Variant · Reciprocal Reliance
Reciprocal Reliance Envelope™
Exchanged between two parties that both rely on each other. Each party re-checks Resolver before reliance and applies its own local policy.
When this envelope is exchanged
- Two operators rely on each other and both need machine-readable guidance.
- A platform routes between two MCP servers or two agents that must verify each other before any high-risk action.
Example envelope
Reciprocal Reliance Envelope (illustrative)
{
"schema_version": "action-envelope-v1",
"envelope_type": "reciprocal_reliance",
"target_type": "agent_credential",
"target_value": "<ECZ-XX-XXXXXX::AGENT-XXXXXX>",
"result_state": "RESOLVER_VERIFIABLE",
"reason_codes": [],
"resolver_url": "https://resolver.ecocitizenz.org/p/<...>",
"machine_json_url": "https://resolver.ecocitizenz.org/p/<...>.json",
"recommended_next_steps": [
"Both parties re-check Resolver before reliance.",
"Each side applies its own local policy."
],
"developer_guidance_url": "https://developers.ecocitizenz.com/action-envelope/reciprocal-reliance",
"policy_mode": "REQUIRE",
"local_policy_decides": true,
"recheck_before_reliance": true,
"no_safety_or_approval_inference": true
}Action Envelope field reference
| Field | Type | Purpose |
|---|---|---|
| schema_version | string | Envelope schema version, for example action-envelope-v1. |
| envelope_type | string | One of resolver, mcp, agent, reciprocal_reliance. |
| target_type | string | What is being checked, for example mcp_server, agent_credential, api_passport, package, domain, sbom. |
| target_value | string | Canonical identifier or URL for the target. |
| result_state | enum | One of the 18 canonical ResultStates. |
| reason_codes | string[] | Granular reason codes that explain the ResultState. |
| resolver_url | string | Public Resolver URL for the target, where available. |
| machine_json_url | string | Machine-readable JSON URL for the target, where available. |
| recommended_next_steps | string[] | Suggested next steps for the relying party. Guidance only. |
| trustops_action_url | string | TrustOps handoff URL for setup or lifecycle, where applicable. |
| developer_guidance_url | string | Developer Gateway guidance URL for the target type. |
| policy_mode | enum | OPEN, PREFER, or REQUIRE — the relying party local policy mode. |
| local_policy_decides | boolean | Always true. The relying party decides the outcome locally. |
| recheck_before_reliance | boolean | Always true. Re-check Resolver before any high-risk action. |
| no_safety_or_approval_inference | boolean | Always true. The envelope is not a safety or approval claim. |
The envelope is not proof authority
An Action Envelope is a transport for guidance. It carries a ResultState and ReasonCodes, points at the Resolver for proof, and points at TrustOps for setup. It is not itself proof authority. Resolver remains the public proof surface for current state.
No overclaim posture
- No public resolver proof found yet does not mean unsafe.
- Re-check before reliance.
- Local policy decides.
- The verifier does not create or change verification state.
ECZ-ID separates setup, verification state, and public proof so operators can prepare evidence and relying parties can re-check before they act. TrustOps handles setup. Resolver remains the public proof surface. The verifier does not create or change verification state. Start setup in TrustOps when you operate the target. Share resolver guidance when you do not. Local policy decides. Re-check before reliance.