R+3 · Tamper-Evident Audit Export Standard

Aggregate audit bundles
over R+2 receipts.

R+3 is the export layer that turns thousands or millions of R+2 receipts into a single, signed, Merkle-rooted audit bundle — regulator-ready, optionally on-chain-anchored, and cryptographically verifiable end-to-end. Where R+2 makes every agent action signable, R+3 makes every audit period provable.

Draft · v0.1.0 Submitted to: Anthropic Standards Program, MeitY (India), ISRO. Built on: R+2 v0.1.0. License: MIT.
NEW · v0.1 · MAY 20, 2026
R+4 · Federated Zero-Knowledge Verification
Prove compliance over R+3 audit bundles without revealing the underlying receipts. Multi-issuer, privacy-preserving. Constant-size ~200-byte proofs, < 10 ms to verify.
Read R+4 spec
Version
v0.1.0
Status
Draft
License
MIT
Depends on
R+2 v0.1.0
First emitted
May 2026
Signature
Ed25519
Tree
SHA-256 Merkle
Anchor (optional)
Base mainnet

Contents

  1. Motivation
  2. Relationship to R+2
  3. Terminology
  4. Audit Bundle Format
  5. Merkle Tree Construction
  6. Signature Scheme
  7. On-Chain Anchor
  8. Verification Procedure
  9. Security Considerations
  10. Privacy Considerations
  11. Compliance Mappings
  12. Example Export

§1 Motivation

R+2 receipts are individually signed. They prove that a specific action occurred, was authorised, and has not been tampered with. They are emitted cheaply, automatically, and at high frequency — one per agent action.

But auditors do not consume single events. They consume periods. A compliance officer asks: "Show me everything Agent X did in Q1 2026, with proof that the record is complete and intact." A regulator asks: "Prove that no records were silently deleted between January and March." A Series-A investor asks: "Show me a verifiable settlement ledger across the last 90 days."

Answering those questions from raw R+2 receipts is feasible but expensive. The auditor would have to fetch every receipt, verify every signature, walk the hash chain, and trust that no receipts are missing. That is not how regulators work — and it does not scale beyond a few hundred receipts.

R+3 solves this by producing aggregate bundles. An R+3 export contains:

key property A single 32-byte Merkle root, anchored once on-chain, mathematically commits the issuer to every R+2 receipt in the bundle. The regulator can verify any individual receipt with a logarithmic-size Merkle proof — they never need to download the full bundle.

§2 Relationship to R+2

R+3 is strictly an aggregation and export layer on top of R+2. It introduces no new signing scheme for individual actions, no new cryptographic primitives, and no new identity model. R+2 receipts are the source data; R+3 exports are the bundled, signed, regulator-ready output.

Layered architecture

┌──────────────────────────────────────────────────────────┐
│  R+3  · Audit Bundle
 Merkle root + signature + optional on-chain anchor
 Time-range aggregate over many R+2 receipts
├──────────────────────────────────────────────────────────┤
│  R+2  · Signed Action Receipt
 ed25519 + RFC 8785 canonical JSON + hash chain
 One receipt per agent action
└──────────────────────────────────────────────────────────┘

An R+3 export does not modify R+2 receipts. It commits to them via Merkle root. R+2 receipts remain individually verifiable using the R+2 verification procedure (see /standard §6).

design principle An R+3 export must be useful even if the issuer goes offline. Once anchored on-chain, a third party can verify any R+2 receipt within the bundle using nothing but the on-chain anchor, the Merkle proof, and the R+2 receipt itself.

§3 Terminology

The key words MUST, MUST NOT, REQUIRED, SHALL, SHOULD, and MAY are interpreted as in BCP 14 [RFC 2119] and [RFC 8174].

