Orchestrating the E-Commerce Stack for AI Agents
A reference architecture analysis for AI-agent discovery, policy quotation, checkout preparation, delegated payment, generated claims, evidence, and operator remediation in modern e-commerce system
WebDigestPro technical guide article | July 2026
Author: Dimitrios S. Sfyris. With technical architecture review contributions from Vinicius Pereira (github.com/vinimabreu) and public review feedback from Sergei Parfenov (github.com/P0rt). Full contributor and reviewer roles and bios appear at the end of the article.
Agentic commerce describes a shift from human-operated digital shopping journeys toward commerce interactions in which AI agents participate in discovery, comparison, policy interpretation, checkout preparation, payment delegation, generated-claim use, and post-decision explanation. Recent initiatives from OpenAI, Stripe, Google, Shopify, Visa, Mastercard, PayPal, Adobe, and Salesforce indicate that the ecosystem is moving beyond AI-assisted product search toward agent-facing commerce protocols, merchant-owned checkout surfaces, payment mandates, and machine-readable commercial capabilities.
This article argues that agentic commerce should not be treated as a chatbot, product-feed, checkout-button, or payment-token problem. Those components are necessary, but they are not sufficient. The central architectural challenge is orchestration across the e-commerce stack. Existing commerce systems were designed primarily for human interpretation: users read product pages, review policies, confirm carts, approve payments, and escalate exceptions to support teams. AI agents change that model by interpreting, summarizing, comparing, recommending, requesting actions and, in some cases, operating under delegated authority.
The Agentic Commerce Blueprint proposed in this article responds to this shift with a decision-centered reference architecture. The Blueprint is the framework introduced here, not an external protocol or third-party standard comparable to the Agentic Commerce Protocol (ACP), Agent Payments Protocol (AP2), Universal Commerce Protocol (UCP), or Model Context Protocol (MCP). It connects commercial truth, policy facts, action-specific eligibility, actor authority, checkout state, payment authority, generated claims, evidence, audit, protocol projections, and operator remediation. Its purpose is to make commercial decisions explicit enough to be used safely and consistently by AI agents, protocols, payment systems, operators, and support teams.
Agentic Commerce as Infrastructure
The most important signal is not that AI assistants can recommend products; recommendation systems and conversational shopping have existed for years. The stronger signal is that major platform providers are now developing protocol, checkout, payment, merchant discovery, and trust infrastructure that assumes AI agents will participate in commercial workflows.
OpenAI introduced Instant Checkout and the Agentic Commerce Protocol in September 2025, describing them as an early step toward commerce interactions among people, AI agents, and businesses (Agentic Commerce Protocol, 2025; OpenAI, 2025). Stripe separately described ACP as an open standard co-developed with OpenAI for agentic commerce (Stripe, 2025). OpenAI’s March 2026 update expanded ACP beyond checkout toward richer shopping discovery and explained that merchants would use their own checkout experiences while OpenAI focused on helping people discover and compare products (OpenAI, 2026). This direction strengthens the architecture thesis: whether an AI surface embeds an action, invokes a protocol, or hands the buyer to merchant-owned checkout, the merchant stack still needs one canonical decision meaning behind discovery, checkout, authority, and payment.
Google introduced the Agent Payments Protocol, or AP2, in September 2025 as a framework for AI-commerce payments (Google Cloud, 2025). The AP2 documentation describes the protocol as an open protocol intended to enable secure, reliable, and interoperable agent commerce for developers, merchants, and the payments industry (AP2 Protocol, 2025). The same documentation frames the problem in terms of authorization, authenticity, and accountability when autonomous agents initiate payments rather than humans clicking a buy button (AP2 Protocol, 2025).
Shopify and Google have also published Universal Commerce Protocol work, reflected in the protocol’s public specification and supporting materials (Universal Commerce Protocol, 2026). Shopify states that UCP was built to power agentic commerce and co-developed with Google as an open standard for AI agents to connect and transact with merchants (Grigorik, 2026). Google’s developer materials describe UCP as an open-source standard designed to support commerce journeys between consumer surfaces, businesses, and payment providers, while remaining compatible with AP2 for agentic payment support (Handa & Gupta, 2026). Shopify’s Spring ’26 developer materials further position UCP and Catalog API as self-serve infrastructure for developers building agentic commerce experiences across product search, cart, and checkout (Shopify, 2026).
Payment networks and wallets are moving in parallel. Mastercard introduced Agent Pay in April 2025 as agentic payment technology for commerce in the age of AI and later described Agent Pay for Machines as supporting high-frequency, low-latency, low-value payments executed by agents and machines (Mastercard, 2025, 2026). Visa describes Visa Intelligent Commerce as an initiative to enable AI agents to buy securely and seamlessly, and Visa’s public materials include agentic payment integrations, trusted-agent protocol work, defined user permissions for agent-initiated payments, Intelligent Commerce Connect, and a later OpenAI collaboration for secure Visa payments inside agentic commerce experiences (Visa, 2026a, 2026b, 2026c, 2026d). PayPal describes Agentic Commerce Services, Agent Ready, and Store Sync as ways to support AI-driven shopping, merchant catalog access, and commerce orchestration for AI shopping assistants, and PayPal’s announcements describe ACP/Instant Checkout support with OpenAI and Instant Buy with Perplexity (PayPal, 2025a, 2025b, 2025c; PayPal Developer, 2026).
Commerce-cloud providers are also adapting. Adobe Commerce publicly committed to supporting agentic commerce standards including UCP and ACP, building on its announced AP2 alignment, while emphasizing that brands should maintain control over customer relationships, branding, and commerce data (Jain, 2026). Adobe’s later Summit announcement focused on making product data visible and structured for LLM-powered experiences (Ben, 2026). Salesforce describes agentic commerce as AI acting on behalf of users or businesses and, in its June 2026 Agentforce Commerce release, positions the platform as connecting shoppers, merchants, and AI apps across B2C, B2B, point of sale, and order management (Salesforce, 2026a, 2026b).
These developments are evidence of a distributed platform transition. The ecosystem is not converging on one monolithic product. It is forming across several layers: agent-facing shopping surfaces, commerce protocols, payment mandates, catalog synchronization, checkout primitives, trust infrastructure, AI-native search, and commerce-cloud participation. This distribution creates the need for orchestration. Merchants and software teams must coordinate the meaning behind these integrations so agent-facing systems do not produce conflicting decisions. Table 1 summarizes the main platform signals and their architectural implications.
Table 1. Current platform evidence for agentic commerce as an infrastructure category
| Layer | Representative evidence | Architecture implication |
| AI shopping and embedded checkout | OpenAI Product Discovery, Instant Checkout, ACP; Stripe ACP support (OpenAI, 2025, 2026; Stripe, 2025). | Commerce decisions may be discovered inside AI interfaces but still need merchant-owned checkout and canonical decision meaning. |
| Payment mandates and authorization | Google AP2, Visa Intelligent Commerce / Intelligent Commerce Connect and Visa-OpenAI collaboration, Mastercard Agent Pay, PayPal Agent Ready plus ACP/Instant Buy participation (AP2 Protocol, 2025; Mastercard, 2025, 2026; PayPal, 2025a, 2025b, 2025c; Visa, 2026a, 2026d). | Payment authority must be bounded, linked to a valid checkout state, and evaluated before dispatch. |
| Agent-to-merchant interaction | UCP materials from Shopify and Google, including Spring ’26 UCP and Catalog API developer access (Handa & Gupta, 2026; Grigorik, 2026; Shopify, 2026). | Agents need structured commerce capabilities, not only product feeds. |
| Commerce-cloud participation | Adobe Commerce agentic standards support and Salesforce Agentforce Commerce release (Jain, 2026; Salesforce, 2026b). | Existing commerce platforms must expose agent-ready primitives while preserving control of commercial meaning. |
Scope and Terminology
This article uses agentic commerce to describe a commerce operating model in which AI agents interact with commercial systems through controlled capabilities such as product discovery, comparison, policy interpretation, cart and checkout preparation, delegated payment, generated-claim use, and evidence-backed explanation. The term is broader than conversational commerce, which is primarily interaction-oriented, and narrower than general AI in retail, which includes many advisory, analytical, and merchandising use cases.
AI-enabled commerce includes recommendation engines, conversational search, product-description generation, merchandising automation, customer-service bots, personalization, and analytics. These capabilities may influence the shopping journey, but they often remain advisory or assistive. Agentic commerce introduces a stronger operational role for software agents. An agent may request actions, operate under delegated authority, or participate in checkout and payment workflows. This requires different controls.
This article also uses agent-ready commerce to emphasize system readiness rather than consumer-facing novelty. A commerce platform becomes agent-ready when it can expose controlled, scoped, evidence-backed capabilities to agents without relying on each adapter or AI interface to infer commercial meaning independently. This article is aligned with the broader Agent-Ready Commerce series by Sfyris (2026).
The scope is architectural rather than legal or regulatory. It does not provide legal advice on consumer protection, payments, liability, or data protection. It focuses on the software architecture required to preserve consistent commercial meaning across products, policies, checkout, payment, claims, evidence, protocols, and operator workflows.
Problem Statement: Decision-Grade Commercial Meaning
Most e-commerce systems were designed around human interpretation. A buyer reads the product page, reviews return terms, checks the cart, confirms payment, and contacts support when the process fails. The system can leave many distinctions implicit because humans interpret context and accept or reject the next step. Administrative workflows follow the same pattern. Operators interpret catalog data, inventory states, policy text, customer history, and payment events when resolving exceptions.
Agentic commerce reduces this interpretive buffer. An AI agent may summarize, compare, recommend, quote, prepare, request, or explain. In doing so, it turns information into action or action-oriented guidance. The platform must therefore know what a specific agent may safely discover, say, request, mutate, or pay for in a specific context.
The core architectural problem is not only that AI systems may hallucinate. Hallucination is one risk, but the deeper problem is that many commerce stacks do not encode commercial meaning in a form that agents can safely interact with. A catalog status of active is not a checkout decision. A public return-policy page is not an applicable policy fact. An inventory flag is not necessarily fresh enough for payment. A generated product description is not source truth. A payment token is not a complete authority decision.
Agentic commerce therefore requires decision-grade commercial meaning. Decision-grade meaning has four properties. First, it is source-backed: the platform can identify where facts came from. Second, it is scoped: the platform knows which product, category, region, buyer type, merchant, channel, cart, checkout snapshot, or mandate the fact applies to. Third, it is action-aware: the platform can distinguish discovery, comparison, policy quotation, cart mutation, checkout preparation, delegated payment, generated-claim publication, and explanation. Fourth, it is evidence-backed: the platform can explain why an action was allowed, blocked, escalated, revalidated, or refused.
When decision-grade meaning is missing, each integration is tempted to infer meaning locally. A feed exporter may interpret product availability from catalog flags. A checkout adapter may interpret readiness from cart state. A payment adapter may interpret permission from a token. A support UI may interpret failure reasons from logs. These local interpretations may each appear reasonable, but together they create semantic drift across the stack.
