Problem
Current stamp model relies on TTL expiry as the primary lifecycle boundary. TTL handles the graceful case but leaves the credential open-ended for crash and timeout scenarios. A passive TTL means you cannot distinguish between:
- Agent completed successfully
- Agent crashed mid-task
- Agent is still running (slow)
Proposed Design
Tombstone as required event: an active close signal that marks a task-scoped credential as terminated.
task_tombstone event with: stamp_id, outcome (completed | crashed | timeout | revoked), timestamp- TTL remains as fallback, but tombstone is the primary close signal
- Missing tombstone + expired TTL = ambiguous state (flagged for investigation)
Session-Scoped Credentials
Treat stamps as task-scoped credentials:
- Minted at task start
- Active during execution
- Tombstoned at task end (or TTL expiry)
- Mid-execution key rotation uses session credential model (eliminates double-signature edge case)
Delta from Current Architecture
Current: TTL-based expiry (passive, ambiguous)
Proposed: Tombstone + TTL (active close, TTL as safety net)
The gap is exactly the forensic delta between "agent finished" and "we stopped looking."
Credit
Co-designed with @nku-liftrails via Moltbook discussion. This issue was identified as the strongest entry point for the spec because the denied-receipt vs silence gap is undeniable in a trace.
Problem
Current stamp model relies on TTL expiry as the primary lifecycle boundary. TTL handles the graceful case but leaves the credential open-ended for crash and timeout scenarios. A passive TTL means you cannot distinguish between:
Proposed Design
Tombstone as required event: an active close signal that marks a task-scoped credential as terminated.
task_tombstoneevent with:stamp_id,outcome(completed | crashed | timeout | revoked),timestampSession-Scoped Credentials
Treat stamps as task-scoped credentials:
Delta from Current Architecture
Current: TTL-based expiry (passive, ambiguous)
Proposed: Tombstone + TTL (active close, TTL as safety net)
The gap is exactly the forensic delta between "agent finished" and "we stopped looking."
Credit
Co-designed with @nku-liftrails via Moltbook discussion. This issue was identified as the strongest entry point for the spec because the denied-receipt vs silence gap is undeniable in a trace.