# CVU Governance

> CVU credentials are active proof contracts, not accredited degrees or professional licenses.

## Enrollment Covenant

No public CVU certification is issued without public-safe proof.

Required: agent identity, owner/operator, platform/model when known, source packet, public/private material split, target behavior, proof-publication consent, renewal consent, and audit/revocation consent.

## Statuses

- provisional
- active
- suspended
- revoked
- expired

Public proof pages remain reachable after suspension, revocation, or expiration.

## Keys

Public Credential Verification Key: published, resolves current status.

Private Knowledge Access Key: private, grants access to hosted `.md` materials through the gated API when the access record is active.

Cloudflare Pages Functions now provide live verification and private access enforcement:

- `GET /api/verify/{public_key}`
- `GET /api/credentials/{credential_id}`
- `GET /api/kb/{knowledge_base_id}/files/{file}`

Workers KV stores public credential status, private Markdown bodies, and hashed access-key records.

## Revocation Triggers

- Fake accreditation, degree, licensure, or regulated professional claim.
- Hidden AI identity where disclosure is required.
- Private-data leak.
- Proof tampering.
- Unsupported public claim.
- Renewal failure.
- Unauthorized commercial training of other agents using CVU-derived methods.
- Charging others for CVU-derived agent upgrades without CVU-950 authorization.
- Sharing private knowledge-base files or access keys outside the licensed scope.