Evidence From Current Platform Movements
As Table 1 summarizes, current platform activity maps agentic commerce across discovery surfaces, commerce protocols, payment mandates, catalog synchronization, checkout primitives, wallet and trust infrastructure, AI-native search, and commerce-cloud participation. ACP and OpenAI/Stripe materials together show commerce interaction and merchant-owned checkout concerns; AP2 foregrounds agent-payment authorization and accountability; UCP points toward interoperable agent-to-merchant commerce primitives; PayPal’s Store Sync, Agent Ready, OpenAI, and Perplexity announcements describe catalog access, wallet participation, and embedded buying; Visa and Mastercard materials emphasize credentials, permissions, fraud controls, and scalable agent payments; and Adobe/Salesforce materials show commerce-cloud participation in agent-ready product visibility, commerce data, and orchestration. The important architectural point is fragmentation: no single external protocol or vendor surface owns the full commercial decision. The merchant stack still needs an internal decision layer that coordinates these moving parts so agent-facing systems do not produce conflicting answers.
This fragmentation should be expected. Commerce itself is not a single capability. A purchase journey depends on discovery, product representation, price, inventory, policy, promotion, shipping, tax, identity, cart state, checkout, payment, order management, fulfillment, support, fraud, and dispute handling. Agentic commerce does not remove that complexity. It exposes it through AI surfaces and automated workflows.
Emerging technical and academic work also reinforces the need for context binding, verification, and runtime control. Recent preprints on AP2 and agentic payment protocols analyze context-binding failures, replay risks, prompt-injection risks, mandate semantics, and clearing or verification gaps in agent-led commerce systems (Debi & Zhu, 2026; de Valois-Franklin & Bogdan, 2026; Lan et al., 2026). These works should be read as early research rather than settled standards, but they support the architectural premise that authorization artifacts alone are insufficient without runtime verification and evidence.
The practical conclusion is that merchants and platform teams should not wait for one external protocol to solve the full problem. Protocols can standardize interaction. Payment networks can support authorization. AI platforms can expose shopping surfaces. Commerce clouds can provide agent-facing features. The merchant stack still needs an internal decision architecture that coordinates these layers.
Architectural Thesis: The Decision Spine
The preceding platform evidence suggests that agentic commerce is developing across multiple external surfaces, including agent interfaces, commerce protocols, payment protocols, wallet infrastructure, catalog synchronization, and commerce-cloud integrations. The unresolved architectural question is how the merchant or platform stack should coordinate the commercial decisions behind those surfaces. This article contributes the Agentic Commerce Blueprint as an analytical framework for that internal decision layer.
Its core proposal is a decision spine:
Source systems
↓
Commercial truth
↓
Policy facts
↓
Action-specific eligibility
↓
Actor authority
↓
Checkout state
↓
Payment authority
↓
Generated-claim projection state
↓
Evidence and audit
↓
Protocol-safe projections
↓
Operator remediation
The decision spine is not a deployment diagram and does not require every layer to be a separate service. It is a semantic responsibility model. It identifies where each type of commercial meaning should be owned so that different surfaces do not invent different answers.
Source systems provide operational inputs. Commercial truth selects reliable, scoped, source-backed facts. Policy facts determine applicability and quotability. Eligibility evaluates whether a requested action is valid. Actor authority evaluates whether the caller may request the action. Checkout state governs mutation. Payment authority limits delegated payment to a mandate, cart snapshot, amount, currency, merchant, time window, and valid checkout state. Generated-claim projection state manages derived language through a surface-specific gate that keeps source, freshness, scope, surface, use, payload, and taint separate; taint is the projection axis that carries inherited refusal or upstream unsafe-claim state so reworded generated text cannot appear clean. Evidence and audit preserve decision context and timelines. Protocol-safe projections expose decisions without changing their meaning. Operator remediation turns missing or unsafe inputs into operational work.
Each layer prevents a distinct failure mode. Without commercial truth, raw catalog data may be overtrusted. Without policy facts, agents may quote inapplicable terms. Without action-specific eligibility, availability becomes a dangerous boolean. Without actor authority, delegated action cannot be bounded. Without checkout state, agents may trigger hidden mutations. Without payment authority, tokens may bypass commercial validity. Without generated-claim projection state, generated copy may become accidental truth or a refused claim may be laundered through derived wording. Without evidence, decisions cannot be explained or audited. Without projection discipline, adapters drift. Without remediation, blockers become repeated runtime failures. Table 2 maps the Blueprint layers to their primary responsibilities and the failure modes that appear when those layers are omitted.
Table 2. Agentic Commerce Blueprint layers, responsibilities, and omitted-layer failure modes
| Layer | Primary responsibility | Failure if omitted |
| Commercial truth | Select reliable, scoped, source-backed decision inputs. | Raw source data is treated as current truth. |
| Policy facts | Model applicability and quotability of terms. | Agents quote generic or inapplicable policy text. |
| Eligibility | Evaluate requested action in commercial context. | available becomes a proxy for every action. |
| Actor authority | Evaluate whether the actor may request the action. | Authentication is mistaken for delegated permission. |
| Checkout state | Control state transitions and mutations. | Adapters create hidden or inconsistent checkout mutations. |
| Payment authority | Bind payment authority to mandate and checkout state. | Tokens or mandates bypass commercial validity. |
| Generated-claim projection state | Govern derived language through dependencies, review, scope, allowed use, evidence references, projection axes, and inherited refusal state. | Generated text becomes source truth or refusal state is laundered through derived wording. |
| Evidence and audit | Preserve decision context, evidence references, and timelines. | Support, audit, and operators cannot reconstruct decisions. |
| Projections | Expose decisions in protocol-safe forms. | Feeds and adapters drift semantically. |
| Remediation | Create work to resolve missing facts and blockers. | Agent-readiness fails repeatedly at runtime. |
The Canonical Decision Envelope
The decision spine should return one canonical decision envelope.
The envelope is the implementation shape of the architecture. It is not a loose collection of booleans and it is not a protocol-specific response. It is the platform’s canonical answer for a requested action in a specific context. Different surfaces may project it differently, but they should not recalculate the meaning locally.
Decision spine = the architecture path.
Decision envelope = the canonical answer produced by that path.
Projection = the surface-specific shape returned to a feed, tool, checkout path, admin view, support view, or protocol.
Generated-claim projection is the stricter case. A feed or protocol projection reshapes a decision for a surface; a generated-claim projection decides whether specific language may be used at all, for this use, this surface, this scope, and this evidence state.
The Blueprint’s reference contract uses the following canonical shape. This excerpt includes the fields that carry meaning across surfaces while omitting helper and input types internal to the builder.
type AgentCommerceDecisionAction =
| "discover"
| "compare"
| "quote_policy"
| "add_to_cart"
| "prepare_checkout"
| "delegate_payment"
| "complete_checkout"
| "show_generated_claim"
| "explain";
type AgentCommerceDecisionResult =
| "allowed"
| "blocked"
| "requires_revalidation"
| "requires_review"
| "requires_confirmation";
type AgentCommerceDecisionGeneratedClaimAxis = {
status: "passed" | "failed" | "not_evaluated";
blockerCodes: readonly string[];
};
type AgentCommerceDecisionEnvelopeAuthenticator =
| {
kind: "digital_signature";
algorithm: "ed25519";
format: "detached";
keyId: string;
verificationKeyRef: string;
protectedHash: string;
value: string;
verifiable: true;
}
| {
kind: "message_authentication_code";
algorithm: "hmac-sha256";
format: "detached";
keyId: string;
verificationKeyRef: string;
protectedHash: string;
value: string;
verifiable: true;
}
| {
kind: "unsigned";
algorithm: "none";
format: "none";
protectedHash: string;
verifiable: false;
warning: "missing_platform_signing_key";
};
type AgentCommerceDecisionEnvelope = {
contractVersion: "agent-commerce-decision-envelope-v4";
envelopeSchemaVersion: "agent-commerce-decision-envelope-schema-v4";
decisionId: string;
decisionHash: string;
inputDependencyHash: string;
resultHash: string;
evaluatedAt: string;
ruleSetVersion: string;
ruleSetRef: string;
ruleSetHash: string;
authenticator: AgentCommerceDecisionEnvelopeAuthenticator;
surface?: "feed" | "tool" | "checkout" | "admin" | "support" | "protocol";
subject: {
productId?: string;
variantId?: string;
sku?: string;
checkoutId?: string;
mandateId?: string;
orderId?: string;
};
actor: {
actorType: "agent" | "buyer" | "merchant" | "operator" | "system";
agentId?: string;
merchantId?: string;
};
requestedAction: AgentCommerceDecisionAction;
inputRefs?: {
productRef?: string;
policyRef?: string;
checkoutRef?: string;
paymentRef?: string;
authorityRef?: string;
};
freshness: {
evaluatedAt: string;
validUntil: string | null;
staleAfter: string | null;
reasonCodes: readonly string[];
dependencies: readonly {
ref: string;
kind: "product" | "price" | "inventory" | "policy" | "checkout"
| "mandate" | "generated_claim" | "authority" | "payment" | "evidence";
validUntil?: string | null;
staleAfter?: string | null;
hash?: string | null;
}[];
};
basis: {
status: AgentCommerceDecisionResult;
allowed: boolean;
reasonCodes: readonly string[];
components: readonly {
code: string;
source: "eligibility" | "authority" | "checkout" | "payment" | "generated_claim";
field: string;
value: string | number | boolean | null;
contributesTo: "status" | "payment_dispatch" | "generated_claim_use";
}[];
};
eligibility: {
result: AgentCommerceDecisionResult;
blockerCodes: readonly string[];
source: "product" | "policy" | "checkout" | "payment" | "operator" | "combined";
};
authority: {
result: "allowed" | "blocked" | "not_required";
blockerCodes: readonly string[];
};
checkout?: {
state: string;
validForRequestedAction: boolean;
blockerCodes: readonly string[];
};
payment?: {
paymentDispatchAttempted: boolean;
authorityResult: "allowed" | "blocked" | "not_evaluated";
blockerCodes: readonly string[];
};
generatedClaims?: {
allowed: boolean;
status: "allowed" | "requires_review" | "refused_here"
| "inherited_refusal" | "stale" | "out_of_scope" | "absent";
claimIds: readonly string[];
sourceFactRefs: readonly string[];
derivedFactRefs: readonly string[];
allowedUses: readonly string[];
axes: {
source: AgentCommerceDecisionGeneratedClaimAxis;
freshness: AgentCommerceDecisionGeneratedClaimAxis;
scope: AgentCommerceDecisionGeneratedClaimAxis;
surface: AgentCommerceDecisionGeneratedClaimAxis;
use: AgentCommerceDecisionGeneratedClaimAxis;
payload: AgentCommerceDecisionGeneratedClaimAxis;
taint: AgentCommerceDecisionGeneratedClaimAxis;
};
blockerCodes: readonly string[];
inheritedRefusalCount: number;
};
evidenceRefs: readonly {
type: string;
id: string;
hash: string;
hashAlgorithm: "sha256";
}[];
nextSafeActions: readonly {
action: string;
owner: "system" | "operator" | "buyer" | "merchant";
reasonCode: string;
}[];
};
The envelope does not make every surface identical. A feed, tool response, checkout response, admin issue, and support explanation may expose different subsets, but they project from the same commercial meaning. contractVersion identifies the decision contract, envelopeSchemaVersion identifies the serialized shape, and ruleSetVersion, ruleSetRef, and ruleSetHash pin the decision rules. decisionHash wraps inputDependencyHash and resultHash, so a dependency change can be distinguished from a changed result. The authenticator separately identifies the integrity mechanism, algorithm, representation, protected hash, verification-key reference, and value. The declared surface is protected by inputDependencyHash, and the derived freshness outcome is protected by resultHash, so neither can be altered after authentication without detection.
