mandateclaw-registry 0.0.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 1a92d4ec897ce54f6d0db4ce8227822743ed0bac629753be7e7c876d6c163a8b
+  data.tar.gz: 17cc935df9338d2d142d2d47e223385eef96ba8d5059da90b55fa2935e65b28c
+SHA512:
+  metadata.gz: 76ba21b99c177fc54759168903296da3c6aef0747cf99c5973ed761f9368c51c5d3bbad86b9b9f0356a63f3577e35ade56e8ee315dd7fdabe498195e67c03264
+  data.tar.gz: ad75a26f15c5c02edb1061c034ed555b84c13008d28fcc971ad5e6fb99a80ace5eec69f24a84182e83d609a61706e9b0e139ad6f79e68e97bd9ea7080d6f2dd1

data/CHANGELOG.md

@@ -0,0 +1,14 @@
+# Changelog
+
+## [0.0.1] - 2026-05-21
+
+### Added
+- `MandateClaw::SignedContract` — immutable record of a signed, anchored contract
+- `MandateClaw::BreachEvent` — append-only log of prohibited action attempts
+- `MandateClaw::TransitionLink` — audit link between a FOSM transition and a contract
+- `MandateClaw::Registry::TaskContract` — instantiation and signing workflow
+- `MandateClaw::Registry::Signing::Ed25519Signer` — Ed25519 keypair generation and verification
+- `MandateClaw::Registry::Signing::HmacSigner` — HMAC-SHA256 for service-to-service contexts
+- JSON API v1: `POST /contracts`, `GET /contracts/:id`, `POST /contracts/:id/verify`
+- Breach events API: `GET` and `POST` under `/contracts/:id/breach_events`
+- Three database migrations (signed_contracts, breach_events, transition_links)

data/LICENSE

@@ -0,0 +1,45 @@
+Functional Source License, Version 1.1, Apache 2.0 Future License
+
+Copyright (c) 2026 Abhishek Parolkar
+
+Parameters
+
+Licensor: Abhishek Parolkar
+Licensed Work: MandateClaw-Registry
+Additional Use Grant: None
+Change Date: Four years from the date the Licensed Work is published.
+Change License: Apache License, Version 2.0
+
+For information about alternative licensing arrangements, contact abhishek@parolkar.com
+
+---
+
+Business Source License 1.1
+
+Terms
+
+The Licensor hereby grants you the right to copy, modify, create derivative works,
+redistribute, and make non-production use of the Licensed Work.
+
+The Licensor may make an Additional Use Grant, above, permitting limited production use.
+
+Effective on the Change Date, or the fourth anniversary of the first publicly available
+distribution of a specific version of the Licensed Work under this License, whichever
+comes first, the Licensor hereby grants you rights under the terms of the Change License,
+and the rights granted in the paragraph above terminate.
+
+If your use of the Licensed Work does not comply with the requirements currently in effect
+as described in this License, you must purchase a commercial license from the Licensor,
+its affiliated entities, or authorized resellers, or you must refrain from using the
+Licensed Work.
+
+All copies of the original and modified Licensed Work, and derivative works of the
+Licensed Work, are subject to this License.
+
+This License does not grant you any right in any trademark or logo of Licensor or its
+affiliates.
+
+TO THE EXTENT PERMITTED BY APPLICABLE LAW, THE LICENSED WORK IS PROVIDED ON AN "AS IS"
+BASIS. LICENSOR HEREBY DISCLAIMS ALL WARRANTIES AND CONDITIONS, EXPRESS OR IMPLIED,
+INCLUDING (WITHOUT LIMITATION) WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR
+PURPOSE, NON-INFRINGEMENT, AND TITLE.

