Canonical vocabulary · ReasonCodes
MCP / KYA Reason Codes
Granular reason codes that accompany a ResultState. ResultState is the broad public state. ReasonCode gives the granular explanation.
How ResultState and ReasonCode work together
ResultState is the broad public state — for example NO_PUBLIC_RESOLVER_PROOF_FOUND or MISMATCH. ReasonCode gives the granular explanation — for example MANIFEST_NOT_FOUND, MANIFEST_HASH_MISMATCH, or KEYSET_HASH_MISMATCH. Verifiers must always emit both.
Reason code reference
| Reason code | Group | Meaning |
|---|---|---|
| OPERATOR_PROOF_NOT_FOUND | Operator | No public Resolver proof was found for the declared parent operator ECZ-ID. |
| ORIGIN_PROOF_NOT_FOUND | Operator | No proof binding the declared origin to the parent ECZ-ID was found. |
| MANIFEST_NOT_FOUND | Manifest | The declared .well-known manifest could not be fetched. |
| MANIFEST_HASH_MISMATCH | Manifest | The observed manifest hash does not match the canonical declared hash. |
| AGENT_CREDENTIAL_NOT_FOUND | Agent | No public Resolver proof was found for the declared Agent Credential. |
| API_PASSPORT_NOT_FOUND | API | No public Resolver proof was found for the declared API Passport. |
| API_PASSPORT_MISMATCH | API | The API Passport reference points at an origin or spec that does not match the canonical record. |
| IDENTITY_CONTINUITY_NOT_FOUND | Continuity | No public Identity Continuity proof was found across the referenced lifecycle. |
| SOFTWARE_SUPPLY_CHAIN_PROOF_NOT_FOUND | Supply chain | No public software supply chain / SBOM proof was found for the referenced release. |
| KEYSET_HASH_MISMATCH | Cryptography | The observed JWKS / keyset hash does not match the canonical declared hash. |
| PULSEGUARD_STALE | Liveness | Operator liveness pulse (PulseGuard) is stale beyond policy. |
| REVOKED_PARENT | Lifecycle | The parent ECZ-ID is currently revoked. |
| REVOKED_AGENT_CREDENTIAL | Lifecycle | The Agent Credential is currently revoked. |
| SUSPENDED_API_PASSPORT | Lifecycle | The API Passport is currently suspended. |
| DECLARED_PARENT_CANNOT_ACTIVATE | Role-split | The declared parent tier cannot activate the requested binding without an upgrade in TrustOps. |
| EXTERNAL_COMMERCE_CANNOT_ACTIVATE_PROOF | Role-split | External subscription or commerce surfaces handle acquisition only. They cannot create or change verification state. |
| TRUSTOPS_CANNOT_MARK_BOUND | Role-split | TrustOps handles setup and lifecycle. It does not itself create or change verification state on the public proof surface. |
| RESOLVER_READ_ONLY | Role-split | Resolver is public read-only proof. It cannot accept setup, checkout, or directory queries. |
| MARKETPLACE_CHECKOUT_NOT_ALLOWED | Role-split | Developer Gateway and verifiers do not host checkout. Route commercial CTAs to TrustOps. |
| LOCAL_POLICY_DECIDES | Policy | The relying party policy decides whether to allow, warn, or require based on the reported ResultState and ReasonCodes. |
No overclaim posture
- No public resolver proof found yet does not mean unsafe.
- Re-check before reliance.
- Local policy decides.
- The verifier does not create or change verification state.
ECZ-ID separates setup, verification state, and public proof so operators can prepare evidence and relying parties can re-check before they act. TrustOps handles setup. Resolver remains the public proof surface. The verifier does not create or change verification state. Start setup in TrustOps when you operate the target. Share resolver guidance when you do not. Local policy decides. Re-check before reliance.