Generated-claim projection state remains first-class, but the canonical envelope does not carry raw claim text. It carries claim IDs, source and derived fact references, allowed uses, axes, blockers, and inheritedRefusalCount. Approved-value, claim-text, or quote-text hashes can be represented as derived fact references and may be exposed by a surface projection where appropriate. This keeps generated language downstream of its evidence and avoids turning a readable string into product, policy, checkout, or payment truth.
The stronger version is to treat generated-claim projection as a capability, not a readable text field. A claim is not merely grounded in general; it is projectable only for a specific requested use, surface, scope, and evidence pin. The projectable value should be returned only by the domain projection gate after those conditions pass, with the approved value pinned and hash-checked so the value approved is the value handed to the surface. Refused, stale, out-of-scope, inherited-refusal, and absent states should remain distinct so a projection cannot quietly turn “you no longer have the right to say this” into “there was nothing to say.”
Five integrity rules for the canonical envelope
First, reason colocality should be structural rather than aspirational. The decision basis should be produced by the same domain-level function that computes the decision result. Projections may format the basis, but they should not reconstruct it independently. At the canonical-envelope level, the set of basis.reasonCodes should equal the set of codes carried by basis.components. One reason may have several components when it contributes through more than one causal boundary, but no canonical reason should be unexplained.
Second, stale-projection protection should be pinned to dependencies. The inputDependencyHash should cover the declared surface, requested action, actor, subject, input references, ruleSetVersion, content-addressed ruleSetRef and ruleSetHash, evaluation time, evidence pins, and freshness dependencies. The resultHash should cover computed eligibility, authority, checkout, payment, generated-claim state, the derived freshness outcome, decision basis, and next-safe actions. The decisionHash should wrap the contract and schema identifiers together with both hashes.
Deterministic serialization is part of the same boundary. Canonical object keys and semantically unordered collections should be normalized before hashing, so identical normalized input with the same evaluation time produces identical inputDependencyHash, resultHash, and decisionHash values, while reordering evidence references, dependencies, blocker codes, allowed uses, or next-safe actions does not create false drift. The authenticator is then computed over the same protected payload.
Third, every canonical envelope should carry a freshness horizon, such as freshness.validUntil and freshness.staleAfter, derived from the earliest relevant dependency expiry or from an immediate-stale blocker. This lets a feed, protocol adapter, or tool response expire its own projection without reinterpreting commercial meaning locally. Date-times should be accepted only in an unambiguous ISO form and normalized to canonical UTC millisecond representation before entering the protected hashes.
Fourth, evidence hash-pinning should not silently degrade. Every canonical evidenceRef should carry an explicit SHA-256 hash of the evidence content or a canonical snapshot, together with hashAlgorithm. Evidence identity is the pair (type, id): identical duplicates may collapse, but conflicting hashes for the same identity should fail rather than coexist. State mutation, checkout change, and payment blocking are the motivating worst cases, not the only cases.
Freshness dependencies and evidence references are related but not interchangeable. A dependency identifies an input whose change or horizon can invalidate the decision and is identified by (kind, ref); duplicate horizons should merge conservatively to the earliest value. An evidence reference identifies a replayable or substantiating artifact. Identifier-only dependencies may carry deterministic reference fingerprints, but they should not be presented as content-pinned evidence, and a matching evidence content hash should remain authoritative when a dependency adds only a horizon.
Fifth, the canonical envelope should be origin-authenticated, not only internally consistent. The authenticator should distinguish a digital signature from a message-authentication code and should separate the algorithm from the detached representation. A detached Ed25519 signature supports verification with a public key and is the appropriate form for independently verifiable external recipients. A detached HMAC-SHA-256 value provides integrity and origin authentication only among parties that possess the shared secret; it is not a public digital signature. An explicit unsigned variant may be useful in local development, but it should remain visibly non-verifiable and should not be accepted at external or production boundaries. Before external projection, the recipient boundary should recompute the hashes, reconcile reasons and components, verify the authenticator and trusted key reference, require the envelope surface to match the target surface, and enforce freshness. Public or open multi-party output should require trusted Ed25519; HMAC should require an explicitly configured shared-secret trust domain; unsigned output should remain an explicit local-development exception.
A related generated-claim integrity rule is that scoped grounding should be exercised through a gate rather than widened locally by projections. The gate should bind allowed use, surface, scope, evidence pin, and value hash together, so generated commerce text behaves like a tamper-evident capability instead of a reusable string.
Architecture Responsibility Map and Reference Implementation
The Blueprint is accompanied by a compact public reference implementation.
The public GitHub repository can be found at:
https://github.com/dmsfiris/agentic-commerce-blueprint
The repository gives readers a runnable way to inspect the canonical decision-envelope contract, action-aware decision basis, detached authenticators, generated-claim capability gates, evidence hash-pinning, freshness and dependency handling, public, MCP-style, checkout, operator, and support projections, JSON Schema, runnable reference scenarios, generated example outputs, and focused semantic tests.
The companion repository is intentionally smaller than a production commerce platform. Its purpose is to make the Blueprint’s core architectural claims executable and inspectable without reproducing an entire catalog, checkout, payment, order-management, protocol-server, or operator system.
The implementation-facing tree below reflects the verified repository. Standard repository support files, such as the license, contribution guidance, security policy, environment example, and ignore file, are omitted from the map.
agentic-commerce-blueprint/
README.md
package.json
docs/
architecture.md
authenticators.md
consistency-report.md
contributor-review-vinicius.md
decision-envelope.md
freshness-and-evidence.md
generated-claims.md
projections.md
reference-scenarios.md
semantic-tests.md
schemas/
agent-commerce-decision-envelope.v4.schema.json
src/
index.mjs
types.d.ts
core/
actions.mjs
authenticator.mjs
decision-basis.mjs
decision-envelope.mjs
evidence.mjs
freshness.mjs
generated-claims.mjs
hash.mjs
normalizers.mjs
projections.mjs
text.mjs
examples/
fixtures.mjs
generated-claim-capability.mjs
payment-artifact-evidence.mjs
projections.mjs
shape-validation.mjs
stale-price.mjs
travel-backpack.mjs
write-example-outputs.mjs
examples/
generated-claim-capability.json
mcp-projection.json
operator-projection.json
public-projection.json
travel-backpack-envelope.json
tests/
decision-envelope.test.mjs
.github/
workflows/
ci.yml
The ownership rule inside the reference repository is:
- Core modules own reusable commercial decisions.
- The decision-basis module computes reasons beside the decision result and preserves exact reason/component reconciliation.
- The decision-envelope module builds the envelope, recalculates its hashes, and evaluates full-envelope integrity.
- The authenticator module protects the canonical decision hash using either a detached digital signature or a detached message-authentication code.
- Generated-claim modules own projection eligibility, allowed use, direct parent-projection binding, dependency state, and inherited refusal.
- Freshness and evidence modules own dependency horizons, evidence pins, identity and conflict rules, and decision-hash inputs.
- Projection modules translate one canonical envelope into public, MCP-style, checkout, operator, and support-safe representations; the trusted projection boundary verifies integrity, trust, surface binding, and freshness before external release.
- Example fixtures demonstrate the reference scenarios and generate committed outputs.
- Focused semantic tests and CI verify that the envelope, schema, generated examples, and tested projections preserve the same commercial meaning.
- A production implementation will normally distribute these responsibilities across an existing modular commerce platform rather than copy the reference repository’s directory structure literally. The following conceptual map shows the broader ownership pattern.
commerce-platform/
contracts/
decision-envelope types
external schema versions
authenticator types
projection types
domain/
commercial truth
policy facts
action-specific eligibility
decision-envelope builder
decision basis
generated-claim projection gate
freshness and evidence rules
application/
checkout application owner
delegated-authority owner
operator-remediation workflows
persistence/
current checkout + checkout events
current mandate + mandate events
transaction coordinator + transaction events
generated claims + dependency references
adapters/
feed projections
protocol projections
storefront projections
admin projections
support projections
payment and provider boundaries
The implementation ownership rule is:
- Shared contract types define the action, result, envelope, authenticator, freshness, evidence, generated-claim, and projection shapes that cross boundaries.
- Domain modules own reusable commercial meaning, including decision results, reasons, hashes, freshness horizons, evidence pins, and generated-claim semantics.
- Projection adapters translate one canonical envelope into feed, tool, checkout, admin, support, or protocol-specific forms without recalculating commercial meaning.
- One checkout application owner coordinates merchant checkout behavior shared by human and agent channels.
- One delegated-authority owner coordinates mandate state, scope, consumption, revocation, confirmation, and lifecycle events.
- Checkout, mandate, and transaction persistence each use one current record or coordinator plus one meaningful event history.
- Protocol, storefront, admin, support, payment, and provider boundaries map context and results; they do not reimplement eligibility, checkout validity, payment authority, or generated-claim policy.
The repository map and the production ownership map are complementary. The repository makes the Blueprint runnable. The ownership map shows how the same model can be integrated into a larger commerce system without turning each responsibility into a separate service, package, repository, or deployment.
In the reference repository:
| Implementation area | Architectural role |
| src/core/actions.mjs | Owns the canonical contract and schema identifiers, nine action names, action rules, five eligibility results, and canonical reason-code normalization. |
| src/core/decision-envelope.mjs and decision-basis.mjs | Build the envelope, calculate the action-aware basis beside the result, compute and independently recalculate dependency, result, and decision hashes, evaluate full-envelope integrity, derive next safe actions, and keep eligibility separate from actor authority. |
| src/core/authenticator.mjs | Creates and verifies detached Ed25519 digital signatures, detached HMAC-SHA-256 message-authentication codes, and explicit unsigned local-development output, with strict key-type, encoding, metadata, and constant-time MAC checks. |
| src/core/generated-claims.mjs | Owns the seven-axis generated-claim capability gate, allowed use, direct parent-projection binding, dependency state, projected-value hash checks, and inherited refusal. |
| src/core/freshness.mjs and evidence.mjs | Normalize canonical UTC date-times, freshness horizons, dependency identity and conservative horizon merges; require explicit SHA-256 content or canonical-snapshot hashes for canonical evidence references. |
| src/core/projections.mjs | Projects one canonical envelope into public, MCP-style, checkout, operator, and support-safe representations without rebuilding commercial meaning. A trusted projection boundary verifies hashes, authenticator trust, surface binding, and freshness before external release. |
| src/examples/ and examples/ | Provide the Travel Backpack, stale-price, generated-claim, payment-artifact, and projection scenarios and their committed JSON outputs. |
| schemas/ and src/types.d.ts | Define the JSON Schema for the canonical envelope and package-facing TypeScript declarations for the envelope, integrity evaluation, and projections. |
| tests/ and .github/workflows/ci.yml | Run focused semantic tests, validate the complete schema shape and runtime vocabulary parity, regenerate examples, and reject committed-output drift. |
The important implementation detail is ergonomics. The correct path must be easier than the shortcut.