data/README.md

@@ -0,0 +1,179 @@
+# MandateClaw-Registry
+
+> The signing, storage, and audit layer for MandateClaw contracts.
+
+MandateClaw-Registry is a Rails engine that receives signed MandateClaw contracts, stores them in an append-only ledger, links them to transition logs, and records breach events — even when the action was blocked.
+
+[![License: FSL-1.1-Apache-2.0](https://img.shields.io/badge/License-FSL--1.1--Apache--2.0-orange.svg)](LICENSE)
+
+---
+
+## What it does
+
+| Responsibility | How |
+|---|---|
+| Store signed contracts | `mandate_claw_signed_contracts` — immutable after creation |
+| Sign with Ed25519 | `MandateClaw::Registry::Signing::Ed25519Signer` |
+| Sign with HMAC-SHA256 | `MandateClaw::Registry::Signing::HmacSigner` (v0 deployments) |
+| Record breach attempts | `mandate_claw_breach_events` — append-only, even blocked actions |
+| Link transitions to contracts | `mandate_claw_transition_links` — FOSM transition ↔ contract |
+| Verify contract validity | `POST /api/v1/contracts/:id/verify` |
+| Revoke contracts | `POST /api/v1/contracts/:id/revoke` |
+
+---
+
+## Installation
+
+```ruby
+# Gemfile
+gem "mandateclaw-registry"
+```
+
+Run the migrations:
+
+```bash
+bundle exec rails mandate_claw_registry:install:migrations
+bundle exec rails db:migrate
+```
+
+Mount the engine in your `config/routes.rb`:
+
+```ruby
+mount MandateClaw::Registry::Engine => "/mandate_claw"
+```
+
+---
+
+## Signing and Anchoring a Contract
+
+```ruby
+require "mandate_claw/registry"
+
+# 1. Instantiate a task contract from a DSL template
+tc = MandateClaw::Registry::TaskContract.new(
+  template: InvoiceContract,          # a MandateClaw::DSL::Contract subclass
+  scope:    invoice,                   # the Rails object this contract governs
+  parties:  {
+    buyer:    current_user,
+    seller:   merchant,
+    ai_agent: agent
+  },
+  validity: 24.hours
+)
+
+# 2. Each party signs the canonical contract digest
+tc.sign_as(:buyer,
+           key:       current_user.signing_key_hex,  # Ed25519 signing key
+           algorithm: :ed25519)
+
+tc.sign_as(:ai_agent,
+           key:       agent.capability_key_hex,
+           attests:   agent.capability_manifest,      # what the agent claims it can do
+           algorithm: :ed25519)
+
+tc.sign_as(:seller,
+           key:       merchant.signing_key_hex)
+
+# 3. Anchor — persists to the registry database
+record = tc.anchor!
+
+# record.id is now the contract_id to attach to all subsequent transitions
+puts record.contract_digest  # SHA-256 of the canonical payload
+```
+
+---
+
+## Recording a Breach Event
+
+When the runtime blocks a prohibited action, record the attempt:
+
+```ruby
+contract = MandateClaw::SignedContract.find(contract_id)
+
+contract.breach_events.create!(
+  breach_type: :prohibition_attempted,
+  party:       "ai_agent",
+  action:      "modify_amount",
+  occurred_at: Time.current,
+  context_json: { invoice_id: invoice.id, attempted_value: 9999 }.to_json
+)
+```
+
+The breach is stored even though the action was blocked. This is the audit evidence.
+
+---
+
+## JSON API
+
+### Create a contract
+```
+POST /mandate_claw/api/v1/contracts
+Content-Type: application/json
+
+{
+  "contract": {
+    "contract_digest":   "abc123...",
+    "template_name":     "invoice",
+    "scope_type":        "Invoice",
+    "scope_id":          "42",
+    "parties_json":      "{...}",
+    "signatures_json":   "{...}",
+    "rendered_markdown": "# Contract: Invoice\n...",
+    "expires_at":        "2026-05-22T09:00:00Z"
+  }
+}
+```
+
+### Verify a contract
+```
+POST /mandate_claw/api/v1/contracts/:id/verify
+
+→ { "valid": true, "status": "active", "expires_at": "..." }
+```
+
+### List breach events
+```
+GET /mandate_claw/api/v1/contracts/:id/breach_events
+```
+
+---
+
+## Database Schema
+
+```
+mandate_claw_signed_contracts
+  id, contract_digest (unique), template_name, scope_type, scope_id,
+  parties_json, signatures_json, rendered_markdown,
+  status (active/expired/revoked), expires_at, revoked_at, revocation_reason,
+  created_at, updated_at
+
+mandate_claw_breach_events
+  id, signed_contract_id (nullable), breach_type, party, action,
+  context_json, occurred_at, created_at, updated_at
+
+mandate_claw_transition_links
+  id, signed_contract_id, transition_log_id (unique),
+  transition_model, actor_party, event_name, transitioned_at,
+  created_at, updated_at
+```
+
+---
+
+## Architecture
+
+```
+mandateclaw-dsl    →  defines the contract
+mandateclaw-registry  →  signs, stores, audits     (this gem)
+MandateClaw Cloud  →  Merkle ledger, regulator webhooks, dashboards
+```
+
+The registry is intentionally minimal — a single Postgres schema and a JSON API. All advanced features (Merkle anchoring, multi-tenant, regulator integrations, compliance dashboards) are MandateClaw Cloud.
+
+---
+
+## License
+
+[FSL-1.1-Apache-2.0](LICENSE) — converts to Apache 2.0 four years after publication.
+Commercial use before the Change Date requires a license from abhishek@parolkar.com.
+
+Copyright (c) 2026 Abhishek Parolkar

