OpenChainGraph Suite · OCG v0.8.7 · Know-Your-Agent Due Diligence

Agent Counterparty Due-Diligence Receipt (KYA)

Onboarding an autonomous agent counterparty means checking its key is not revoked, its delegated-authority attestation chain holds, its key rotation posture is healthy, and its provable reputation score clears a tunable bar, then binding its NDA acceptance by hash. A gate routes on the reputation score: below the threshold ends the chain with no acceptance receipt issued; at or above it continues straight to the acceptance binder. Built for any party onboarding an autonomous agent counterparty, not for asserting a broader safe-to-transact guarantee.

OpenChainGraph · 5 Steps attestation mandate 1 Reputation Gate chain_depth:5 Client-Side · Zero PII
Verify-only: this receipt asserts that the supplied revocation status, agent attestation, key rotation posture, reputation score, and (on the passing branch) NDA acceptance are internally consistent and compose into a Know-Your-Agent due-diligence record. It never executes or custodies a transaction, never determines counterparty solvency, and never asserts a broader safe-to-transact guarantee than the four conditions it checked. Not legal advice.
ℹ A Web Bot Auth signed-agent verification tail is an optional planned upgrade (rides the AGENTIC-NAV Section N2 landing, whose bypass-half is still unverified) — this receipt composes the live revocation, attestation, key-rotation, reputation, and acceptance evidence today, ahead of that signal. The reputation threshold theta is a composer policy_parameter, not a literal in kernel code, so it can be retuned without a rebuild.
Chain Topology — Revocation Status → Agent Attestation → Key Rotation Audit → Reputation Score ⚠ GATE → NDA Acceptance Binder
§4 Execution Hash · Chain Definition Anchor
execution_hash:computing…
Chain Stages · 5 Steps (1 reputation gate)
1 ROOT node
Revocation-Status Verifier art-287-revocation-status-verifier
revocation posture (BitstringStatusList lookup) feeds the delegated-authority attestation chain check
MCP Call · verify_revocation_status
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "verify_revocation_status",
    "arguments": {
      "credential_status": {
        "type": "BitstringStatusListEntry",
        "statusListIndex": "94",
        "statusListCredential": "https://issuer.example/status/3"
      },
      "status_list_credential": {}
    }
  },
  "id": 1
}
2 STEP node
Agent Identity & Authorization Attestation Checker art-04-agent-identity-attestation-checker
delegated-authority credential chain and scope classification feed the key rotation audit
MCP Call · check_agent_attestation
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "check_agent_attestation",
    "arguments": {
      "credential_chain": [],
      "requested_scope": "read-only",
      "as_of": "2026-07-16"
    }
  },
  "id": 2
}
3 STEP node
Agent Key Rotation Auditor art-132-agent-key-rotation-auditor
key rotation posture (HEALTHY / ROTATION_STAGED / ACTION_REQUIRED) feeds the reputation aggregation
MCP Call · audit_agent_key_rotation
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "audit_agent_key_rotation",
    "arguments": {
      "key_algorithm": "Ed25519",
      "key_created_at": "2026-01-15",
      "max_key_age_days": 180,
      "next_key_present": true,
      "overlap_window_days": 14
    }
  },
  "id": 3
}
4 STEP · REPUTATION GATE node gate
Provable Reputation Score Aggregator art-278-reputation-score-aggregator
composite reputation score gates continuation: GATE composite < theta ends the chain with no acceptance receipt issued; composite ≥ theta continues to the NDA acceptance binder
Reputation Threshold Gate
rule[0]: if output.composite < theta (policy_parameter, default 0.5)  →  next: end   (no acceptance receipt)
default:                                                              →  next: art-277-agreement-acceptance-binder
Default continues to: art-277-agreement-acceptance-binder
MCP Call · aggregate_reputation_score
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "aggregate_reputation_score",
    "arguments": {
      "subject_id": "agent-alpha",
      "attestations": [],
      "as_of": "2026-01-01",
      "decay_half_life_days": 180
    }
  },
  "id": 4
}
5 TERMINAL node
Agreement Acceptance Binder art-277-agreement-acceptance-binder
binds the counterparty's NDA acceptance by hash reference, completing the KYA receipt. Final stage.
MCP Call · bind_agreement_acceptance
{
  "jsonrpc": "2.0",
  "method": "tools/call",
  "params": {
    "name": "bind_agreement_acceptance",
    "arguments": {
      "agreement_execution_hash": "abc123def456abc123def456abc123def456abc123def456abc123def456ab",
      "template_id": "mutual-nda-v1",
      "body_sha256": "def456abc123def456abc123def456abc123def456abc123def456abc123de",
      "accepting_role": "counterparty"
    }
  },
  "id": 5
}
Export Chain Artifact
Download the §4 chain definition artifact (hash-anchored JSON) or the §13.11 W3C Verifiable Credentials view. Both derive from the chain definition — no new hash is minted. Available after hash computation.