TermDefinitionNotes
Audit Bundle A single R+3 export object covering a defined time range, optionally a defined principal or scope filter.
Merkle Root The 32-byte SHA-256 root of a binary Merkle tree whose leaves are the canonical hashes of the included R+2 receipts. See §5
Anchor An on-chain transaction whose calldata contains the Merkle root of an R+3 bundle. Optional but RECOMMENDED for sensitive audits
Issuer The principal that signs the bundle. Typically the operator running the R+2-emitting agents.
Bundle Sequence A monotonically increasing integer identifying this bundle within an issuer's series. Per-issuer counter
Predecessor Hash The canonical hash of the immediately preceding R+3 bundle by the same issuer. Forms an inter-bundle hash chain
Scope Filter An optional clause restricting which R+2 receipts are included (by agent_id, action_type, or metadata predicate). See §4.3

§4 Audit Bundle Format

An R+3 bundle is a single canonical JSON document (per RFC 8785) with the following structure.

4.1 Top-level fields

FieldTypeDescriptionRequired
versionstringSpec version. MUST be "r+3/0.1.0" for this version.Yes
export_idUUIDGlobally unique identifier for this bundle. MUST be a UUIDv4.Yes
issuerDIDDecentralised identifier of the issuing principal. Format did:dcs:base:<identifier> or did:web:<host>.Yes
sequenceuint64Bundle sequence number for this issuer, starting at 1 and incrementing by 1 for each subsequent bundle.Yes
predecessor_hashstringSHA-256 hash of the previous bundle by this issuer, formatted "sha256:<hex>". The genesis bundle MUST use "sha256:0000…0000".Yes
time_rangeobjectUTC start and end timestamps that define the inclusion window. See §4.2.Yes
scopeobjectOPTIONAL filter restricting which R+2 receipts are included. See §4.3.No
receipts_countuint64Number of R+2 receipts committed to by merkle_root.Yes
merkle_rootstringSHA-256 root of the receipt Merkle tree, formatted "sha256:<hex>".Yes
merkle_constructionstringMUST be "binary-sha256-rfc8785" for this version.Yes
anchorobjectOPTIONAL on-chain anchor. See §7.No
bundle_uristringURI where the full receipt list and Merkle path table can be fetched. SHOULD be IPFS for permanence.Yes
signatureobjectEd25519 signature over the canonicalised bundle, excluding the signature field itself.Yes

4.2 Time range

The time_range object SHALL contain:

The bundle MUST include every R+2 receipt where from ≤ receipt.timestamp < to, subject to scope. The bundle MUST NOT include receipts outside this window.

4.3 Scope filter (optional)

An optional scope object MAY filter the included receipts. Defined filter types:

If scope is absent, all receipts in the time window MUST be included. If scope is present, the filter rules apply with OR semantics within a field and AND across fields.

important Once a bundle is signed and anchored, the issuer MUST NOT issue a different bundle covering the same (issuer, sequence) tuple. Auditors MAY treat any conflicting bundle as evidence of tampering.

§5 Merkle Tree Construction

R+3 v0.1 uses a deterministic binary SHA-256 Merkle tree with RFC 8785-canonicalised leaves.

5.1 Leaf hash

For each R+2 receipt to be included:

  1. Canonicalise the receipt JSON per RFC 8785 (excluding the receipt's own signature field, which is already part of the canonical content of the signed receipt — verifiers MUST canonicalise the receipt including its signature for the leaf hash)
  2. Compute leaf_hash = SHA-256(canonical_bytes)

5.2 Pair hash

For internal nodes, concatenate the left and right child hashes as raw bytes and hash:

pair_hash = SHA-256(left_hash || right_hash)

5.3 Odd-node padding

If a level has an odd number of nodes, the final node MUST be duplicated. (Equivalent to Bitcoin Merkle tree construction.)

5.4 Leaf ordering

Leaves MUST be ordered by:

  1. Primary: ascending receipt.timestamp
  2. Secondary: ascending receipt.action_id (UUIDv4 lexicographic)

This ordering is deterministic and reproducible by any verifier with access to the receipt set.

5.5 Empty bundle

An R+3 bundle with receipts_count = 0 is permitted (e.g. for "no activity in this period" audits). The merkle_root for an empty bundle SHALL be "sha256:0000000000000000000000000000000000000000000000000000000000000000".

§6 Signature Scheme

R+3 bundles are signed using Ed25519 (RFC 8032). The signature commits to the canonical JSON of the entire bundle object except the signature field.