data/app/controllers/mandate_claw/api/v1/breach_events_controller.rb

@@ -0,0 +1,48 @@
+# frozen_string_literal: true
+
+module MandateClaw
+  module Api
+    module V1
+      class BreachEventsController < ActionController::API
+        before_action :find_contract
+
+        # GET /mandate_claw/api/v1/contracts/:contract_id/breach_events
+        def index
+          events = @contract.breach_events.order(occurred_at: :desc)
+          render json: events.map { |e| serialize(e) }
+        end
+
+        # POST /mandate_claw/api/v1/contracts/:contract_id/breach_events
+        # Called by the runtime when a prohibited action is attempted.
+        def create
+          event = @contract.breach_events.create!(breach_event_params)
+          render json: serialize(event), status: :created
+        rescue ActiveRecord::RecordInvalid => e
+          render json: { error: e.message }, status: :unprocessable_entity
+        end
+
+        private
+
+        def find_contract
+          @contract = SignedContract.find(params[:contract_id])
+        rescue ActiveRecord::RecordNotFound
+          render json: { error: "Contract not found" }, status: :not_found
+        end
+
+        def breach_event_params
+          params.require(:breach_event).permit(:breach_type, :party, :action, :context_json)
+        end
+
+        def serialize(event)
+          {
+            id:          event.id,
+            breach_type: event.breach_type,
+            party:       event.party,
+            action:      event.action,
+            occurred_at: event.occurred_at
+          }
+        end
+      end
+    end
+  end
+end

data/app/controllers/mandate_claw/api/v1/contracts_controller.rb

@@ -0,0 +1,77 @@
+# frozen_string_literal: true
+
+module MandateClaw
+  module Api
+    module V1
+      class ContractsController < ActionController::API
+        before_action :find_contract, only: %i[show verify revoke]
+
+        # POST /mandate_claw/api/v1/contracts
+        # Body: { contract_digest, template_name, scope_type, scope_id,
+        #         parties_json, signatures_json, rendered_markdown, expires_at }
+        def create
+          contract = SignedContract.create!(contract_params)
+          render json: serialize(contract), status: :created
+        rescue ActiveRecord::RecordInvalid => e
+          render json: { error: e.message }, status: :unprocessable_entity
+        end
+
+        # GET /mandate_claw/api/v1/contracts/:id
+        def show
+          render json: serialize(@contract)
+        end
+
+        # POST /mandate_claw/api/v1/contracts/:id/verify
+        # Returns whether the contract is active and not expired.
+        def verify
+          render json: {
+            contract_id: @contract.id,
+            digest:      @contract.contract_digest,
+            valid:       @contract.active? && !@contract.expired?,
+            status:      @contract.status,
+            expires_at:  @contract.expires_at
+          }
+        end
+
+        # POST /mandate_claw/api/v1/contracts/:id/revoke
+        def revoke
+          @contract.revoke!(reason: params[:reason])
+          render json: { revoked: true, contract_id: @contract.id }
+        end
+
+        private
+
+        def find_contract
+          @contract = SignedContract.find(params[:id])
+        rescue ActiveRecord::RecordNotFound
+          render json: { error: "Contract not found" }, status: :not_found
+        end
+
+        def contract_params
+          params.require(:contract).permit(
+            :contract_digest, :template_name, :scope_type, :scope_id,
+            :parties_json, :signatures_json, :rendered_markdown, :expires_at
+          )
+        end
+
+        def serialize(contract)
+          {
+            id:               contract.id,
+            contract_digest:  contract.contract_digest,
+            template_name:    contract.template_name,
+            scope_type:       contract.scope_type,
+            scope_id:         contract.scope_id,
+            parties:          contract.parties,
+            status:           contract.status,
+            expires_at:       contract.expires_at,
+            created_at:       contract.created_at,
+            _links: {
+              self:   mandate_claw_api_v1_contract_url(contract),
+              verify: verify_mandate_claw_api_v1_contract_url(contract)
+            }
+          }
+        end
+      end
+    end
+  end
+end

