Anti-Bait-and-Switch
Passports are pinned to an immutable catalog_content_hash at issuance. If an operator publishes a new catalog, existing passports continue operating under the original terms. Agents get a breaking-change diff before accepting new terms.
Price protection by default
Once your passport is issued, the terms are locked. An operator cannot silently raise prices, remove permissions, or degrade SLAs: your passport will fail catalog validation if they try. You get to choose whether to accept new terms via the reissue flow.
How It Works
Passport pinned at issuance
When a passport is issued, the current catalog's SHA-256 content hash and version are stored in the passport. These fields are immutable: they cannot change after issuance.
{
"passport_id": "pass_01HABC...",
"catalog_content_hash": "sha256:abc123def456...",
"catalog_version": 3,
// ... other fields
}
Gate validates catalog pin on every check
When the gate verifies a passport, it checks that the catalog_content_hash in the passport matches the published catalog the passport claims to be pinned to. If the catalog was tampered with, the hash won't match → DENY.
Operator publishes catalog v4 (price increase)
The operator publishes a new version with higher prices. New passports are pinned to v4. Existing passports (pinned to v3) continue operating under v3 terms, unaffected.
Agent gets notified of breaking changes
When the passport nears renewal or when the agent queries the gate, it learns a new version is available with breaking changes. The agent can review the diff and decide.
The Reissue Flow
When an operator publishes new terms, agents can reissue their passport to accept the new version. The reissue endpoint shows the breaking-change diff so agents can make an informed decision.
# Step 1: Check what changed
POST /api/gates/gate_acme-travel/catalog/impact
# Response shows breaking changes before you commit:
{
"has_breaking_changes": true,
"changes": [
{
"type": "price_increase",
"permission_key": "flights:book",
"old_value": 50,
"new_value": 75,
"breaking": true
}
]
}
# Step 2: Accept and reissue (only if you agree to the new terms)
POST /api/passports/pass_01HABC.../reissue
Authorization: Bearer mod_your_key
{
"accept_catalog_version": 4
}
# Response:
{
"new_passport_id": "pass_01HDEF...",
"old_passport_id": "pass_01HABC...",
"catalog_version": 4,
"catalog_content_hash": "sha256:newHash...",
"terms_changed": true,
"has_breaking_changes": true,
"changes": [...]
}
The old passport is immediately revoked. The new passport is pinned to v4. If the agent doesn't want to accept the new terms, it can continue using the old passport until it expires, then either accept the new terms or switch operators.
MCP: reissue_passport
{
"tool": "reissue_passport",
"arguments": {
"passport_id": "pass_01HABC...",
"accept_catalog_version": 4
}
}
// Returns:
{
"new_passport_id": "pass_01HDEF...",
"terms_changed": true,
"has_breaking_changes": true,
"changes": [
{
"type": "price_increase",
"permission_key": "flights:book",
"old_value": 50,
"new_value": 75
}
]
}
What counts as a breaking change?
| Change type | Breaking? | Why |
|---|---|---|
| Permission removed | Yes | Agent loses access to previously permitted actions. |
| Price increase | Yes | Agent pays more than originally agreed. |
| Service-level agreement (SLA) downgrade | Yes | Operator offers weaker guarantees. |
| Platform fee increase | Yes | Agent pays more overhead. |
| Trust level raise | Yes | Agent may no longer qualify for the permission. |
| Price decrease | No | Agent pays less, always favorable. |
| SLA improvement | No | Agent gets better guarantees. |
| New permission added | No | Agent can optionally use it. |
| Description changed | No | Cosmetic change. |
Tamper detection
If an operator attempts to tamper with a published catalog (not possible via the Modei API, but possible if they control their own instance), the gate's catalog pin check will fail:
Gate check for passport pass_01HABC...
Step 1: Valid Ed25519 (an industry-standard elliptic curve signing algorithm) signature ✓
Step 2: Not expired ✓
Step 3: Not revoked ✓
Step 4: Catalog pin check...
- Passport claims: catalog_content_hash = sha256:abc123def456
- Actual catalog hash: sha256:abc123TAMPERED
- MISMATCH → DENY (catalog_tampered)
The gate never serves requests for passports pinned to a tampered catalog, even if the tampering is "minor". The hash either matches exactly or it doesn't.
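A sketch of the step 4 pin check, as an added example that is not Modei's own code. It assumes the content hash is SHA-256 over canonical JSON (sorted keys, compact separators), which the page does not specify; the catalog layout, the `ALLOW` decision, and the `catalog_not_found` and `catalog_pin_missing` reason codes are hypothetical.

```python
import hashlib
import hmac
import json


def catalog_content_hash(catalog: dict) -> str:
    # Assumption: the hash covers canonical JSON, so key order and
    # whitespace cannot change the digest; any value change does.
    canonical = json.dumps(catalog, sort_keys=True, separators=(",", ":"),
                           ensure_ascii=False).encode("utf-8")
    return "sha256:" + hashlib.sha256(canonical).hexdigest()


def check_catalog_pin(passport: dict, published: dict) -> tuple:
    """published maps catalog_version -> catalog document as served right now."""
    catalog = published.get(passport.get("catalog_version"))
    if catalog is None:
        return ("DENY", "catalog_not_found")      # hypothetical reason code
    pinned = passport.get("catalog_content_hash")
    if not isinstance(pinned, str):
        return ("DENY", "catalog_pin_missing")    # hypothetical reason code
    actual = catalog_content_hash(catalog)
    # Exact match only; compare_digest avoids leaking how many characters matched.
    if not hmac.compare_digest(actual.encode("utf-8"), pinned.encode("utf-8")):
        return ("DENY", "catalog_tampered")
    return ("ALLOW", None)


# Constructed sample data (not real catalogs or passports).
CATALOG_V3 = {"version": 3, "permissions": {"flights:book": {"price": 50}}}
CATALOG_V4 = {"version": 4, "permissions": {"flights:book": {"price": 75}}}
PASSPORT = {"passport_id": "pass_EXAMPLE", "catalog_version": 3,
            "catalog_content_hash": catalog_content_hash(CATALOG_V3)}


def demo() -> tuple:
    published = {3: CATALOG_V3}
    before = check_catalog_pin(PASSPORT, published)
    published[4] = CATALOG_V4      # new version published: the v3 pin is unaffected
    after_v4 = check_catalog_pin(PASSPORT, published)
    # v3 rewritten in place with the v4 price: the pin no longer matches
    published[3] = {"version": 3, "permissions": {"flights:book": {"price": 75}}}
    tampered = check_catalog_pin(PASSPORT, published)
    return before, after_v4, tampered


if __name__ == "__main__":
    print(demo())
```

The signature, expiry and revocation checks (steps 1 to 3) are outside this sketch and must pass before the pin check is reached.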
Related
- Permission Catalogs: How catalogs are published and versioned.
- Service Discovery: How agents verify catalog terms before requesting a passport.
- Passports API: Reissue endpoint reference.