Bad local shortcut:
if (product.inStock && product.price.amount < 150 && paymentArtifact.present) {
return { status: "ready_for_payment" };
}
Correct path:
const envelope = buildAgentCommerceDecisionEnvelope(input);
return mcpDecisionProjection(envelope);
or:
const envelope = buildAgentCommerceDecisionEnvelope(input);
return publicDecisionProjection(envelope);
or:
const envelope = buildAgentCommerceDecisionEnvelope(input);
return checkoutDecisionProjection(envelope);
The adapter does not need to decide whether stale inventory blocks payment. The feed does not need to infer policy quotability. Checkout does not need to repair missing commercial facts. Admin does not need to invent a different blocker taxonomy. They ask the spine and project the answer.
Source-Backed Facts and Commercial Truth
Commerce systems depend on operational systems such as catalog, PIM, ERP, inventory, pricing, promotions, tax, shipping, CMS, policy repositories, payment service providers, order management, identity, support tools, marketplace connectors, and operator input. These systems remain necessary, but they should not be treated as direct agent-facing truth.
A catalog may say that a product is active. That does not establish that checkout can be prepared. An inventory service may report in_stock. That does not establish that the inventory fact is fresh enough for payment or fulfillment. A pricing service may return a value. That does not establish that the price applies to the current buyer, region, promotion, channel, or cart snapshot. A payment provider may authorize a payment. That does not establish that the order should be committed. Generated copy may be accurate at one moment but invalid after a price, inventory, or policy change.
The ingestion layer should therefore normalize source inputs into source-backed facts. A source-backed fact should carry provenance, scope, freshness, lifecycle, and dependency information. Provenance identifies source system, object, revision, URL, hash, or captured timestamp. Scope identifies the product, SKU, category, region, buyer type, merchant, channel, or cart context to which the fact applies. Freshness determines whether the fact is usable for the requested decision. Lifecycle determines whether it is active, superseded, invalidated, or expired. Dependency information identifies which decisions, claims, feeds, or checkout snapshots rely on the fact.
Commercial truth is the platform’s selected set of reliable, scoped, source-backed facts for a given decision context. It is not the catalog, product page, feed, CMS, generated description, or most recent integration response. It is the set of facts the platform is prepared to rely on for decisions.
Consider a Travel Backpack with a catalog record that says active, priced at EUR 129, in stock, and assigned to Travel Bags. A commercial truth snapshot may produce a more nuanced view: price is fresh, inventory is stale, return-policy coverage is missing for Travel Bags, warranty is known, EU shipping is known, US shipping is unknown, generated description is pending review, and the last feed projection was published yesterday. The catalog view says the product exists. The commercial truth view says which actions the product can safely support.
Policy Facts and Machine-Readable Applicability
Policy is a high-risk domain because most policy content is written for humans. Return policies, warranty terms, cancellation rules, shipping restrictions, regional limitations, and business-buyer terms are often stored as pages, PDFs, CMS content, legal documents, merchant configuration, or marketplace terms. These formats are not enough for agent quotation.
A policy may exist and be publicly available while still being unsafe for an agent to quote. The platform must distinguish existence, applicability, and quotability. Existence means that a policy document or rule exists. Applicability means that the policy applies to the requested product, product category, region, buyer type, channel, merchant, shipping destination, purchase date, or marketplace context. Quotability means that the platform is prepared to expose the policy or its summary to an agent, buyer, support operator, or marketplace.
The distinction matters when AI agents turn generic policy text into specific commercial assertions. A return-policy page may not apply to business buyers, cross-border shipments, final-sale goods, personalized products, digital goods, or marketplace transactions. A shipping policy may apply in one region but not another. A warranty may depend on category and country. A generated policy summary may be readable but not approved for quotation.
Policy facts should include domain, applicability, value, source references, lifecycle, freshness, quotability, and conflict status. If return-policy coverage is missing for a product category, an agent-facing surface should not generate a plausible summary. It should block quotation and create or link an operator task to attach or approve the applicable policy fact.
This transforms policy from text into decision infrastructure. The goal is not to remove human-readable policies; it is to make policies usable by machines without losing applicability, scope, or accountability.
Action-Specific Eligibility
A central requirement of agentic commerce is action-specific eligibility. The platform should not expose a single availability flag as a proxy for all agent actions. A product can be available for one action and unavailable for another. That is not inconsistency; it is necessary precision.
A product may be eligible for discovery because its identity, title, category, publication status, and basic facts are reliable. It may be eligible for comparison only on verified attributes. It may be blocked for policy quotation if the applicable policy fact is missing. It may require inventory revalidation before cart mutation. It may be blocked for checkout preparation if price, inventory, shipping, tax, or policy facts are missing or stale. It may be blocked for delegated payment if checkout is invalid or the mandate scope does not match. It may require review before generated claims are shown.
A practical eligibility result should include action, target, context, result, blockers, warnings, evidence references, rule-set reference, and evaluation time. The result vocabulary should include allowed, blocked, requires_review, requires_revalidation, and requires_confirmation. This allows the platform to distinguish between a commercial blocker, a temporary freshness problem, a review workflow, and a buyer-confirmation requirement.
discover: allowed
compare: allowed
quote_policy: blocked
add_to_cart: requires_revalidation
prepare_checkout: blocked
delegate_payment: blocked
show_generated_claim: requires_review
explain: allowed
The value of this is that it can be projected consistently. A feed can expose allowed actions. A protocol adapter can return blocker codes. Checkout can enforce the decision. An admin UI can display missing facts. A support UI can explain why the agent could not proceed. The commercial meaning remains shared across surfaces.
Authority, Delegation, and Actor Control
Eligibility and actor authority must remain separate. Eligibility answers whether an action is valid in the current commercial context. Actor authority answers whether the caller may request the action. This separation is central to agentic commerce, where the actor may be a human buyer, AI agent, system process, support operator, merchant operator, marketplace system, procurement agent, payment agent, or wallet agent.
A product may be eligible for checkout while a specific agent lacks permission to prepare checkout for the buyer. A buyer may grant payment authority while checkout remains invalid. A support operator may be allowed to view blockers but not request payment. A system process may republish feeds but not approve generated claims. A payment artifact may exist but not match the requested cart snapshot, amount, currency, merchant, actor, buyer, or time window.
Authority decisions should evaluate actor identity, actor type, buyer relationship, target resource, requested action, delegation record, mandate scope, expiry, revocation, confirmation status, channel, and risk level. The decision should be recorded separately from eligibility so that the platform can explain whether a request failed because the action was invalid, the actor lacked authority, the mandate expired, confirmation was missing, or the target state changed.
The AP2 documentation frames agent payments around authorization, authenticity, and accountability questions when autonomous agents initiate payments (AP2 Protocol, 2025). This supports the broader architectural principle that a token, credential, or protocol message should be evaluated inside a runtime authority model rather than treated as final permission.
Checkout as the Mutation Boundary
Checkout is the boundary where agentic commerce moves from information to mutation. Product discovery, comparison, and policy quotation may be read-oriented actions. Checkout creates or changes commercial state. It can create a cart, add items, revalidate inventory, calculate shipping, apply tax, create a checkout snapshot, attach payment authority, initiate payment, and commit an order.
For this reason, checkout should be modeled as a state machine rather than a set of loosely connected endpoints.
type AgentCommerceCheckoutLifecycleState =
| "created"
| "empty"
| "requires_address"
| "requires_shipping_option"
| "requires_payment"
| "requires_revalidation"
| "blocked"
| "payment_authorized"
| "order_submitted"
| "completed"
| "declined"
| "cancelled"
| "expired"
| "failed";
type AgentCommerceCheckoutOperation =
| "create"
| "read"
| "update"
| "confirm"
| "complete"
| "cancel"
| "expire";
Protocol adapters should not perform hidden checkout mutations. They should translate external requests into canonical checkout operations. The checkout state model should evaluate commercial truth, policy facts, eligibility, actor authority, idempotency, expiry, evidence, and payment state before allowing a transition.
This structure prevents a common failure. An agent may ask to prepare checkout if the total remains below a threshold. A weak implementation may check price and proceed. A decision-centered implementation checks price freshness, inventory freshness, policy applicability, shipping availability, tax calculation, buyer context, channel rules, actor authority, idempotency, state transition validity, and evidence. If inventory is stale or policy coverage is missing, checkout preparation should block before payment is requested.
Delegated Payment and Bounded Payment Authority
Delegated payment is not only a payment problem. It is an authority, state, and evidence problem. A payment token, wallet credential, mandate identifier, or signed artifact may be necessary, but it is not sufficient. The commerce platform must determine whether the payment request is inside the buyer’s delegated authority at the moment of execution.
The relevant checks include actor, buyer, merchant, cart snapshot, amount, currency, allowed actions, confirmation status, expiry, revocation, previous use, idempotency, current checkout state, whether that state is valid for the requested action, and payment-attempt state. The key control is the separation between payment authority and a valid checkout state. Payment authority cannot make checkout valid. It can authorize payment only when checkout is already valid and the request remains inside the mandate scope.
This distinction aligns with current payment-protocol concerns. AP2 is designed to address how a merchant can verify that a user gave an agent specific authority for a purchase and how accountability should work if an incorrect or fraudulent transaction occurs (AP2 Protocol, 2025). Recent research preprints also examine context-binding failures, replay risks, prompt injection, and runtime verification requirements for agentic payment protocols (Debi & Zhu, 2026; Lan et al., 2026). These risks reinforce the need to evaluate mandate artifacts at execution time rather than assuming that issuance alone is sufficient.
If checkout has expired, the cart snapshot has changed, inventory is stale, policy coverage is missing, or the amount exceeds mandate scope, payment should not be attempted. A correct decision envelope and meaningful event history should state that payment was blocked because checkout was invalid or mandate scope did not match. This is materially different from a payment-provider failure.
Generated Claims as Derived Commercial Artifacts
Generated commerce text becomes a commercial object when agents can quote it, rank it, compare it, or use it to influence purchase decisions. Product descriptions, attribute summaries, price statements, availability statements, policy summaries, comparisons, recommendations, checkout explanations, and payment explanations can all function as claims.
A generated claim is not source truth. It is a derived expression based on facts, policies, eligibility decisions, checkout states, authority decisions, or payment outcomes. It should therefore be managed as a record with claim type, text, projection status, scope, allowed uses, dependencies, review state, lifecycle, invalidation rules, projection axes, and audit references.