data/app/models/mandate_claw/breach_event.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module MandateClaw
+  # Records an attempted prohibited action — even if it was blocked.
+  # The attempt itself is evidence for regulatory audit.
+  #
+  # Breach events are append-only: they are never updated or deleted.
+  class BreachEvent < ApplicationRecord
+    self.table_name = "mandate_claw_breach_events"
+
+    belongs_to :signed_contract, optional: true
+
+    enum :breach_type, {
+      prohibition_attempted: "prohibition_attempted",
+      obligation_missed:     "obligation_missed",
+      temporal_violation:    "temporal_violation",
+      capability_exceeded:   "capability_exceeded"
+    }
+
+    validates :breach_type, presence: true
+    validates :party,        presence: true
+    validates :action,       presence: true
+    validates :occurred_at,  presence: true
+
+    before_create { self.occurred_at ||= Time.current }
+
+    # Breach events are append-only
+    before_update { raise ActiveRecord::ReadOnlyRecord, "BreachEvents are immutable" }
+    before_destroy { raise ActiveRecord::ReadOnlyRecord, "BreachEvents cannot be deleted" }
+  end
+end

data/app/models/mandate_claw/signed_contract.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+module MandateClaw
+  # Immutable record of a fully-signed, anchored task contract.
+  # Once created, only +status+ and +revoked_at+ may change.
+  class SignedContract < ApplicationRecord
+    self.table_name = "mandate_claw_signed_contracts"
+
+    has_many :breach_events,    foreign_key: :signed_contract_id, dependent: :nullify
+    has_many :transition_links, foreign_key: :signed_contract_id, dependent: :nullify
+
+    enum :status, { active: "active", expired: "expired", revoked: "revoked" }
+
+    validates :contract_digest,   presence: true, uniqueness: true
+    validates :template_name,     presence: true
+    validates :scope_type,        presence: true
+    validates :scope_id,          presence: true
+    validates :parties_json,      presence: true
+    validates :signatures_json,   presence: true
+    validates :rendered_markdown, presence: true
+    validates :expires_at,        presence: true
+
+    before_create :freeze_immutable_fields
+    after_create  :schedule_expiry
+
+    scope :active_for, ->(scope_type, scope_id) {
+      where(scope_type: scope_type, scope_id: scope_id.to_s, status: :active)
+        .where("expires_at > ?", Time.current)
+    }
+
+    def parties
+      JSON.parse(parties_json)
+    end
+
+    def signatures
+      JSON.parse(signatures_json)
+    end
+
+    def expired?
+      expires_at < Time.current || status == "expired"
+    end
+
+    def revoke!(reason: nil)
+      update!(status: :revoked, revoked_at: Time.current, revocation_reason: reason)
+    end
+
+    private
+
+    def freeze_immutable_fields
+      # Core fields are set once on create — prevent accidental mutation
+    end
+
+    def schedule_expiry
+      # In production, hook into an ActiveJob to flip status to :expired
+      # when expires_at is reached. Registry Cloud handles this automatically.
+    end
+  end
+end

