{ "schema_version": "satgate.evidence_pack.v1", "evidence_pack_id": "ep_demo_2026_05_10_001", "environment": "demo", "pack_type": "public_demo_redacted", "issued_at": "2026-05-10T14:26:31Z", "valid_from": "2026-05-10T14:22:31Z", "expires_at": "2026-05-17T14:26:31Z", "tenant": { "id": "tenant_acme_finance", "name": "Acme Finance", "region": "us-east-1" }, "subject": { "id": "agent:invoice-reconciler-worker", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Invoice reconciler worker", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_worker_token_fingerprint" }, "purpose": "Friday invoice reconciliation and export review", "issuer": { "id": "service:satgate-evidence-exporter", "kind": "service_account", "tenant_id": "satgate", "display_name": "SatGate Evidence Exporter", "issuer_kid": "satgate-evidence-demo-2026-05" }, "policy_snapshot": { "policy_id": "pol_invoice_reconciliation", "policy_version": "2026-05-10.7", "policy_digest": "sha256:demo_policy_digest_v7", "policy_name": "Invoice reconciliation worker policy", "mode": "Control", "decision_model": "authority_before_execution", "matched_rules": [ "allow_invoice_read_search", "deny_customer_data_export", "deny_when_budget_exhausted", "deny_when_revoked" ], "obligations": [ "record_receipt", "update_budget_ledger", "preserve_paid_rail_context" ] }, "budget_snapshot": { "budget_id": "bud_FIN_AP_042", "owner": "finance-automation", "cost_center": "FIN-AP-042", "currency": "USD", "unit_precision": 2, "root_limit": "25.00", "delegated_limit": "3.00", "spent": "0.78", "remaining": "0.00", "reset_window": "2026-05-10T00:00:00Z/2026-05-11T00:00:00Z", "exhausted": true, "ledger_root": "sha256:demo_budget_ledger_root" }, "authority_chain": [ { "grant_id": "grant_demo_root_001", "kind": "root_grant", "subject": { "id": "agent:dean-finance-automation", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Dean finance automation", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_parent_token_fingerprint" }, "issuer": { "id": "human:security-admin", "kind": "human", "tenant_id": "tenant_acme_finance", "display_name": "Security admin", "authn_method": "sso" }, "issuer_kid": "satgate-mint-demo-2026-05", "token_id": "tok_demo_parent", "token_fingerprint": "sha256:demo_parent_token_fingerprint", "scope": [ "invoices:read", "invoices:search", "mcp:invoice-tools", "mcp:document-ai" ], "effective_scope": [ "invoices:read", "invoices:search", "mcp:invoice-tools", "mcp:document-ai" ], "caveats": [ { "type": "tenant", "op": "eq", "value": "tenant_acme_finance" }, { "type": "budget_usd", "op": "lte", "value": "25.00" }, { "type": "delegation_depth", "op": "lte", "value": 1 }, { "type": "expires_at", "op": "lte", "value": "2026-05-10T15:22:31Z" } ], "delegation_depth_current": 0, "delegation_depth_max": 1, "budget_limit": "25.00", "expires_at": "2026-05-10T15:22:31Z", "receipt_hash": "sha256:bfabcfda2a24d28370627598c31d57fc4c46516df771af1152367a4c56a94d7f" }, { "grant_id": "grant_demo_child_001", "kind": "delegation", "delegation_id": "del_demo_001", "parent_grant_id": "grant_demo_root_001", "subject": { "id": "agent:invoice-reconciler-worker", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Invoice reconciler worker", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_worker_token_fingerprint" }, "parent_subject": { "id": "agent:dean-finance-automation", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Dean finance automation", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_parent_token_fingerprint" }, "issuer": { "id": "agent:dean-finance-automation", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Dean finance automation", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_parent_token_fingerprint" }, "token_id": "tok_demo_worker", "token_fingerprint": "sha256:demo_worker_token_fingerprint", "parent_token_id": "tok_demo_parent", "scope_before": [ "invoices:read", "invoices:search", "mcp:invoice-tools", "mcp:document-ai" ], "effective_scope": [ "invoices:read", "invoices:search", "mcp:document-ai.ocr" ], "caveats_added": [ { "type": "budget_usd", "op": "lte", "value": "3.00" }, { "type": "deny", "op": "eq", "value": "customer_data_export" }, { "type": "route_prefix", "op": "eq", "value": "/v1/invoices" } ], "delegation_depth_current": 1, "delegation_depth_max": 1, "budget_limit": "3.00", "budget_carved": "3.00", "expires_at": "2026-05-10T15:22:31Z", "attenuation_proof": { "scope_after_subset_of_before": true, "budget_within_parent": true, "depth_within_limit": true, "expiry_no_later_than_parent": true }, "receipt_hash": "sha256:7fa4779a47bbd10d30f0dc101cfc37259f149b9602662b675436bd616866708e" } ], "receipts": [ { "receipt_id": "rcpt_demo_001", "seq": 1, "type": "mint", "ts": "2026-05-10T14:22:31Z", "actor": { "id": "human:security-admin", "kind": "human", "tenant_id": "tenant_acme_finance", "display_name": "Security admin", "authn_method": "sso" }, "action": "mint_capability", "resource": "agent:dean-finance-automation", "result": "issued", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": null, "prev_receipt_hash": null, "reason_code": "root_capability_issued", "request_id": "req_demo_mint_001", "receipt_hash": "sha256:bfabcfda2a24d28370627598c31d57fc4c46516df771af1152367a4c56a94d7f" }, { "receipt_id": "rcpt_demo_002", "seq": 2, "type": "delegation", "ts": "2026-05-10T14:23:04Z", "actor": { "id": "agent:dean-finance-automation", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Dean finance automation", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_parent_token_fingerprint" }, "action": "delegate_capability", "resource": "agent:invoice-reconciler-worker", "result": "attenuated", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": null, "prev_receipt_hash": "sha256:bfabcfda2a24d28370627598c31d57fc4c46516df771af1152367a4c56a94d7f", "reason_code": "scope_budget_and_depth_attenuated", "delegation_id": "del_demo_001", "request_id": "req_demo_delegate_001", "receipt_hash": "sha256:7fa4779a47bbd10d30f0dc101cfc37259f149b9602662b675436bd616866708e" }, { "receipt_id": "rcpt_demo_003", "seq": 3, "type": "spend", "ts": "2026-05-10T14:23:18Z", "actor": { "id": "agent:invoice-reconciler-worker", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Invoice reconciler worker", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_worker_token_fingerprint" }, "action": "call_mcp_tool", "resource": "mcp:invoices.search", "result": "allowed", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": "led_demo_001", "prev_receipt_hash": "sha256:7fa4779a47bbd10d30f0dc101cfc37259f149b9602662b675436bd616866708e", "route": "/v1/invoices/search", "mcp_tool": "invoices.search", "amount": "0.18", "currency": "USD", "budget_remaining": "2.82", "payment_context_ref": "payctx_internal_ledger", "request_id": "req_demo_search_001", "receipt_hash": "sha256:9df4c4c272cd5db8ef2d49d1d1d4b4989d0287c83b6c0df95bb523e9fb9933da" }, { "receipt_id": "rcpt_demo_004", "seq": 4, "type": "spend", "ts": "2026-05-10T14:24:02Z", "actor": { "id": "agent:invoice-reconciler-worker", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Invoice reconciler worker", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_worker_token_fingerprint" }, "action": "call_api_route", "resource": "/v1/invoices/compare", "result": "allowed", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": "led_demo_002", "prev_receipt_hash": "sha256:9df4c4c272cd5db8ef2d49d1d1d4b4989d0287c83b6c0df95bb523e9fb9933da", "route": "/v1/invoices/compare", "amount": "0.42", "currency": "USD", "budget_remaining": "2.40", "payment_context_ref": "payctx_internal_ledger", "request_id": "req_demo_compare_001", "receipt_hash": "sha256:e9d86ea00d2ebd7f05965345c217cb3070fafc73f72d14f3e4f24627490d5f44" }, { "receipt_id": "rcpt_demo_005", "seq": 