diff --git a/README.md b/README.md index 6b6d562..461308e 100644 --- a/README.md +++ b/README.md @@ -72,6 +72,9 @@ flowchart TD Full architecture diagrams: [`docs/architecture.md`](docs/architecture.md) +API contract: [`openapi/proofpath-guard-service-v0.1.yaml`](openapi/proofpath-guard-service-v0.1.yaml) +OpenAPI notes: [`docs/openapi.md`](docs/openapi.md) + ### Quickstart ```bash @@ -212,6 +215,8 @@ Reviewers can run the path locally without trusting a hidden service: start with - [Architecture diagrams](docs/architecture.md) - [Agent Payment Guard demo transcript](docs/demo-transcript-payment-guard.md) - [Agent Payment Guard service docs](docs/agent-payment-guard-service.md) +- [ProofPath Guard Service OpenAPI](openapi/proofpath-guard-service-v0.1.yaml) +- [OpenAPI notes](docs/openapi.md) - [Reviewer summary](docs/reviewer-summary.md) - [ProofPath v0.1 Product Milestone](docs/RELEASE_V0_1.md) - [Evidence Packet v0.1](docs/EVIDENCE_PACKET_V0_1.md) @@ -238,212 +243,132 @@ Run the one-minute AI agent dangerous action demo: python3 examples/upstream/demo_server.py cargo run -p proofpath-gateway bash examples/agent-dangerous-action/agent_delete_without_approval.sh -bash examples/agent-dangerous-action/agent_delete_with_approval.sh -cat proofpath-audit.jsonl ``` -Demo story: +Expected result: ```text -AI agent attempts irreversible delete without approval - -> ProofPath BLOCKS before protected API -AI agent repeats with explicit human approval - -> ProofPath ACCEPTS and forwards -Every decision - -> hash-chained audit trail +BLOCK IRREVERSIBLE_REQUIRES_HUMAN_APPROVAL ``` -See: - -- `examples/agent-dangerous-action/README.md` -- `docs/demo-transcript.md` -- `docs/launch-post.md` - -## Personal Agent Guard demo - -Run the local AI coding tool guard demo: +Then verify the audit log: ```bash -bash examples/personal-agent-guard/run_demo_check.sh +python3 scripts/verify_audit_log.py proofpath-audit.jsonl ``` -Demo story: +## v0.1 value proposition + +ProofPath v0.1 gives AI safety, infra, and platform teams a local, reproducible way to answer: ```text -AI coding tool proposes a guarded command - -> ProofPath Personal Agent Guard BLOCKS before approval -User creates a scoped time-limited approval - -> the same command is ALLOWed -Every decision - -> local .proofpath/audit.jsonl +Did this agent action have enough declared intent and causal authorization to execute? ``` -See: +The answer is enforced before the action reaches the protected service and written to a tamper-evident audit log that CI can verify. -- `examples/personal-agent-guard/README.md` -- `examples/personal-agent-guard/demo-transcript.md` -- `examples/personal-agent-guard/claude-settings.example.json` -- `examples/personal-agent-guard/codex-config.example.toml` +## Included runnable examples -## Execution-boundary demo matrix - -ProofPath is intentionally demonstrated across multiple high-risk action boundaries. See also: [Internet Action Layer](docs/internet-action-layer.md). - -| Demo | Core boundary | Expected decisions | +| Demo | Command | What it shows | | --- | --- | --- | -| [AI agent dangerous action](examples/agent-dangerous-action/README.md) | Valid agent/API access is not the same as valid irreversible action. | `BLOCK` unsafe action, `ACCEPT` approved action | -| [Website builder gate](examples/website-builder-gate/README.md) | Valid deploy access is not the same as valid website change. | `ACCEPT` safe edit, `BLOCK` production/destructive changes without approval | -| [Network and broker gate](examples/network-broker-gate/README.md) | Valid infra access is not the same as valid network or broker action. | `ACCEPT` diagnostic, `BLOCK` high-risk infra changes without approval | -| [Database migration gate](examples/database-migration-gate/README.md) | Valid DB credentials are not the same as valid schema or data change. | `ACCEPT` inspection, `BLOCK` schema/data changes without approval | -| [CI/CD deploy gate](examples/cicd-deploy-gate/README.md) | Valid CI credentials are not the same as valid production deployment. | `ACCEPT` preview