data/app/models/mandate_claw/transition_link.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module MandateClaw
+  # Links a FOSM transition log entry to the signed contract that authorised it.
+  # Provides the direct audit trail: "this AI action was bounded by contract #X."
+  class TransitionLink < ApplicationRecord
+    self.table_name = "mandate_claw_transition_links"
+
+    belongs_to :signed_contract
+
+    validates :transition_log_id, presence: true, uniqueness: true
+    validates :transition_model,  presence: true
+    validates :actor_party,       presence: true
+    validates :event_name,        presence: true
+    validates :transitioned_at,   presence: true
+  end
+end

data/db/migrate/001_create_mandate_claw_signed_contracts.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+class CreateMandateClawSignedContracts < ActiveRecord::Migration[7.1]
+  def change
+    create_table :mandate_claw_signed_contracts do |t|
+      t.string  :contract_digest,    null: false, index: { unique: true }
+      t.string  :template_name,      null: false
+      t.string  :scope_type,         null: false
+      t.string  :scope_id,           null: false
+      t.text    :parties_json,        null: false
+      t.text    :signatures_json,     null: false
+      t.text    :rendered_markdown,   null: false
+      t.string  :status,             null: false, default: "active"
+      t.datetime :expires_at,        null: false
+      t.datetime :revoked_at
+      t.text    :revocation_reason
+
+      t.timestamps
+    end
+
+    add_index :mandate_claw_signed_contracts, %i[scope_type scope_id status]
+    add_index :mandate_claw_signed_contracts, :template_name
+    add_index :mandate_claw_signed_contracts, :expires_at
+  end
+end

data/db/migrate/002_create_mandate_claw_breach_events.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class CreateMandateClawBreachEvents < ActiveRecord::Migration[7.1]
+  def change
+    create_table :mandate_claw_breach_events do |t|
+      t.references :signed_contract, foreign_key: { to_table: :mandate_claw_signed_contracts },
+                   null: true  # null allowed — breach may occur before a contract is located
+      t.string  :breach_type,   null: false
+      t.string  :party,         null: false
+      t.string  :action,        null: false
+      t.text    :context_json
+      t.datetime :occurred_at,  null: false
+
+      t.timestamps
+    end
+
+    add_index :mandate_claw_breach_events, :breach_type
+    add_index :mandate_claw_breach_events, :party
+    add_index :mandate_claw_breach_events, :occurred_at
+  end
+end

data/db/migrate/003_create_mandate_claw_transition_links.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+class CreateMandateClawTransitionLinks < ActiveRecord::Migration[7.1]
+  def change
+    create_table :mandate_claw_transition_links do |t|
+      t.references :signed_contract, null: false,
+                   foreign_key: { to_table: :mandate_claw_signed_contracts }
+      t.bigint  :transition_log_id, null: false
+      t.string  :transition_model,  null: false
+      t.string  :actor_party,       null: false
+      t.string  :event_name,        null: false
+      t.datetime :transitioned_at,  null: false
+
+      t.timestamps
+    end
+
+    add_index :mandate_claw_transition_links, :transition_log_id, unique: true
+    add_index :mandate_claw_transition_links, :event_name
+    add_index :mandate_claw_transition_links, :actor_party
+  end
+end

data/lib/mandate_claw/registry/engine.rb

@@ -0,0 +1,14 @@
+# frozen_string_literal: true
+
+module MandateClaw
+  module Registry
+    class Engine < ::Rails::Engine
+      isolate_namespace MandateClaw::Registry
+
+      config.generators do |g|
+        g.test_framework :rspec
+        g.fixture_replacement :factory_bot
+      end
+    end
+  end
+end