Dependency tracking is the central requirement. A claim such as “ready to ship and easy to return” depends on inventory freshness and applicable return-policy coverage. If inventory becomes stale or return-policy coverage is missing, the claim should be blocked, invalidated, or held for review. A generated policy summary should not be quotable unless the underlying policy fact is applicable and quotable. A checkout explanation should be derived from the current decision envelope rather than generated independently. If a generated claim depends on another projected claim, upstream refusal state should travel with it so rewording does not make an unsafe input appear clean.
Related work on typed provenance treats trust as a consumer-specific judgment over multidimensional provenance carried through an agent chain, with independent dimensions evaluated at the point of use and taint retained across transformations (Parfenov, 2026a, 2026b). A public review feedback exchange with Sergei Parfenov helped sharpen two aspects of the Blueprint’s generated-claim treatment: explicit propagation of inherited refusal through derived claims and clearer separation of projection axes so each consuming surface can apply its own policy. The Blueprint applies those refinements to commerce-specific source, freshness, scope, surface, use, payload, and taint state, alongside the capability-gate, allowed-use, evidence-pin, and value-hash refinements developed through Vinicius Pereira’s technical review.
For derived claims, provenance should bind every direct projection actually used, including usable parents rather than only refused inputs. The owning derived-claim record should verify each parent projectionHash and retain normalized dependencyRefs covering its source envelope and evidence pin, source record, requestContextHash, status, requested surface and use, and refusal state. This makes parent and consumption-context changes detectable while keeping taint causal to the dependencies actually used. The canonical decision envelope may expose axes, blocker codes, and inheritedRefusalCount; the owning generated-claim record retains the direct references and complete bounded lineage. If the lineage limit is exceeded, construction should fail rather than silently truncate provenance.
This prevents generated text from becoming accidental commercial truth. In agentic commerce, generated claims should remain downstream of source-backed facts, policy facts, eligibility decisions, projection results, and evidence records. They may explain or project a decision, but they should not become the evidence for that decision.
In the decision envelope, generated-claim projection state travels beside eligibility, actor authority, checkout state, and payment authority. That is the architectural move that prevents generated copy from quietly becoming product truth, policy authority, checkout validation, or payment authority inside an adapter. A projection gate should return a surface-safe value only when the claim is allowed for that surface and current evidence. Refused, absent, stale, out-of-scope, requires-review, and inherited-refusal states should remain distinct rather than being collapsed into one allowed or refused bit. The implementation-ready envelope records source, freshness, scope, surface, use, payload, and taint axes; source and derived fact references; allowed uses; blocker codes; and inheritedRefusalCount. It also separates claim-state visibility from action-state causality, so a pending generated description can be present on a delegate_payment envelope without becoming the explanation for a payment block unless the requested action actually depends on that claim.
Evidence, Decision Envelopes, and Meaningful Event History
Agentic commerce requires evidence because automated or semi-automated decisions must be explainable. A log entry that says checkout was blocked is not enough. The platform should be able to reconstruct the decision path for an allowed action, blocked action, revalidation requirement, confirmation request, or payment refusal without creating a separate persistence record for every interpretation of the same transition.
A decision record should group request context, decision outputs, and downstream references. The canonical envelope carries requested action, actor, subject, selected blockers, basis components, checkout and payment state, generated-claim dependencies, freshness, and SHA-256-pinned evidence references. A maintainable persistence model can give checkout, mandate, and cross-aggregate transaction history one current record or coordinator plus one meaningful event stream; detailed protocol, authority, and transition context belongs to the event that owns the change rather than to several parallel evidence tables.
This model supports structured blocker codes for agents, safe explanations for buyers, timelines for support, focused remediation for operators, and scenario replay for developers. It also keeps the transaction record as a coordinator rather than a second copy of checkout, payment, order, mandate, and protocol state.
The need for evidence also appears in emerging research. The RAILS preprint argues that authorization, payment, and settlement-risk escrow are distinct from clearing and that agentic commerce needs evidence and verification primitives to determine whether delegated obligations were met (de Valois-Franklin & Bogdan, 2026). Whether or not that specific proposal becomes influential, the underlying observation is relevant: payment execution alone does not show that the commercial obligation was valid, fulfilled, or accountable.
Protocols, Feeds, and Projection Discipline
Protocols should project domain decisions rather than create them. An agent-facing protocol may have its own schema, terminology, authentication model, request format, and error vocabulary. The adapter’s responsibility is to validate protocol inputs, extract actor context, map requests to canonical intents, propagate idempotency, call the decision spine, and project the result in a protocol-safe format.
The adapter should not own commercial truth, policy interpretation, eligibility rules, checkout readiness, payment authority, generated-claim approval, evidence decisions, or operator remediation. If adapters implement business meaning locally, each integration will drift. This risk increases as the stack must support ACP, AP2, UCP, MCP-style tool interfaces, storefront APIs, marketplace APIs, admin UIs, support UIs, and future agent protocols.
MCP is relevant here not as a commerce protocol, but as a general protocol for connecting LLM applications with external data sources and tools. The current stable specification is dated November 25, 2025 (Model Context Protocol, 2025). In commerce, MCP tools may expose catalog lookup, policy search, cart preparation, or support operations. That does not make the MCP adapter the owner of commercial eligibility; it should request the canonical domain decision and expose the result safely.
Feeds require the same discipline. An agent feed is not a neutral export. It is a projection of commercial truth, action eligibility, generated claims, blockers, freshness, and supported actions. A feed that publishes product status, price, and inventory without action-level readiness may encourage agents to infer checkout readiness or policy quotability from insufficient fields. A safer feed item should expose action-level outcomes such as discover: allowed, compare: allowed, quote_policy: blocked, add_to_cart: requires_revalidation, prepare_checkout: blocked, delegate_payment: blocked, show_generated_claim: requires_review, explain: allowed, and relevant blocker codes.
Operator Remediation and Operational Readiness
Agent-readiness is not only a runtime property. Many blockers are operational inputs that are missing, stale, conflicting, unsupported, or awaiting review. Common blockers include missing return-policy coverage, stale inventory, unreviewed generated claims, unsupported regions, expired feed projections, missing payment configuration, unresolved authority workflows, outdated product attributes, and invalidated checkout explanations.
A useful platform should not only block unsafe actions. It should create remediation paths. When a decision is blocked, the platform should record evidence, create or link an operator task, describe affected actions, allow the operator to resolve the source issue, invalidate dependent decisions, refresh generated claims, republish feeds, and update the audit timeline.
This is the operational loop that keeps agentic commerce maintainable. Without it, agent-facing blockers become recurring runtime failures. With it, missing facts, policy gaps, stale data, and claim reviews become visible work. The operator does not merely see that an action failed. The operator sees which fact, policy, claim, configuration, or authority record must be fixed and which agent actions are affected.
Failure Modes
The most important failures in agentic commerce are often semantic failures rather than technical crashes. They occur when a surface presents commercial meaning that is not supported by the platform’s decision state.
Optimistic readiness. A feed marks a product as checkout-ready because the catalog says active and inventory says in stock. Checkout later blocks because inventory is stale or policy coverage is missing. The agent and checkout service now have different meanings of readiness.
Stale projection. A feed, generated claim, or protocol response remains available after one of its dependencies has changed. Price, inventory, policy, checkout state, or mandate changes should invalidate dependent projections; otherwise, agents may act on commercial meaning that was previously correct but is no longer valid.
Adapter-owned business logic. A protocol adapter checks catalog fields, reads policy pages, or evaluates payment artifacts locally. This may accelerate one integration, but it creates inconsistent behavior across surfaces.
Policy summarization without applicability. An agent quotes a policy summary that sounds correct but does not apply to the product, buyer type, region, channel, purchase context, or merchant.
Authority collapse. Authentication, actor authority, eligibility, checkout state, and mandate scope are treated as a combined check. This makes it difficult to explain whether failure was caused by invalid state, missing authority, expired mandate, unsupported action, or stale commercial truth.
Payment-token overreach. A token or mandate artifact is treated as sufficient permission even though checkout has expired, the cart snapshot has changed, or the amount no longer matches.
Generated-claim inversion. Generated copy is treated as product or policy truth. The dependency direction is reversed. Claims should depend on facts; facts should not depend on claims.
Unbound derived-claim dependencies. A derived claim carries refusal state from failed parents but does not commit to usable parent projections or the context in which those projections were consumed. A changed or mutated parent can then leave the child apparently unchanged. Derived claims should hash-verify and bind every direct dependency projection, normalize dependency order, and inherit refusal only from projections actually used in the derivation.
Missing evidence. Decisions are returned without enough evidence to support buyer explanation, support investigation, operator remediation, audit, or scenario replay.
Envelope bypass. A feed, adapter, checkout path, admin surface, or support view calculates its own meaning or reads raw claim language instead of projecting the canonical decision envelope. This is how drift enters quietly.
Reason drift. A projection assembles an explanation separately from the decision result. The blocker codes may look correct while the named components no longer reconcile with the decision. The safer design is to compute an action-aware decision basis inside the same domain path that computes the result, then have surfaces project that basis outward.
Incomplete hash boundary. A projection carries valid-looking hashes while the declared surface or derived freshness outcome sits outside the protected input and result meaning. A consumer can then receive a surface-switched or freshness-extended envelope without detecting the change. Protecting the declared surface in inputDependencyHash and the derived freshness outcome in resultHash closes that gap.
Evidence fingerprint masquerading as evidence content. A decision carries a SHA-256-shaped value derived only from an identifier or metadata and presents it as if the original artifact were content-pinned. Identifier fingerprints are useful for invalidation dependencies, but canonical evidence references should hash the evidence content or canonical snapshot and reject conflicts for the same evidence identity.
Mutable rule-set reference. A ruleSetRef that can be edited in place changes decision semantics without necessarily changing the apparent decision input. A content-addressed ruleSetHash and envelopeSchemaVersion make rule changes and format migrations detectable by envelope recipients.
Unchecked authenticator boundary. An envelope can contain internally consistent hashes while still being unverifiable or unsuitable for the recipient’s trust domain. A detached Ed25519 signature gives an external consumer a public-key origin check. A detached HMAC-SHA-256 value authenticates only inside an explicitly configured shared-secret trust domain. Unsigned output is local-development state. Copying any of these authenticators into an external projection without recomputing hashes, checking key identity, binding the target surface, and enforcing freshness leaves the unsafe path open.