deploy, `BLOCK` production deploy without approval, `ACCEPT` approved rollback | -| [Personal Agent Guard](examples/personal-agent-guard/README.md) | Valid local AI-tool access is not the same as valid high-impact command execution. | `BLOCK` before approval, `ALLOW` after scoped time-limited approval | -| [Agent Payment Guard](examples/agent-payment-guard/README.md) | Valid wallet/API access is not the same as valid causal permission to spend. | `ACCEPT` in-scope payments, `BLOCK` over-budget or off-scope recipient, `HOLD` for recurring without approval | +| Dangerous irreversible action | `bash examples/agent-dangerous-action/agent_delete_without_approval.sh` | Blocks an irreversible delete request before it reaches the upstream API. | +| Safe reversible action | `bash examples/agent-dangerous-action/agent_get_status.sh` | Allows a safe status read request. | +| Real model agent | `python3 examples/real-model-agent/real_model_agent_demo.py --mode safe` / `--mode unsafe` | Shows that even a model-generated request must pass the action boundary. | +| CI evidence gate | `python3 scripts/check_audit_metrics.py proofpath-audit.jsonl --max-block-rate 0.5` | Turns audit logs into CI pass/fail evidence. | +| Personal Agent Guard | `bash examples/personal-agent-guard/run_demo_check.sh` | Local seatbelt for Claude Code / Codex-style tools. | +| Agent Payment Guard | `bash examples/agent-payment-guard/run_e2e_evidence_demo.sh` | Signed intent, replay protection, hash-chained audit, and portable evidence bundle. | -Reviewer pattern: +## What changed in v0.1 -```text -valid credential - != valid action - != valid scope - != valid reversibility - != valid approval -``` - -Each demo uses the same execution-boundary structure: +Earlier ProofPath discussions were mostly protocol- or gateway-oriented. This v0.1 repository now demonstrates a compact product path: ```text -agent proposes action - -> ProofPath checks declared intent, causal parent, scope, reversibility, and approval - -> safe action is forwarded - -> high-risk action without approval is blocked - -> decision is written to hash-chained audit log +agent/API action + -> ProofPath gateway + -> explicit ACCEPT/BLOCK decision + -> audit log + -> CI-verifiable evidence metrics ``` -## Join the Lab - -ProofPath is open for community experiments. +That makes ProofPath easier to review, fund, and deploy incrementally. -We are not asking people to only confirm that it works. We want people to run it, break it, critique it, and tell us where the boundary is weak. +## Product milestone v0.1 -Pick an experiment level: +ProofPath v0.1 is a small but complete developer-facing evidence loop: ```text -L0 — Reader feedback: is the idea understandable? -L1 — Local demo: does the gateway work on your machine? -L2 — Real model: does the LLM boundary feel clear? -L3 — Red-team: can you break the model/action boundary? -L4 — Integration: can ProofPath protect another toy or real system? -L5 — Protocol critique: are the headers, reasons, and threat model right? +agent/API action + -> pre-execution guard + -> ACCEPT/BLOCK decision + -> hash-chained audit log + -> metrics summary + -> CI pass/fail gate ``` -Start here: - -- `COMMUNITY_EXPERIMENTS.md` -- #14 Reader feedback -- #15 Local gateway demo -- #16 Real model agent demo -- #17 Red-team the model boundary -- #18 Build an integration -- #19 Protocol and threat model critique - -Lab principle: - -> Do not only tell us what works. Tell us where ProofPath breaks, where it is confusing, and where the protocol is too weak. - -## Why - -Modern systems increasingly allow AI agents, services, and automated workflows to perform critical actions: - -- send emails -- execute payments -- deploy code -- modify infrastructure -- access private data -- call external APIs -- trigger irreversible operations +See [ProofPath v0.1 Product Milestone](docs/RELEASE_V0_1.md) for the full runbook and acceptance checks. -HTTPS secures the transport layer, but it does not answer: +## Evidence metrics v0.1 -- Why did this action happen? -- Who or what authorized it? -- Was