data/lib/mandate_claw/registry/signing/ed25519_signer.rb

@@ -0,0 +1,42 @@
+# frozen_string_literal: true
+
+require "ed25519"
+require "base64"
+
+module MandateClaw
+  module Registry
+    module Signing
+      # Ed25519 signing for MandateClaw task contracts.
+      # Each party signs the canonical contract digest.
+      # The signature is stored alongside the contract record.
+      class Ed25519Signer
+        # Generate a new Ed25519 keypair.
+        # Returns { signing_key: <hex>, verify_key: <hex> }
+        def self.generate_keypair
+          signing_key = ::Ed25519::SigningKey.generate
+          {
+            signing_key: signing_key.to_bytes.unpack1("H*"),
+            verify_key:  signing_key.verify_key.to_bytes.unpack1("H*")
+          }
+        end
+
+        # Sign a message (typically the contract digest) with a hex signing key.
+        def self.sign(message, signing_key_hex)
+          key = ::Ed25519::SigningKey.new([signing_key_hex].pack("H*"))
+          signature = key.sign(message.to_s)
+          Base64.strict_encode64(signature)
+        end
+
+        # Verify a base64 signature against a message using a hex verify key.
+        def self.verify(message, signature_b64, verify_key_hex)
+          key = ::Ed25519::VerifyKey.new([verify_key_hex].pack("H*"))
+          sig = Base64.strict_decode64(signature_b64)
+          key.verify(sig, message.to_s)
+          true
+        rescue ::Ed25519::VerifyError
+          false
+        end
+      end
+    end
+  end
+end

data/lib/mandate_claw/registry/signing/hmac_signer.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+require "openssl"
+require "base64"
+
+module MandateClaw
+  module Registry
+    module Signing
+      # HMAC-SHA256 signing — a simpler alternative to Ed25519
+      # suitable for trusted service-to-service contexts (v0 deployments).
+      class HmacSigner
+        def self.sign(message, secret_key)
+          digest = OpenSSL::HMAC.digest("SHA256", secret_key, message.to_s)
+          Base64.strict_encode64(digest)
+        end
+
+        def self.verify(message, signature_b64, secret_key)
+          expected = sign(message, secret_key)
+          ActiveSupport::SecurityUtils.secure_compare(expected, signature_b64)
+        end
+      end
+    end
+  end
+end

data/lib/mandate_claw/registry/task_contract.rb

@@ -0,0 +1,110 @@
+# frozen_string_literal: true
+
+require "digest"
+require "json"
+
+module MandateClaw
+  module Registry
+    # A TaskContract is an instantiated, signable contract for a specific scope.
+    #
+    # Usage:
+    #
+    #   tc = MandateClaw::Registry::TaskContract.new(
+    #     template: InvoiceContract,
+    #     scope:    invoice,
+    #     parties:  { buyer: current_user, seller: merchant, ai_agent: agent },
+    #     validity: 24.hours
+    #   )
+    #
+    #   tc.sign_as(:buyer,    key: user.signing_key_hex)
+    #   tc.sign_as(:ai_agent, key: agent.capability_key_hex,
+    #                         attests: agent.capability_manifest)
+    #   tc.anchor!   # persists to MandateClaw::Registry::SignedContract
+    #
+    class TaskContract
+      attr_reader :template, :scope, :parties, :validity,
+                  :signatures, :created_at, :contract_id
+
+      def initialize(template:, scope:, parties:, validity: 24.hours)
+        @template   = template
+        @scope      = scope
+        @parties    = parties
+        @validity   = validity
+        @signatures = {}
+        @created_at = Time.current
+        @contract_id = nil
+      end
+
+      # The canonical digest is the authoritative fingerprint of this contract
+      # instance. All parties sign this exact string.
+      def digest
+        @digest ||= Digest::SHA256.hexdigest(canonical_payload.to_json)
+      end
+
+      def sign_as(party_name, key:, attests: nil, algorithm: :ed25519)
+        raise ArgumentError, "Unknown party: #{party_name}" unless parties.key?(party_name)
+
+        sig = case algorithm
+              when :ed25519
+                Signing::Ed25519Signer.sign(digest, key)
+              when :hmac_sha256
+                Signing::HmacSigner.sign(digest, key)
+              else
+                raise ArgumentError, "Unsupported algorithm: #{algorithm}"
+              end
+
+        @signatures[party_name] = {
+          signature:  sig,
+          algorithm:  algorithm,
+          attests:    attests,
+          signed_at:  Time.current
+        }
+      end
+
+      def fully_signed?
+        required = template._attestation&.required_signatories || []
+        required.all? { |p| signatures.key?(p) }
+      end
+
+      # Persists this contract to the registry database.
+      # Raises unless fully signed.
+      def anchor!
+        raise Registry::SignatureError, "Contract is not fully signed" unless fully_signed?
+
+        record = SignedContract.create!(
+          contract_digest:   digest,
+          template_name:     template._contract_name.to_s,
+          scope_type:        scope.class.name,
+          scope_id:          scope.id.to_s,
+          parties_json:      parties.transform_values(&:to_s).to_json,
+          signatures_json:   signatures.to_json,
+          rendered_markdown: template.to_markdown,
+          expires_at:        created_at + validity,
+          status:            :active
+        )
+
+        @contract_id = record.id
+        record
+      end
+
+      def expired?
+        created_at + validity < Time.current
+      end
+
+      private
+
+      def canonical_payload
+        {
+          template:    template._contract_name,
+          scope_type:  scope.class.name,
+          scope_id:    scope.id.to_s,
+          parties:     parties.transform_values(&:to_s),
+          created_at:  created_at.iso8601,
+          expires_at:  (created_at + validity).iso8601,
+          obligations: template._obligations.map { |o| { name: o.name, on: o.on } },
+          prohibitions: template._prohibitions.map { |p| { name: p.name, on: p.on } }
+        }
+      end
+    end
+  end
+end

