Spec. Normative. Verifiable. Industrial.
RPO defines a deterministic probative bundle: a sealed JSON core + a human-readable preview + a public hash. It is designed for institutional environments where decisions must remain reconstructible at Moment T.
1. Scope & non-goals
RPO v0.1 defines a minimal, deterministic bundle format used to preserve the integrity and reconstructibility of a decision record at Moment T. It standardizes what is sealed, how it is hashed, and how third parties verify integrity.
Non-goals
- RPO does not determine truth or falsity.
- RPO does not require machine learning or interpretation.
- RPO does not replace legal judgment or institutional governance.
2. Bundle layout
The RPO bundle MUST contain the following artifacts:
| Artifact | Required | Purpose |
|---|---|---|
core.json |
YES (MUST) | Sealed, deterministic decision core (hashed). |
preview.txt (or preview.md) |
YES (MUST) | Human-readable rendering for institutional review (not hashed in v0.1). |
public_hash.txt |
YES (MUST) | SHA-256 of the canonical serialized core.json. |
manifest.json |
OPTIONAL (MAY) | Bundle metadata, additional file hashes, provenance hints. |
3. Normative keywords
The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” are to be interpreted as described in RFC 2119.
4. Sealed core schema (core.json)
The sealed core MUST be valid JSON encoded in UTF-8.
Keys defined as REQUIRED MUST be present.
Implementations MAY add extension keys under extensions without breaking compatibility.
| Field | Type | Required | Meaning |
|---|---|---|---|
rpo_version |
string | MUST | Spec version identifier (e.g. "0.1"). |
mode |
string | MUST | "deterministic" for v0.1. |
context |
string | MUST | Context key (domain profile). Context changes lexicon/visibility rules, not structure. |
decision_type |
string | MUST | Decision category (e.g. workforce, compliance, incident governance). |
scope |
string | MUST | Organizational perimeter (sites/entities). |
authority |
string | MUST | Institutional authority responsible for the record (not necessarily the decision maker). |
moment_t |
string (date) | MUST | Reference date for reconstructibility (Moment T). Format: YYYY-MM-DD. |
owner |
string | MUST | Record owner (e.g. HR, IT, SEC, LEGAL, COMEX). |
sla_hours |
number | MUST | SLA for institutional reaction and record completion. |
deadline |
string | MUST | Deadline for action/closure. Recommended format: ISO 8601 local YYYY-MM-DD HH:MM. |
declared_sources |
array(string) | MUST | Declared evidence sources (e.g. HRIS, LMS, OPS, SEC, LEGAL, EXT). Sorted recommended. |
coverage_pct |
number | MUST | Deterministic coverage percentage (rule-based). |
missing_sources |
array(string) | MUST | Missing declared sources (explicit blockers). |
defensibility |
object | MUST | Defensibility label and score (rule-based). |
institutional_exposure |
string | MUST | Exposure band (LOW/MEDIUM/HIGH) derived from deterministic rules. |
escalation_path |
object | MUST | Governance actions implied by exposure/defensibility bands. |
lineage |
object | SHOULD | Minimal lineage hints (extract id, steward, attributable). |
quality_checks |
object | SHOULD | Deterministic proxies: freshness, completeness, drift, duplicates. |
invariants |
object | MUST | Explicit invariants (e.g. no_ai, hash_means_integrity_not_truth). |
extensions |
object | MAY | Forward-compatible extensions (namespaced). |
5. Canonical serialization
The public hash MUST be computed on a canonical serialization of core.json.
In v0.1, the canonical form is defined as:
- UTF-8 encoding
- No insignificant whitespace
- Stable key ordering: lexicographic ascending order for all object keys
- Arrays preserve order as written
6. Hashing (SHA-256)
The hash algorithm for v0.1 is SHA-256.
Implementations MUST output a lowercase hexadecimal digest in public_hash.txt.
7. Verification procedure
- Load
core.json. - Produce canonical serialization per §5.
- Compute SHA-256 digest per §6.
- Compare with
public_hash.txt. - If equal: integrity verified. If not: core was altered.
8. Conformance & test vectors
An implementation is RPO v0.1 compliant if it: (1) produces a valid sealed core per §4, (2) canonicalizes per §5, (3) hashes per §6, and (4) verifies per §7.
Test vectors and expected hashes are provided in the Tests page. Example bundles are provided in Examples.
9. Security considerations
- Tampering: altering
core.jsonchanges the hash; verification fails. - Replay: integrity does not imply freshness. Use
moment_t,deadline, and institutional governance to prevent stale replays. - Attribution: v0.1 provides integrity, not authorship. Signature support is planned for v0.2.
10. Versioning & forward compatibility
rpo_versionMUST be present and used for parsing.- Implementations SHOULD ignore unknown keys under
extensions. - Breaking changes require a new major version.