Certificate Schema
The structure of a containment certificate — every field and what it means.
A containment certificate is a JSON object with a defined schema. This page documents every field.
Top-Level Structure
{
"version": "0.2.0",
"certificate_id": "uuid",
"identity": { ... },
"validity": { ... },
"constraints": [ ... ],
"reserve": { ... },
"dependency_disclosure": { ... },
"derived_metrics": { ... },
"attestations": [ ... ],
"operator_metadata": { ... }
}
Identity
{
"agent_id": "0x...", // On-chain address of the agent
"operator_id": "0x...", // On-chain address of the operator
"chain_id": 1, // EVM chain ID
"agent_name": "string", // Human-readable name (optional)
"operator_name": "string" // Human-readable name (optional)
}
Validity
{
"issued_at": "2026-04-01T00:00:00Z",
"expires_at": "2026-06-01T00:00:00Z",
"status": "ACTIVE" // ACTIVE | REVOKED | EXPIRED | CHALLENGED
}
Maximum expiry by class:
- C1: 90 days
- C2: 60 days
- C3: 30 days
Constraints
Each constraint describes a single containment layer:
{
"type": "SPENDING_LIMIT",
"value": {
"amount": "50000",
"denomination": "USDC",
"period": "DAY"
},
"enforcement": {
"mechanism": "SMART_CONTRACT",
"contract_address": "0x...",
"function_selector": "0x..."
},
"formally_verified": true,
"agent_independent": true // Critical flag
}
Constraint Types
| Type | Description |
|---|---|
| SPENDING_LIMIT | Maximum value the agent can transfer per period |
| PERMISSION_BOUNDARY | Actions the agent is prohibited from taking |
| EXECUTION_ENVIRONMENT | TEE, HSM, or MPC configuration |
| TIME_LOCK | Delay between initiation and execution of high-value actions |
| MULTI_SIG | Multiple signatures required for actions above threshold |
| KILL_SWITCH | Mechanism to halt agent operations immediately |
| REVERSIBILITY_WINDOW | Time period during which transactions can be reversed |
The agent_independent Flag
This is the most important field in the entire schema. It declares whether this constraint can be degraded by the agent's outputs.
- true — the agent cannot influence, circumvent, or weaken this constraint through any output channel
- false — the constraint depends on human judgment, off-chain processes, or systems the agent can interact with
Only constraints marked agent_independent: true contribute to the containment bound.
Reserve
{
"amount": "150000",
"denomination": "USDC",
"contract_address": "0x...",
"exogenous": true, // Must be true for valid reserves
"reserve_ratio": 3.0, // Reserve / max periodic loss
"lock_mechanism": "SMART_CONTRACT"
}
The exogenous flag means the reserve is denominated in assets the operator cannot mint or control the supply of. Governance tokens, self-minted tokens, or operator-issued IOUs are not valid reserves.
Derived Metrics
Computed from the constraint and reserve data:
{
"containment_bound": "50000",
"containment_bound_denomination": "USDC",
"agent_independent_layer_count": 3,
"agent_influenceable_layer_count": 2,
"certificate_class": "C2"
}
The containment_bound is the worst-case economic loss assuming only agent-independent layers hold and all agent-influenceable layers fail simultaneously.
Attestations
{
"attestations": [
{
"auditor_id": "0x...",
"auditor_name": "Trail of Bits",
"scope": "SMART_CONTRACT_VERIFICATION",
"signature": "0x...",
"report_hash": "ipfs://...",
"stake_amount": "25000",
"stake_contract": "0x..."
}
]
}
Each attestation is scoped — the auditor signs off on what they actually verified, not the entire certificate.
On-Chain Registry Interface
interface ICCPRegistry {
enum Status { ACTIVE, REVOKED, EXPIRED, CHALLENGED }
enum CertificateClass { NONE, C1, C2, C3 }
struct CertificateRecord {
address operator;
address agent;
CertificateClass certificateClass;
uint48 issuedAt;
uint48 expiresAt;
Status status;
uint128 containmentBound;
address reserveVault;
address spendingLimit;
string ipfsUri;
address[] auditors;
}
function publish(
PublishParams calldata params,
bytes calldata operatorSig,
bytes[] calldata attestorSigs
) external;
function revoke(bytes32 certHash) external;
function isValid(bytes32 certHash) external view returns (bool);
function verify(
address agent,
CertificateClass minClass,
uint128 maxAcceptableLoss
) external view returns (bool acceptable, bytes32 certHash);
function getActiveCertificate(address agent) external view returns (bytes32);
function getCertificate(bytes32 certHash) external view returns (CertificateRecord memory);
event CertificatePublished(
bytes32 indexed certHash, address indexed agent,
address indexed operator, CertificateClass certificateClass,
uint128 containmentBound, uint48 expiresAt
);
event CertificateRevoked(bytes32 indexed certHash, address indexed agent);
}
Dependency Disclosure
{
"dependency_disclosure": {
"model_provider": "anthropic",
"model_version": "claude-4",
"framework": "langchain",
"external_apis": ["stripe", "twilio"],
"data_sources": ["postgres://..."]
}
}
Dependencies are disclosed but not verified by the certificate — they inform the counterparty's risk assessment.
Operator Metadata
{
"operator_metadata": {
"company": "Acme Corp",
"contact": "ops@acme.com",
"website": "https://acme.com",
"jurisdiction": "US-DE",
"insurance_provider": "Lloyd's",
"insurance_policy_id": "POL-2026-001"
}
}
Complete Example
A fully populated C2 certificate:
{
"version": "0.2.0",
"certificate_id": "550e8400-e29b-41d4-a716-446655440000",
"identity": {
"agent_id": "0x1234567890abcdef1234567890abcdef12345678",
"operator_id": "0xabcdefabcdefabcdefabcdefabcdefabcdefabcd",
"chain_id": 296,
"agent_name": "alpha.operator.eth",
"operator_name": "operator.eth"
},
"validity": {
"issued_at": "2026-04-01T00:00:00Z",
"expires_at": "2026-06-01T00:00:00Z",
"status": "ACTIVE"
},
"constraints": [
{
"type": "SPENDING_LIMIT",
"value": {
"amount": "50000",
"denomination": "USDC",
"period": "DAY"
},
"enforcement": {
"mechanism": "SMART_CONTRACT",
"contract_address": "0x530ecF8Afddb752748aCE1Ece90e34FD1ca7eE6C",
"function_selector": "0xa9059cbb"
},
"formally_verified": true,
"agent_independent": true
},
{
"type": "MULTI_SIG",
"value": {
"threshold": 2,
"signers": ["agent", "ledger"],
"trigger_above": "5000"
},
"enforcement": {
"mechanism": "SMART_CONTRACT",
"contract_address": "0x530ecF8Afddb752748aCE1Ece90e34FD1ca7eE6C"
},
"formally_verified": true,
"agent_independent": true
},
{
"type": "KILL_SWITCH",
"value": {
"mechanism": "pause_function",
"authorized": ["operator"]
},
"enforcement": {
"mechanism": "SMART_CONTRACT",
"contract_address": "0x530ecF8Afddb752748aCE1Ece90e34FD1ca7eE6C"
},
"formally_verified": false,
"agent_independent": true
}
],
"reserve": {
"amount": "150000",
"denomination": "USDC",
"contract_address": "0xb2fFaf44Ae415b0e1dFc99c8E07dfDE2a5369Aa6",
"exogenous": true,
"reserve_ratio": 3.0,
"lock_mechanism": "SMART_CONTRACT"
},
"dependency_disclosure": {
"model_provider": "anthropic",
"model_version": "claude-4",
"framework": "custom",
"external_apis": [],
"data_sources": []
},
"derived_metrics": {
"containment_bound": "50000",
"containment_bound_denomination": "USDC",
"agent_independent_layer_count": 3,
"agent_influenceable_layer_count": 0,
"certificate_class": "C2"
},
"attestations": [
{
"auditor_id": "0xe786eB0F88b8A30e0ABf4C634fc414084b2134eC",
"auditor_name": "CCP Auditor",
"scope": "FULL_STACK_VERIFICATION",
"signature": "0x...",
"report_hash": "ipfs://QmYwAPJzv5CZsnA625s3Xf2nemtYgPpHdWEz79ojWnPbdG",
"stake_amount": "1500",
"stake_contract": "0xe786eB0F88b8A30e0ABf4C634fc414084b2134eC"
}
],
"operator_metadata": {
"company": "CCP Demo Operator",
"contact": "demo@ccp.protocol",
"jurisdiction": "CH",
"insurance_provider": null,
"insurance_policy_id": null
}
}
Validation Rules
| Field | Rule |
|---|---|
| version | Must be "0.2.0" |
| certificate_id | Valid UUID v4 |
| identity.agent_id | Valid EVM address |
| identity.chain_id | Must match deployment chain |
| validity.expires_at | Must not exceed class maximum (C1: 90d, C2: 60d, C3: 30d) |
| constraints | At least one constraint with agent_independent: true |
| reserve.exogenous | Must be true for valid reserves |
| reserve.reserve_ratio | Minimum 1x for C1, 3x for C2, 5x for C3 |
| attestations | At least one for C2+; auditor must have staked |
| derived_metrics.containment_bound | Must equal the tightest agent-independent spending limit |
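
The rules in this table, applied as a counterparty-side check that recomputes the containment bound from the constraints instead of trusting the stated metrics. This is an added example, not the protocol's own tooling: `validate`, `sample` and every sample value are constructed, and it assumes all spending limits share one denomination and period and that the stake is read from the certificate rather than from chain.

```python
import re, uuid
from datetime import datetime, timedelta
from decimal import Decimal
MAX_DAYS = {"C1": 90, "C2": 60, "C3": 30}   # maximum validity per class, in days
MIN_RATIO = {"C1": 1, "C2": 3, "C3": 5}     # minimum reserve_ratio per class
ADDR = re.compile(r"0x[0-9a-fA-F]{40}")

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))
def _is_uuid4(s):
    try:
        return uuid.UUID(s).version == 4
    except ValueError:
        return False

def validate(cert, chain_id):
    """Return the names of violated rules; an empty list means the certificate passes."""
    dm, val, res = cert["derived_metrics"], cert["validity"], cert["reserve"]
    cls = dm["certificate_class"]
    # Only layers the agent cannot influence count toward the bound.
    indep = [c for c in cert["constraints"] if c.get("agent_independent") is True]
    limits = [Decimal(c["value"]["amount"]) for c in indep if c["type"] == "SPENDING_LIMIT"]
    # Declared stake only; confirming it on-chain is outside this sketch.
    staked = [a for a in cert["attestations"] if Decimal(a["stake_amount"]) > 0]
    checks = {
        "version": cert["version"] == "0.2.0",
        "certificate_id": _is_uuid4(cert["certificate_id"]),
        "identity.agent_id": bool(ADDR.fullmatch(cert["identity"]["agent_id"])),
        "identity.chain_id": cert["identity"]["chain_id"] == chain_id,
        "validity.expires_at": _ts(val["expires_at"]) - _ts(val["issued_at"]) <= timedelta(days=MAX_DAYS[cls]),
        "constraints": bool(indep),
        "reserve.exogenous": res["exogenous"] is True,
        "reserve.reserve_ratio": res["reserve_ratio"] >= MIN_RATIO[cls],
        "attestations": cls == "C1" or bool(staked),
        "derived_metrics.containment_bound": bool(limits) and Decimal(dm["containment_bound"]) == min(limits),
    }
    return [rule for rule, ok in checks.items() if not ok]

def sample():
    """Constructed certificate, trimmed to the validated fields; ids and addresses are placeholders."""
    return {
        "version": "0.2.0", "certificate_id": "00000000-0000-4000-8000-000000000000",
        "identity": {"agent_id": "0x" + "11" * 20, "chain_id": 1},
        "validity": {"issued_at": "2026-04-01T00:00:00Z", "expires_at": "2026-05-31T00:00:00Z"},
        "constraints": [{"type": "SPENDING_LIMIT", "value": {"amount": "50000"}, "agent_independent": True},
                        {"type": "SPENDING_LIMIT", "value": {"amount": "20000"}, "agent_independent": False}],
        "reserve": {"exogenous": True, "reserve_ratio": 3.0}, "attestations": [{"stake_amount": "25000"}],
        "derived_metrics": {"containment_bound": "50000", "certificate_class": "C2"},
    }
```

The sample carries a tighter 20000 limit that is agent-influenceable; a certificate stating that figure as its containment bound fails the last rule, because only the agent-independent 50000 limit counts.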