AIIR Commit Receipt Specification

The normative specification for aiir/commit_receipt.v1 — the open format for tamper-evident AI authorship receipts.

Read SPEC.md on GitHub → JSON Schema →

Overview

The AIIR specification defines a content-addressed receipt format for recording AI involvement in git commits. A receipt is a JSON document with 6 core fields that are hashed using canonical JSON + SHA-256. Any modification to the core fields invalidates the receipt.

Spec version: 1.0.1
Schema identifier: aiir/commit_receipt.v1
Status: Stable
Permanent URL: invariantsystems.io/spec

Core fields

These 6 keys form the hash input — and only these 6:

Field Type Description
typestringAlways "aiir.commit_receipt"
schemastringSchema identifier, e.g. "aiir/commit_receipt.v1"
versionstringSemVer of generating tool
commitobjectGit commit metadata (sha, author, committer, diff_hash, …)
ai_attestationobjectAI authorship detection results
provenanceobjectRepository, tool, and generator identifiers

All other fields (receipt_id, content_hash, timestamp, extensions) are derived and do not affect the hash.

Canonical JSON

The canonical encoding ensures identical bytes for identical input:

  • Sorted keys — all object keys sorted lexicographically (recursive)
  • No whitespace — separators are , and :
  • ASCII-safe — all non-ASCII escaped as \uXXXX
  • Depth limit — 64 levels maximum

Python equivalent:

json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=True, allow_nan=False)

Verification algorithm

  1. Validate receipt JSON structure and type fields
  2. Extract core = {k: v for k in CORE_KEYS}
  3. Compute content_hash = "sha256:" + hex(SHA-256(canonical_json(core)))
  4. Compute receipt_id = "g1-" + content_hash[7:39]
  5. Compare using constant-time comparison (prevent timing attacks)

Try the web verifier → Integrations

Resources

Governance

This specification is maintained by Invariant Systems, Inc. Changes follow Semantic Versioning and require corresponding updates to the reference implementation and test vectors. See §15 Specification Governance for the full change process.

Third-party implementations claiming AIIR compatibility should reference the spec version they conform to and pass all published test vectors. See TRADEMARK.md for badge usage guidelines.