Context
MPP (Stripe Sessions, June 2026) defines the credential exchange and settlement cycle cleanly.
An agent presents a payment credential, settlement is confirmed, access is granted.
The gap that remains: a third party — regulator, auditor, counterparty — cannot independently
verify what the agent did with that access after settlement without trusting the operator's
infrastructure.
The same gap was documented for x402 in x402-foundation/x402#2332,
where payment_hash proves settlement but not post-settlement agent behavior. MPP has an
equivalent gap at the Payment-Receipt boundary.
The problem
An MPP Payment-Receipt proves the payment completed. It does not prove:
- What action the agent took after receiving the session grant
- That the action record wasn't modified after the fact
- That the agent acted within its authorized scope
For regulated deployments (EU AI Act Art. 12 enforcement August 2, 2026; FCA SYSC 9.1;
SOC 2 CC7.x), this gap is the compliance blocker. Logs can be rewritten. An external
anchor cannot.
Proposed pattern
A `TrailRecord` anchored externally after agent action completes, keyed by a deterministic
`action_ref` derived from the session grant:
```
MPP Payment-Receipt (payment proof)
└── action_ref = SHA-256(JCS({agent_id, action_type, scope, timestamp}))
└── TrailRecord (tamper-evident, external anchor)
└── anchor_id (Sigstore Rekor / on-chain tx / content-addressed store)
```
The audit property: a verifier with the `Payment-Receipt` can follow the chain to the
`TrailRecord` and confirm the action record hasn't been modified — without access to the
operator's infrastructure.
`action_ref` is a content-addressed identifier: deterministic, reproducible, and
operator-independent. Any party with the preimage inputs can recompute and verify it.
Implementation
We've built this as Mycelium Trails — an
external anchoring layer where `action_ref` is the cross-surface key between the payment
receipt and post-execution evidence.
Happy to contribute a reference spec extension for MPP or a fixture if the maintainers want
to document this accountability layer alongside the settlement and credential specs.
Context
MPP (Stripe Sessions, June 2026) defines the credential exchange and settlement cycle cleanly.
An agent presents a payment credential, settlement is confirmed, access is granted.
The gap that remains: a third party — regulator, auditor, counterparty — cannot independently
verify what the agent did with that access after settlement without trusting the operator's
infrastructure.
The same gap was documented for x402 in x402-foundation/x402#2332,
where
payment_hashproves settlement but not post-settlement agent behavior. MPP has anequivalent gap at the Payment-Receipt boundary.
The problem
An MPP
Payment-Receiptproves the payment completed. It does not prove:For regulated deployments (EU AI Act Art. 12 enforcement August 2, 2026; FCA SYSC 9.1;
SOC 2 CC7.x), this gap is the compliance blocker. Logs can be rewritten. An external
anchor cannot.
Proposed pattern
A `TrailRecord` anchored externally after agent action completes, keyed by a deterministic
`action_ref` derived from the session grant:
```
MPP Payment-Receipt (payment proof)
└── action_ref = SHA-256(JCS({agent_id, action_type, scope, timestamp}))
└── TrailRecord (tamper-evident, external anchor)
└── anchor_id (Sigstore Rekor / on-chain tx / content-addressed store)
```
The audit property: a verifier with the `Payment-Receipt` can follow the chain to the
`TrailRecord` and confirm the action record hasn't been modified — without access to the
operator's infrastructure.
`action_ref` is a content-addressed identifier: deterministic, reproducible, and
operator-independent. Any party with the preimage inputs can recompute and verify it.
Implementation
We've built this as Mycelium Trails — an
external anchoring layer where `action_ref` is the cross-surface key between the payment
receipt and post-execution evidence.
Happy to contribute a reference spec extension for MPP or a fixture if the maintainers want
to document this accountability layer alongside the settlement and credential specs.