6.1 Signing procedure

  1. Remove the signature field if present
  2. Canonicalise the remaining object per RFC 8785
  3. Sign the resulting bytes with the issuer's Ed25519 private key
  4. Set signature to the structure below

6.2 Signature object

"signature": {
  "alg": "ed25519",
  "key_id": "did:dcs:base:issuer-prod#auditor-key-2026-05",
  "sig": "<base64url-encoded 64-byte signature>"
}

The key_id MUST resolve to a public key via DID Document resolution. R+3 verifiers SHOULD cache the resolved public key for the duration of the bundle's signature validity.

§7 On-Chain Anchor (optional)

An R+3 bundle MAY include an anchor object recording an on-chain transaction whose calldata contains the bundle's merkle_root. This makes the bundle's commitment publicly verifiable forever, independent of the issuer.

7.1 Anchor object

"anchor": {
  "chain": "base-mainnet",
  "tx_hash": "0x61f6d9019dd3503eafdc5ffc0f0335f05abce8bf19ac50d4e78369226a7211a1",
  "block_number": 12345678,
  "contract": "0xbDd1f5fC349D9a8EfCEb07Edbd491233b2540f5F",
  "method": "anchorMerkleRoot(bytes32,bytes32)",
  "params": {
    "root": "0xabc...123",
    "export_id": "0xdef...456"
  }
}

7.2 Anchor verification

A verifier with on-chain access SHOULD:

  1. Fetch the transaction at tx_hash
  2. Confirm it called contract with method method
  3. Decode the parameters and confirm params.root matches the bundle's merkle_root (modulo the sha256: prefix)
  4. Confirm the block number is final (sufficient confirmations for the chain's safety model)

7.3 Anchor contract

The reference anchor contract on Base mainnet accepts (bytes32 root, bytes32 export_id) tuples and emits an AnchorAdded event. The contract is intentionally minimal: it stores nothing and verifies nothing. The on-chain record exists only to make the calldata indelibly visible.

cost Base mainnet calldata anchoring is approximately 0.00005 ETH (≈ $0.10 at 2026-05 prices) per bundle. A daily-anchored R+3 export costs less than $40 per year in gas.

§8 Verification Procedure

To verify an R+3 bundle:

8.1 Bundle-level verification

  1. Resolve signature.key_id to a public key via DID Document resolution
  2. Remove signature, canonicalise the bundle, and verify the Ed25519 signature
  3. Validate that predecessor_hash matches the canonical hash of the previous bundle in the issuer's series (or is the genesis zero hash)
  4. If anchor is present, perform anchor verification per §7.2

8.2 Receipt inclusion verification

To prove that a specific R+2 receipt is included in an R+3 bundle:

  1. Compute the leaf hash for the receipt per §5.1
  2. Obtain the Merkle path (siblings from leaf to root) from the bundle's bundle_uri
  3. Walk the path, hashing pairwise, and check that the final hash equals the bundle's merkle_root
  4. Independently verify the receipt's R+2 signature per the R+2 specification

A successful verification proves: (a) the bundle was signed by the claimed issuer, (b) the receipt was committed to in this bundle, (c) the receipt itself is signed and untampered. If an on-chain anchor is present and verified, the bundle is independently verifiable without trusting the issuer.

8.3 Reference verifier

A reference implementation is published as @trdnetwork/r2-verify on npm. The R+3 verification commands include:

npx r2-verify r3-bundle <bundle.json>            # full bundle verification
npx r2-verify r3-inclusion <bundle.json> <receipt.json>  # proof of inclusion
npx r2-verify r3-anchor <bundle.json>            # on-chain anchor verification

§9 Security Considerations

9.1 Issuer key compromise

If an issuer's Ed25519 private key is compromised, an attacker can sign forged R+3 bundles. R+3 mitigates this with:

9.2 Receipt omission

An issuer might attempt to silently omit R+2 receipts from a bundle (selective non-disclosure). R+3 v0.1 does not prevent this — it only proves that the included receipts are committed to. Future revisions of R+3 will define completeness assertions via anchored receipt counts and gap-detection challenges.

limitation For high-stakes audits, the verifier SHOULD obtain bundles from multiple sources (e.g. issuer's signed bundle plus an independent attestation from a federated peer) before treating the period as fully audited.

