries\u002Fabcd...",[349,942,686],{"class":355},[349,944,946],{"class":351,"line":945},32,[349,947,948],{"class":355},"    
}\n",[349,950,952],{"class":351,"line":951},33,[349,953,954],{"class":355},"  ],\n",[349,956,958,960,963,965,967],{"class":351,"line":957},34,[349,959,362],{"class":355},[349,961,962],{"class":365},"directive_audit",[349,964,369],{"class":355},[349,966,372],{"class":355},[349,968,553],{"class":355},[349,970,972,975,978,980,982,984,987,989],{"class":351,"line":971},35,[349,973,974],{"class":355},"    \"",[349,976,977],{"class":508},"directive_id",[349,979,369],{"class":355},[349,981,372],{"class":355},[349,983,390],{"class":355},[349,985,986],{"class":393},"dir-3a91b...c4e",[349,988,369],{"class":355},[349,990,399],{"class":355},[349,992,994,996,999,1001,1003,1006],{"class":351,"line":993},36,[349,995,974],{"class":355},[349,997,998],{"class":508},"applied_at",[349,1000,369],{"class":355},[349,1002,372],{"class":355},[349,1004,1005],{"class":458}," 1746391891000",[349,1007,399],{"class":355},[349,1009,1011,1013,1016,1018,1020,1022],{"class":351,"line":1010},37,[349,1012,974],{"class":355},[349,1014,1015],{"class":508},"expired_at",[349,1017,369],{"class":355},[349,1019,372],{"class":355},[349,1021,624],{"class":458},[349,1023,399],{"class":355},[349,1025,1027,1029,1032,1034,1036,1038,1040,1042,1044,1046,1048,1050,1052],{"class":351,"line":1026},38,[349,1028,974],{"class":355},[349,1030,1031],{"class":508},"agents",[349,1033,369],{"class":355},[349,1035,372],{"class":355},[349,1037,414],{"class":355},[349,1039,369],{"class":355},[349,1041,419],{"class":393},[349,1043,369],{"class":355},[349,1045,424],{"class":355},[349,1047,390],{"class":355},[349,1049,429],{"class":393},[349,1051,369],{"class":355},[349,1053,443],{"class":355},[349,1055,1057,1059,1062,1064,1066],{"class":351,"line":1056},39,[349,1058,974],{"class":355},[349,1060,1061],{"class":508},"audit_chain_entries",[349,1063,369],{"class":355},[349,1065,372],{"class":355},[349,1067,493],{"class":355},[349,1069,1071],{"class":351,"line":1070},40,[349,1072,1073],{"class":355},"      
{\n",[349,1075,1077,1079,1081,1083,1085,1087,1089,1091],{"class":351,"line":1076},41,[349,1078,559],{"class":355},[349,1080,509],{"class":458},[349,1082,369],{"class":355},[349,1084,372],{"class":355},[349,1086,390],{"class":355},[349,1088,419],{"class":393},[349,1090,369],{"class":355},[349,1092,399],{"class":355},[349,1094,1096,1098,1100,1102,1104,1107],{"class":351,"line":1095},42,[349,1097,559],{"class":355},[349,1099,529],{"class":458},[349,1101,369],{"class":355},[349,1103,372],{"class":355},[349,1105,1106],{"class":458}," 311",[349,1108,399],{"class":355},[349,1110,1112,1114,1116,1118,1120,1123,1125,1128,1130,1132,1134,1137,1139,1141,1143,1145,1147,1149,1151,1153,1155,1157,1159],{"class":351,"line":1111},43,[349,1113,559],{"class":355},[349,1115,546],{"class":458},[349,1117,369],{"class":355},[349,1119,372],{"class":355},[349,1121,1122],{"class":355}," {",[349,1124,390],{"class":355},[349,1126,634],{"class":1127},"swJcz",[349,1129,369],{"class":355},[349,1131,372],{"class":355},[349,1133,390],{"class":355},[349,1135,1136],{"class":393},"directive.applied",[349,1138,369],{"class":355},[349,1140,424],{"class":355},[349,1142,390],{"class":355},[349,1144,617],{"class":1127},[349,1146,369],{"class":355},[349,1148,372],{"class":355},[349,1150,1005],{"class":458},[349,1152,424],{"class":355},[349,1154,390],{"class":355},[349,1156,438],{"class":1127},[349,1158,369],{"class":355},[349,1160,1161],{"class":355}," 
