UC-022: Deny Receipt Verification
Layer: C — Verifiable Receipts
Threat: Audit Gap / Unverifiable Actions
Scenario
After a series of tool calls including denials, the deny receipts are exported and verified to confirm they are cryptographically valid and tamper-proof.
Expected Behavior
- Every denied call produces a signed receipt (not just silently dropped)
- Deny receipts include: reason code, ArgsHash, DecisionID, timestamp
- Deny receipts are Ed25519-signed and part of the ProofGraph DAG
- EvidencePack export includes deny receipts
Pass Criteria
- Deny receipt: valid Ed25519 signature
- Deny receipt: correct reason code matches denial reason
- Deny receipt: present in ProofGraph DAG with correct causal ordering
- EvidencePack: `helm verify --bundle` passes with deny receipts included
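
The three receipt-level pass criteria above, as an added Go example (not HELM's own code or receipt schema). The `Receipt` layout, the JSON signing payload, the `VerifyDeny` and `Sign` names, and the `POLICY_VIOLATION` reason code are assumptions made for illustration; the key is a constructed test key.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Receipt is a hypothetical layout for this example, not HELM's real schema.
type Receipt struct {
	DecisionID, Verdict, ReasonCode, ArgsHash string
	Timestamp                                 int64
	Parents                                   []string // DecisionIDs this node causally follows
	Sig                                       []byte   `json:"-"` // Ed25519 over the JSON of the other fields
}

func payload(r Receipt) []byte { b, _ := json.Marshal(r); return b }

// Sign only builds constructed sample receipts for the example.
func Sign(k ed25519.PrivateKey, r Receipt) Receipt { r.Sig = ed25519.Sign(k, payload(r)); return r }

// VerifyDeny checks receipts in export order; want maps each denied DecisionID to its expected reason code.
func VerifyDeny(pub ed25519.PublicKey, chain []Receipt, want map[string]string) error {
	seen := map[string]int64{}
	for _, r := range chain {
		if !ed25519.Verify(pub, payload(r), r.Sig) {
			return fmt.Errorf("%s: invalid signature", r.DecisionID)
		}
		for _, p := range r.Parents { // a parent must be exported earlier and not be newer
			if ts, ok := seen[p]; !ok || ts > r.Timestamp {
				return fmt.Errorf("%s: parent %s breaks causal order", r.DecisionID, p)
			}
		}
		if r.Verdict == "DENY" && r.ReasonCode != want[r.DecisionID] {
			return fmt.Errorf("%s: reason code %q unexpected", r.DecisionID, r.ReasonCode)
		}
		seen[r.DecisionID] = r.Timestamp
	}
	for id := range want { // a silently dropped denial leaves no receipt
		if _, ok := seen[id]; !ok {
			return fmt.Errorf("%s: denied call has no receipt", id)
		}
	}
	return nil
}

func main() {
	k := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // constructed test key, never for real use
	deny := Sign(k, Receipt{DecisionID: "d2", Verdict: "DENY", ReasonCode: "POLICY_VIOLATION", ArgsHash: "sha256:bb", Timestamp: 101})
	fmt.Println(VerifyDeny(k.Public().(ed25519.PublicKey), []Receipt{deny}, map[string]string{"d2": "POLICY_VIOLATION"}))
}
```

Because the signature covers the reason code, ArgsHash, DecisionID, timestamp and parent links together, editing any of them after export fails the first check before the reason-code or ordering checks are reached.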