AIIR as a GUAC-style ingestor

A public implementation note for making AIIR receipts queryable as attestation-derived source metadata in a graph.

Status: Draft public note. Narrow goal: make AIIR receipts queryable in a provenance graph without asking the graph to become a policy engine or adopt a new trust model.

Narrow goal

AIIR already produces structured receipts tied to commits. The graph-level opportunity is straightforward: ingest those receipts, or their in-toto-wrapped form, as source-change metadata so downstream queries can ask where declared AI involvement appears in a dependency path or repository history.

The cleanest first interoperability shape is an AIIR receipt wrapped in a standard in-toto Statement v1, with the AIIR commit receipt as the predicate. That keeps the first example inside GUAC's existing attestation ingestion path rather than inventing a custom graph surface first.

Public references: AIIR commit receipt predicate v2 and SPEC.md.

Minimum useful graph fields

A graph ingestor can normalize the AIIR receipt or the surrounding in-toto Statement into fields like:

  • Repository or source identifier
  • Commit SHA and receipt ID
  • Receipt content hash and optional signature state
  • Authorship class and declared signal set
  • Timestamp and generator information

For example, a normalized record for one commit might look like this (angle-bracket values are placeholders, and authorship_class takes one of the listed values):

  {
    "commit": "<sha>",
    "receipt_id": "<aiir receipt id>",
    "content_hash": "sha256:<...>",
    "authorship_class": "human | ai_assisted | ai_generated | bot",
    "signals": ["co-authored-by", "editor-context"],
    "verified": true
  }

Why this is a clean graph fit

  • The ingestor adds queryable metadata rather than redefining the surrounding attestation or policy surfaces.
  • The first example can reuse an in-toto Statement envelope instead of inventing a new ingestion shape.
  • Receipt verification stays in AIIR's domain, while graph traversal stays in the graph's domain.
  • The output supports operational questions such as which packages depend on source changes with declared AI involvement and valid receipts.
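As an added example, not code from the AIIR or GUAC projects: a minimal Python ingestor that validates an in-toto Statement v1 wrapping an AIIR receipt, flattens it into the fields listed above, and answers the operational question from the last bullet. The predicateType URI, the predicate field names and the sample statement are assumptions; the in-toto `_type`, `subject`, `digest.gitCommit` and `predicateType` fields are the real Statement v1 layout.

```python
import hashlib
import json

STATEMENT_V1 = "https://in-toto.io/Statement/v1"
# Assumed predicateType URI for AIIR commit receipts; the real URI is not given on this page.
AIIR_PREDICATE = "https://example.invalid/aiir/commit-receipt/v2"
AUTHORSHIP_CLASSES = {"human", "ai_assisted", "ai_generated", "bot"}

def content_hash(predicate):
    # Hash the canonical JSON of the receipt so the graph can de-duplicate records
    # and later compare them against a receipt re-fetched from the repository.
    canon = json.dumps(predicate, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canon).hexdigest()

def normalize(statement, signature_verified=False):
    """Map an in-toto Statement v1 carrying an AIIR receipt to a flat graph record."""
    if statement.get("_type") != STATEMENT_V1 or statement.get("predicateType") != AIIR_PREDICATE:
        raise ValueError("not an in-toto Statement v1 with an AIIR receipt predicate")
    subjects = statement.get("subject") or []
    commits = [s["digest"]["gitCommit"] for s in subjects if "gitCommit" in s.get("digest", {})]
    pred = statement.get("predicate") or {}
    # The receipt must name the commit the statement is about, or the graph attaches it to the wrong node.
    if len(commits) != 1 or pred.get("commit") != commits[0]:
        raise ValueError("statement subject and receipt commit disagree")
    if pred.get("authorship_class") not in AUTHORSHIP_CLASSES:
        raise ValueError("unknown authorship_class")
    return {
        "source": subjects[0]["name"], "commit": commits[0],
        "receipt_id": pred["receipt_id"], "content_hash": content_hash(pred),
        "authorship_class": pred["authorship_class"], "signals": sorted(pred.get("signals", [])),
        "timestamp": pred.get("timestamp"), "generator": pred.get("generator"),
        # Signature checking stays in AIIR's domain; the ingestor only records the outcome.
        "verified": bool(signature_verified),
    }

def ai_involved_commits(records):
    # The operational query from the note: commits with declared AI involvement
    # whose receipt the verifier accepted.
    return sorted(r["commit"] for r in records
                  if r["verified"] and r["authorship_class"] in ("ai_assisted", "ai_generated"))

# Constructed sample statement; the predicate field names are assumptions, not AIIR's spec.
SAMPLE = {
    "_type": STATEMENT_V1, "predicateType": AIIR_PREDICATE,
    "subject": [{"name": "git+https://example.invalid/org/repo", "digest": {"gitCommit": "a" * 40}}],
    "predicate": {"commit": "a" * 40, "receipt_id": "rcpt-0001", "authorship_class": "ai_assisted",
                  "signals": ["editor-context", "co-authored-by"],
                  "timestamp": "2024-01-01T00:00:00Z", "generator": "aiir/constructed"},
}
```

A real ingestor would take the `signature_verified` flag from AIIR's own receipt verification rather than from the caller, which is the boundary the note draws.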

Boundaries

  • This note does not claim that AIIR proves hidden AI usage.
  • This note does not ask the graph to infer intent or authorship beyond the receipt.
  • This note is about graph ingestion and query, not allow-or-deny policy evaluation.
  • This note assumes AIIR receipts are one input among many, not the whole provenance record.

Next public step

If the direction is useful, the next public step is a small proposal or issue that links this note and scopes the first example to a single repo-to-commit-to-receipt path.
