Dokugent Certification Specification

This document defines the structure and principles behind the Dokugent certification system. It ensures agents can be verified, trusted, and securely orchestrated in zero-trust environments.


Cryptographic Signing

Dokugent uses Ed25519 keypairs to sign agent specifications:

  • The full agent plan and metadata are compiled via dokugent preview into compiled.json.
  • A SHA-256 hash of compiled.json is generated.
  • This hash is signed using the owner's private key during dokugent certify, creating cert.json.

This makes the certification tamper-evident and portable. Any verifier can validate the certificate using the owner's public key without calling a central server.


Structure: compiled.json vs cert.json

  • compiled.json is a full manifest of the agent’s behavior, tools, inputs/outputs, and compliance tags.
  • cert.json contains a cryptographic signature, agent ID, signer info, and trust level metadata.

Only cert.json needs to be shared to verify the agent. compiled.json is used internally for structural validation and signature verification.


Packaging: .dokuagent.tar.gz

All files (agent config, compiled.json, cert.json, optional audit logs) are bundled into a .dokuagent.tar.gz for distribution or deployment.

This ensures agents can be moved across systems without losing their identity or certification.


Trust Levels

Dokugent allows certification at different trust tiers:

  • dev — experimental/test agents
  • review — approved by a team reviewer
  • prod — production-certified agents, safe for orchestration

Certification assumes the agent has passed all checks during preview. dokugent certify only signs what has been staged.

Trust levels are declared in cert.json and can be used by agent runners or orchestration layers to enforce policies.


Verification Command

To verify an agent:

dokugent certify --verify path/to/cert.json --key path/to/public.key

This validates the signature, compares the SHA-256 hash with compiled.json, and verifies declared trust metadata.
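
The signing and verification steps described above, as an added Node.js sketch (not Dokugent's own code). The cert field names (agentId, trustLevel, sha256, signature), the dev < review < prod ordering and the minLevel policy argument are assumptions; the sketch also signs the agent ID and trust level together with the hash so that edits to them are detected, whereas the page states only that the hash is signed.

```javascript
const crypto = require('node:crypto');

const TRUST_LEVELS = ['dev', 'review', 'prod']; // tiers from the page; ordering assumed

const sha256Hex = (bytes) => crypto.createHash('sha256').update(bytes).digest('hex');

// Bytes covered by the signature: fixed-order array, so the encoding is unambiguous.
// Assumption: metadata is signed along with the hash (the page only mentions the hash).
const signedBytes = (c) => Buffer.from(JSON.stringify([c.agentId, c.trustLevel, c.sha256]));

// Stand-in for "dokugent certify": hash compiled.json, sign, return the cert object.
function certify(compiledBytes, privateKey, agentId, trustLevel) {
  const cert = { agentId, trustLevel, sha256: sha256Hex(compiledBytes) };
  // Ed25519 has no separate digest parameter, so the algorithm argument is null.
  cert.signature = crypto.sign(null, signedBytes(cert), privateKey).toString('base64');
  return cert;
}

// Stand-in for "dokugent certify --verify". minLevel is the verifier's own policy.
function verify(cert, compiledBytes, publicKey, minLevel) {
  const sig = Buffer.from(String(cert.signature), 'base64');
  if (!crypto.verify(null, signedBytes(cert), publicKey, sig)) return 'bad-signature';
  if (sha256Hex(compiledBytes) !== cert.sha256) return 'hash-mismatch';
  const have = TRUST_LEVELS.indexOf(cert.trustLevel);
  const need = TRUST_LEVELS.indexOf(minLevel);
  if (have < 0 || need < 0 || have < need) return 'trust-level-too-low';
  return 'ok';
}

// Constructed sample data: throwaway keys and a made-up compiled.json body.
function demo() {
  const owner = crypto.generateKeyPairSync('ed25519');
  const other = crypto.generateKeyPairSync('ed25519');
  const compiled = Buffer.from('{"agent":"example","tools":["search"]}');
  const tampered = Buffer.from('{"agent":"example","tools":["search","shell"]}');
  const cert = certify(compiled, owner.privateKey, 'agent-example', 'review');
  return {
    valid: verify(cert, compiled, owner.publicKey, 'review'),
    editedManifest: verify(cert, tampered, owner.publicKey, 'dev'),
    editedTrustLevel: verify({ ...cert, trustLevel: 'prod' }, compiled, owner.publicKey, 'prod'),
    wrongKey: verify(cert, compiled, other.publicKey, 'dev'),
    belowPolicy: verify(cert, compiled, owner.publicKey, 'prod'),
  };
}

console.log(demo());
```

The signature check runs before the hash comparison so that the hash being compared is one the owner's key has vouched for.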


Future Extensions

  • Registry-based certificate discovery
  • Organizational signing with subkeys
  • Trust hierarchies and delegation chains
  • certify subcommands for bulk verification, diff, and expiration checks

Agent certification in Dokugent focuses on traceability, not enforcement. Downstream tools or orchestrators can build policies on top of this trust artifact.

Certifying agents is a foundation for secure, composable AI ecosystems. Dokugent provides the infrastructure to trust agents before they act — not after.