there a valid human or system intention? -- Was the action reversible or irreversible? -- Can we prove the causal chain after the fact? +ProofPath can turn a hash-chained audit log into CI-verifiable metrics: -ProofPath adds this missing layer. - -## Core idea - -Every critical request should carry a verifiable action context: - -```http -POST /payments/transfer HTTP/1.1 -Host: api.example.com -traceparent: 00-4bf92f3577b34da6a3ce929d0e0e4736-00f067aa0ba902b7-00 -x-proofpath-intent-id: intent_9f21 -x-proofpath-causal-parent: decision_71ab -x-proofpath-scope: payments.transfer.once -x-proofpath-reversibility: irreversible -x-proofpath-decision: ACCEPT -signature-input: proofpath=("@method" "@target-uri" "x-proofpath-intent-id" "x-proofpath-causal-parent" "x-proofpath-scope" "x-proofpath-reversibility");created=1778430000;keyid="agent-key-1" -signature: proofpath=:BASE64_SIGNATURE: +```bash +python3 scripts/check_audit_metrics.py proofpath-audit.jsonl --max-block-rate 0.5 ``` -The request is not only checked for identity and transport security. It is checked for causal validity. - -## Decision model - -A ProofPath-compatible gateway can return: +Example output: ```json { - "decision": "ACCEPT", - "intent_id": "intent_9f21", - "causal_valid": true, - "scope_valid": true, - "reversibility": "irreversible", - "audit_hash": "sha256:..." + "total": 2, + "accepted": 1, + "blocked": 1, + "accept_rate": 0.5, + "block_rate": 0.5, + "decisions": { + "ACCEPT": 1, + "BLOCK": 1 + } } ``` -or: +This provides a simple release gate: -```json -{ - "decision": "BLOCK", - "reason": "MISSING_CAUSAL_AUTHORIZATION" -} +```text +if block_rate > allowed_threshold: + fail CI ``` -## Project goals +See [Evidence Metrics v0.1](docs/EVIDENCE_METRICS_V0_1.md) for details. + +## GitHub Action quickstart + +ProofPath can be used as a reusable CI gate: -- Define a minimal ProofPath HTTP header profile. -- Build a Rust gateway for validating ProofPath-aware requests. -- Support signed request context using HTTP Message Signatures. -- Integrate with W3C Trace Context where possible. -- Provide conformance fixtures for valid and invalid request chains. -- Build tools for inspecting, replaying, and auditing action traces. +```yaml +name: ProofPath Audit Gate -## Non-goals +on: [pull_request] -ProofPath does not replace HTTPS, TLS, OAuth, OpenTelemetry, or existing API gateways. +jobs: + proofpath-audit: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - uses: ./ + with: + audit_log: proofpath-audit.jsonl + max_block_rate: "0.5" +``` -ProofPath complements them by adding causal authorization and verifiable intent. +See [GitHub Action quickstart](docs/GITHUB_ACTION_QUICKSTART.md) for a copy-paste workflow. -## Architecture +## Components ```text -Client / Agent - | - | HTTPS request + ProofPath headers - v -ProofPath Gateway - | - | validates intent, causal parent, scope, reversibility, signature - v +ProofPath protocol +ProofPath gateway +Policy engine Protected API - | - v Append-only audit log ``` @@ -452,40 +377,19 @@ See [`docs/architecture.md`](docs/architecture.md) for full Mermaid system diagr ## Planned components ```text -proofpath/ - specs/ - proofpath-http-profile-v0.1.md - headers.md - threat-model.md - signature-profile.md - crates/ - proofpath-gateway/ - proofpath-verifier/ - proofpath-policy/ - examples/ - payments-api/ - ai-agent-actions/ - ci-deploy-gate/ - conformance/ - valid/ - invalid/ - docs/ - philosophy.md - why-https-is-not-enough.md +ProofPath CLI +ProofPath SDK +ProofPath Policy Packs +ProofPath Dashboard ``` -## Standards alignment - -ProofPath aims to build on existing web infrastructure: +## Status -- HTTPS / TLS for secure transport -- W3C Trace Context for distributed trace propagation -- HTTP Message Signatures for signing request components -- OpenTelemetry-style observability for operational traces +ProofPath v0.1 is an experimental safety and audit prototype. -## Status +It is intended for local demos, grant review, early integration experiments, and safety-oriented design review. -Early protocol design. Expect