ark-forge · desiorac · Mar 24, 2026 · Mar 24, 2026
diff --git a/tests/test_identity.py b/tests/test_identity.py
@@ -57,6 +57,7 @@ def test_proof_contains_identity():
     )
     assert proof["parties"]["agent_identity"] == "my-agent-v1"
     assert proof["parties"]["agent_version"] == "1.2.3"
+    assert proof["parties"]["agent_identity_verified"] is None
 
 
 # --- 2. Proof without identity headers ---
@@ -71,6 +72,25 @@ def test_proof_without_identity():
     )
     assert proof["parties"]["agent_identity"] is None
     assert proof["parties"]["agent_version"] is None
+    assert proof["parties"]["agent_identity_verified"] is None
+
+
+# --- 2b. Proof with verified DID ---
+
+def test_proof_with_verified_did():
+    """generate_proof with agent_identity_verified=True → flag present in parties."""
+    proof = generate_proof(
+        request_data={"target": "https://example.com"},
+        response_data={"result": "ok"},
+        payment_data={"transaction_id": "pi_test"},
+        timestamp="2026-01-01T00:00:00Z",
+        buyer_fingerprint="fp_abc",
+        seller="example.com",
+        agent_identity="did:web:example.com",
+        agent_identity_verified=True,
+    )
+    assert proof["parties"]["agent_identity"] == "did:web:example.com"
+    assert proof["parties"]["agent_identity_verified"] is True
 
 
 # --- 3. Shadow profile stores identity ---

diff --git a/trust_layer/proofs.py b/trust_layer/proofs.py
@@ -44,6 +44,7 @@ def generate_proof(
     seller: str = "",
     agent_identity: Optional[str] = None,
     agent_version: Optional[str] = None,
+    agent_identity_verified: Optional[bool] = None,
     upstream_timestamp: Optional[str] = None,
     receipt_content_hash: Optional[str] = None,
     provider_payment: Optional[dict] = None,
@@ -83,6 +84,7 @@ def generate_proof(
             "buyer_fingerprint": buyer_fingerprint,
             "seller": seller,
             "agent_identity": agent_identity,
+            "agent_identity_verified": agent_identity_verified if agent_identity_verified else None,
             "agent_version": agent_version,
         },
         "certification_fee": payment_data,
@@ -193,6 +195,7 @@ def get_public_proof(proof: dict) -> dict:
         "dispute_id": proof.get("dispute_id"),
         "transparency_log": proof.get("transparency_log"),
         "agent_identity": proof.get("parties", {}).get("agent_identity"),
+        "agent_identity_verified": proof.get("parties", {}).get("agent_identity_verified"),
         "seller": proof.get("parties", {}).get("seller"),
     }
     # Redact provider_payment: keep only type, hash, verification_status

diff --git a/trust_layer/proxy.py b/trust_layer/proxy.py
@@ -517,8 +517,10 @@ async def execute_proxy(
     # DID override: if the key has a cryptographically verified DID, it takes
     # precedence over any X-Agent-Identity header declared by the caller.
     verified_did = key_info.get("verified_did")
+    agent_identity_verified: Optional[bool] = None
     if verified_did:
         agent_identity = verified_did
+        agent_identity_verified = True
 
     # 2. Validate inputs
     currency = validate_currency(currency)
@@ -725,6 +727,7 @@ async def execute_proxy(
     proof_id = proof_id_for_debit
     proof = generate_proof(request_data, response_data, payment_data, timestamp, buyer_fingerprint, seller,
                            agent_identity=agent_identity, agent_version=agent_version,
+                           agent_identity_verified=agent_identity_verified,
                            upstream_timestamp=upstream_timestamp,
                            receipt_content_hash=receipt_content_hash,
                            provider_payment=provider_payment_record)