9.3 Canonicalisation

All hashing and signing MUST use RFC 8785 canonicalisation. Implementations that deviate (e.g. by sorting keys differently or using non-UTF-8 encodings) will produce verification failures.

9.4 Replay attacks

An R+3 bundle is uniquely identified by (issuer, sequence). Replayed bundles fail uniqueness checks at the verifier. Bundle predecessor-hash chaining additionally prevents reordering attacks.

§10 Privacy Considerations

R+3 bundles contain commitments (hashes) to R+2 receipts, not the receipts themselves. The receipt content is referenced through bundle_uri and MAY be access-controlled.

10.1 Selective disclosure

An issuer MAY publish the Merkle root and signature publicly (or anchor on-chain) while keeping the receipt contents behind authentication. A regulator with credentials retrieves the receipts; the public sees only the commitment.

10.2 Payload-hash receipts

For receipts referencing PHI, PII, or other regulated data, the underlying R+2 receipt MAY use the payload_hash_only mode (R+2 §7) where the receipt commits to a hash of the payload rather than the payload itself. R+3 bundles built from such receipts are publishable without revealing the underlying data.

10.3 GDPR Article 17 (Right to Erasure)

When a data subject requests erasure under GDPR Article 17, the issuer SHALL:

  1. Erase the receipt payload at the source
  2. Mark the receipt as erased via a follow-up R+2 receipt referencing the original by action_id
  3. Include both the original and the erasure receipt in subsequent R+3 bundles

This satisfies erasure (the payload is gone) while preserving the auditability of the erasure act itself (regulators can prove that erasure was performed).

§11 Compliance Mappings

R+3 bundles are designed to satisfy specific audit-export requirements in major regulatory regimes.

RegulationRequirementR+3 mechanismProfile
EU AI Act Art. 12 Logging of high-risk AI system events; retention > 6 months; tamper-evident R+3 bundles emitted at least daily, anchored on-chain, retained > 6 months r2-gov-v1
NIST AI RMF GOVERN-1.4 Reproducible audit trail of AI system decisions Merkle-root commitment + Ed25519 signature + on-chain anchor r2-gov-v1
India DPDP §8(4), §8(5) Accuracy + safeguard duties demonstrable on request R+3 bundle plus scope-filtered receipt retrieval r2-gov-v1
HIPAA Security Rule Audit controls (45 CFR 164.312(b)) — record and examine activity R+3 bundles with payload-hash-only receipts; PHI never appears in commitments r2-health-v1
SOX §404 (US) Internal controls over financial reporting; auditor-attestable R+3 bundles scoped to finance.* action types, anchored monthly r2-finance-v1
RBI Master Direction on IT Outsourcing Operational risk audit logs available to regulator on demand R+3 export endpoint, scope-filtered by regulatory_scope tag r2-finance-v1
UAE Data Office (forthcoming AI guidance) Demonstrable accountability for autonomous system actions R+3 bundles + on-chain anchor; recipient-government can audit independently r2-gov-v1
ISO/IEC 42001:2023 (AI Management Systems) Documented evidence of AI system operation Periodic R+3 bundles per AI management procedure
scope note The compliance mappings above are interpretations by DCS Labs and are not legal opinions. Operators SHOULD validate R+3 deployments with their own counsel against the applicable jurisdiction's binding requirements.