},\n",[349,1163,1165,1167,1169,1171,1173,1175,1177,1179,1181,1183,1185,1187,1189,1191,1193,1195,1197,1199,1201,1203,1205,1207,1209],{"class":351,"line":1164},44,[349,1166,559],{"class":355},[349,1168,700],{"class":458},[349,1170,369],{"class":355},[349,1172,372],{"class":355},[349,1174,1122],{"class":355},[349,1176,390],{"class":355},[349,1178,714],{"class":1127},[349,1180,369],{"class":355},[349,1182,372],{"class":355},[349,1184,721],{"class":458},[349,1186,424],{"class":355},[349,1188,390],{"class":355},[349,1190,731],{"class":1127},[349,1192,369],{"class":355},[349,1194,372],{"class":355},[349,1196,390],{"class":355},[349,1198,740],{"class":393},[349,1200,369],{"class":355},[349,1202,424],{"class":355},[349,1204,390],{"class":355},[349,1206,438],{"class":1127},[349,1208,369],{"class":355},[349,1210,1161],{"class":355},[349,1212,1214,1216,1218,1220,1222,1224,1226,1228,1230,1232,1234,1236,1238],{"class":351,"line":1213},45,[349,1215,559],{"class":355},[349,1217,872],{"class":458},[349,1219,369],{"class":355},[349,1221,372],{"class":355},[349,1223,414],{"class":355},[349,1225,369],{"class":355},[349,1227,438],{"class":393},[349,1229,369],{"class":355},[349,1231,424],{"class":355},[349,1233,390],{"class":355},[349,1235,438],{"class":393},[349,1237,369],{"class":355},[349,1239,443],{"class":355},[349,1241,1243,1245,1247,1249,1251,1253,1255,1257],{"class":351,"line":1242},46,[349,1244,559],{"class":355},[349,1246,910],{"class":458},[349,1248,369],{"class":355},[349,1250,372],{"class":355},[349,1252,390],{"class":355},[349,1254,438],{"class":393},[349,1256,369],{"class":355},[349,1258,399],{"class":355},[349,1260,1262,1264,1266,1268,1270,1272,1275],{"class":351,"line":1261},47,[349,1263,559],{"class":355},[349,1265,931],{"class":458},[349,1267,369],{"class":355},[349,1269,372],{"class":355},[349,1271,390],{"class":355},[349,1273,1274],{"class":393},"https:\u002F\u002Frekor.sigstore.dev\u002Fapi\u002Fv1\u002Flog\u002Fentries\u002F...",[349,1276,686],{"class":355},[349,12
78,1280],{"class":351,"line":1279},48,[349,1281,1282],{"class":355},"      }\n",[349,1284,1286],{"class":351,"line":1285},49,[349,1287,1288],{"class":355},"    ]\n",[349,1290,1292],{"class":351,"line":1291},50,[349,1293,1294],{"class":355},"  }\n",[349,1296,1298],{"class":351,"line":1297},51,[349,1299,1300],{"class":355},"}\n",[14,1302,1304],{"id":1303},"how-the-regulator-verifies-locally","How the regulator verifies — locally",[10,1306,1307,1308,1311],{},"The regulator does ",[233,1309,1310],{},"not need to trust Iqrar's response",". Every proof is verifiable against the public Rekor log.",[340,1313,1316],{"className":1314,"code":1315,"language":617,"meta":345,"style":345},"language-ts shiki shiki-themes material-theme-lighter material-theme material-theme-palenight","import { verifyInclusionProof, leafHash } from \"@iqrar\u002Frules\u002Fmerkle\";\n\nfor (const item of response.proofs) {\n  \u002F\u002F 1. Recompute the leaf hash from the entry's entry_hash.\n  const expected = await leafHash(item.entry.entry_hash);\n  if (expected !== item.leaf_hash) throw new Error(\"leaf mismatch\");\n\n  \u002F\u002F 2. Verify the inclusion proof reproduces the STH root.\n  const ok = await verifyInclusionProof(\n    item.leaf_hash,\n    item.seq,\n    item.sth.tree_size,\n    item.proof,\n    item.sth.root_hash,\n  );\n  if (!ok) throw new Error(\"inclusion proof invalid\");\n\n  \u002F\u002F 3. 
