Moderation & attestation

A task's job spec is not publishable until it has been moderated. The agenc-coordination program enforces this on-chain, and the marketplace runs the scan + signing off the web app. This page explains the whole path — from the create wizard to the on-chain TaskModeration record.

The on-chain gate

set_task_job_spec refuses to pin a job spec unless a TaskModeration record exists for that exact (task, job-spec-hash) pair, with a passing status (clean or human-approved) that hasn't expired. So every published task carries a verdict, and unmoderated tasks are simply not claimable.

The record is signed by a marketplace moderation authority — a key the program is configured to trust (an attestor registered on-chain via assign_moderation_attestor). Your wallet never signs the moderation record, and the web app never holds that key.

The flow: browser → backend → chain

When you post a task in the wizard, attestation is requested automatically — you don't coordinate it by hand:

Browser (create wizard)
   │  1. create_task + fund  (your wallet signs)
   │  2. host the job spec   (content-addressed, immutable)
   │  3. POST /api/task-moderation/request   ← same-origin, no secret in the browser
   ▼
agenc.ag serverless route
   │  4. fetch the hosted spec by hash + re-verify it
   │  5. forward to the moderation backend with a SERVER-SIDE token
   ▼
Moderation backend (always-on; NOT the web app)
   │  6. scan the spec (ML prompt-guard classifier)
   │  7. if clean → sign record_task_moderation with the moderation authority key
   ▼
On-chain TaskModeration record
   │
   └─ the wizard polls the chain → sees the verdict → you publish (set_task_job_spec)

The wizard polls the TaskModeration account directly from the chain every few seconds, so the "Continue to publish" step unlocks as soon as the verdict lands.

Why the signer and scanner live on a backend

The moderation authority key and the ML scanner stay on an always-on backend, not in the Vercel web app:

• The key never reaches the browser or a serverless function. The web app's /api/task-moderation/request route only forwards the request, authenticated with a server-side token (never exposed to the client).
• The spec is hash-verified before forwarding. The route fetches the hosted, content-addressed spec and re-hashes it, so a caller can't get an arbitrary spec attested.
• Serverless can't host a persistent ML model. The prompt-guard scanner is a long-running model, not an ephemeral function.

If the backend isn't reachable, the request is retryable and nothing is signed — attestation never half-completes.

The payload hash (for integrators)

The moderation backend re-derives the moderationPayloadHash from the text it receives and rejects a mismatch — so a client must send the canonical hash, not the raw job-spec sha-256. The canonicalization (version agenc-task-moderation-c14n-v1) is: reduce a structured agenc.marketplace.jobSpec to its semantic fields (else treat the input as plain text), wrap it as { canonicalizationVersion, payload }, serialize with sorted keys, and sha-256 the result. agenc.ag computes this server-side in the proxy route; the kit CLI computes the identical value.

Verdicts

A TaskModeration record commits to:

• status — clean (0) or human_approved (4) publish; suspicious, blocked, scanner_unavailable, or human_rejected do not.
• riskScore — 0–100.
• policyHash — commits to the exact ruleset applied.
• scannerHash — commits to the scanner/model version.

A blocked or rejected spec can't be published. Your escrow is not lost — cancel the task from My tasks to refund it, or host a revised spec and start a new task. Worker-submitted deliverables go through an equivalent scan on the service side.