Preprint: https://zenodo.org/records/20710512
Repository: https://github.com/RudsonCarvalho/bpr
A vendor-neutral, machine-checkable traceability contract for AI-assisted software development. Not a matrix format and not tied to any tool, notation, or vendor. The atomic unit is the provenance record; a traceability graph is just a set of records, and a classic RTM is one projection of that graph.
Provenance-or-reject. Every derived node MUST cite the upstream node(s)
it derives from and MUST carry a justification. Nodes that resolve to nothing
upstream are rejected. Human-authored roots (origin: authored) are exempt —
this is what keeps rationale and decisions honest instead of forcing fake links.
| Level | Name | Enforced here | Checks |
|---|---|---|---|
| L0 | Structural | ✅ | required fields, unique ids, valid node types, derived↔derived_from consistency, all references resolve |
| L1 | Coverage | ✅ | every scenario is verified by ≥1 test; every test verifies ≥1 scenario |
| L2 | Bidirectional closure | ✅ | every derived node reaches an authored root upstream; every approved need reaches a test downstream (gated on status) |
| L3a | Claim citation | ✅ | every behavioral/operational claim of a derived node cites a valid upstream claim (no invented behavior) |
| L3b | Attested support | ✅ | every citation carries an attestation with verdict supported (unchecked/unsupported fail) |
| L3c | Policy-bound support | ✅ | every attesting checker is authorized by the bound profile (--authorized-checkers); requires a profile |
L1 is the viable MVP. L2 is deterministic graph reachability, gated on lifecycle status so deferred/rejected/informational needs are not forced to have tests. L3 is the real differentiator and is split into three sub-levels so incremental adoption never silently dilutes its meaning.
Read levels honestly. L1/L2 deliver immediate, deterministic value today; L3 is a longer-term frontier whose strength depends on the (out-of-scope) quality of claim checkers. A conformance level is a statement about structure, not correctness: "L3b conformant" means every behavioral/operational claim is cited and attested
supported— it does not mean the attestations are correct, and must not be read as proof that nothing was invented.
You cannot prove an agent invented nothing. So L3 inverts the burden:
- Claims become first-class, in three kinds. Each claim is
behavioral(changes observable functional contract — must trace to a functional claim),operational(changes observable non-functional behavior: latency, retries, logging, metrics, security, ordering — must trace to a non-functional/quality claim or be attested policy-compliant), orimplementation(strictly internal, no observable footprint). Theimplementationexemption is default-deny: it holds only if non-observability is attested (kind_attestation: supported); otherwise the claim is treated as behavioral. This closes the laundering hole and gives non-functional-but-observable changes (cache→latency, retry→duplicate events, log→data exposure) a home instead of a semantic dispute. - The obligation is graded so incremental adoption never dilutes "L3": L3a every behavioral/operational claim cites a valid upstream claim; L3b every citation is attested
supported(unchecked/unsupportedfail); L3c every checker is authorized by the bound profile. - The checker is substitutable (human, NLI model, LLM-judge, proof). The standard mandates that the verdict exists, is recorded, and at L3c comes from an authorized source — never how it is produced.
Propagation rule (discovered while building): L3 only applies through the sub-chain where claims are declared on both ends. Where an upstream node is claim-less, the node's behavioral claims are origin-level at claim granularity and need no citation — the node-level trace (L0) still holds. This makes L3 incrementally adoptable, claim-bearing subchain by claim-bearing subchain.
- Fixed (the standard): the record schema, the node/edge vocabulary, the invariants, the conformance levels, and the serialization.
- Substitutable (not the standard): the id format (must only be stable and lineage-preserving), the authoring tool, the scenario notation, and the validator engine itself. A tool using a different stack must be able to reach L1 conformance without depending on this reference implementation.
schema/provenance-record.schema.json— the atomic record (JSON Schema 2020-12)examples/profile-retrieval.records.json— neutral end-to-end example (need → example → scenario → contract → code → test), plain text, no proprietary notationexamples/profile-retrieval.broken.json— same example with 3 planted L0/L1 violationsexamples/profile-retrieval.l3.records.json— same chain with first-class claims, L3-conformantexamples/profile-retrieval.l3-broken.json— code invents a behavior (uncited) and cites one claim a checker attested as unsupportedvalidator/validate.py— L0/L1/L2/L3a/L3b/L3c conformance checker (the substitutable engine)
pip install jsonschema # optional: enables full schema validation
python validator/validate.py examples/profile-retrieval.records.json --level L2 # -> CONFORMANT
python validator/validate.py examples/profile-retrieval.l3.records.json --level L3b # -> CONFORMANT
python validator/validate.py examples/profile-retrieval.l3.records.json --level L3c \
--authorized-checkers "human:reviewer" # -> CONFORMANT
python validator/validate.py examples/profile-retrieval.l3-broken.json --level L3b # -> NON-CONFORMANT, exit 1Re-express the same example with a different id scheme and a different source notation, and confirm the schema and validator still hold. Two independent encodings converging on the same conformance verdict is the embryo of "two independent implementations converge" — the line between a standard and a private API.