{"request_id":"req_b2245ddc2331cf9c","protocol":"TrigGuard","protocol_slug":"trigguard","authority":"trigguard-ai","version":"1.0","decision_states":["PERMIT","DENY","SILENCE"],"vectors":[{"name":"valid_receipt_permit","description":"POST /protocol/verify-receipt with this body returns valid:true (shape check only).","input":{"receipt":{"decision":"PERMIT","timestamp":"2026-01-01T00:00:00.000Z"}},"expected_decision":"PERMIT","expected_verify_receipt":{"valid":true}},{"name":"valid_receipt_deny_shape","description":"Receipt with DENY still passes minimal shape check (decision + timestamp present).","input":{"receipt":{"decision":"DENY","timestamp":"2026-01-01T00:00:00.000Z","reason_code":"POLICY_VIOLATION"}},"expected_decision":"DENY","expected_verify_receipt":{"valid":true}},{"name":"invalid_signature_deny","description":"Conceptual SDK check: bogus signature material must not verify (verify-signature returns valid:false).","input":{"payload":{"example":true},"signature":"invalid_example","public_key":"invalid_or_wrong_key"},"expected_decision":"DENY"},{"name":"valid_verify_signature_rsa_sha256","description":"POST /protocol/verify-signature with this body returns valid:true (RSA-SHA256 over canonicalize(payload)).","algorithm":"RSA-SHA256","input":{"payload":{"surface":"deploy.release","action":"test","timestamp":"2026-03-22T00:00:00.000Z"},"signature":"igDXBL9osG1G5G8nkV5ogSd6D29JGSs/6fzQbmUVQZh4Mhvb9Br4UFcoElykeUppXEqJ1JVhyXb7XDqFWICqZQsGsLXqJazJIj2jcTnmOJ2xSzUijy0qejrmIvAAgk2W+Ia9hyglXuszD5cttWzXmPAWt+ck5rg3KszmxDDU6T9lpK6wTp5Ea5TXyRE2jnMV/mOjXimovDNNmeJMvyukYj7HvF+VsVDK6tCdhmyc3M8mS4F77cnBOYDn4NU3A4WIgcNwVAChsOaLVbYs4Vbcx+XspL9LmUws1CY8a0UIOffrdOCzTJpRY/ZqsaWYwnCGV29FaXE4Xb3KDxXQh+Tx0Q==","public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAui2gyn2f01nY5q9DZzXa\nNo5kwoJnHi2FPiCLcaCET61DYB+yVrKyndl0Va4oDyme1l1Vfaz4S+kqzLW8+yPr\njvgG1wG+PUPwhbBGOXFU3rbdPTUTNszXa0B2rEWp5Hb/tIaW3aX2ofVo+eHYWvwq\nJA+rnCD7/yiY9AuipdnOSIbsor97U2qsVcNpv+TF2HSu+SCAyU3QtCtYJ5CLJDq0\n2XZ2yBugr5z35Bzln80TpBRCz6jrE1t4yHdQeTW6gFtLracdtkdudZiR6E1IBmee\nYaTLgl2UZqmEhZAgonSLG07ZdE0fUEokw2eRPkYAxOcbwDTFZ2MLeesxtPHLa2sd\nrQIDAQAB\n-----END PUBLIC KEY-----"},"expected_verify_signature":{"valid":true}}],"verify_signature_post_body_example":{"payload":{"surface":"deploy.release","action":"test","timestamp":"2026-03-22T00:00:00.000Z"},"signature":"igDXBL9osG1G5G8nkV5ogSd6D29JGSs/6fzQbmUVQZh4Mhvb9Br4UFcoElykeUppXEqJ1JVhyXb7XDqFWICqZQsGsLXqJazJIj2jcTnmOJ2xSzUijy0qejrmIvAAgk2W+Ia9hyglXuszD5cttWzXmPAWt+ck5rg3KszmxDDU6T9lpK6wTp5Ea5TXyRE2jnMV/mOjXimovDNNmeJMvyukYj7HvF+VsVDK6tCdhmyc3M8mS4F77cnBOYDn4NU3A4WIgcNwVAChsOaLVbYs4Vbcx+XspL9LmUws1CY8a0UIOffrdOCzTJpRY/ZqsaWYwnCGV29FaXE4Xb3KDxXQh+Tx0Q==","public_key":"-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAui2gyn2f01nY5q9DZzXa\nNo5kwoJnHi2FPiCLcaCET61DYB+yVrKyndl0Va4oDyme1l1Vfaz4S+kqzLW8+yPr\njvgG1wG+PUPwhbBGOXFU3rbdPTUTNszXa0B2rEWp5Hb/tIaW3aX2ofVo+eHYWvwq\nJA+rnCD7/yiY9AuipdnOSIbsor97U2qsVcNpv+TF2HSu+SCAyU3QtCtYJ5CLJDq0\n2XZ2yBugr5z35Bzln80TpBRCz6jrE1t4yHdQeTW6gFtLracdtkdudZiR6E1IBmee\nYaTLgl2UZqmEhZAgonSLG07ZdE0fUEokw2eRPkYAxOcbwDTFZ2MLeesxtPHLa2sd\nrQIDAQAB\n-----END PUBLIC KEY-----"},"signature_canonicalization":"verify-signature hashes RSA-SHA256 over canonicalize(payload): compact JSON built by sorting object keys recursively (see authority verification/canonicalize.ts). Same logical payload must produce identical bytes in every SDK. Optional: omit public_key when TRIGGUARD_PUBLIC_KEY is set on the authority.","notes":"Use vectors to align client parsing with authority responses. Root decision_states matches the central enum. valid_verify_signature_rsa_sha256 uses a published conformance keypair (not production secrets)."}