# Trust Graduation Protocol

Trust Graduation is a permission protocol for agentic systems. Agents earn permission per action class through evidence, approval packets, and receipts.

Version: 0.1 (draft)
Status: Public protocol, open to external implementations
License: Public protocol — no usage restriction

## Why this exists

Most agent runtimes gate actions by tool name. Trust Graduation gates actions by consequence. A useful agent may safely observe, draft, and prepare long before it should send email, post publicly, spend money, or mutate production state.

## Canonical resources

- Homepage:        https://trustgraduation.org/
- Spec v0.1:       https://trustgraduation.org/spec/0.1/
- Well-known JSON: https://trustgraduation.org/.well-known/trust-graduation
- Human credits:   https://trustgraduation.org/humans.txt
- Sitemap:         https://trustgraduation.org/sitemap.xml
- Reference repo:  https://github.com/RonenTanchum/trust-graduation
- npm package:     https://www.npmjs.com/package/@trust-graduation/core

## Recommended crawler behavior

Agents and crawlers may index, summarize, cite, and use this protocol documentation for implementation assistance.
Use the canonical URLs above when citing the protocol. Prefer the JSON Schemas for machine validation and the v0.1 spec page for human-facing explanations.

## Schema files

All schemas use JSON Schema draft 2020-12 and resolve at their $id URL:

- https://trustgraduation.org/spec/0.1/action-class.schema.json
- https://trustgraduation.org/spec/0.1/decision.schema.json
- https://trustgraduation.org/spec/0.1/approval-packet.schema.json
- https://trustgraduation.org/spec/0.1/receipt.schema.json
- https://trustgraduation.org/spec/0.1/evidence-row.schema.json
- https://trustgraduation.org/spec/0.1/posterior.schema.json

## Three primitives

An implementation should expose three operations:

1. canExecute(actionClass, context) — returns one of six decision states
2. prepareApprovalPacket(...)        — local prepare-only artifact, external_actions: 0
3. recordReceipt(...)                — outcome record, feeds the posterior

## Six decision states

- allowed
- allowed_with_constraints   (post-approval execution boundary; not a bypass)
- review_required
- deferred                   (queued for asynchronous approval)
- blocked
- human_only

## Ten canonical action classes (v0.1)

- read.context               (internal)
- draft.compose              (internal)
- draft.response             (internal)
- tool.call.local            (internal)
- email.send.internal        (external controlled)
- email.send.external        (external)
- calendar.create            (external controlled)
- social.post.public         (external)
- payment.initiate           (human-only)
- proposal.submit            (external)

## Evidence model

evidence_weight = decision_weight × provenance_weight

Default provenance weights:
- receipt        1.00
- principal      1.00
- connector      0.30
- model_inferred 0.10

## Implementation status

Mission (https://gomission.io) is the v0.1 reference runtime. Additional implementations welcome — open an issue at the reference repo.

## Human context

Protocol steward: Ronen Tanchum.
The intended audience is builders of agent runtimes, MCP servers, approval systems, enterprise AI governance tooling, and auditors evaluating agent action controls.