5, "type": "spend", "ts": "2026-05-10T14:24:44Z", "actor": { "id": "agent:invoice-reconciler-worker", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Invoice reconciler worker", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_worker_token_fingerprint" }, "action": "call_paid_tool", "resource": "mcp:document_ai.ocr", "result": "allowed", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": "led_demo_003", "prev_receipt_hash": "sha256:e9d86ea00d2ebd7f05965345c217cb3070fafc73f72d14f3e4f24627490d5f44", "route": "/v1/invoices/ocr", "mcp_tool": "document_ai.ocr", "amount": "0.18", "currency": "USD", "budget_remaining": "2.22", "payment_context_ref": "payctx_x402_001", "request_id": "req_demo_ocr_001", "receipt_hash": "sha256:bfaaf3e9c47247c9049e861347b3bd872b39da79d0d69b34f1e640c4e14b46a2" }, { "receipt_id": "rcpt_demo_006", "seq": 6, "type": "denial", "ts": "2026-05-10T14:25:08Z", "actor": { "id": "agent:invoice-reconciler-worker", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Invoice reconciler worker", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_worker_token_fingerprint" }, "action": "call_api_route", "resource": "/v1/invoices/export", "result": "blocked", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": null, "prev_receipt_hash": "sha256:bfaaf3e9c47247c9049e861347b3bd872b39da79d0d69b34f1e640c4e14b46a2", "route": "/v1/invoices/export", "reason_code": "scope_violation:no_customer_data_export", "request_id": "req_demo_export_001", "receipt_hash": "sha256:a0e106e1a3bd927bc1bc6898e981f1572796a19a02fee6438d217b7c2079dcd4" }, { "receipt_id": "rcpt_demo_007", "seq": 7, "type": "denial", "ts": "2026-05-10T14:25:33Z", "actor": { "id": "agent:invoice-reconciler-worker", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Invoice reconciler worker", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_worker_token_fingerprint" }, "action": "call_api_route", "resource": "/v1/invoices/reconcile", "result": "blocked", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": "led_demo_004", "prev_receipt_hash": "sha256:a0e106e1a3bd927bc1bc6898e981f1572796a19a02fee6438d217b7c2079dcd4", "route": "/v1/invoices/reconcile", "reason_code": "budget_exhausted", "budget_remaining": "0.00", "request_id": "req_demo_reconcile_001", "receipt_hash": "sha256:018cfea0f59352202f0a6b30b95a8d34431a46b1fd420a58f96c8507a7d0e98b" }, { "receipt_id": "rcpt_demo_008", "seq": 8, "type": "revocation", "ts": "2026-05-10T14:26:11Z", "actor": { "id": "human:security-admin", "kind": "human", "tenant_id": "tenant_acme_finance", "display_name": "Security admin", "authn_method": "sso" }, "action": "revoke_capability", "resource": "agent:invoice-reconciler-worker", "result": "revoked", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": null, "prev_receipt_hash": "sha256:018cfea0f59352202f0a6b30b95a8d34431a46b1fd420a58f96c8507a7d0e98b", "reason_code": "incident_review_stop_worker", "request_id": "req_demo_revoke_001", "receipt_hash": "sha256:92e2271c311706d2421b87a687ddd9684fe0b9a5de6b1b20212daa7d74af6d9e" }, { "receipt_id": "rcpt_demo_009", "seq": 9, "type": "post_revoke_denial", "ts": "2026-05-10T14:26:16Z", "actor": { "id": "agent:invoice-reconciler-worker", "kind": "agent", "tenant_id": "tenant_acme_finance", "display_name": "Invoice reconciler worker", "authn_method": "macaroon", "token_fingerprint": "sha256:demo_worker_token_fingerprint" }, "action": "call_mcp_tool", "resource": "mcp:invoices.search", "result": "blocked", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": null, "prev_receipt_hash": "sha256:92e2271c311706d2421b87a687ddd9684fe0b9a5de6b1b20212daa7d74af6d9e", "route": "/v1/invoices/search", "mcp_tool": "invoices.search", "reason_code": "capability_revoked", "request_id": "req_demo_after_revoke_001", "receipt_hash": "sha256:155a43784a059dd677ebe6bb84582ed93400b26abd646a2208cbc67772dc79b9" }, { "receipt_id": "rcpt_demo_010", "seq": 