This guide describes how to emit, sign, store, and verify Reciprium receipts in real-world delivery systems.

End-to-End Flow

  1. Build intent context and compute content digest for approved input.
  2. Populate subject and scope from runtime identity/target metadata.
  3. Execute mutation and collect runtime evidence into execution/artifacts.
  4. Run checks and write verification outcomes.
  5. Canonicalize and sign according to Signatures.
  6. Optionally chain with hashChain metadata.
  7. Persist receipt and associated evidence artifacts.

Minimum Integration Contract

  • Emit valid envelope shape.
  • Sign with trusted key material.
  • Preserve receipt bytes/fields after signing.
  • Keep artifact references stable and retrievable.

Platform Patterns

Reference integrations (separate examples repo):

Reference receipt documents (this spec repo):

Verification Pipeline Guidance

At ingestion time:

  1. Validate structure against JSON Schema.
  2. Verify signatures and signedContent.contentHash.
  3. Validate chain continuity if chaining is used.
  4. Evaluate verification policy requirements.
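The first three ingestion checks, as an added example that is not code from the Reciprium project: a verifier that runs them in order and reports the first failure, so a receipt edited after signing is rejected. The canonical form, the HMAC stand-in for the real signature scheme, and the field names payload, signature.value and hashChain.previousHash are assumptions.

```python
import hashlib, hmac, json

# Assumptions, not taken from the Reciprium spec: canonical form is sorted-key
# compact JSON, digests are SHA-256 hex, HMAC-SHA256 stands in for the real
# signature scheme, and the fields payload, signature.value and
# hashChain.previousHash are hypothetical names.
KEY = b"constructed-demo-key"  # constructed sample key

def canonical(obj):
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()

def digest(obj):
    return hashlib.sha256(canonical(obj)).hexdigest()

def sign(signed):
    return hmac.new(KEY, canonical(signed), hashlib.sha256).hexdigest()

def emit(payload, prev=None):
    """Build a signed receipt, chained to the previous receipt when given."""
    signed = {"payload": payload, "contentHash": digest(payload)}
    if prev is not None:
        signed["hashChain"] = {"previousHash": digest(prev["signedContent"])}
    return {"signedContent": signed, "signature": {"value": sign(signed)}}

def verify(receipt, prev=None):
    """Run the ingestion checks in order; return the first failing step or 'ok'."""
    signed, sig = receipt.get("signedContent"), receipt.get("signature")
    # Step 1: minimal shape check standing in for JSON Schema validation.
    if not (isinstance(signed, dict) and "payload" in signed
            and isinstance(sig, dict) and isinstance(sig.get("value"), str)):
        return "structure"
    # Step 2: signature over canonical signedContent, then contentHash.
    if not hmac.compare_digest(sign(signed).encode(), sig["value"].encode()):
        return "signature"
    if digest(signed["payload"]) != signed.get("contentHash"):
        return "contentHash"
    # Step 3: when a predecessor is expected, the chain link must match it.
    chain = signed.get("hashChain")
    if prev is not None and (not isinstance(chain, dict)
            or chain.get("previousHash") != digest(prev["signedContent"])):
        return "chain"
    return "ok"

def demo():
    """Constructed sample receipts: two chained, one edited after signing."""
    r1 = emit({"intent": "apply", "subject": "ci-runner-1"})
    r2 = emit({"intent": "apply", "subject": "ci-runner-2"}, prev=r1)
    tampered = json.loads(json.dumps(r2))
    tampered["signedContent"]["payload"]["subject"] = "someone-else"
    return verify(r1), verify(r2, prev=r1), verify(tampered, prev=r1)
```

Policy evaluation (step 4) is deployment-specific and would run only on receipts for which verify returns ok.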

Extension Strategy

Use namespaced extension keys (reverse.domain), such as dev.reciprium.terraform, for provider-specific metadata.