§12 Example R+3 Bundle

A complete, signed, anchored R+3 bundle covering one day of treasury activity:

{
  "version": "r+3/0.1.0",
  "export_id": "7d8e3a1c-2f4b-4d9e-8a5c-1234567890ab",
  "issuer": "did:dcs:base:treasury-prod",
  "sequence": 42,
  "predecessor_hash": "sha256:9f8e7d6c5b4a3a2918073625140312fffeeddccbba99887766554433221100",
  "time_range": {
    "from": "2026-05-20T00:00:00Z",
    "to":   "2026-05-21T00:00:00Z"
  },
  "scope": {
    "action_type": ["treasury.settle"],
    "regulatory_scope": ["dpdp", "sox"]
  },
  "receipts_count": 1,
  "merkle_root": "sha256:c4f7b9a2e3d1f5c8a7b6e4d9c2f1e0a3b8c5d4e7f2a1b0c3d6e9f8a7b4c5d2e1",
  "merkle_construction": "binary-sha256-rfc8785",
  "anchor": {
    "chain": "base-mainnet",
    "tx_hash": "0x61f6d9019dd3503eafdc5ffc0f0335f05abce8bf19ac50d4e78369226a7211a1",
    "block_number": 12345678,
    "contract": "0xbDd1f5fC349D9a8EfCEb07Edbd491233b2540f5F",
    "method": "anchorMerkleRoot(bytes32,bytes32)"
  },
  "bundle_uri": "ipfs://bafybeih...",
  "signature": {
    "alg": "ed25519",
    "key_id": "did:dcs:base:treasury-prod#auditor-key-2026-05",
    "sig": "BASE64URL_ENCODED_SIGNATURE_BYTES_HERE"
  }
}
first production R+3 The first production R+3 export is scheduled to cover the May 20 - May 31 treasury settlement window. It will include the genesis settlement (tx 0x61f6d9…211a1) and any subsequent settlements through end of May. Anchor planned on Base mainnet at end of period.

FAQ Frequently Asked Questions

Why a separate spec for R+3 instead of extending R+2?
Separation of concerns. R+2 optimises for cheap, frequent, per-action signing. R+3 optimises for occasional, regulator-ready bundles. Conflating the two would force every R+2 implementation to carry Merkle-tree and anchor logic it does not need. R+3 is a strict superset: R+2 implementations can stay simple, and operators add R+3 only when they need it.
Can I anchor R+3 bundles on a chain other than Base?
Yes. The anchor.chain field accepts any chain identifier per CAIP-2. Reference contracts are deployed on Base mainnet. We will accept contributions for Ethereum mainnet, Optimism, Arbitrum, and Polygon reference contracts on the GitHub repo.
Does R+3 require IPFS?
No. The bundle_uri can be any URI. IPFS is RECOMMENDED for permanence, but operators MAY use HTTPS, Filecoin (via IPFS gateways), Arweave, or self-hosted endpoints. The cryptographic guarantees depend on the bundle content, not on where it is stored.
How does R+3 differ from a database audit log?
A database audit log requires the database operator to be honest. R+3 requires no trust in the operator: the Merkle root, once anchored on-chain, mathematically commits the operator to every receipt in the bundle. Selective deletion or modification is detectable by anyone, not just by the database administrator.
Can R+3 detect receipt omission (selective non-disclosure)?
Not in v0.1. The current spec proves that included receipts are committed to, but cannot prove completeness. We are working on a v0.2 extension that adds completeness assertions via signed receipt-count attestations and gap-detection challenges. See §9.2.
Is R+3 patent-encumbered?
No. R+3 is published under MIT licence. DCS AI Technologies makes no patent claims on the techniques described in this specification and disclaims any future enforcement of patent rights against good-faith implementations.
How do I implement R+3 if I already have R+2 receipts?
Three steps: (1) implement Merkle-tree construction per §5 over your existing R+2 receipts, (2) generate a signed bundle per §4, (3) optionally anchor on-chain per §7. The @trdnetwork/r2-verify reference implementation includes a r3-build helper command that performs all three steps given a directory of R+2 receipts.
What is the relationship between R+3 and the "R+3 audit export" endpoints in trd-cn-backend?
The endpoints in trd-cn-backend are the first reference server implementation of R+3. They accept a time range, retrieve the relevant R+2 receipts, build the Merkle tree, sign the bundle with the operator key, and return the JSON. Anchor submission is a separate operator action.

Refs References

authors Deepak Dudi, DCS AI Technologies L.L.C, Dubai.
Contributions welcome. Open an issue or PR at github.com/DCS-LabsAI/r2-standard.