mpcp-protocol
diff --git a/‎reference/reference/sdk/index.html‎
Lines changed: 47 additions & 2 deletions b/‎reference/reference/sdk/index.html‎
Lines changed: 47 additions & 2 deletions
diff --git a/‎reference/search/search_index.json‎
Lines changed: 1 addition & 1 deletion b/‎reference/search/search_index.json‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎spec/architecture/actors/index.html‎
Lines changed: 3 additions & 0 deletions b/‎spec/architecture/actors/index.html‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎spec/profiles/full-profile/index.html‎
Lines changed: 112 additions & 0 deletions b/‎spec/profiles/full-profile/index.html‎
Lines changed: 112 additions & 0 deletions
diff --git a/‎spec/profiles/lite-profile/index.html‎
Lines changed: 89 additions & 0 deletions b/‎spec/profiles/lite-profile/index.html‎
Lines changed: 89 additions & 0 deletions
@@ -1085,6 +1085,17 @@
     </span>
   </a>
 
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#cumulative-budget-enforcement" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Cumulative Budget Enforcement
+      
+    </span>
+  </a>
+  
 </li>
 
         <li class="md-nav__item">
@@ -1482,6 +1493,17 @@
     </span>
   </a>
 
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#cumulative-budget-enforcement" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Cumulative Budget Enforcement
+      
+    </span>
+  </a>
+  
 </li>
 
         <li class="md-nav__item">
@@ -1554,14 +1576,17 @@ <h2 id="import">Import</h2>
 <span class="p">}</span><span class="w"> </span><span class="kr">from</span><span class="w"> </span><span class="s2">&quot;mpcp-service/sdk&quot;</span><span class="p">;</span>
 </code></pre></div>
 <h2 id="policy-grant">Policy Grant</h2>
-<div class="highlight"><pre><span></span><code><span class="k">import</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nx">createPolicyGrant</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">from</span><span class="w"> </span><span class="s2">&quot;mpcp-service/sdk&quot;</span><span class="p">;</span>
+<div class="highlight"><pre><span></span><code><span class="k">import</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nx">createPolicyGrant</span><span class="p">,</span><span class="w"> </span><span class="nx">createSignedPolicyGrant</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="kr">from</span><span class="w"> </span><span class="s2">&quot;mpcp-service/sdk&quot;</span><span class="p">;</span>
 