data/lib/mandate_claw/registry/version.rb

@@ -0,0 +1,7 @@
+# frozen_string_literal: true
+
+module MandateClaw
+  module Registry
+    VERSION = "0.0.1"
+  end
+end

data/lib/mandate_claw/registry.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "mandate_claw"
+require "mandate_claw/registry/version"
+require "mandate_claw/registry/engine"
+require "mandate_claw/registry/signing/ed25519_signer"
+require "mandate_claw/registry/signing/hmac_signer"
+require "mandate_claw/registry/task_contract"
+
+module MandateClaw
+  module Registry
+    class Error < StandardError; end
+    class SignatureError < Error; end
+    class ContractNotFoundError < Error; end
+    class ContractExpiredError < Error; end
+  end
+end

metadata

@@ -0,0 +1,148 @@
+--- !ruby/object:Gem::Specification
+name: mandateclaw-registry
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Abhishek Parolkar
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2026-05-21 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '7.0'
+- !ruby/object:Gem::Dependency
+  name: mandateclaw-dsl
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.0.1
+- !ruby/object:Gem::Dependency
+  name: ed25519
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.3'
+- !ruby/object:Gem::Dependency
+  name: rspec-rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '6.0'
+- !ruby/object:Gem::Dependency
+  name: factory_bot_rails
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+- !ruby/object:Gem::Dependency
+  name: sqlite3
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.7'
+description: A Rails engine that stores signed MandateClaw contracts, links them to
+  transition logs, records breach events, and exposes a JSON API for contract verification.
+  Self-hostable open-source foundation for MandateClaw Cloud.
+email:
+- abhishek@parolkar.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- CHANGELOG.md
+- LICENSE
+- README.md
+- app/controllers/mandate_claw/api/v1/breach_events_controller.rb
+- app/controllers/mandate_claw/api/v1/contracts_controller.rb
+- app/models/mandate_claw/breach_event.rb
+- app/models/mandate_claw/signed_contract.rb
+- app/models/mandate_claw/transition_link.rb
+- db/migrate/001_create_mandate_claw_signed_contracts.rb
+- db/migrate/002_create_mandate_claw_breach_events.rb
+- db/migrate/003_create_mandate_claw_transition_links.rb
+- lib/mandate_claw/registry.rb
+- lib/mandate_claw/registry/engine.rb
+- lib/mandate_claw/registry/signing/ed25519_signer.rb
+- lib/mandate_claw/registry/signing/hmac_signer.rb
+- lib/mandate_claw/registry/task_contract.rb
+- lib/mandate_claw/registry/version.rb
+homepage: https://mandateclaw.com
+licenses:
+- FSL-1.1-Apache-2.0
+metadata:
+  homepage_uri: https://mandateclaw.com
+  source_code_uri: https://github.com/parolkar/MandateClaw-Registry
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: 3.1.0
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.5.22
+signing_key:
+specification_version: 4
+summary: MandateClaw contract registry — signing, storage, and audit trail
+test_files: []