This URI identifies the AIIR commit receipt predicate type for use in in-toto Statement v1 attestation envelopes.
| Property | Value |
|---|---|
| Predicate Type URI | https://invariantsystems.io/predicates/aiir/commit_receipt/v1 |
| Schema Identifier | aiir/commit_receipt.v1 |
| JSON Schema | commit_receipt.v1.schema.json |
| Specification | SPEC.md |
| Status | Stable (v1.0.0) |
When the --in-toto flag is used, AIIR wraps each receipt in a standard in-toto Statement v1:
{
"_type": "https://in-toto.io/Statement/v1",
"subject": [
{
"name": "https://github.com/example/repo@abc123...",
"digest": { "gitCommit": "abc123..." }
}
],
"predicateType": "https://invariantsystems.io/predicates/aiir/commit_receipt/v1",
"predicate": {
"type": "aiir.commit_receipt",
"schema": "aiir/commit_receipt.v1",
...
}
}The predicate (inner receipt) is verified using the AIIR verification algorithm (SPEC.md §9). The in-toto envelope is verified by standard supply-chain tools:
The subject identifies the git commit:
| Field | Value |
|---|---|
name | {repository}@{commit_sha} |
digest.gitCommit | Full hex SHA of the commit |
| Language | Package | Conformant |
|---|---|---|
| Python | aiir (reference) | ✅ |
| TypeScript | @aiir/verifier | ✅ |