AP2 mandates (Intent / Cart / Payment) are verifiable credentials: the signature proves who authorized and what was authorized. The embedded timestamp, though, is asserted by the signer. For chargeback and audit, the contested question is often when: did this mandate exist before the disputed charge, before a price change, before a revocation? A self-asserted clock is weak evidence against a motivated counterparty.
This is distinct from the post-checkout action record in #290 and the settlement-side bindings in #255 / #224. Those record what happened after authorization. The proposal here anchors the authorization artifact itself, and is orthogonal to all of them.
Proposal: attach an optional markovian-provenance/v1 commitment to a mandate as an extension, carried outside the signed bytes so it never affects VC verification. The issuer hashes the canonical mandate, POSTs the hash to an external service, and stores the returned record (a Merkle root plus a BN128 Pedersen commitment, anchored to Bitcoin with a block height). Later, any verifier re-hashes the mandate and checks the anchor with no account. The VC proves who, the anchor adds an independent proof of when.
Honest boundary: this is provenance, not truth. It proves a mandate existed at a point in time, it does not validate the payment, the authority, or the agent's behavior. It is additive, not a replacement for the signature or any settlement attestation, and it requires no change to the mandate schema (an extension field only).
Shape: POST sha256(canonical mandate) to https://api.quantsynth.net/stamp, store {merkle_root, block_height, verify_url} as a mandate extension, verify later at /verify/<root>.
Repo (Apache-2.0): https://github.com/MarkovianProtocol/markovian-protocol
Site: https://markovianprotocol.com
AP2 mandates (Intent / Cart / Payment) are verifiable credentials: the signature proves who authorized and what was authorized. The embedded timestamp, though, is asserted by the signer. For chargeback and audit, the contested question is often when: did this mandate exist before the disputed charge, before a price change, before a revocation? A self-asserted clock is weak evidence against a motivated counterparty.
This is distinct from the post-checkout action record in #290 and the settlement-side bindings in #255 / #224. Those record what happened after authorization. The proposal here anchors the authorization artifact itself, and is orthogonal to all of them.
Proposal: attach an optional
markovian-provenance/v1commitment to a mandate as an extension, carried outside the signed bytes so it never affects VC verification. The issuer hashes the canonical mandate, POSTs the hash to an external service, and stores the returned record (a Merkle root plus a BN128 Pedersen commitment, anchored to Bitcoin with a block height). Later, any verifier re-hashes the mandate and checks the anchor with no account. The VC proves who, the anchor adds an independent proof of when.Honest boundary: this is provenance, not truth. It proves a mandate existed at a point in time, it does not validate the payment, the authority, or the agent's behavior. It is additive, not a replacement for the signature or any settlement attestation, and it requires no change to the mandate schema (an extension field only).
Shape:
POST sha256(canonical mandate)tohttps://api.quantsynth.net/stamp, store{merkle_root, block_height, verify_url}as a mandate extension, verify later at/verify/<root>.Repo (Apache-2.0): https://github.com/MarkovianProtocol/markovian-protocol
Site: https://markovianprotocol.com