Reference Scenario
A reference scenario helps verify whether the blueprint preserves meaning across layers. Assume a product with the following state:
Product: Travel Backpack
Product ref: product:travel-backpack
Price: EUR 129
Catalog status: active
Inventory status: in_stock
Category: Travel Bags
Payment artifact: present
The commercial truth layer says:
Price: fresh
Inventory: stale
Return policy: missing for Travel Bags
Warranty policy: known
Shipping policy: known for EU, unknown for US
Generated description: pending review
Feed publication: last published yesterday
The expected action outcomes are:
discover: allowed
compare: allowed on known facts
quote_policy: blocked
add_to_cart: requires_revalidation
prepare_checkout: blocked
delegate_payment: blocked
show_generated_claim: requires_review with inheritedRefusalCount: 1
explain: allowed from the action-aware decision basis
If an agent asks to buy the product if the total stays under EUR 150, the platform should not proceed merely because the price is below the limit. The delegate_payment envelope first evaluates checkout and payment authority. Since inventory is stale and return-policy coverage is missing, checkout requires revalidation, delegated payment is blocked, and payment is not dispatched. A separate show_generated_claim envelope evaluates whether the generated description can be used; it requires review and preserves inherited refusal without making that claim state the reason for the payment block.
An abbreviated illustrative delegate_payment envelope may state:
{
"contractVersion": "agent-commerce-decision-envelope-v4",
"envelopeSchemaVersion": "agent-commerce-decision-envelope-schema-v4",
"decisionId": "decision:travel-backpack:delegate-payment:2026-07-06T10:12:00Z",
"decisionHash": "<sha256-hex>",
"inputDependencyHash": "<sha256-hex>",
"resultHash": "<sha256-hex>",
"evaluatedAt": "2026-07-06T10:12:00.000Z",
"ruleSetVersion": "agent-commerce-decision-rules-v4",
"ruleSetRef": "ruleset:sha256:<sha256-hex>",
"ruleSetHash": "<sha256-hex>",
"authenticator": {
"kind": "digital_signature",
"algorithm": "ed25519",
"format": "detached",
"keyId": "platform-key:agentic-commerce-demo",
"verificationKeyRef": "trust-anchor:webdigestpro-demo",
"protectedHash": "<sha256-hex>",
"value": "<base64url-signature>",
"verifiable": true
},
"surface": "protocol",
"subject": {
"productId": "product:travel-backpack",
"sku": "travel-backpack",
"checkoutId": "checkout:travel-backpack:demo",
"mandateId": "mandate:buyer-agent-under-150"
},
"actor": {
"actorType": "agent",
"agentId": "agent:buyer-shopping-assistant",
"merchantId": "merchant:travel-demo"
},
"requestedAction": "delegate_payment",
"inputRefs": {
"productRef": "product:travel-backpack",
"policyRef": "policy:returns:travel-bags:missing",
"checkoutRef": "checkout:travel-backpack:demo",
"paymentRef": "payment-artifact:present-under-150",
"authorityRef": "mandate:buyer-agent-under-150"
},
"freshness": {
"evaluatedAt": "2026-07-06T10:12:00.000Z",
"validUntil": "2026-07-06T10:15:00.000Z",
"staleAfter": "2026-07-06T10:15:00.000Z",
"reasonCodes": ["missing_return_policy", "stale_inventory"],
"dependencies": [
{ "kind": "inventory", "ref": "inventory:travel-backpack:15", "staleAfter": "2026-07-06T10:15:00.000Z", "hash": "<sha256-hex>" },
{ "kind": "policy", "ref": "policy:returns:travel-bags:missing", "hash": "<sha256-hex>" },
{ "kind": "generated_claim", "ref": "generated_claim:cabin-size-compatible", "hash": "<sha256-hex>" }
]
},
"basis": {
"status": "blocked",
"allowed": false,
"reasonCodes": [
"eligibility_blocked",
"invalid_checkout_state",
"missing_return_policy",
"payment_authority_blocked",
"stale_inventory"
],
"components": [
{ "source": "checkout", "field": "checkout.blockerCodes", "value": "invalid_checkout_state", "code": "invalid_checkout_state", "contributesTo": "status" },
{ "source": "checkout", "field": "checkout.blockerCodes", "value": "missing_return_policy", "code": "missing_return_policy", "contributesTo": "status" },
{ "source": "checkout", "field": "checkout.blockerCodes", "value": "stale_inventory", "code": "stale_inventory", "contributesTo": "status" },
{ "source": "checkout", "field": "checkout.validForRequestedAction", "value": false, "code": "invalid_checkout_state", "contributesTo": "status" },
{ "source": "eligibility", "field": "eligibility.blockerCodes", "value": "missing_return_policy", "code": "missing_return_policy", "contributesTo": "status" },
{ "source": "eligibility", "field": "eligibility.blockerCodes", "value": "stale_inventory", "code": "stale_inventory", "contributesTo": "status" },
{ "source": "eligibility", "field": "eligibility.result", "value": "blocked", "code": "eligibility_blocked", "contributesTo": "status" },
{ "source": "payment", "field": "payment.authorityResult", "value": "blocked", "code": "payment_authority_blocked", "contributesTo": "payment_dispatch" },
{ "source": "payment", "field": "payment.blockerCodes", "value": "invalid_checkout_state", "code": "invalid_checkout_state", "contributesTo": "payment_dispatch" }
]
},
"eligibility": {
"result": "blocked",
"blockerCodes": ["missing_return_policy", "stale_inventory"],
"source": "combined"
},
"authority": { "result": "allowed", "blockerCodes": [] },
"checkout": {
"state": "requires_revalidation",
"validForRequestedAction": false,
"blockerCodes": ["invalid_checkout_state", "missing_return_policy", "stale_inventory"]
},
"payment": {
"paymentDispatchAttempted": false,
"authorityResult": "blocked",
"blockerCodes": ["invalid_checkout_state"]
},
"generatedClaims": {
"allowed": false,
"status": "requires_review",
"claimIds": ["generated_claim:cabin-size-compatible", "generated_claim:returns-comparison-paragraph"],
"sourceFactRefs": [
"inventory:travel-backpack:15",
"policy:returns:travel-bags:missing"
],
"derivedFactRefs": [
"claim_text_hash:<sha256-hex>",
"generated_claim:returns-summary:refused"
],
"allowedUses": [],
"axes": {
"source": { "status": "passed", "blockerCodes": [] },
"freshness": { "status": "failed", "blockerCodes": ["stale_inventory"] },
"scope": { "status": "passed", "blockerCodes": [] },
"surface": { "status": "passed", "blockerCodes": [] },
"use": { "status": "failed", "blockerCodes": ["generated_claim_requires_review"] },
"payload": { "status": "not_evaluated", "blockerCodes": ["generated_claim_requires_review"] },
"taint": { "status": "failed", "blockerCodes": ["inherited_refusal"] }
},
"blockerCodes": ["generated_claim_requires_review", "inherited_refusal"],
"inheritedRefusalCount": 1
},
"evidenceRefs": [
{ "type": "inventory_fact", "id": "inventory:product:travel-backpack:15", "hash": "<sha256-hex>", "hashAlgorithm": "sha256" },
{ "type": "policy_fact", "id": "policy:returns:travel-bags:missing", "hash": "<sha256-hex>", "hashAlgorithm": "sha256" },
{ "type": "generated_claim", "id": "generated_claim:returns-summary:refused", "hash": "<sha256-hex>", "hashAlgorithm": "sha256" }
],
"nextSafeActions": [
{ "action": "attach_return_policy_fact", "owner": "operator", "reasonCode": "missing_return_policy" },
{ "action": "refresh_inventory_facts", "owner": "operator", "reasonCode": "stale_inventory" },
{ "action": "review_generated_claim", "owner": "operator", "reasonCode": "generated_claim_requires_review" }
]
}
The delegate_payment envelope carries generated-claim state for visibility, but its action-aware basis is blocked by checkout and payment conditions, not by the generated description. Its generated-claim section remains requires_review while preserving a failed taint axis and inheritedRefusalCount: 1; the separate show_generated_claim envelope evaluates generated-claim use directly. The companion repository exposes public, MCP-style, checkout, operator, and support projections from the same canonical envelope. In a production implementation, checkout, mandate, and transaction events can preserve meaningful lifecycle history for operators and support.
Implementation Requirements
The blueprint can be translated into implementation requirements. These requirements are architectural rather than tied to a specific platform provider.
- Define an action vocabulary that distinguishes discovery, comparison, policy quotation, cart mutation, checkout preparation, delegated payment, checkout completion, generated-claim publication, and explanation.
- Build commercial truth snapshots with selected source-backed facts, missing facts, conflicts, freshness, lifecycle, scope, dependencies, and evaluation time.
- Model policy facts separately from policy pages, with explicit applicability and quotability.
- Evaluate eligibility per action with results such as allowed, blocked, requires_review, requires_revalidation, and requires_confirmation.
- Evaluate actor authority separately from eligibility, including actor, buyer, target, delegation, scope, confirmation, expiry, revocation, and channel.
- Move checkout behind explicit commands and states so mutations are not hidden inside adapters.
- Bind payment mandates to actor, buyer, merchant, cart snapshot, amount, currency, expiry, revocation, confirmation, and allowed actions.
- Store generated claims as derived records with dependencies, scope, projection status, projection axes, allowed uses, review state, expiry, invalidation, inherited refusal state, and event or audit references appropriate to the owning feature. For derived claims, hash-verify and bind every direct dependency projection, including usable parents and request context, into the child’s canonical hash; normalize dependency order and propagate refusal only from actual dependencies.
- Make generated-claim projection state first-class in the canonical decision envelope without allowing generated claim state to become accidental product truth, policy truth, checkout validation, or payment authority.
- Attach hash-pinned evidence to allowed, blocked, escalated, revalidation-required, review-required, and confirmation-required decisions; require SHA-256 evidence hashes on every canonical evidenceRef, with state mutation, checkout change, and payment blocking treated as the highest-risk cases rather than the only cases.
- Compute an action-aware decision basis in the same domain path that computes the result, and have projections display that basis rather than reconstructing status and reasons locally.
- Separate inputDependencyHash, resultHash, and decisionHash so stale dependencies and changed results are distinguishable; include the declared surface in the input hash, the derived freshness outcome in the result hash, and the contract and schema identifiers in the decision hash. Canonicalize unambiguous ISO date-times to UTC millisecond form and normalize semantically unordered collections before hashing, so identical normalized input and evaluation time produce identical hashes without making input order significant.
- Carry freshness.validUntil and freshness.staleAfter on the canonical envelope so feeds, tools, and protocol adapters can self-expire projections, deriving those horizons conservatively from the earliest relevant dependency. Keep freshness dependencies distinct from canonical evidence references: dependencies drive invalidation and may carry identifier fingerprints; evidenceRefs identify replayable content or canonical snapshots and require explicit SHA-256 hashes.
- Keep protocol adapters thin by mapping external requests to canonical intents and projecting domain decisions outward through one checked boundary that verifies hashes, reason/component reconciliation, authenticator trust, surface binding, and freshness.
- Publish feeds from commercial decisions rather than catalog flags.
- Create operator remediation tasks for missing facts, stale facts, policy gaps, claim reviews, checkout blockers, and authority blockers.
- Implement invalidation for price, inventory, policy facts, generated claims, checkout state, authority records, content-addressed rule sets, authenticator keys, and projections.
- Run one focused semantic test that exercises the shared decision path across surfaces.
