diff --git a/consent-aware-http/README.adoc b/consent-aware-http/README.adoc index 2470f54..3ec07d9 100644 --- a/consent-aware-http/README.adoc +++ b/consent-aware-http/README.adoc 
@@ -1,547 +1,143 @@ -= Consent-Aware HTTP: Declarative Boundaries for AI Usage - -image:https://img.shields.io/badge/License-PMPL--1.0-blue.svg[License: PMPL-1.0,link="https://github.com/hyperpolymath/palimpsest-license"] -image:https://img.shields.io/badge/Philosophy-Palimpsest-indigo.svg[Palimpsest,link="https://github.com/hyperpolymath/palimpsest-license"] - - -Jonathan D.A. Jewell -v0.2.0, 2025-07-20 -:toc: left += Consent-Aware HTTP Framework +Jonathan D. A. Jewell +:toc: :toclevels: 3 -:sectnums: -:icons: font -:source-highlighter: rouge -:experimental: -:imagesdir: assets/images -:homepage: https://consent-aware-http.org -:license-type: Dual: MIT + CC BY-SA 4.0 (Palimpsest-0.8 encouraged) -:reproducible: - -[quote, Virginia Woolf, The Waves] -____ -You have not the freedom of the house. -____ - -[.lead] -This repository hosts formal proposals, implementation materials, and ethical guidance for consent-aware architecture in the age of generative systems. At its heart are two interlinked Internet-Drafts designed to enforce procedural refusals when AI usage boundaries are unmet or ignored. == Overview -=== HTTP Status Code 430: Consent Required - -๐Ÿšฆ *draft-jewell-http-430-consent-required* - -Defines HTTP Status Code 430 (Consent Required), enabling servers to reject access when AI-specific consent declarations are invalid, missing, or violated. It empowers refusal not as punishment, but as principled perimeter enforcement. - -**Status**: Internet-Draft 00 (IETF submission ready) + -**Specification**: link:draft-jewell-http-430-consent-required-00.xml[XML] | link:rendered/draft-430.txt[Text] | link:rendered/draft-430.html[HTML] - -=== AI Boundary Declaration Protocol (AIBDP) - -๐Ÿงญ *draft-jewell-aibdp* - -Introduces the AI Boundary Declaration Protocol (AIBDP) - a machine-readable manifest (`/.well-known/aibdp.json`) for signaling what forms of AI engagement are permitted. It formalizes intent, fosters transparency, and restores agency to originators. 
- -**Status**: Internet-Draft 00 (IETF submission ready) + -**Specification**: link:drafts/draft-jewell-aibdp-00.xml[XML] | link:rendered/draft-aibdp.txt[Text] | link:rendered/draft-aibdp.html[HTML] - -[IMPORTANT] -==== -Together, these protocols establish declarative boundaries that resist unauthorized training, indexing, or generative reuse - compatible with federated infrastructure and public web publishing alike. -==== - -== Quick Links - -[cols="2,3,1",options="header"] -|=== -|Resource |Description |Format - -|link:draft-jewell-http-430-consent-required-00.xml[HTTP 430 Draft] -|Status code specification -|RFC XML - -|link:drafts/draft-jewell-aibdp-00.xml[AIBDP Draft] -|Manifest protocol specification -|RFC XML +The Consent-Aware HTTP Framework is a multi-protocol architecture for ethical AI governance on the web. It provides a unified, standards-oriented approach to declaring, enforcing, auditing, and verifying AI interactions with digital content. -|link:docs/technical.md[Developer Guide] -|Implementation guidance -|Markdown +Originally conceived as a technical extension similar to `robots.txt`, the framework has evolved into a complete system addressing consent, identity, provenance, enforcement, and accountability. -|link:docs/explainer.md[Philosophical Overview] -|Cultural and ethical context -|Markdown +This repository contains a set of complementary Internet-Drafts that together define a consent-based model for AI-web interaction. 
-|link:docs/start-here.md[Quick Start] -|Templates and examples -|Markdown +== Problem Statement -|link:docs/faq.md[FAQ] -|60+ questions answered -|Markdown +The modern web lacks: -|link:examples/reference-implementations/[Reference Implementations] -|Node.js, Python, Rust -|Code +* Machine-readable AI usage boundaries +* Transparent identification of AI agents +* Enforceable consent mechanisms +* Verifiable content provenance +* Standardised compliance reporting -|link:docs/server-configurations.md[Server Configs] -|nginx, Apache, Caddy, Cloudflare, etc. -|Markdown -|=== - -== Why This Matters - -[.lead] -AI systems often ingest, embed, and regenerate content without consent - erasing boundary, authorship, and intent. - -These protocols restore **procedural clarity** to web interactions, allowing creators to: - -* โœ… **Refuse generative reuse** without legal escalation -* โœ… **Declare acceptable AI uses** in a standardized way -* โœ… **Signal denial** with structured protocol, not vague error codes -* โœ… **Collaborate** on infrastructure that respects ethical constraints - -[quote, bell hooks] -____ -Boundary is where meaning begins. -____ - -== Getting Started - -=== Quick Implementation (4 Steps) - -. **Create AIBDP Manifest** + - Add `/.well-known/aibdp.json` with your declared boundaries -+ -[source,json] ----- -{ - "aibdp_version": "0.2", - "contact": "mailto:policy@example.org", - "policies": { - "training": { "status": "refused" }, - "indexing": { "status": "allowed" } - } -} ----- - -. **Configure Server** + - Update server logic to respond with HTTP 430 when violations occur -+ -[source,nginx] ----- -location = /.well-known/aibdp.json { - add_header Content-Type application/aibdp+json; -} ----- - -. **Use Templates** + - See link:docs/start-here.md[start-here.md] for templates, examples, and server configs - -. 
**Join Community** + - Engage in IndieWeb, Fediverse, or IETF circles to promote shared adoption - -[TIP] -==== -These standards can be implemented independently of platform, license, or scale - ideal for personal blogs, union archives, CDN layers, or federated identity services. -==== - -=== Comprehensive Documentation - -[horizontal] -link:docs/technical.md[Technical Guide]:: Implementation details for developers -link:docs/explainer.md[Explainer]:: Architectural overview and philosophy -link:docs/ethics.md[Ethics]:: Cultural and theoretical foundations -link:docs/governance.md[Governance]:: Organizational implications -link:docs/conformance.md[Conformance]:: Implementation requirements -link:docs/references.md[References]:: Citations and influences -link:examples/manifest-scenarios/[Manifest Examples]:: 12 real-world scenarios -link:docs/server-configurations.md[Server Configs]:: 8 platform guides - -== Ethics and Governance - -[.lead] -This project draws on traditions of ethical journalism, federated systems, and authorship dignity. - -=== Core Values - -[quote] -____ -*Declarative refusal* as a form of care + -*Boundary* as the place where meaning begins + -*Transparent infrastructure* over implied permissions + -*Sanctuary work* as both cultural and procedural -____ - -=== Philosophical Foundations - -* **bell hooks**: Boundary-setting as dignity and care -* **Virginia Woolf**: Architectural refusal as self-determination -* **Journalism Ethics**: Right to decline co-option (NUJ, SPJ) -* **IndieWeb**: Self-sovereignty and federated control - -[NOTE] -==== -Explore more in link:docs/ethics.md[ethics.md] and link:docs/governance.md[governance.md]. -==== - -== Contributing - -[.lead] -We welcome developers, ethicists, teachers, organizers, and critics. - -See link:.github/CONTRIBUTING.md[CONTRIBUTING.md] for guidelines. 
- -=== Contribution Types - -* ๐Ÿ“ **Draft improvements** - Technical feedback on Internet-Drafts -* ๐Ÿ”ง **Schema extensions** - AIBDP manifest enhancements -* ๐Ÿ“š **Educational modules** - Teaching materials and tutorials -* โœ๏ธ **Narrative essays** - Ethical and cultural perspectives -* ๐ŸŒ **Adoption stories** - Implementation case studies -* ๐Ÿค **Outreach coordination** - Community engagement - -=== Tri-Perimeter Contribution Framework (TPCF) - -This project uses the TPCF governance model: - -[cols="1,2,2",options="header"] -|=== -|Perimeter |Access Level |Description - -|**Perimeter 1** + -(Core) -|Maintainers only -|Internet-Draft authoring, protocol design decisions, security-critical changes - -|**Perimeter 2** + -(Expert) -|Trusted contributors -|Reference implementations, comprehensive documentation, schema validation - -|**Perimeter 3** + -(Community) -|Open contribution -|Examples, translations, outreach materials, issue reporting -|=== - -See link:GOVERNANCE.adoc[GOVERNANCE.adoc] for complete decision-making framework. 
- -== Licensing +This results in: -[.lead] -**Dual-licensed for maximum flexibility with ethical encouragement** +* Unauthorised data harvesting +* Lack of accountability for AI systems +* Erosion of trust in digital content -=== License Options +== Solution Architecture -This project offers **three licensing options**: +The framework consists of six integrated protocols: -[cols="2,3,2",options="header"] +[cols="1,2,3"] |=== -|License |Applies To |SPDX Identifier - -|**MIT** + -(Permissive) -|Code, specifications, reference implementations -|`MIT` - -|**GPL-3.0-or-later** + -(Copyleft) -|Code, specifications (alternative to MIT) -|`GPL-3.0-or-later` - -|**CC BY-SA 4.0** + -(ShareAlike) -|Documentation, narrative, educational materials -|`CC-BY-SA-4.0` -|=== - -[IMPORTANT] -.Palimpsest License (Philosophically Encouraged) -==== -We **philosophically encourage** dual-licensing under the **Palimpsest License v0.8** alongside MIT or GPL-3.0+. - -**Why Palimpsest?** - -* Preserves **attribution** through edit history -* Embeds **ethical provenance** in creative work -* Supports **solidarity economics** -* Aligns with **consent-aware** philosophy - -**Learn more**: https://palimpsest.license + -**Full text**: link:LICENSE-PALIMPSEST.txt[LICENSE-PALIMPSEST.txt] - -_Palimpsest is optional but reflects our values. Choose the license that works for you._ -==== - -=== SPDX Headers - -All source files include SPDX license identifiers: +|Layer |Protocol |Purpose -[source,javascript] ----- -// SPDX-License-Identifier: PMPL-1.0-or-later -// SPDX-FileCopyrightText: 2025 Jonathan D.A. Jewell ----- +|Declaration +|AI Boundary Declaration Protocol (AIBDP) +|Defines permitted and prohibited AI uses of content -Run `just audit-licence` to verify compliance. 
+|Identity +|AI Agent Identification Protocol +|Ensures AI systems declare who they are and what they do -=== License Files +|Consent Flow +|Web Consent Management Protocol +|Defines how consent is requested, granted, and tokenised -* link:LICENSE.txt[LICENSE.txt] - Primary license (MIT) -* link:LICENSE-MIT.txt[LICENSE-MIT.txt] - MIT full text -* link:LICENSE-GPL-3.0.txt[LICENSE-GPL-3.0.txt] - GPL-3.0 full text -* link:LICENSE-PALIMPSEST.txt[LICENSE-PALIMPSEST.txt] - Palimpsest v0.8 -* link:LICENSE-CC-BY-SA-4.0.txt[LICENSE-CC-BY-SA-4.0.txt] - Creative Commons (docs) +|Enforcement +|HTTP Status Code 430 +|Provides runtime enforcement of consent requirements -== Project Information +|Provenance +|Content Provenance Protocol +|Tracks origin and AI involvement in content -=== Built By - -**Jonathan D.A. Jewell** + -NEC PRC Representative ยท NUJ Ethics Council ยท AI & Data Working Group (Convenor) - -**Contact**: jonathan@metadatastician.art + -**GitHub**: @Hyperpolymath - -=== Community - -[horizontal] -GitHub:: https://github.com/Hyperpolymath/consent-aware-http -Discussions:: https://github.com/Hyperpolymath/consent-aware-http/discussions -Issues:: https://github.com/Hyperpolymath/consent-aware-http/issues -Email:: jonathan@metadatastician.art - -=== Funding - -This project is sustained through: - -* Individual donations (link:FUNDING.yml[FUNDING.yml]) -* Solidarity economics framework -* Volunteer contributions - -See link:FUNDING.yml[FUNDING.yml] for support options. - -=== Standards Track - -[cols="2,2,2",options="header"] +|Accountability +|AI Compliance Reporting Framework +|Monitors, audits, and reports violations |=== -|Document |Status |Target -|draft-jewell-http-430-consent-required -|Internet-Draft 00 -|IETF HTTP Working Group +Together, these form a complete governance stack. -|draft-jewell-aibdp -|Internet-Draft 00 -|IETF or W3C +== How It Works (High-Level Flow) -|JSON Schema (AIBDP) -|v0.2 stable -|Community adoption -|=== +1. 
A server declares AI usage boundaries via AIBDP +2. An AI agent identifies itself using standard headers +3. The server evaluates the request against declared policy +4. If consent is required, the server returns HTTP 430 +5. The agent obtains consent via the consent management protocol +6. The agent retries with a Consent-Token +7. All interactions are logged and monitored for compliance +8. Content provenance metadata ensures transparency of outputs == Repository Structure ----- -consent-aware-http/ -โ”œโ”€โ”€ draft-jewell-http-430-consent-required-00.xml # HTTP 430 spec -โ”œโ”€โ”€ drafts/ -โ”‚ โ””โ”€โ”€ draft-jewell-aibdp-00.xml # AIBDP spec -โ”œโ”€โ”€ schemas/ -โ”‚ โ””โ”€โ”€ aibdp-schema-v0.2.json # JSON Schema -โ”œโ”€โ”€ examples/ -โ”‚ โ”œโ”€โ”€ reference-implementations/ -โ”‚ โ”‚ โ”œโ”€โ”€ nodejs/ # Express middleware -โ”‚ โ”‚ โ”œโ”€โ”€ python/ # Flask middleware -โ”‚ โ”‚ โ””โ”€โ”€ rust/ # (planned) -โ”‚ โ””โ”€โ”€ manifest-scenarios/ # 12 real-world examples -โ”œโ”€โ”€ docs/ # Comprehensive guides -โ”œโ”€โ”€ assets/ # Badges, templates -โ”œโ”€โ”€ .well-known/ # RFC 9116 + AIBDP -โ”œโ”€โ”€ scripts/ # Build tools -โ””โ”€โ”€ .github/ # Community docs ----- - -See link:docs/directory-structure.md[directory-structure.md] for detailed layout. 
- -== Technical Specifications - -=== HTTP 430 Response Format - -[source,http] ----- -HTTP/1.1 430 Consent Required -Content-Type: application/json -Link: ; rel="blocked-by-consent" -Retry-After: 86400 - -{ - "error": "AI usage boundaries declared in AIBDP manifest not satisfied", - "manifest": "https://example.org/.well-known/aibdp.json", - "violated_policy": "training", - "policy_status": "refused", - "contact": "mailto:policy@example.org" -} ----- - -=== AIBDP Manifest Location - -[horizontal] -Location:: `/.well-known/aibdp.json` (RFC 8615 compliant) -Format:: JSON with declared permissions/prohibitions -Signature:: Optional COSE (RFC 9052) cryptographic verification -Caching:: Configured via `expires` field (recommended: 30-90 days) - -=== Reference Implementations - -[cols="1,2,2,1",options="header"] -|=== -|Language |Framework |Status |Lines - -|JavaScript/Node.js -|Express -|โœ… Production-ready -|300+ - -|Python -|Flask -|โœ… Production-ready -|400+ - -|Rust -|Axum (planned) -|๐Ÿšง Planned -|TBD -|=== - -== Validation & Testing - -=== Quick Validation - -[source,bash] ----- -# Validate all manifests and specs -just validate - -# Check RSR compliance -just check-rsr - -# Run tests -just test - -# Build Internet-Drafts -just build-drafts ----- - -=== Development Environment - -Using Nix flakes (reproducible builds): - -[source,bash] ----- -# Enter dev shell with all tools -nix develop - -# Or run specific commands -nix run .#validate -nix run .#check-rsr ----- - -=== Testing AIBDP Implementation - -[source,bash] ----- -# Test manifest accessibility -curl https://example.org/.well-known/aibdp.json - -# Test AI bot blocking (should return 430) -curl https://example.org/articles/ -H "User-Agent: GPTBot/1.0" - -# Test normal access (should return 200) -curl https://example.org/ -H "User-Agent: Mozilla/5.0" ----- - -== Security Considerations - -[WARNING] -==== -AIBDP is a **declarative protocol**, not a technical enforcement mechanism: +--- -* Non-compliant AI 
systems may ignore manifests -* Detection requires active monitoring -* Legal/reputational consequences provide primary enforcement -* HTTPS + COSE signatures recommended for high-value content -==== +/aibdp/ AI Boundary Declaration Protocol +/http-430/ HTTP 430 Consent Required +/agent-identification/ AI Agent Identification Protocol +/content-provenance/ Content Provenance Protocol +/compliance-reporting/ AI Compliance Reporting Framework +/consent-management/ Web Consent Management Protocol (planned / draft) +---------------------------------------------------------------------------- -See link:docs/security-analysis.md[security-analysis.md] for comprehensive threat model. +== Design Principles -== Acknowledgments +* Declarative first: Policies are explicitly defined and machine-readable +* Composability: Each protocol is independent but interoperable +* Backward compatibility: Works alongside existing web standards +* Transparency: All actors and actions are visible and auditable +* Enforceability: Policies can be technically enforced, not just stated -=== Theoretical Foundations +== Relationship to Existing Standards -* **bell hooks** - Cultural criticism, boundary theory -* **Virginia Woolf** - Architecture of refusal -* **National Union of Journalists** (NUJ) - Ethics framework -* **Society of Professional Journalists** (SPJ) - Code of ethics +The framework builds on: -=== Technical Influences +* RFC 9110 (HTTP Semantics) +* RFC 9309 (robots.txt) +* RFC 9116 (security.txt) +* JSON, HTTP headers, and DNS mechanisms -* **RFC 7231** - HTTP/1.1 Semantics -* **RFC 8615** - Well-Known URIs -* **RFC 9052** - COSE (Cryptographic signatures) -* **RFC 9116** - security.txt -* **IndieWeb** - Federated publishing standards +It does not replace these standards, but extends them for AI-era requirements. 
-=== Community +== Status -* IndieWeb participants -* Federated web advocates -* Ethical AI practitioners -* IETF working groups -* Journalism ethics communities +All components are currently Internet-Drafts (Work in Progress). -[quote, bell hooks] -____ -The act of naming is the act of creating boundaries. And boundary is where meaning begins. -____ +They are designed for: -[quote] -____ -*Without refusal, permission is meaningless.* -____ +* IETF discussion and standardisation +* Experimental implementation +* Policy and regulatory alignment -== Appendices +== Why This Matters -=== Appendix A: Glossary +The framework enables: -[glossary] -AIBDP:: AI Boundary Declaration Protocol - manifest format for declaring AI usage boundaries -HTTP 430:: Consent Required - proposed HTTP status code for consent violations -Manifest:: JSON document at `/.well-known/aibdp.json` declaring AI usage policies -COSE:: CBOR Object Signing and Encryption (RFC 9052) -TPCF:: Tri-Perimeter Contribution Framework - graduated trust model +* Creators to retain control over their work +* AI developers to operate transparently and ethically +* Platforms to enforce clear rules +* Regulators to access verifiable evidence of compliance -=== Appendix B: Related Standards +== Next Steps -* RFC 2119 - Key words for RFCs (MUST, SHOULD, etc.) -* RFC 7231 - HTTP/1.1 Semantics -* RFC 7725 - HTTP 451 (Legal Obstacles) -* RFC 8259 - JSON format -* RFC 8615 - Well-Known URIs -* RFC 9052 - COSE -* RFC 9116 - security.txt +* Finalise Web Consent Management Protocol +* Align terminology across drafts +* Submit drafts to relevant IETF working groups +* Develop reference implementations -=== Appendix C: Compliance Checklist +== License -See link:RSR-COMPLIANCE.md[RSR-COMPLIANCE.md] for Rhodium Standard Repository compliance status. +See IETF Trust Legal Provisions (BCP 78 and BCP 79). 
---- +== Authors -**Repository**: https://github.com/Hyperpolymath/consent-aware-http + -**Website**: https://consent-aware-http.org + -**License**: MIT OR GPL-3.0-or-later + CC BY-SA 4.0 (Palimpsest encouraged) + -**Version**: 0.2.0 + -**Last Updated**: 2025-07-20 +Jonathan D. A. Jewell +The Open University -// vim: set syntax=asciidoc: +Joshua B. Jewell +Royal Veterinary College
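Review bot: The removed Security Considerations section has no replacement in the new text, and the new Design Principles bullet "Enforceability: Policies can be technically enforced, not just stated" now contradicts what that section said ("AIBDP is a declarative protocol, not a technical enforcement mechanism", "Non-compliant AI systems may ignore manifests"). As written, the How It Works flow depends on step 2, where the agent identifies itself, so the HTTP 430 response in step 4 only applies to agents that declare themselves honestly. Suggest keeping a Security Considerations section that states this limit, keeping the pointer to docs/security-analysis.md if that file still exists, and rewording the Enforceability bullet to match. Step 6 introduces a Consent-Token without saying which draft defines it or how a server validates it; a link to the defining draft directory would cover that. Two smaller points: the Repository Structure listing opens with `---` and closes with a much longer run of hyphens, and AsciiDoc requires the opening and closing listing delimiters to match, so use `----` for both; and the new License section cites only BCP 78 and BCP 79, while the removed text licensed code and documentation separately (MIT, GPL-3.0-or-later, CC BY-SA 4.0), so the README should state what now covers the non-draft files.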