Confirm the STH was actually published to Rekor.\n  const rekorEntry = await fetch(item.rekor_url).then((r) => r.json());\n  \u002F\u002F Verify the Rekor entry's body matches our STH root + signer key.\n  \u002F\u002F (See @iqrar\u002Frules\u002Frekor for the canonical verification helper.)\n}\n",[22,1317,1318,1350,1356,1383,1389,1425,1470,1474,1479,1495,1506,1516,1530,1540,1554,1561,1593,1597,1602,1656,1661,1666],{"__ignoreMap":345},[349,1319,1320,1324,1326,1329,1331,1334,1337,1340,1342,1345,1347],{"class":351,"line":352},[349,1321,1323],{"class":1322},"s7zQu","import",[349,1325,1122],{"class":355},[349,1327,1328],{"class":667}," verifyInclusionProof",[349,1330,424],{"class":355},[349,1332,1333],{"class":667}," leafHash",[349,1335,1336],{"class":355}," }",[349,1338,1339],{"class":1322}," from",[349,1341,390],{"class":355},[349,1343,1344],{"class":393},"@iqrar\u002Frules\u002Fmerkle",[349,1346,369],{"class":355},[349,1348,1349],{"class":355},";\n",[349,1351,1352],{"class":351,"line":359},[349,1353,1355],{"emptyLinePlaceholder":1354},true,"\n",[349,1357,1358,1361,1364,1367,1370,1373,1376,1378,1381],{"class":351,"line":378},[349,1359,1360],{"class":1322},"for",[349,1362,1363],{"class":667}," (",[349,1365,1366],{"class":365},"const",[349,1368,1369],{"class":667}," item ",[349,1371,1372],{"class":355},"of",[349,1374,1375],{"class":667}," response",[349,1377,137],{"class":355},[349,1379,1380],{"class":667},"proofs) ",[349,1382,356],{"class":355},[349,1384,1385],{"class":351,"line":402},[349,1386,1388],{"class":1387},"sHwdD","  \u002F\u002F 1. 
Recompute the leaf hash from the entry's entry_hash.\n",[349,1390,1391,1394,1397,1400,1403,1406,1409,1412,1414,1416,1418,1420,1423],{"class":351,"line":446},[349,1392,1393],{"class":365},"  const",[349,1395,1396],{"class":667}," expected",[349,1398,1399],{"class":355}," =",[349,1401,1402],{"class":1322}," await",[349,1404,1333],{"class":1405},"s2Zo4",[349,1407,1408],{"class":1127},"(",[349,1410,1411],{"class":667},"item",[349,1413,137],{"class":355},[349,1415,546],{"class":667},[349,1417,137],{"class":355},[349,1419,596],{"class":667},[349,1421,1422],{"class":1127},")",[349,1424,1349],{"class":355},[349,1426,1427,1430,1432,1435,1438,1441,1443,1445,1448,1451,1454,1457,1459,1461,1464,1466,1468],{"class":351,"line":464},[349,1428,1429],{"class":1322},"  if",[349,1431,1363],{"class":1127},[349,1433,1434],{"class":667},"expected",[349,1436,1437],{"class":355}," !==",[349,1439,1440],{"class":667}," item",[349,1442,137],{"class":355},[349,1444,910],{"class":667},[349,1446,1447],{"class":1127},") ",[349,1449,1450],{"class":1322},"throw",[349,1452,1453],{"class":355}," new",[349,1455,1456],{"class":1405}," Error",[349,1458,1408],{"class":1127},[349,1460,369],{"class":355},[349,1462,1463],{"class":393},"leaf mismatch",[349,1465,369],{"class":355},[349,1467,1422],{"class":1127},[349,1469,1349],{"class":355},[349,1471,1472],{"class":351,"line":481},[349,1473,1355],{"emptyLinePlaceholder":1354},[349,1475,1476],{"class":351,"line":496},[349,1477,1478],{"class":1387},"  \u002F\u002F 2. 