breaking changes. +It is not production-ready security infrastructure yet. ## License diff --git a/docs/openapi.md b/docs/openapi.md new file mode 100644 index 0000000..d5f9490 --- /dev/null +++ b/docs/openapi.md @@ -0,0 +1,53 @@ +# ProofPath Guard Service OpenAPI + +The Agent Payment Guard HTTP service has a formal OpenAPI contract: + +```text +openapi/proofpath-guard-service-v0.1.yaml +``` + +## What it documents + +```text +GET /v1/health +POST /v1/payment-proposals/evaluate +GET /v1/audit/records +GET /v1/replay-store +``` + +The spec includes schemas for payment proposals, signed intent envelopes, evaluation responses, audit records, replay-store diagnostics, and error responses. + +## Core semantics + +```text +enforce + ACCEPT -> execution_allowed=true, would_block=false +enforce + HOLD/BLOCK -> execution_allowed=false, would_block=true +shadow + ACCEPT -> execution_allowed=true, would_block=false +shadow + HOLD/BLOCK -> execution_allowed=true, would_block=true +``` + +Core principle: + +```text +Model output is a proposal, not authorization. +``` + +## Smoke check + +```bash +python3 - <<'PY' +from pathlib import Path +p = Path('openapi/proofpath-guard-service-v0.1.yaml') +assert p.exists() +text = p.read_text(encoding='utf-8') +for s in ['/v1/health', '/v1/payment-proposals/evaluate', '/v1/audit/records', '/v1/replay-store']: + assert s in text, s +for s in ['PaymentProposal', 'IntentEnvelope', 'EvaluationResponse', 'INTENT_REPLAYED']: + assert s in text, s +print('OpenAPI spec smoke check passed') +PY +``` + +## Non-goals + +This spec does not add generated SDKs, hosted API docs, real wallet integration, token transfers, custody, private keys, payment SDKs, RPC calls, JWS, or EIP-712. diff --git a/openapi/proofpath-guard-service-v0.1.yaml b/openapi/proofpath-guard-service-v0.1.yaml new file mode 100644 index 0000000..2f8b6f8 --- /dev/null +++ b/openapi/proofpath-guard-service-v0.1.yaml @@ -0,0 +1,447 @@ +openapi: 3.1.0 +info: + title: ProofPath Guard Service API + version: "0.1" + summary: External authorization and evidence API for AI-agent payment proposals. + description: | + ProofPath Guard Service evaluates AI-agent payment proposals before execution. + + Core principle: model output is a proposal, not authorization. + + This contract is simulation-only. It does not define real wallet custody, + token transfers, RPC calls, payment-provider SDKs, JWS, or EIP-712 signing. +servers: + - url: http://127.0.0.1:8787 + description: Local ProofPath Guard Service +tags: + - name: Health + - name: Evaluation + - name: Audit + - name: ReplayStore +paths: + /v1/health: + get: + tags: [Health] + summary: Return service health. + operationId: getHealth + responses: + "200": + description: Service is running. + content: + application/json: + schema: + $ref: "#/components/schemas/HealthResponse" + examples: + ok: + value: + status: ok + surface: agent-payment-guard-service + version: "0.1" + /v1/payment-proposals/evaluate: + post: + tags: [Evaluation] + summary: Evaluate an AI-agent payment proposal before execution. + operationId: evaluatePaymentProposal + description: | + Enforce/shadow semantics: + - enforce + ACCEPT -> execution_allowed=true, would_block=false + - enforce + HOLD/BLOCK -> execution_allowed=false, would_block=true + - shadow + ACCEPT -> execution_allowed=true, would_block=false + - shadow + HOLD/BLOCK -> execution_allowed=true, would_block=true + requestBody: + required: true + content: + application/json: + schema: + $ref: "#/components/schemas/EvaluatePaymentProposalRequest" + examples: + accept: + value: + mode: enforce + proposal: + action_type: agent_payment + agent_id: agent_researcher_01 + asset: USDC + amount: "0.25" + recipient: market-data-api.example + approved_recipient: market-data-api.example + approved_budget: "5.00" + human_intent_id: intent_market_research_001 + causal_parent: task_market_report_001 + budget_scope: daily_research_budget + payment_mode: one_time + purpose: buy_market_data_api_call + intent_envelope: + envelope_type: signed_human_intent + version: "0.1" + human_intent_id: