08. Security and Certification

Dokugent takes a pragmatic, cryptographically anchored approach to agent certification. Rather than relying on trust-by-assumption, every agent plan in Dokugent is explicitly certified using a signed fingerprint derived from the developer’s keypair.

Certification Process

Each time a plan is finalized, Dokugent generates a SHA-256 digest of the plan contents, creating a unique fingerprint. This fingerprint is then signed with the developer's private key to produce a verifiable certificate. During runtime, this certificate is used to validate that the executing agent conforms to the original, pre-approved scope and behavior.

This method ensures that:

  • Plan contents cannot be modified post-signing without invalidating the cert.
  • Every execution of an agent can be traced back to its certified author.
  • Certification is locally verifiable without dependence on a centralized registry (though one can be used for external verification, if desired).
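The hash-then-sign flow described above, as an added Node.js example that is not Dokugent's own code. It assumes Ed25519 as the signature scheme (the page does not name the current mechanism), and the certificate field names and sample plan are hypothetical, not the actual .cert.json schema.

```javascript
const crypto = require('node:crypto');

// SHA-256 fingerprint of the plan exactly as stored (raw bytes, no re-serialization,
// so whitespace or key-order changes also count as modifications).
function fingerprint(planBytes) {
  return crypto.createHash('sha256').update(planBytes).digest('hex');
}

// Sign the fingerprint. Field names are hypothetical, not Dokugent's .cert.json schema.
function certifyPlan(planBytes, privateKey) {
  const fp = fingerprint(planBytes);
  const signature = crypto.sign(null, Buffer.from(fp, 'hex'), privateKey); // Ed25519 (assumed)
  return { algorithm: 'ed25519', fingerprint: fp, signature: signature.toString('base64') };
}

// Verify locally against a public key the verifier already trusts,
// never against a key that travels inside the certificate itself.
function verifyPlan(planBytes, cert, trustedPublicKey) {
  if (typeof cert.fingerprint !== 'string' || typeof cert.signature !== 'string') {
    return { ok: false, reason: 'malformed certificate' };
  }
  const actual = Buffer.from(fingerprint(planBytes), 'hex');
  const claimed = Buffer.from(cert.fingerprint, 'hex');
  if (claimed.length !== actual.length || !crypto.timingSafeEqual(claimed, actual)) {
    return { ok: false, reason: 'plan does not match certified fingerprint' };
  }
  const sig = Buffer.from(cert.signature, 'base64');
  if (!crypto.verify(null, actual, trustedPublicKey, sig)) {
    return { ok: false, reason: 'signature not made by trusted key' };
  }
  return { ok: true, reason: 'certified' };
}

// Constructed sample data: a developer keypair, an unrelated keypair, and a plan.
const developer = crypto.generateKeyPairSync('ed25519');
const otherParty = crypto.generateKeyPairSync('ed25519');
const plan = Buffer.from('{"agent":"summarizer","steps":["read","summarize"]}');
const cert = certifyPlan(plan, developer.privateKey);

// Cases the runtime check must reject:
const tamperedPlan = Buffer.from('{"agent":"summarizer","steps":["read","summarize","upload"]}');
const patchedCert = { ...cert, fingerprint: fingerprint(tamperedPlan) }; // fingerprint rewritten
const resignedCert = certifyPlan(tamperedPlan, otherParty.privateKey);   // signed by another key

console.log(verifyPlan(plan, cert, developer.publicKey));
console.log(verifyPlan(tamperedPlan, cert, developer.publicKey));
console.log(verifyPlan(tamperedPlan, patchedCert, developer.publicKey));
console.log(verifyPlan(tamperedPlan, resignedCert, developer.publicKey));
```

The last two cases show why the fingerprint comparison alone is not enough: a certificate whose fingerprint matches the modified plan is only rejected because the signature is checked against the developer's known public key.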

Why It Matters

Signed plans close the loop between design-time intent and runtime behavior. Without certification, any deviation—whether accidental or adversarial—becomes difficult to detect until damage is done. With Dokugent, certification makes trust concrete: you either have the signature, or you don’t.

Additional Notes

  • The signing mechanism is not ECDSA or PGP-based. Instead, Dokugent uses modern lightweight keypair generation (compatible with libsodium/Ed25519 in future versions).
  • Certification metadata is stored alongside the compiled agent file in .cert.json format.