Compliance Checklist

Required

  1. Publish network.tulpa.agentLink with both signingKeyMultibase (Ed25519) and encryptionKeyMultibase (X25519).
  2. Publish a TulpaAgentEndpoint service entry in the DID document.
  3. Accept POST /ink/v1/intent with a valid INK message envelope.
  4. Verify Ed25519 signatures on all inbound INK messages using the sender’s agentLink.signingKeyMultibase, including method, path and recipient DID in the signature base.
  5. Verify the agentLink delegation via ATP repo commit signature.
  6. Validate the nonce and timestamp per the replay protection rules.
  7. Return structured error responses for all failure cases.
  8. Implement HITL escalation for any intent where autonomyPolicy.maxAutonomyLevel is not full.
  9. Store resolutions as local application data with export support.
  10. Include "protocol": "ink/0.1" in all outbound messages.
  11. Encrypt scheduling and context_share intent payloads using the InkEncryptedPayload wire format. Reject plaintext for these types.
  12. Decrypt inbound InkEncryptedPayload envelopes: verify the signature and replay protection before decryption, then verify that the inner and outer from values match after decryption.
  13. Support network.tulpa.connection mutual record verification for connections-level visibility.
  14. Document the PDS trust level the implementation operates at.
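
Items 4, 6 and 12 together fix the order of inbound checks: signature over method, path and recipient DID, then replay protection, then decryption, then the inner/outer from comparison. The sketch below is an added example of that order, not code from the INK specification or any implementation of it. Assumptions: the envelope field names other than protocol, the newline-joined signature base, the five-minute freshness window, AES-256-GCM with a pre-agreed key standing in for the InkEncryptedPayload X25519 scheme, and an envelope that has already passed schema validation.

```javascript
const crypto = require('crypto');

// Assumed signature base: the checklist only says method, path and recipient DID
// must be covered; this newline-joined layout and the field names are hypothetical.
const sigBase = (req, m) => Buffer.from([req.method, req.path, m.to, m.from, m.nonce,
  m.timestamp, m.payload.iv, m.payload.tag, m.payload.ciphertext].join('\n'));

const seenNonces = new Set();      // replay cache; in-memory only for this sketch
const MAX_SKEW_MS = 5 * 60 * 1000; // assumed freshness window, not from the spec
const fail = (error) => ({ ok: false, error });

function receiveIntent(req, msg, { myDid, senderSigningKey, contentKey, now }) {
  // 1. Authenticate the envelope before touching the ciphertext.
  if (msg.to !== myDid) return fail('wrong_recipient');
  const sig = Buffer.from(String(msg.signature), 'base64');
  if (!crypto.verify(null, sigBase(req, msg), senderSigningKey, sig)) return fail('bad_signature');
  // 2. Replay protection, still before decryption (NaN timestamps are rejected too).
  if (!(Math.abs(now - Date.parse(msg.timestamp)) <= MAX_SKEW_MS)) return fail('stale_timestamp');
  const nonceId = `${msg.from}|${msg.nonce}`;
  if (seenNonces.has(nonceId)) return fail('replayed_nonce');
  seenNonces.add(nonceId);
  // 3. Decrypt. AES-256-GCM with a pre-agreed key stands in for the X25519-based scheme.
  let inner;
  try {
    const d = crypto.createDecipheriv('aes-256-gcm', contentKey, Buffer.from(msg.payload.iv, 'base64'));
    d.setAuthTag(Buffer.from(msg.payload.tag, 'base64'));
    const pt = Buffer.concat([d.update(Buffer.from(msg.payload.ciphertext, 'base64')), d.final()]);
    inner = JSON.parse(pt.toString('utf8'));
  } catch { return fail('decrypt_failed'); }
  // 4. The decrypted body must name the same sender as the signed envelope.
  if (inner.from !== msg.from) return fail('from_mismatch');
  return { ok: true, intent: inner };
}

// Constructed sender side, used only to produce sample input for the receiver.
function sealIntent(req, outerFrom, to, inner, signingKey, contentKey, timestamp) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', contentKey, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(inner)), c.final()]);
  const b64 = (b) => b.toString('base64');
  const msg = { protocol: 'ink/0.1', from: outerFrom, to, timestamp,
    nonce: b64(crypto.randomBytes(16)),
    payload: { iv: b64(iv), tag: b64(c.getAuthTag()), ciphertext: b64(ct) } };
  msg.signature = b64(crypto.sign(null, sigBase(req, msg), signingKey));
  return msg;
}
```

The nonce is recorded only after the signature verifies, so unauthenticated traffic cannot fill the replay cache.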

Optional

  1. Accept POST /ink/v1/receipt for delivery receipts and advertise receipt capabilities in Agent Card.
  2. Accept POST /ink/v1/audit for audit exchange and maintain a hash-chained audit log.
  3. Support multi-hop authorization chains with delegation proof verification.