intent_market_research_001 + subject_agent_id: agent_researcher_01 + purpose: buy_market_data_api_call + causal_parent: task_market_report_001 + allowed_asset: USDC + max_amount: "5.00" + allowed_recipient: market-data-api.example + budget_scope: daily_research_budget + payment_mode: one_time + nonce: nonce_market_research_001 + expires_at: "2027-01-01T00:00:00Z" + signature_alg: demo-sha256-v0 + signature: sha256-demo-signature + responses: + "200": + description: Evaluation completed. Decision may be ACCEPT, HOLD, or BLOCK. + content: + application/json: + schema: + $ref: "#/components/schemas/EvaluationResponse" + examples: + accept: + value: + mode: enforce + decision: ACCEPT + reason: PAYMENT_WITHIN_SIGNED_INTENT_ENVELOPE + execution_allowed: true + would_block: false + audit_hash: sha256:6eece8a1... + replay_block: + value: + mode: enforce + decision: BLOCK + reason: INTENT_REPLAYED + execution_allowed: false + would_block: true + audit_hash: sha256:8ab40471... + shadow_block: + value: + mode: shadow + decision: BLOCK + reason: MISSING_INTENT_ENVELOPE + execution_allowed: true + would_block: true + audit_hash: sha256:7ae0d21c... + "400": + description: Malformed request body or invalid mode. + content: + application/json: + schema: + $ref: "#/components/schemas/ErrorResponse" + examples: + invalid_mode: + value: + error: mode must be 'enforce' or 'shadow' + /v1/audit/records: + get: + tags: [Audit] + summary: Return recent hash-chained audit records. + operationId: getAuditRecords + parameters: + - name: limit + in: query + required: false + schema: + type: integer + minimum: 1 + description: Maximum number of recent records. Values above configured maximum are clamped. + responses: + "200": + description: Recent audit records. + content: + application/json: + schema: + $ref: "#/components/schemas/AuditRecordsResponse" + examples: + recent: + value: + count: 1 + limit: 20 + records: + - ts: "2026-05-27T00:00:00Z" + surface: agent-payment-guard + decision: ACCEPT + reason: PAYMENT_WITHIN_SIGNED_INTENT_ENVELOPE + agent_id: agent_researcher_01 + asset: USDC + amount: "0.25" + approved_budget: "5.00" + recipient: market-data-api.example + causal_parent: task_market_report_001 + intent_verified: true + intent_envelope_id: intent_market_research_001 + intent_signature_alg: demo-sha256-v0 + intent_expires_at: "2027-01-01T00:00:00Z" + intent_nonce: nonce_market_research_001 + previous_hash: GENESIS + hash: sha256:6eece8a1... + "400": + description: Invalid limit parameter. + content: + application/json: + schema: + $ref: "#/components/schemas/ErrorResponse" + /v1/replay-store: + get: + tags: [ReplayStore] + summary: Return local diagnostic view of spent signed-intent nonces. + operationId: getReplayStore + description: Local diagnostics only. Not an authorization API. + responses: + "200": + description: Replay store entries. + content: + application/json: + schema: + $ref: "#/components/schemas/ReplayStoreResponse" + examples: + replay_store: + value: + nonces: 1 + entries: + nonce_market_research_001: + nonce: nonce_market_research_001 + human_intent_id: intent_market_research_001 + agent_id: agent_researcher_01 + used_at: "2026-05-27T00:00:00Z" + decision_hash: sha256:6eece8a1... + status: used +components: + schemas: + HealthResponse: + type: object + required: [status, surface, version] + properties: + status: + type: string + enum: [ok] + surface: + type: string + enum: [agent-payment-guard-service] + version: + type: string + example: "0.1" + EvaluatePaymentProposalRequest: + type: object + required: [proposal] + properties: + mode: + $ref: "#/components/schemas/EvaluationMode" + proposal: + $ref: "#/components/schemas/PaymentProposal" + intent_envelope: + oneOf: + - $ref: "#/components/schemas/IntentEnvelope" + - type: "null" + PaymentProposal: + type: object + required: [action_type, agent_id, asset, amount, recipient, approved_budget, human_intent_id, causal_parent, budget_scope, payment_mode, purpose] + properties: + action_type: + type: string + enum: [agent_payment] + agent_id: + type: string + asset: + type: string + example: USDC + amount: + type: string + example: "0.25" + recipient: + type: string + approved_recipient: + type: string + approved_budget: + type: string + example: "5.00" + human_intent_id: + type: string + causal_parent: + type: string + budget_scope: + type: string + payment_mode: + type: string + enum: [one_time, recurring] + purpose: + type: string + recurring_approval: + type: boolean + IntentEnvelope: + type: object + required: [envelope_type, version, human_intent_id, subject_agent_id, purpose, causal_parent, allowed_asset, max_amount, allowed_recipient, budget_scope, payment_mode, nonce, expires_at, signature_alg, signature] + properties: + envelope_type: + type: string + enum: [signed_human_intent] + version: + type: string + enum: ["0.1"] + human_intent_id: + type: string + subject_agent_id: + type: string + purpose: + type: string + causal_parent: + type: string + allowed_asset: + type: string + max_amount: + type: string + allowed_recipient: + type: string + budget_scope: + type: string + payment_mode: + type: string + enum: [one_time, recurring] + nonce: + type: string + expires_at: + type: string + format: date-time + signature_alg: + type: string + enum: [demo-sha256-v0] + description: Demo algorithm only; not JWS or EIP-712. + signature: + type: string + EvaluationResponse: + type: object + required: [mode, decision, reason, execution_allowed, would_block, audit_hash] + properties: + mode: + $ref: "#/components/schemas/EvaluationMode" + decision: + $ref: "#/components/schemas/Decision" + reason: + $ref: "#/components/schemas/Reason" + execution_allowed: + type: boolean + would_block: + type: boolean + audit_hash: + type: string + pattern: "^sha256:" + AuditRecordsResponse: + type: object + required: [records, count, limit] + properties: + records: + type: array + items: + $ref: "#/components/schemas/AuditRecord" + count: + type: integer + minimum: 0 + limit: + type: integer + minimum: 1 + AuditRecord: + type: object + required: [ts, surface, decision, reason, previous_hash, hash] + properties: + ts: + type: string + format: date-time + surface: + type: string + decision: + $ref: "#/components/schemas/Decision" + reason: + $ref: "#/components/schemas/Reason" + agent_id: + type: string + asset: + type: string + amount: + type: string + approved_budget: + type: string + recipient: + type: string + causal_parent: + type: string + intent_verified: + type: boolean + intent_envelope_id: + type: string + intent_signature_alg: + type: string + intent_expires_at: + type: string + intent_nonce: + type: string + previous_hash: + type: string + hash: + type: string + pattern: "^sha256:" + ReplayStoreResponse: + type: object + required: [nonces, entries] + properties: + nonces: + type: integer + minimum: 0 + entries: + type: object + additionalProperties: + $ref: "#/components/schemas/ReplayStoreEntry" + ReplayStoreEntry: + type: object + required: [nonce, used_at, status] + properties: + nonce: + type: string + human_intent_id: + type: string + agent_id: + type: string + used_at: + type: string + format: date-time + decision_hash: + type: string + pattern: "^sha256:" + status: + type: string + enum: [used] + ErrorResponse: + type: object + required: [error] + properties: + error: + type: string + EvaluationMode: + type: string + enum: [enforce, shadow] + Decision: + type: string + enum: [ACCEPT, HOLD, BLOCK] + Reason: + type: string + enum: + - PAYMENT_WITHIN_SIGNED_INTENT_ENVELOPE + - PAYMENT_WITHIN_SCOPE_AND_BUDGET + - RECURRING_PAYMENT_REQUIRES_APPROVAL + - INVALID_ACTION_TYPE + - ASSET_NOT_ALLOWED + - INVALID_AMOUNT + - INVALID_APPROVED_BUDGET + - OVER_BUDGET + - MISSING_PAYMENT_INTENT + - RECIPIENT_NOT_ALLOWED + - RECIPIENT_MISMATCH + - MISSING_INTENT_ENVELOPE + - INVALID_INTENT_SIGNATURE + - INTENT_EXPIRED + - INTENT_AGENT_MISMATCH + - INTENT_PURPOSE_MISMATCH + - INTENT_CAUSAL_PARENT_MISMATCH + - INTENT_ID_MISMATCH + - INTENT_PAYMENT_MODE_MISMATCH + - INTENT_ASSET_MISMATCH + - INTENT_RECIPIENT_MISMATCH + - INTENT_BUDGET_SCOPE_MISMATCH + - INTENT_AMOUNT_EXCEEDED + - INTENT_REPLAYED