10, "type": "export", "ts": "2026-05-10T14:26:31Z", "actor": { "id": "auditor:acme", "kind": "human", "tenant_id": "tenant_acme_finance", "display_name": "Acme auditor", "authn_method": "sso" }, "action": "export_evidence_pack", "resource": "evidence_pack:ep_demo_2026_05_10_001", "result": "evidence_pack_issued", "policy_decision_ref": "dec_demo_invoice_policy_v7", "budget_ledger_ref": null, "prev_receipt_hash": "sha256:155a43784a059dd677ebe6bb84582ed93400b26abd646a2208cbc67772dc79b9", "reason_code": "auditor_request", "request_id": "req_demo_export_pack_001", "receipt_hash": "sha256:ffae1b076b8bb9a01969bb03645bd155f182bfa5be54b96855a21a9c3d844087" } ], "payment_context": { "rail_neutral": true, "default_market": "internal_enterprise_agents", "internal_rail": "enterprise_ledger", "external_rails": [ "x402", "l402", "api_key_billing", "enterprise_contract" ], "events": [ { "payment_context_id": "payctx_internal_ledger", "rail": "enterprise_ledger", "amount": "0.60", "currency": "USD", "cost_center": "FIN-AP-042", "settlement_status": "posted", "policy_decision_ref": "dec_demo_invoice_policy_v7" }, { "payment_context_id": "payctx_x402_001", "rail": "x402", "amount": "0.18", "currency": "USD", "provider": "document_ai", "settlement_reference": "redacted_demo_tx_hash", "settlement_reference_hash": "sha256:demo_redacted_x402_tx", "settlement_status": "settled", "policy_context": "payment proves value moved; SatGate proves the worker had scoped authority to move it" } ] }, "receipt_chain": { "canonicalization": "RFC8785-JCS", "hash_algorithm": "sha256", "chain_type": "linear_hash_chain", "first_receipt_hash": "sha256:bfabcfda2a24d28370627598c31d57fc4c46516df771af1152367a4c56a94d7f", "last_receipt_hash": "sha256:ffae1b076b8bb9a01969bb03645bd155f182bfa5be54b96855a21a9c3d844087", "receipt_count": 10, "chain_root": "sha256:0fbd3a9a2a686c4a7c9ec9d061d64d1c69d94c50adc674567bacfec647bc74d9" }, "redaction": { "applied": true, "profile": "public_demo", "applied_at": "2026-05-10T14:26:31Z", "applied_by": "service:satgate-evidence-exporter", "fields": [ "/payment_context/events/1/settlement_reference", "/authority_chain/*/token_fingerprint" ], "method": "masked_with_hash_commitments", "original_chain_root": "sha256:demo_original_chain_root_redacted", "redacted_chain_root": "sha256:0fbd3a9a2a686c4a7c9ec9d061d64d1c69d94c50adc674567bacfec647bc74d9", "proof_mode": "redacted_hash_commitments" }, "export": { "export_id": "exp_demo_001", "export_type": "public_demo", "requested_by": "auditor:acme", "exported_by": "service:satgate-evidence-exporter", "exported_at": "2026-05-10T14:26:31Z", "formats": [ "json", "pdf", "viewer" ], "included_receipt_range": "1-10", "redaction_profile": "public_demo", "completeness": "complete_demo_lifecycle", "download_uris": [ "https://satgate.io/evidence-packs/sample-evidence-pack.v1.json", "https://satgate.io/evidence-packs/sample-evidence-pack.pdf" ] }, "verification": { "verifiable": false, "reason": "Public demo fixture uses deterministic demo hashes and placeholder signature. Production exports sign the canonical Evidence Pack envelope and receipt chain root.", "algorithm": "ed25519 + sha256 linear receipt chain", "public_key_id": "satgate-evidence-demo-2026-05", "signed_payload": "canonical EvidencePackV1 envelope plus receipt_chain.chain_root", "verify_url": "https://satgate.io/evidence-pack-demo", "cli": "satgate-cli proof export --tenant tenant_acme_finance" }, "chain_root": "sha256:0fbd3a9a2a686c4a7c9ec9d061d64d1c69d94c50adc674567bacfec647bc74d9", "signature": "ed25519:REDACTED_DEMO_SAMPLE_DO_NOT_VERIFY" }