 <span class="kd">const</span><span class="w"> </span><span class="nx">grant</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">createPolicyGrant</span><span class="p">({</span>
-<span class="w">  </span><span class="nx">policyHash</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;a1b2c3&quot;</span><span class="p">,</span>
+<span class="w">  </span><span class="nx">policyHash</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;a1b2c3d4e5f6&quot;</span><span class="p">,</span>
 <span class="w">  </span><span class="nx">allowedRails</span><span class="o">:</span><span class="w"> </span><span class="p">[</span><span class="s2">&quot;xrpl&quot;</span><span class="p">,</span><span class="w"> </span><span class="s2">&quot;evm&quot;</span><span class="p">],</span>
 <span class="w">  </span><span class="nx">allowedAssets</span><span class="o">:</span><span class="w"> </span><span class="p">[{</span><span class="w"> </span><span class="nx">kind</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;IOU&quot;</span><span class="p">,</span><span class="w"> </span><span class="nx">currency</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;RLUSD&quot;</span><span class="p">,</span><span class="w"> </span><span class="nx">issuer</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;rIssuer&quot;</span><span class="w"> </span><span class="p">}],</span>
 <span class="w">  </span><span class="nx">expiresAt</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;2030-12-31T23:59:59Z&quot;</span><span class="p">,</span>
 <span class="p">});</span>
+
+<span class="c1">// Signed (requires MPCP_POLICY_GRANT_SIGNING_PRIVATE_KEY_PEM — returns null if not set)</span>
+<span class="kd">const</span><span class="w"> </span><span class="nx">signedGrant</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">createSignedPolicyGrant</span><span class="p">(</span><span class="nx">grant</span><span class="p">);</span>
 </code></pre></div>
 <h2 id="budget-authorization">Budget Authorization</h2>
 <div class="highlight"><pre><span></span><code><span class="k">import</span><span class="w"> </span><span class="p">{</span>
@@ -1637,6 +1662,14 @@ <h2 id="verification">Verification</h2>
 <span class="kd">const</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nx">result</span><span class="p">,</span><span class="w"> </span><span class="nx">steps</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">verifySettlementWithReport</span><span class="p">(</span><span class="nx">context</span><span class="p">);</span>
 <span class="kd">const</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nx">valid</span><span class="p">,</span><span class="w"> </span><span class="nx">checks</span><span class="w"> </span><span class="p">}</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">verifySettlementDetailed</span><span class="p">(</span><span class="nx">context</span><span class="p">);</span>
 </code></pre></div>
+<h2 id="cumulative-budget-enforcement">Cumulative Budget Enforcement</h2>
+<p>When performing multiple payments in a session, pass <code>cumulativeSpentMinor</code> to the verification context so the budget check accounts for all prior spending:</p>
+<div class="highlight"><pre><span></span><code><span class="kd">const</span><span class="w"> </span><span class="nx">result</span><span class="w"> </span><span class="o">=</span><span class="w"> </span><span class="nx">verifySettlement</span><span class="p">({</span>
+<span class="w">  </span><span class="p">...</span><span class="nx">context</span><span class="p">,</span>
+<span class="w">  </span><span class="nx">cumulativeSpentMinor</span><span class="o">:</span><span class="w"> </span><span class="s2">&quot;5000&quot;</span><span class="p">,</span><span class="w"> </span><span class="c1">// total minor-unit amount spent before this payment</span>
+<span class="p">});</span>
+</code></pre></div>
+<p>The session authority MUST maintain this counter. The verifier is stateless and will not track prior payments on its own.</p>
 <h2 id="environment-variables">Environment Variables</h2>
 <table>
 <thead>
@@ -1670,6 +1703,18 @@ <h2 id="environment-variables">Environment Variables</h2>
 <td>MPCP_SPA_SIGNING_KEY_ID</td>
 <td>Key identifier (default: mpcp-spa-signing-key-1)</td>
 </tr>
+<tr>
+<td>MPCP_POLICY_GRANT_SIGNING_PRIVATE_KEY_PEM</td>
+<td>Private key for signing PolicyGrants</td>
+</tr>
+<tr>
+<td>MPCP_POLICY_GRANT_SIGNING_PUBLIC_KEY_PEM</td>
+<td>Public key for verifying PolicyGrant signatures (when set, unsigned grants are rejected)</td>
+</tr>
+<tr>
+<td>MPCP_POLICY_GRANT_SIGNING_KEY_ID</td>
+<td>Key identifier (default: mpcp-policy-grant-signing-key-1)</td>
+</tr>
 </tbody>
 </table>
 <h2 id="see-also">See Also</h2>
 
@@ -1943,6 +1943,9 @@ <h2 id="vehicle-wallet-machine-wallet">Vehicle Wallet (Machine Wallet)</h2>
 <li>Executes settlement transactions</li>
 </ul>
 <p>The wallet is the MPCP actor that signs SignedBudgetAuthorization and SignedPaymentAuthorization.</p>
+<blockquote>
+<p><strong>Note on Vehicle Identity:</strong> The <code>vehicleId</code> field in SBA artifacts is self-reported by the wallet. Production deployments SHOULD establish vehicle attestation via device key binding (e.g., a hardware-backed key whose public key is registered with the fleet operator). Without attestation, <code>vehicleId</code> cannot be cryptographically verified and is informational only.</p>
+</blockquote>
 <h2 id="service-provider">Service Provider</h2>
 <p>The entity that receives payment for a service (parking, charging, tolls).</p>
 <p><strong>Responsibilities:</strong></p>
 
@@ -1620,6 +1620,56 @@
     </span>
   </a>
 
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#full-profile-security-requirements" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Full Profile Security Requirements
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Full Profile Security Requirements">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#policygrant-signing" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        PolicyGrant Signing
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#policyhash-length" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        policyHash Length
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#spa-nonce" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        SPA Nonce
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
 
         <li class="md-nav__item">
@@ -1988,6 +2038,56 @@
     </span>
   </a>
 
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#full-profile-security-requirements" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Full Profile Security Requirements
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Full Profile Security Requirements">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#policygrant-signing" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        PolicyGrant Signing
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#policyhash-length" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        policyHash Length
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#spa-nonce" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        SPA Nonce
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
 