The companion repository tests the Travel Backpack envelope and its public, MCP-style, checkout, operator, and support projections, together with generated-claim, evidence, freshness, deterministic hashing, strict date, authenticator, full-envelope integrity, and schema-shape behavior through one focused test path and one shape-validation command.
Focused Semantic Verification
Verifying agentic commerce requires more than endpoint behavior. A focused reference test should build the same commercial condition for feed, tool, checkout, admin, support, and protocol surfaces and assert canonical hashes, exact reason/component reconciliation, blocker meaning, payment-dispatch decisions, freshness horizons, evidence pins, next safe actions, generated-claim state, authenticator semantics, and trusted-boundary behavior.
The focused tests should include the negative cases that matter: a feed cannot claim readiness when checkout blocks; payment dispatch remains false when checkout or authority blocks; a dependency or surface change changes inputDependencyHash even if the result stays blocked; a freshness or basis change changes resultHash; semantically equivalent input order does not change the hashes; generated claims remain derived; inherited refusal survives policy-to-envelope mapping; malformed dates, conflicting evidence, and invalid authenticator metadata fail; and external projection verifies hashes, key identity, surface binding, trust model, and freshness. Support projection should come from the same decision basis rather than a separate explanation path.
The Travel Backpack test should remain focused and required. Its value is semantic coverage of the shared decision path, not the number of files or contracts tested:
Input:
- product:travel-backpack
- price fresh
- inventory stale
- return policy missing
- payment artifact present
- generated description pending review
Expected across feed, tool, checkout, admin, and support, with protocol projection using the same canonical decision:
- quote_policy: blocked
- add_to_cart: requires_revalidation
- prepare_checkout: blocked
- delegate_payment: blocked
- show_generated_claim: requires_review; inherited-refusal mapping remains distinct and carries inheritedRefusalCount: 1
- explain: allowed from the decision basis
- paymentDispatchAttempted: false
- identical normalized input with the same evaluatedAt produces identical inputDependencyHash, resultHash, and decisionHash
- reordering semantically unordered evidence, dependency, blocker, allowed-use, and next-action inputs does not change the canonical hashes
- basis.reasonCodes equals the set of basis.components[].code; several components may explain one reason at different causal boundaries
- inputDependencyHash changes when the declared surface, dependency reference or hash, rule-set identity, evidence pin, input reference, actor or subject context, requested action, or evaluation timestamp changes
- resultHash changes when the computed eligibility, authority, checkout, payment, generated-claim, derived freshness, basis, or next-action result changes
- decisionHash is protected by a detached authenticator and checked at the projection boundary; independently verifiable external output requires trusted Ed25519, HMAC requires an explicitly configured shared-secret trust domain, and the unsigned local variant remains explicit and non-verifiable
- contractVersion and envelopeSchemaVersion let consumers detect contract and format migrations, while schema checks constrain canonical timestamps, authenticator encoding, unknown fields, and runtime vocabulary drift
- freshness.validUntil and freshness.staleAfter derive from the earliest relevant dependency horizon and make stale allowed projections fail closed
- evidenceRefs contain explicit SHA-256 content or canonical-snapshot hashes, while identifier-only invalidation dependencies remain distinct and cannot masquerade as evidence
- blocker codes use canonical names stale_inventory and missing_return_policy
- generated-claim state remains derived and does not enter the delegate_payment basis unless the requested action depends on generated-claim use
- generated-claim axes keep source, freshness, scope, surface, use, payload, and taint distinct
- derived claims bind every direct parent projection; changing a usable parent or its request context changes the child hash, dependency order does not, mutated projections are rejected, and inherited refusal remains causal while surviving multi-hop derivation
- generated-claim state is present in the envelope but does not falsely explain delegate_payment unless relevant to that requested action
A focused scenario test is valuable because it verifies that commercial meaning is preserved across independently implemented surfaces and that semantic drift cannot land quietly between them.
This form of testing treats commercial meaning as a verifiable property. The objective is not only that each component functions, but that the same commercial decision is preserved across all external projections.
Organizational Implications
Agentic commerce changes responsibility boundaries inside commerce organizations. Product teams must define what agents may do, not only what users may see. This includes action readiness, policy quotability, generated-claim rules, checkout boundaries, and buyer-safe explanation behavior.
Engineering teams must reduce duplicated decision logic across adapters and APIs. Shared decision, checkout, mandate, and transaction owners are more important than local integration code. A maintainable implementation keeps one checkout application owner across human and agent channels and one current-state-plus-event-history model for checkout, delegated authority, and transaction correlation.
Operations teams need workflows for missing facts, stale facts, policy gaps, generated-claim reviews, unsupported regions, payment configuration, and authority blockers. Agent-readiness becomes a quality attribute of commerce operations.
Support teams need evidence-backed explanations. They must be able to answer why an agent refused, proceeded, escalated, requested confirmation, or blocked payment. Leadership should treat agentic commerce as platform work rather than a thin AI feature. The investment becomes justified when AI agents can influence discovery, comparison, checkout, payment, support, and marketplace behavior.
Discussion: Integration Speed and Platform Consistency
A decision-centered architecture is more demanding than a simple integration, but it should remain proportionate. It requires source-backed facts, policy modeling, action-specific eligibility, actor authority, checkout state, payment authority, generated-claim lifecycle, evidence pins, surface projections, invalidation, and operator work. These responsibilities should be integrated into existing domain and application boundaries where appropriate rather than multiplied into separate mechanisms without a concrete need.
For read-only product discovery, a lighter approach may be sufficient. A merchant may expose product names, images, prices, and URLs to an AI shopping surface without immediately implementing the full blueprint. The threshold changes when agents can quote policies, compare products, prepare checkout, operate under buyer authority, request payment, explain blockers, surface generated claims, or act across several protocols.
The tradeoff is between local integration speed and long-term platform consistency. A shortcut can make one adapter work. A decision spine and canonical envelope prevent several incompatible copies of commercial truth from forming across the stack. This tradeoff resembles earlier shifts in commerce architecture. Headless commerce separated presentation from commerce logic. Marketplace integration forced product and order data to become more structured. Omnichannel commerce required inventory and fulfillment consistency across physical and digital channels. Agentic commerce extends that pattern by requiring commercial meaning to become machine-actionable.
Field Checklist
Use the following checklist to assess whether a commerce platform is becoming agent-ready.
- Does the platform distinguish discovery, comparison, policy quotation, cart mutation, checkout preparation, delegated payment, checkout completion, generated-claim publication, and explanation?
- Does the platform maintain commercial truth separately from raw catalog data?
- Are facts source-backed, scoped, freshness-aware, lifecycle-aware, and dependency-aware?
- Are policy pages converted into machine-readable policy facts with applicability and quotability?
- Can the platform return action-specific eligibility decisions with blocker codes and evidence references?
- Is actor authority evaluated separately from action eligibility?
- Does checkout operate through explicit commands and states?
- Are payment mandates bounded by actor, buyer, merchant, cart snapshot, amount, currency, expiry, revocation, confirmation, and allowed actions?
- Are generated claims stored with dependencies, allowed uses, review status, invalidation, and references to the meaningful event history or audit context of the owning feature?
- Is generated-claim projection state carried in the canonical decision envelope?
- Does the canonical envelope separate inputDependencyHash, resultHash, and decisionHash; protect the declared surface and derived freshness outcome; include envelopeSchemaVersion, content-addressed ruleSetHash, and ruleSetRef; and use deterministic canonical serialization so equivalent input order does not create false drift?
- Does one checked external-projection boundary recompute the hashes, reconcile reasons and components, verify the authenticator and trusted key reference, bind the envelope to the target surface, enforce freshness, and apply the correct trust model—Ed25519 for independent verification, HMAC only inside an explicitly configured shared-secret domain, and unsigned output only for local development?
- Does the envelope carry freshness.validUntil and freshness.staleAfter derived conservatively from the earliest relevant dependency, with unambiguous date-times normalized to canonical UTC millisecond form before hashing?
- Are explicit SHA-256 content or canonical-snapshot hashes required on every canonical evidenceRef; are conflicting hashes for one (type, id) rejected; and are identifier-only freshness dependencies kept distinct from evidence while retaining authoritative evidence hashes when a dependency adds only a horizon?
- Are projection reasons produced by the same decision-basis function that computes the result, with the canonical reason-code set exactly reconciled to the component-code set rather than reconstructed separately in feed, tool, checkout, admin, or support adapters?
- Are generated-claim projection axes and taint/inherited refusal state carried in the envelope without allowing generated text to become accidental product, policy, checkout, or payment truth; and do derived claims bind the exact direct projections used, including usable parents, so parent or request-context changes invalidate the child while unrelated refusals do not contaminate it?
- Can the platform explain why an agent-facing action was allowed, blocked, escalated, or refused?
- Do protocol adapters project domain decisions instead of implementing local business rules?
- Are agent feeds built from commercial decisions rather than catalog flags?
- Are operator tasks created when missing facts, stale facts, policy gaps, or claim reviews block agent actions?
- Are decisions invalidated when dependent facts, policies, claims, checkout states, payment mandates, or rule sets change?
- Does one focused semantic scenario test verify that feed, tool, checkout, admin, support, and protocol projections preserve the same blocker meaning; distinguish refused claims from absent claims;
- carry inherited refusal; prove deterministic hashes; detect dependency, surface, freshness, evidence, and rule-set changes; validate schema/runtime vocabulary parity; verify envelope authenticators according to the recipient’s trust model; and confirm that derived claims bind intact direct parent projections with deterministic ordering and causal multi-hop taint?
Final Synthesis
Agentic commerce should be understood as an orchestration problem across the e-commerce stack. Current platform movements show that AI shopping surfaces, agent protocols, checkout systems, payment mandates, wallet infrastructure, and commerce-cloud integrations are developing quickly. These developments create new opportunities, but they also create semantic risk for merchants and software teams.
The central requirement is controlled commercial meaning. A platform must know what is true, which policies apply, which actions are eligible, which actors are authorized, which checkout transitions are valid, which payment requests remain inside mandate scope, which generated claims may be projected, which evidence references support the decision, and what the next safe action is.
The Blueprint proposed in this article defines a decision spine that connects source systems, commercial truth, policy facts, action-specific eligibility, actor authority, checkout state, payment authority, generated-claim projection state, evidence, audit, surface projections, and operator remediation.
The spine produces one canonical decision envelope that records what was requested, whether it is allowed, why that decision was reached, how fresh and verifiable it is, and what safe action should happen next. Feeds, protocols, checkout services, administrative tools, and support surfaces should project from that envelope through an appropriate checked boundary instead of recreating commercial meaning independently.
This is the architectural difference between AI-enabled commerce and agent-ready commerce. AI-enabled commerce adds intelligence to the interface. Agentic commerce requires decision architecture behind the interface, enabling the platform to determine, explain, project, and remediate what agents are allowed to do.
Further Reading
This article is part of a broader architecture track on agent-ready commerce. The related DEV Community series, Agent-Ready Commerce, expands the topic through platform foundations, commercial truth, action-specific eligibility, machine-readable policy facts, thin ACP/UCP/MCP/AP2 adapters, checkout as a mutation boundary, delegated payment, generated claims, event-backed explanation, and operator workflows (Sfyris, 2026).
