Skip to content
Skip to content
TrustPlane
Action Certificates

Certified Writes you can verify before any side-effect

Every Certified Write mints a COSE-signed Action Certificate. Downstream systems can require a valid certificate before any write executes. Use the public verifier to inspect a live sample.

JSON schema excerpt

The full schema is versioned in our SDKs. Key fields appear below; hashes are portable across OpenTelemetry, SIEM, and transparency logs.

{
  "$id": "https://trustplane.cloud/schema/action-certificate.json",
  "type": "object",
  "required": ["certificate_id", "certified_write", "audit", "signatures"],
  "properties": {
    "certificate_id": { "type": "string" },
    "issued_at": { "type": "string", "format": "date-time" },
    "certified_write": {
      "type": "object",
      "required": ["use_case", "policy_version_hash", "approvals", "rollout"],
      "properties": {
        "use_case": { "type": "string" },
        "policy_version_hash": { "type": "string", "pattern": "^sha256:" },
        "evaluation_contract": { "type": "string" },
        "approvals": { "type": "array", "items": { "type": "string" } },
        "rollout": {
          "type": "object",
          "properties": {
            "percent": { "type": "number", "minimum": 0, "maximum": 100 },
            "mode": { "enum": ["governed_canary", "general_availability"] }
          }
        }
      }
    },
    "audit": {
      "type": "object",
      "required": ["request_hash", "response_hash"],
      "properties": {
        "request_hash": { "type": "string" },
        "response_hash": { "type": "string" },
        "transparency_log": { "type": "string" }
      }
    },
    "signatures": {
      "type": "array",
      "items": {
        "type": "object",
        "required": ["alg", "key_id", "sig", "format"],
        "properties": {
          "alg": { "enum": ["Ed25519"] },
          "key_id": { "type": "string" },
          "format": { "enum": ["COSE_Sign1"] },
          "sig": { "type": "string" }
        }
      }
    }
  }
}

Full schema includes optional budget/slo snapshots, connector metadata, and transparency log anchors. See SDK docs for machine-readable definitions.

Verify before any write

Downstream services (ServiceNow, Snowflake, Jira, custom APIs) can reject writes when any check fails. These are the five steps most customers enforce.

  1. Validate the COSE Ed25519 signature against your key registry.
  2. Ensure policy_version_hash matches the approved boundary for this environment.
  3. Confirm evaluation contract results meet thresholds (Learning Controls).
  4. Check required approvals (Security, FinOps, Data Owner, Legal, etc.).
  5. Verify rollout scope (percent/mode) and optional transparency log entry or revocation list.

Try it in the /verify sandbox—paste the demo certificate and watch signature + policy hash checks pass.

TypeScript verifier snippet

import { verifyCertificate } from "@trustplane/sdk/cert";
import type { ActionCertificate } from "@trustplane/sdk/types";

async function gateWrite(cert: ActionCertificate) {
  const ok = await verifyCertificate(cert, {
    requiredApprovals: ["security", "finops", "data-owner"],
    expectedPolicyHash: "sha256:9c73…f5a0",
    maxCanaryPercent: 30,
  });

  if (!ok.valid) {
    throw new Error(`Blocked — ${ok.reason}`);
  }
}

// Downstream usage
await gateWrite(parsedCertificate);
// proceed with ServiceNow change once certificate is valid

SDK helpers exist for TypeScript, Python, and Java. Each emits OpenTelemetry spans with certificate_id so you can correlate verification events with SIEM alerts.

Python verifier snippet

from trustplane_sdk.cert import verify_certificate
from trustplane_sdk.types import ActionCertificate


def gate_write(cert: ActionCertificate) -> None:
    result = verify_certificate(
        cert,
        required_approvals=["security", "finops", "data-owner"],
        expected_policy_hash="sha256:9c73…f5a0",
        max_canary_percent=30,
    )

    if not result.valid:
        raise RuntimeError(f"Blocked — {result.reason}")


# Downstream usage
gate_write(parsed_certificate)
# proceed with Snowflake/ServiceNow write once certificate is valid

Python helper returns a dataclass with valid, reason, and certificateId fields so you can log the outcome alongside your traces.

Java verifier snippet

import com.trustplane.sdk.cert.CertificateVerifier;
import com.trustplane.sdk.types.ActionCertificate;

var verifier = CertificateVerifier.builder()
    .expectedPolicyHash("sha256:9c73…f5a0")
    .maxCanaryPercent(30)
    .requiredApprovals("security", "finops", "data-owner")
    .build();

public void gateWrite(ActionCertificate cert) {
    var result = verifier.verify(cert);
    if (!result.isValid()) {
        throw new IllegalStateException("Blocked — " + result.reason());
    }
    // proceed with downstream write (Jira/Databricks/etc.)
}

Java SDK exposes builders so you can wire verification into Spring filters, Jakarta interceptors, or existing policy engines.

Supply-chain & transparency options

  • Transparency log hosted in your account (optional Merkle proofs linked in audit.transparency_log).
  • Certificate revocation list for distrusting compromised keys.
  • Signer key rotation with key_id tracking and historical retention.
  • SBOM + image signing for TrustPlane gateways; exportable COSE attestations.

Evidence bundles & references

Every evidence bundle (EU AI Act / NIST AI RMF) includes sample certificates, policy version hashes, DPIA/LLM-risk templates, and control mappings. Share them from the Security, Risk & Audit microsite.