         <li class="md-nav__item">
@@ -2110,6 +2210,18 @@ <h2 id="optional-intent-attestation-layer-ial">Optional: Intent Attestation Laye
 <p>Full profile deployments may additionally publish the <code>intentHash</code> to the Intent Attestation Layer (IAL) before settlement execution. This creates a timestamped, tamper-evident public record that the commitment existed prior to the transaction, enabling third-party dispute resolution.</p>
 <p>See <a href="../../protocol/anchoring/">Anchoring</a> for the IAL integration specification.</p>
 <hr />
+<h2 id="full-profile-security-requirements">Full Profile Security Requirements</h2>
+<h3 id="policygrant-signing">PolicyGrant Signing</h3>
+<p>In Full Profile deployments, PolicyGrants MUST be signed by the policy authority. Configure <code>MPCP_POLICY_GRANT_SIGNING_PUBLIC_KEY_PEM</code> on the verifier; unsigned grants will be rejected.</p>
+<h3 id="policyhash-length">policyHash Length</h3>
+<p><code>policyHash</code> MUST be a full SHA-256 hash (64 lowercase hex characters), computed as:</p>
+<div class="highlight"><pre><span></span><code>policyHash = SHA256(&quot;MPCP:Policy:1.0:&quot; || canonicalJson(policyDocument))
+</code></pre></div>
+<p>Short or truncated hashes are rejected in Full Profile deployments. The minimum accepted length is 12 hex characters; the full SHA-256 output (64 chars) is strongly recommended.</p>
+<h3 id="spa-nonce">SPA Nonce</h3>
+<p>The <code>nonce</code> field SHOULD be present in Full Profile SPAs. The reference implementation auto-generates a UUID nonce on every <code>createSignedPaymentAuthorization()</code> call.</p>
+<p>Recipients SHOULD record nonces to detect and reject replayed SPAs within the same session. The verifier itself does not track nonces (stateless model); nonce uniqueness enforcement is the responsibility of the session authority.</p>
+<hr />
 <h2 id="see-also">See Also</h2>
 <ul>
 <li><a href="../lite-profile/">Lite Profile</a> — SPA-only settlement binding</li>
 
@@ -1581,6 +1581,45 @@
     </span>
   </a>
 
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#security-considerations" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Security Considerations
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Security Considerations">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#backend-substitution-risk" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Backend Substitution Risk
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#memo-and-metadata" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Memo and Metadata
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
 
         <li class="md-nav__item">
@@ -1966,6 +2005,45 @@
     </span>
   </a>
 
+</li>
+      
+        <li class="md-nav__item">
+  <a href="#security-considerations" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Security Considerations
+      
+    </span>
+  </a>
+  
+    <nav class="md-nav" aria-label="Security Considerations">
+      <ul class="md-nav__list">
+        
+          <li class="md-nav__item">
+  <a href="#backend-substitution-risk" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Backend Substitution Risk
+      
+    </span>
+  </a>
+  
+</li>
+        
+          <li class="md-nav__item">
+  <a href="#memo-and-metadata" class="md-nav__link">
+    <span class="md-ellipsis">
+      
+        Memo and Metadata
+      
+    </span>
+  </a>
+  
+</li>
+        
+      </ul>
+    </nav>
+  
 </li>
 
         <li class="md-nav__item">
@@ -2090,6 +2168,17 @@ <h2 id="spa-structure">SPA Structure</h2>
 <hr />
 <h2 id="verification-behavior">Verification Behavior</h2>
 <p>Step 3 of the MPCP verification algorithm (intent binding) is skipped when <code>intentHash</code> is absent. All other verification steps apply in full.</p>
+<p>The verification report will include:</p>
+<div class="highlight"><pre><span></span><code>Hash binding: NOT CHECKED (Lite Profile — intentHash absent)
+</code></pre></div>
+<p>The <code>hashBindingChecked</code> field in <code>VerificationReport</code> will be <code>false</code> when <code>intentHash</code> is absent.</p>
+<hr />
+<h2 id="security-considerations">Security Considerations</h2>
+<h3 id="backend-substitution-risk">Backend Substitution Risk</h3>
+<p>In Lite Profile deployments, a compromised backend can substitute payment amounts or destinations <strong>between policy authorization and settlement execution</strong> without invalidating the cryptographic chain. Only the fields explicitly carried in the SPA (rail, asset, amount, destination) are protected.</p>
+<p>Deployments that cannot tolerate this risk MUST use the Full Profile with <code>intentHash</code> binding.</p>
+<h3 id="memo-and-metadata">Memo and Metadata</h3>
+<p>Fields outside the SPA — memo content, ancillary metadata, extended transaction fields — receive no cryptographic protection in Lite Profile. If these fields affect business outcomes, use the Full Profile.</p>
 <hr />
 <h2 id="see-also">See Also</h2>
 <ul>