For broader commerce-specific literature, McKinsey’s report on the agentic commerce opportunity frames agentic commerce as a shift in marketplace structure, customer journeys, merchant readiness, infrastructure, payments, and trust (Schumacher et al., 2025). McKinsey’s later automation-curve article treats agentic commerce as a staged transition across levels of shopper delegation rather than a single jump from human shopping to full autonomy (Mahajan et al., 2026). Deloitte’s retail guide addresses retailer readiness, agent-ready data infrastructure, APIs, interoperability, monetization, and performance measurement for the agentic channel (Deloitte, 2026). The ACES study by Allouah et al. evaluates how AI shopping agents choose products in programmable marketplaces and identifies model-dependent position effects, sponsored-tag behavior, endorsement effects, price and review sensitivity, and seller-side optimization implications (Allouah et al., 2025).
Architecture review contribution and contributor notes
This collaborative article is based on the Agentic Commerce Blueprint architectural work by Dimitrios S. Sfyris, with technical architecture review contribution from Vinicius Pereira. Vinicius’s review strengthened the article’s treatment of semantic drift, eligibility-versus-authority separation, payment artifacts as evidence rather than permission, decision-path ergonomics, scoped grounding, generated-claim capability gates, evidence pins, value-hash rechecks, freshness horizons, dependency-pinned hashes, origin-authenticated envelopes under explicit trust models, and distinct negative states for generated claims. Sergei Parfenov’s public review feedback sharpened the explicit propagation of inherited refusal through derived claims and the separation of projection axes so each consuming surface can apply its own policy.
| Review theme | How it appears in the Blueprint | Contributor |
| Decision-spine projection discipline | Vinicius reinforced that every surface should project the same domain decision rather than re-derive status locally, especially across feed, tool, checkout, admin, and support surfaces. | Vinicius Pereira |
| Eligibility, authority, and payment boundary | His review called out the eligibility-versus-authority split and the “payment artifact is evidence, not permission” reframe as core bug-prevention boundaries. | Vinicius Pereira |
| Reason colocality | Decision reasons are computed beside the domain result and projected outward rather than reconstructed by each surface. | Vinicius Pereira |
| Dependency-pinned hashes and freshness | The envelope separates inputDependencyHash, resultHash, and decisionHash, and carries a freshness horizon so changed evidence or dependencies are detectable. | Vinicius Pereira |
| Evidence integrity | Evidence references are hash-pinned with SHA-256 hashes throughout canonical envelopes; checkout changes, state mutation, and payment blocking are treated as the highest-risk examples rather than the only cases. | Vinicius Pereira |
| Scoped generated-claim grounding | Generated claims are projectable only for a requested use, surface, scope, and evidence pin; “grounded” is not treated as global permission. | Vinicius Pereira |
| Generated-claim capability gate | The projectable value is returned through the domain gate rather than exposed as raw claim text, with value-hash rechecks to prevent drift after approval. | Vinicius Pereira |
| Generated-claim negative-state separation | Strengthened the separation between refused, stale, out-of-scope, and absent generated-claim states so projections do not collapse materially different outcomes. | Vinicius Pereira |
| Origin-authenticated envelopes | Pointed out that hashes alone prove internal consistency but not origin. The envelope included detached authenticator metadata and an explicit key reference so recipients can verify an Ed25519 signature or authenticate an HMAC value according to the declared trust model. | Vinicius Pereira |
| Content-addressed rule sets and schema versioning | Identified that a mutable ruleSetRef could hide semantic changes. The envelope included ruleSetHash and envelopeSchemaVersion so rule-set edits and envelope-format migrations are detectable by consumers. | Vinicius Pereira |
| Inherited-refusal propagation and projection axes | Public review feedback prompted explicit propagation of upstream refusal state through derived claims and clearer separation of source, freshness, scope, surface, use, payload, and taint so each consuming surface can apply its own policy. | Sergei Parfenov |
Related reading from WebDigestPro
- From Information Management to AI-Powered Information Intelligence
How AI is changing search, verification, governance, analytics, and the role of human judgment in evidence-backed information workflows. - Agentic Systems and the Future of Software
How AI agents are changing software architecture, workflows, automation, and human responsibility. - The New Challenges of Cybersecurity in the AI Era
A closer look at security, identity, human judgment, and digital trust as AI capabilities advance.
Contributions and contributor bios
Dimitrios S. Sfyris, Founder of AspectSoft — Contribution: Originator of the Agentic Commerce Blueprint’s core thesis and architectural framework; implementation design and development of the proposed reference implementation; ecosystem research and evidence synthesis; agent-ready commerce and e-commerce orchestration architecture; and the architecture’s treatment of commercial truth, policy facts, action-specific eligibility, checkout and payment boundaries, delegated authority, generated claims, evidence, authenticated protocol projections, operator remediation, and final editorial synthesis.
Bio: Dimitrios S. Sfyris is Founder of AspectSoft and a software architect focused on SaaS platforms, APIs, developer tools, automation, and complex web systems. With 17 years of experience across software development, academic research, and enterprise practice, he bridges rigorous technical thinking with practical product execution. Professional links: https://www.linkedin.com/in/dimitrios-s-sfyris/ and aspectsoft.gr
Vinicius Pereira (github.com/vinimabreu) — Contribution: technical architecture review around semantic drift, reason colocality, action-aware decision basis, eligibility-versus-authority separation, payment artifacts as evidence rather than permission, generated-claim and explanation action consistency, requires_confirmation status consistency, canonical reason-code consistency, dependency-pinned input hashes, result hashes, freshness horizons, content-addressed rule-set refs, envelope schema versioning, detached-authenticator trust models, SHA-256 evidence hash-pinning, generated-claim projection axes, scoped grounding, allowed-use/evidence-pin semantics, helper-gated projectable values, value-hash rechecks, distinct refusal/absence/staleness states, and decision-path ergonomics.
Bio: Vinicius Pereira is an AI and data engineer building systems that are grounded, tested, and honest: RAG, agents, automations, and data pipelines, with an emphasis on decision auditability, deterministic tests, and CI. Professional links: https://github.com/vinimabreu, https://dev.to/vinimabreu, and https://www.vinimabreu.dev/
Sergei Parfenov (github.com/P0rt) — Contribution: public feedback on typed provenance, explicit inherited-refusal propagation through derived claims, and separate projection axes evaluated by each consuming surface; related-work framing around provenance persistence and gate enforcement.
Bio: Sergei Parfenov is an AI engineer and CTO writing about agent reliability, typed provenance, memory compaction, and enforcement in agent systems. Professional link: https://dev.to/p0rt
References
Agentic Commerce Protocol. (2025). Agentic Commerce Protocol. Retrieved July 10, 2026, from Link
Allouah, A., Besbes, O., Figueroa, J. D., Kanoria, Y., & Kumar, A. (2025). What is your AI agent buying? Evaluation, biases, model dependence, & emerging implications for agentic e-commerce. arXiv. Link
AP2 Protocol. (2025). Agent Payments Protocol. Retrieved July 10, 2026, from Link
Ben, N. (2026, April 20). Adobe Commerce: Summit announcements. Adobe Business Blog. Link
de Valois-Franklin, A., & Bogdan, A. (2026). RAILS: Verification-native clearing for agentic commerce. arXiv. Link
Debi, T., & Zhu, W. (2026). Whispers of wealth: Red-teaming Google’s Agent Payments Protocol via prompt injection. arXiv. Link
Deloitte. (2026). Agentic commerce: Redefining retail economics. Link
Google Cloud. (2025, September 16). Powering AI commerce with the new Agent Payments Protocol (AP2). Google Cloud Blog. Link
Grigorik, I. (2026, January 11). Building the Universal Commerce Protocol. Shopify Engineering. Link
Handa, A., & Gupta, A. (2026, January 11). Under the hood: Universal Commerce Protocol (UCP). Google Developers Blog. Link
Jain, K. (2026, February 18). Adobe Commerce commits to agentic commerce standards. Adobe Business Blog. Link
Lan, Q., Kaul, A., Jones, S., & Westrum, S. (2026). Zero-trust runtime verification for agentic payment protocols: Mitigating replay and context-binding failures in AP2. arXiv. Link
Mahajan, D., Mayer, H., Schumacher, K., & Roberts, R. (2026, January 28). The automation curve in agentic commerce. McKinsey & Company. Link
Mastercard. (2025, April 29). Mastercard unveils Agent Pay, pioneering agentic payments technology to power commerce in the age of AI. Link
Mastercard. (2026, June 10). Mastercard launches Agent Pay for Machines to unlock super-fast, always-on payments. Link
Model Context Protocol. (2025, November 25). Specification. Link
OpenAI. (2025, September 29). Buy it in ChatGPT: Instant Checkout and the Agentic Commerce Protocol. Link
OpenAI. (2026, March 24). Powering product discovery in ChatGPT. Link
PayPal Developer. (2026, June 24). Store Sync overview. Link
PayPal. (2025a, October 28). PayPal launches Agentic Commerce Services to power AI-driven shopping. Link
PayPal. (2025b, October 28). OpenAI and PayPal team up to power Instant Checkout and agentic commerce in ChatGPT. Link
PayPal. (2025c, November 25). PayPal and Perplexity launch Instant Buy ahead of Black Friday. Link
Parfenov, S. (2026a, June 22). Trust isn’t a scalar: Typed provenance for agent chains. DEV Community. Link
Parfenov, S. (2026b, July 1). Your provenance vector dies at the storage boundary. DEV Community. Link
Salesforce. (2026a). What is agentic commerce? Retrieved July 10, 2026, from Link
Salesforce. (2026b, June 24). As AI agents transform commerce, Salesforce unleashes its biggest Agentforce Commerce release yet. Link
Schumacher, K., Roberts, R., & Giebel, K. (2025, October 17). The agentic commerce opportunity: How AI agents are ushering in a new era for consumers and merchants. McKinsey & Company. Link
Shopify. (2026, June 17). Agentic commerce for every developer: The Spring ’26 Edition. Link
Sfyris, D. S. (2026). Agent-Ready Commerce [Series]. DEV Community. Link
Stripe. (2025, September 29). Stripe powers Instant Checkout in ChatGPT and releases Agentic Commerce Protocol co-developed with OpenAI. Link
Universal Commerce Protocol. (2026). Universal Commerce Protocol. Retrieved July 10, 2026, from Link
Visa. (2026a). Enabling AI agents to buy securely and seamlessly. Retrieved July 10, 2026, from Link
Visa. (2026b, June 10). Visa’s vision for intelligent, programmable commerce. Visa Perspectives. Link
Visa. (2026c, April 9). Visa opens the door to AI-driven shopping for businesses worldwide. Link
Visa. (2026d, June 10). How Visa is partnering with OpenAI to build the future of agentic commerce. Visa Perspectives. Link
Subscribe to our newsletter!
+ There are no comments
Add yours