Governance Proof Bundle Schema — v1.0.0

Version: 1.0.0
Status: Production
Last Updated: 2026-05-22
Canonical URL: https://h33.ai/schemas/governance-proof/
Schema Draft: JSON Schema draft 2020-12
Editor: Eric Beans, H33.ai, Inc.

1. Overview

A governance proof bundle is a self-contained package that enables independent verification of a governance chain. It contains the complete governance graph, optional replay frames for deterministic re-execution, a signature bundle with signatures from all three post-quantum (PQ) signature families, and a verification manifest that describes how the bundle was produced.

Proof bundles are the primary export format for governance evidence. They are designed to be consumed by independent verifiers that have no prior knowledge of the producing system's internal state.

2. Definitions

Proof Bundle
A JSON object containing all data necessary to independently verify a governance chain segment.
Replay Frame
A snapshot of the inputs, state, and outputs at a specific governance decision point. Replay frames enable deterministic re-execution: given the same inputs, an independent verifier must produce the same outputs.
Signature Bundle
The set of three PQ signatures (ML-DSA-65, FALCON-512, SLH-DSA-SHA2-128f-simple) over the bundle's root hash.
Verification Manifest
Metadata about how the bundle was produced: proof profile, hash algorithm, serialization version, and the expected verification result.

3. Bundle Structure

| Field | Type | Required | Description |
|---|---|---|---|
| bundle_version | string | Yes | Schema version. "1.0.0" for this version. |
| produced_by | string | Yes | Tenant identifier that produced this bundle. |
| produced_at | string (ISO 8601) | Yes | Timestamp of bundle production. |
| governance_graph | object | Yes | The full governance graph (nodes + edges). Same structure as the HATS Attestation Schema graph. |
| replay_frames | array | No | Ordered array of replay frames. If present, enables deterministic re-execution. |
| signature_bundle | object | Yes | Three PQ signatures over the bundle root hash. |
| verification_manifest | object | Yes | Production metadata and expected verification outcome. |

4. JSON Schema Definition

{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://h33.ai/schemas/governance-proof/v1.0.0",
  "title": "Governance Proof Bundle",
  "type": "object",
  "required": [
    "bundle_version",
    "produced_by",
    "produced_at",
    "governance_graph",
    "signature_bundle",
    "verification_manifest"
  ],
  "properties": {
    "bundle_version": { "type": "string", "const": "1.0.0" },
    "produced_by": { "type": "string", "minLength": 1 },
    "produced_at": { "type": "string", "format": "date-time" },
    "governance_graph": {
      "type": "object",
      "required": ["nodes", "edges", "root_hash"],
      "properties": {
        "nodes": {
          "type": "array",
          "items": { "$ref": "#/$defs/GovernanceNode" },
          "minItems": 1
        },
        "edges": {
          "type": "array",
          "items": { "$ref": "#/$defs/GovernanceEdge" }
        },
        "root_hash": { "type": "string", "pattern": "^[a-f0-9]{64}$" }
      }
    },
    "replay_frames": {
      "type": "array",
      "items": { "$ref": "#/$defs/ReplayFrame" }
    },
    "signature_bundle": {
      "type": "object",
      "required": ["ml_dsa", "falcon", "slh_dsa"],
      "properties": {
        "ml_dsa": { "$ref": "#/$defs/SignatureEntry" },
        "falcon": { "$ref": "#/$defs/SignatureEntry" },
        "slh_dsa": { "$ref": "#/$defs/SignatureEntry" }
      }
    },
    "verification_manifest": {
      "type": "object",
      "required": ["proof_profile", "hash_algorithm", "serialization_version"],
      "properties": {
        "proof_profile": { "type": "string" },
        "hash_algorithm": { "type": "string", "const": "SHA3-256" },
        "serialization_version": { "type": "integer", "minimum": 1 },
        "expected_status": { "type": "string", "enum": ["VERIFIED", "PARTIAL"] },
        "node_count": { "type": "integer", "minimum": 1 },
        "edge_count": { "type": "integer", "minimum": 0 }
      }
    }
  },
  "$defs": {
    "GovernanceNode": {
      "type": "object",
      "required": ["node_id", "node_type", "hash", "timestamp"],
      "properties": {
        "node_id": { "type": "string", "format": "uuid" },
        "node_type": {
          "type": "string",
          "enum": ["DECISION", "CONTROL", "POLICY", "ATTESTATION", "CHECKPOINT"]
        },
        "hash": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
        "timestamp": { "type": "string", "format": "date-time" },
        "payload": { "type": "object" },
        "parent_ids": {
          "type": "array",
          "items": { "type": "string", "format": "uuid" }
        }
      }
    },
    "GovernanceEdge": {
      "type": "object",
      "required": ["source", "target", "edge_type"],
      "properties": {
        "source": { "type": "string", "format": "uuid" },
        "target": { "type": "string", "format": "uuid" },
        "edge_type": {
          "type": "string",
          "enum": ["DEPENDS_ON", "CAUSES", "ATTESTS", "SUPERSEDES"]
        }
      }
    },
    "ReplayFrame": {
      "type": "object",
      "required": ["frame_id", "node_id", "input_hash", "output_hash", "timestamp"],
      "properties": {
        "frame_id": { "type": "string", "format": "uuid" },
        "node_id": { "type": "string", "format": "uuid" },
        "input_hash": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
        "output_hash": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
        "state_snapshot": { "type": "object" },
        "timestamp": { "type": "string", "format": "date-time" }
      }
    },
    "SignatureEntry": {
      "type": "object",
      "required": ["algorithm", "public_key_hash", "signature_hex"],
      "properties": {
        "algorithm": { "type": "string" },
        "public_key_hash": { "type": "string", "pattern": "^[a-f0-9]{64}$" },
        "signature_hex": { "type": "string", "pattern": "^[a-f0-9]+$" }
      }
    }
  },
  "additionalProperties": false
}

5. Replay Frame Sub-Schema

Each replay frame captures the exact inputs and outputs at a governance decision point. An independent verifier re-executes the decision logic with the provided inputs and compares the output hash. If the hashes match, the frame is deterministic.

| Field | Type | Required | Description |
|---|---|---|---|
| frame_id | string (UUID) | Yes | Unique identifier for this replay frame. |
| node_id | string (UUID) | Yes | The governance node this frame corresponds to. |
| input_hash | string (hex64) | Yes | SHA3-256 of the canonical input to the decision logic. |
| output_hash | string (hex64) | Yes | SHA3-256 of the canonical output produced by the decision logic. |
| state_snapshot | object | No | Opaque snapshot of relevant state at frame execution time. |
| timestamp | string (ISO 8601) | Yes | When the frame was executed. |

Replay frames are ordered. The verifier MUST process them in array order. A frame's node_id MUST reference a valid node in governance_graph.nodes.

6. Signature Bundle Sub-Schema

The signature bundle contains three independent PQ signatures over the governance graph's root_hash. All three MUST be present and valid.

| Field | Type | Required | Description |
|---|---|---|---|
| algorithm | string | Yes | Algorithm identifier: "ML-DSA-65", "FALCON-512", or "SLH-DSA-SHA2-128f-simple". |
| public_key_hash | string (hex64) | Yes | SHA3-256 of the signer's public key. |
| signature_hex | string (hex) | Yes | Hex-encoded signature bytes. |

7. Cryptographic Assumptions

8. Canonical Valid Example

Valid Governance Proof Bundle
{
  "bundle_version": "1.0.0",
  "produced_by": "tenant-acme-corp-001",
  "produced_at": "2026-05-22T12:00:00Z",
  "governance_graph": {
    "nodes": [
      {
        "node_id": "d1e2f3a4-b5c6-7890-d1e2-f3a4b5c67890",
        "node_type": "POLICY",
        "hash": "c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2",
        "timestamp": "2026-05-22T11:59:50Z",
        "payload": { "policy_id": "GOV-PQ-REQUIRE-3SIG", "version": "1.0" }
      },
      {
        "node_id": "e2f3a4b5-c6d7-8901-e2f3-a4b5c6d78901",
        "node_type": "DECISION",
        "hash": "7d793037a0760186574b0282f2f435e7a3c7b9f1d2e4c6a8b0d3f5e7a9c1b3d5",
        "timestamp": "2026-05-22T12:00:00Z",
        "payload": { "decision": "APPROVE", "rationale": "All controls passed" },
        "parent_ids": ["d1e2f3a4-b5c6-7890-d1e2-f3a4b5c67890"]
      }
    ],
    "edges": [
      {
        "source": "e2f3a4b5-c6d7-8901-e2f3-a4b5c6d78901",
        "target": "d1e2f3a4-b5c6-7890-d1e2-f3a4b5c67890",
        "edge_type": "DEPENDS_ON"
      }
    ],
    "root_hash": "b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5"
  },
  "replay_frames": [
    {
      "frame_id": "f3a4b5c6-d7e8-9012-f3a4-b5c6d7e89012",
      "node_id": "e2f3a4b5-c6d7-8901-e2f3-a4b5c6d78901",
      "input_hash": "1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b",
      "output_hash": "a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2",
      "timestamp": "2026-05-22T12:00:00Z"
    }
  ],
  "signature_bundle": {
    "ml_dsa": {
      "algorithm": "ML-DSA-65",
      "public_key_hash": "d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4",
      "signature_hex": "3045022100...truncated"
    },
    "falcon": {
      "algorithm": "FALCON-512",
      "public_key_hash": "e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5",
      "signature_hex": "3082...truncated"
    },
    "slh_dsa": {
      "algorithm": "SLH-DSA-SHA2-128f-simple",
      "public_key_hash": "f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6",
      "signature_hex": "3081...truncated"
    }
  },
  "verification_manifest": {
    "proof_profile": "HATS-PROFILE-PQ-SHA3-256-v1",
    "hash_algorithm": "SHA3-256",
    "serialization_version": 1,
    "expected_status": "VERIFIED",
    "node_count": 2,
    "edge_count": 1
  }
}

9. Canonical Invalid Example

Invalid Governance Proof Bundle
{
  "bundle_version": "1.0.0",
  "produced_by": "tenant-acme-corp-001",
  "produced_at": "2026-05-22T12:00:00Z",
  "governance_graph": {
    "nodes": [
      {
        "node_id": "d1e2f3a4-b5c6-7890-d1e2-f3a4b5c67890",
        "node_type": "POLICY",
        "hash": "c3ab8ff13720e8ad9047dd39466b3c8974e592c2fa383d4a3960714caef0c4f2",
        "timestamp": "2026-05-22T11:59:50Z"
      }
    ],
    "edges": [
      {
        "source": "e2f3a4b5-c6d7-8901-e2f3-a4b5c6d78901",  // ERROR: node_id not in nodes array
        "target": "d1e2f3a4-b5c6-7890-d1e2-f3a4b5c67890",
        "edge_type": "DEPENDS_ON"
      }
    ],
    "root_hash": "b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5"
  },
  "signature_bundle": {
    "ml_dsa": {
      "algorithm": "ML-DSA-65",
      "public_key_hash": "d4e5f6a7b8c9d0e1",  // ERROR: not 64 hex chars
      "signature_hex": "3045022100"
    }
    // ERROR: missing falcon and slh_dsa
  },
  "verification_manifest": {
    "proof_profile": "HATS-PROFILE-PQ-SHA3-256-v1",
    "hash_algorithm": "SHA-256",  // ERROR: must be SHA3-256
    "serialization_version": 0  // ERROR: minimum is 1
  }
}

10. Bundle Verification Flow

  1. Schema validation. Validate the bundle against the JSON Schema in Section 4.
  2. Manifest consistency. Verify verification_manifest.node_count equals the length of governance_graph.nodes. Likewise, verify verification_manifest.edge_count equals the length of governance_graph.edges.
  3. Graph integrity. Verify all edge references are valid. Verify no cycles. Verify every node hash by recomputation.
  4. Root hash. Recompute the root hash from the canonical graph serialization. Compare to governance_graph.root_hash.
  5. Signature verification. Verify all three signatures in signature_bundle against governance_graph.root_hash.
  6. Replay (if frames present). For each frame in order: re-execute the decision logic with the frame's inputs and verify output_hash matches. Report DETERMINISTIC or DIVERGENT per frame.
  7. Final status. VERIFIED if all checks pass. PARTIAL if graph and signatures pass but replay diverges on some frames. FAILED if signatures or root hash fail.
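
The JSON Schema in Section 4 cannot express the cross-reference rules in steps 2 and 3 or the frame and signature-family rules from Sections 5 and 6, so a verifier has to code them. The Python below is an added example, not code from H33.ai: it takes a parsed bundle and returns the matching Section 11 failure codes. Node-hash and root-hash recomputation and signature verification are left out because the page does not define the canonical serialization. The function name, the short node ids in the sample, and reporting a mislabelled signature slot as SIGNATURE_MISSING are assumptions.

```python
FAMILIES = {"ml_dsa": "ML-DSA-65", "falcon": "FALCON-512",
            "slh_dsa": "SLH-DSA-SHA2-128f-simple"}

def structural_failures(bundle):
    """Section 11 failure codes for the checks JSON Schema cannot express."""
    graph, codes = bundle["governance_graph"], set()
    ids = {n["node_id"] for n in graph["nodes"]}
    manifest = bundle["verification_manifest"]
    # Step 2: the counts are optional in the schema, so compare only when present.
    for key, actual in (("node_count", len(graph["nodes"])),
                        ("edge_count", len(graph["edges"]))):
        if key in manifest and manifest[key] != actual:
            codes.add("MANIFEST_MISMATCH")
    # Step 3: both endpoints of every edge must be declared nodes.
    adj, indeg = {i: [] for i in ids}, {i: 0 for i in ids}
    for e in graph["edges"]:
        if e["source"] in ids and e["target"] in ids:
            adj[e["source"]].append(e["target"])
            indeg[e["target"]] += 1
        else:
            codes.add("DANGLING_EDGE")
    # Step 3: Kahn's algorithm; nodes that are never freed sit on a cycle.
    ready = [i for i in ids if indeg[i] == 0]
    freed = 0
    while ready:
        freed += 1
        for t in adj[ready.pop()]:
            indeg[t] -= 1
            if indeg[t] == 0:
                ready.append(t)
    if freed != len(ids):
        codes.add("GRAPH_CYCLE")
    # Section 5: each replay frame must point at a declared node.
    if any(f["node_id"] not in ids for f in bundle.get("replay_frames", [])):
        codes.add("FRAME_ORPHAN")
    # Section 6: each slot must carry its own family. Treating a slot whose
    # algorithm string names another family as missing is this example's assumption.
    sigs = bundle.get("signature_bundle", {})
    if any(sigs.get(k, {}).get("algorithm") != a for k, a in FAMILIES.items()):
        codes.add("SIGNATURE_MISSING")
    return sorted(codes)

# Constructed sample: short ids stand in for UUIDs; hashes and signature bytes omitted.
SAMPLE = {
    "governance_graph": {"nodes": [{"node_id": "policy"}, {"node_id": "decision"}],
                         "edges": [{"source": "decision", "target": "policy"},
                                   {"source": "decision", "target": "ghost"}]},
    "replay_frames": [{"node_id": "ghost"}],
    "signature_bundle": {"ml_dsa": {"algorithm": "ML-DSA-65"}},
    "verification_manifest": {"node_count": 2, "edge_count": 1},
}
```

Run these checks after schema validation and before any signature work, so a bundle with dangling references is rejected without spending time on three PQ verifications.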

11. Failure Modes

| Failure Code | Description | Severity |
|---|---|---|
| SCHEMA_INVALID | Bundle does not conform to the JSON Schema. | Fatal |
| ROOT_HASH_MISMATCH | Recomputed root hash does not match governance_graph.root_hash. | Fatal |
| SIGNATURE_INVALID | One or more signatures fail verification. | Fatal |
| SIGNATURE_MISSING | Fewer than three signature families in signature_bundle. | Fatal |
| DANGLING_EDGE | An edge references a non-existent node. | Fatal |
| GRAPH_CYCLE | The governance graph contains a cycle. | Fatal |
| NODE_HASH_MISMATCH | A node's hash does not match recomputation. | Fatal |
| REPLAY_DIVERGENT | A replay frame's recomputed output does not match output_hash. | Warning |
| MANIFEST_MISMATCH | node_count or edge_count in manifest does not match actual counts. | Warning |
| FRAME_ORPHAN | A replay frame references a node_id not in the graph. | Fatal |