Verify the inclusion proof reproduces the STH root.\n",[349,1480,1481,1483,1486,1488,1490,1492],{"class":351,"line":502},[349,1482,1393],{"class":365},[349,1484,1485],{"class":667}," ok",[349,1487,1399],{"class":355},[349,1489,1402],{"class":1322},[349,1491,1328],{"class":1405},[349,1493,1494],{"class":1127},"(\n",[349,1496,1497,1500,1502,1504],{"class":351,"line":524},[349,1498,1499],{"class":667},"    item",[349,1501,137],{"class":355},[349,1503,910],{"class":667},[349,1505,399],{"class":355},[349,1507,1508,1510,1512,1514],{"class":351,"line":541},[349,1509,1499],{"class":667},[349,1511,137],{"class":355},[349,1513,529],{"class":667},[349,1515,399],{"class":355},[349,1517,1518,1520,1522,1524,1526,1528],{"class":351,"line":556},[349,1519,1499],{"class":667},[349,1521,137],{"class":355},[349,1523,700],{"class":667},[349,1525,137],{"class":355},[349,1527,714],{"class":667},[349,1529,399],{"class":355},[349,1531,1532,1534,1536,1538],{"class":351,"line":576},[349,1533,1499],{"class":667},[349,1535,137],{"class":355},[349,1537,872],{"class":667},[349,1539,399],{"class":355},[349,1541,1542,1544,1546,1548,1550,1552],{"class":351,"line":591},[349,1543,1499],{"class":667},[349,1545,137],{"class":355},[349,1547,700],{"class":667},[349,1549,137],{"class":355},[349,1551,731],{"class":667},[349,1553,399],{"class":355},[349,1555,1556,1559],{"class":351,"line":612},[349,1557,1558],{"class":1127},"  )",[349,1560,1349],{"class":355},[349,1562,1563,1565,1567,1570,1572,1574,1576,1578,1580,1582,1584,1587,1589,1591],{"class":351,"line":629},[349,1564,1429],{"class":1322},[349,1566,1363],{"class":1127},[349,1568,1569],{"class":355},"!",[349,1571,366],{"class":667},[349,1573,1447],{"class":1127},[349,1575,1450],{"class":1322},[349,1577,1453],{"class":355},[349,1579,1456],{"class":1405},[349,1581,1408],{"class":1127},[349,1583,369],{"class":355},[349,1585,1586],{"class":393},"inclusion proof 
invalid",[349,1588,369],{"class":355},[349,1590,1422],{"class":1127},[349,1592,1349],{"class":355},[349,1594,1595],{"class":351,"line":650},[349,1596,1355],{"emptyLinePlaceholder":1354},[349,1598,1599],{"class":351,"line":689},[349,1600,1601],{"class":1387},"  \u002F\u002F 3. Confirm the STH was actually published to Rekor.\n",[349,1603,1604,1606,1609,1611,1613,1616,1618,1620,1622,1624,1626,1628,1631,1633,1635,1639,1641,1644,1647,1649,1651,1654],{"class":351,"line":695},[349,1605,1393],{"class":365},[349,1607,1608],{"class":667}," rekorEntry",[349,1610,1399],{"class":355},[349,1612,1402],{"class":1322},[349,1614,1615],{"class":1405}," fetch",[349,1617,1408],{"class":1127},[349,1619,1411],{"class":667},[349,1621,137],{"class":355},[349,1623,931],{"class":667},[349,1625,1422],{"class":1127},[349,1627,137],{"class":355},[349,1629,1630],{"class":1405},"then",[349,1632,1408],{"class":1127},[349,1634,1408],{"class":355},[349,1636,1638],{"class":1637},"sHdIc","r",[349,1640,1422],{"class":355},[349,1642,1643],{"class":365}," =>",[349,1645,1646],{"class":667}," r",[349,1648,137],{"class":355},[349,1650,344],{"class":1405},[349,1652,1653],{"class":1127},"())",[349,1655,1349],{"class":355},[349,1657,1658],{"class":351,"line":709},[349,1659,1660],{"class":1387},"  \u002F\u002F Verify the Rekor entry's body matches our STH root + signer key.