Developer Gateway · Action Envelope hub
Action Envelope — guidance transport for ECZ-ID
A canonical, machine-readable envelope that carries a ResultState, ReasonCodes, Resolver links, TrustOps links, and a policy_mode. Local policy decides. Re-check before reliance.
Why a single envelope shape
Verifiers, MCP servers, agents, and platforms all need to describe the same kind of observation in the same shape. The Action Envelope is that shape. It carries a ResultState, ReasonCodes, Resolver links, optional TrustOps links, a policy_mode, and three always-true safety flags: local_policy_decides, recheck_before_reliance, and no_safety_or_approval_inference.
The four envelope variants
- Resolver Action Envelope™ — produced when a public Resolver lookup is the source.
- MCP Action Envelope™ — produced by an MCP verifier check.
- Agent Action Envelope™ — produced by a KYA / Agent Credential check.
- Reciprocal Reliance Envelope™ — exchanged between two parties that both rely on each other.
Action Envelope field reference
| Field | Type | Purpose |
|---|---|---|
| schema_version | string | Envelope schema version, for example action-envelope-v1. |
| envelope_type | string | One of resolver, mcp, agent, reciprocal_reliance. |
| target_type | string | What is being checked, for example mcp_server, agent_credential, api_passport, package, domain, sbom. |
| target_value | string | Canonical identifier or URL for the target. |
| result_state | enum | One of the 18 canonical ResultStates. |
| reason_codes | string[] | Granular reason codes that explain the ResultState. |
| resolver_url | string | Public Resolver URL for the target, where available. |
| machine_json_url | string | Machine-readable JSON URL for the target, where available. |
| recommended_next_steps | string[] | Suggested next steps for the relying party. Guidance only. |
| trustops_action_url | string | TrustOps handoff URL for setup or lifecycle, where applicable. |
| developer_guidance_url | string | Developer Gateway guidance URL for the target type. |
| policy_mode | enum | OPEN, PREFER, or REQUIRE — the relying party local policy mode. |
| local_policy_decides | boolean | Always true. The relying party decides the outcome locally. |
| recheck_before_reliance | boolean | Always true. Re-check Resolver before any high-risk action. |
| no_safety_or_approval_inference | boolean | Always true. The envelope is not a safety or approval claim. |
The envelope is not proof authority
An Action Envelope is a transport for guidance. It carries a ResultState and ReasonCodes, points at the Resolver for proof, and points at TrustOps for setup. It is not itself proof authority. Resolver remains the public proof surface for current state.
No overclaim posture
- No public resolver proof found yet does not mean unsafe.
- Re-check before reliance.
- Local policy decides.
- The verifier does not create or change verification state.
ECZ-ID separates setup, verification state, and public proof so operators can prepare evidence and relying parties can re-check before they act. TrustOps handles setup. Resolver remains the public proof surface. The verifier does not create or change verification state. Start setup in TrustOps when you operate the target. Share resolver guidance when you do not. Local policy decides. Re-check before reliance.