Approval argument match event
Inspectable evidence record
Claim ref: approval-argument-binding | Status: partial | Verification method: manual
Source ref: product-repo:internal/controlplane/approvals/* | Verified at: 2026-03-19
Verified by: security-engineering | Reproducible: yes
Product version: 0.1.0
Verification procedure: Reviewed redacted control-plane event envelope and matched normalized_args_hash against approval_args_hash semantics.
Verification confidence: medium
Verification command: node scripts/verify-proof.mjs approval-argument-match-event
Expected signal: hash-match=true
Output validation: contains (lenient) | hash-match=true
Normalize: trim
Verification artifact ref: approval-binding-evidence
Verification artifact hash: sha256:example-approval-binding-record
Command type: deterministic
Determinism assumptions: Verification command reads static redacted fixture and does not call external services.
Replay fidelity: approximate
Execution constraints: timeout=20s, noNetwork=true, readOnly=true
Reproduction steps:
- Open control-plane approval event export in docs/public-artifacts.
- Confirm normalized_args_hash equals approval_args_hash for allow decision.
- Confirm approval_id and decision fields exist in same event envelope.
Environment context:
Repo state: product-repo@redacted
Checkout command: git checkout <commit-from-proof-record>
- Access to sanitized event export from control-plane approvals pipeline
- Node.js 20+
Artifact refs: approval-binding-evidence
This record demonstrates the expected event shape for an approved action whose normalized argument digest matches the stored approval digest.
{
"event_id": "evt_01HTP5H8EYAX6KQ8M8RNGF8D90",
"approval_id": "apr_01HTP5G7Q3Y3Q70G1BT22K8HZE",
"action": "tool.exec.bash",
"normalized_args_hash": "sha256:81d7f4...",
"approval_args_hash": "sha256:81d7f4...",
"decision": "allow",
"reason": "approval_hash_match"
}
Limit note: this record is illustrative and redacted. Full replay transcript is pending publication.