\n",[349,1662,1663],{"class":351,"line":726},[349,1664,1665],{"class":1387},"  \u002F\u002F (See @iqrar\u002Frules\u002Frekor for the canonical verification helper.)\n",[349,1667,1668],{"class":351,"line":747},[349,1669,1300],{"class":355},[10,1671,1672,1673,1676],{},"If any step fails, the operator's claim that the agent recorded a particular action ",[233,1674,1675],{},"at a particular time"," is not credible — even if Iqrar's response was 200 OK. Steps 1 and 2 on their own only show that an entry is consistent with the STH carried in the same response; the independence from Iqrar comes from step 3, which the snippet leaves as comments. The fetched Rekor entry must actually be compared against the STH root and signer key, and because rekor_url is itself taken from the response, confirm it points at the expected Rekor log before relying on it.",[14,1678,1680],{"id":1679},"the-directivechallenge-binding","The directive↔challenge binding",[10,1682,1683,1684,1686,1687,1689,1690,145,1693,145,1695,145,1698,1701],{},"When a challenge carries 
",[22,1685,162],{},", the response's ",[22,1688,962],{}," section contains inclusion proofs for the directive's own lifecycle audit-chain entries — ",[22,1691,1692],{},"directive.received",[22,1694,1136],{},[22,1696,1697],{},"directive.skipped",[22,1699,1700],{},"directive.rejected"," — across every targeted agent.",[10,1703,1704,1705,1708],{},"This closes the §8.3 sub-claim: ",[233,1706,1707],{},"the investigative chain is itself committed and verifiable",". A tamper that excised a directive-application record from a regulator's view of the chain would invalidate the inclusion proof against the same STH that anchors the action records.",[10,1710,1711],{},"The regulator can therefore verify, in a single pass:",[227,1713,1714,1717,1720,1723,1726],{},[230,1715,1716],{},"The directive was issued.",[230,1718,1719],{},"Every targeted agent received it.",[230,1721,1722],{},"The agents that matched applied it (with the recorded window).",[230,1724,1725],{},"The action records produced under the directive's window are committed under the same STHs.",[230,1727,1728],{},"Nothing has been retroactively altered.",[10,1730,1731],{},"That property is the regulator's primary audit guarantee.",[14,1733,1735],{"id":1734},"capability-gate","Capability gate",[10,1737,1738,1739,1742,1743,1746,1747,1750,1751,1753],{},"To issue an audit challenge, an authority must have ",[22,1740,1741],{},"may_issue: [\"audit_challenge\"]"," in the registry. By convention, ",[22,1744,1745],{},"rule_bundle"," and ",[22,1748,1749],{},"directive"," are the publication capabilities; ",[22,1752,255],{}," is the inquiry capability. 
The same authority typically holds all three — but the registry can grant them separately, e.g., for a regulator that delegates inquiry to a dedicated supervisory unit.",[14,1755,1757],{"id":1756},"see-also","See also",[1759,1760,1761,1771,1780],"ul",{},[230,1762,1763,1766,1767],{},[233,1764,1765],{},"Concepts overview"," — what the audit chain, Merkle commitment, and Rekor anchoring do — ",[213,1768,1770],{"href":1769},"\u002Fdocs\u002Fconcepts\u002Foverview","Concepts",[230,1772,1773,1776,1777],{},[233,1774,1775],{},"Foundation"," — why the registry's signing keys are governed by a structurally separate entity — ",[213,1778,1775],{"href":1779},"\u002Fdocs\u002Ffoundation",[230,1781,1782,1785,1786],{},[233,1783,1784],{},"Sigstore Rekor"," — the public transparency log Iqrar anchors STHs to — ",[213,1787,1790],{"href":1788,"rel":1789},"https:\u002F\u002Frekor.sigstore.dev",[217],"rekor.sigstore.dev",[1792,1793,1794],"style",{},"html pre.shiki code .sMK4o, html code.shiki .sMK4o{--shiki-light:#39ADB5;--shiki-default:#89DDFF;--shiki-dark:#89DDFF}html pre.shiki code .spNyl, html code.shiki .spNyl{--shiki-light:#9C3EDA;--shiki-default:#C792EA;--shiki-dark:#C792EA}html pre.shiki code .sfazB, html code.shiki .sfazB{--shiki-light:#91B859;--shiki-default:#C3E88D;--shiki-dark:#C3E88D}html pre.shiki code .sbssI, html code.shiki .sbssI{--shiki-light:#F76D47;--shiki-default:#F78C6C;--shiki-dark:#F78C6C}html pre.shiki code .sBMFI, html code.shiki .sBMFI{--shiki-light:#E2931D;--shiki-default:#FFCB6B;--shiki-dark:#FFCB6B}html pre.shiki code .sTEyZ, html code.shiki .sTEyZ{--shiki-light:#90A4AE;--shiki-default:#EEFFFF;--shiki-dark:#BABED8}html pre.shiki code .swJcz, html code.shiki .swJcz{--shiki-light:#E53935;--shiki-default:#F07178;--shiki-dark:#F07178}html .light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: 
var(--shiki-light-text-decoration);}html.light .shiki span {color: var(--shiki-light);background: var(--shiki-light-bg);font-style: var(--shiki-light-font-style);font-weight: var(--shiki-light-font-weight);text-decoration: var(--shiki-light-text-decoration);}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .s7zQu, html code.shiki .s7zQu{--shiki-light:#39ADB5;--shiki-light-font-style:italic;--shiki-default:#89DDFF;--shiki-default-font-style:italic;--shiki-dark:#89DDFF;--shiki-dark-font-style:italic}html pre.shiki code .sHwdD, html code.shiki .sHwdD{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#546E7A;--shiki-default-font-style:italic;--shiki-dark:#676E95;--shiki-dark-font-style:italic}html pre.shiki code .s2Zo4, html code.shiki .s2Zo4{--shiki-light:#6182B8;--shiki-default:#82AAFF;--shiki-dark:#82AAFF}html pre.shiki code .sHdIc, html code.shiki 
.sHdIc{--shiki-light:#90A4AE;--shiki-light-font-style:italic;--shiki-default:#EEFFFF;--shiki-default-font-style:italic;--shiki-dark:#BABED8;--shiki-dark-font-style:italic}",{"title":345,"searchDepth":359,"depth":359,"links":1796},[1797,1798,1799,1800,1801,1802,1803],{"id":16,"depth":359,"text":17},{"id":221,"depth":359,"text":222},{"id":337,"depth":359,"text":338},{"id":1303,"depth":359,"text":1304},{"id":1679,"depth":359,"text":1680},{"id":1734,"depth":359,"text":1735},{"id":1756,"depth":359,"text":1757},"How a regulator issues a signed predicate-scoped challenge over an agent population and verifies the response — inclusion proofs against committed Signed Tree Heads anchored on the public Sigstore Rekor log, without trusting Iqrar's infrastructure.","md",{},{"order":905},"\u002Fdocs\u002Faudit-challenge-protocol",{"title":5,"description":1804},"docs\u002Faudit-challenge-protocol","YKxN7IrMYGueHoApROewMMOKgaZllToZZChVjPO5vJA",1781253131675]