From f850ff011c3ab0a7f75ff6706446f3c754a552f8 Mon Sep 17 00:00:00 2001
From: "Lars K.L." <15800648+WP-LKL@users.noreply.github.com>
Date: Sun, 25 Jan 2026 23:57:34 +0100
Subject: [PATCH] pre-commit universal lint
---
.github/workflows/doc-drift.yml | 2 +-
.github/workflows/lint.yml | 7 +-
.github/workflows/test.yml | 2 +-
.pre-commit-config.yaml | 34 +++
.prettierrc.cjs | 42 ++++
CONTRIBUTING.md | 5 +
Makefile | 1 +
SECURITY.md | 15 +-
package-lock.json | 60 ++++-
package.json | 8 +-
schema/kya-manifest.schema.json | 396 ++++++++++++++++----------------
spec/index.html | 44 ++--
spec/vocab.html | 15 +-
tools/ajv-validate-schema.js | 37 +--
tools/requirements.txt | 1 +
15 files changed, 411 insertions(+), 258 deletions(-)
create mode 100644 .pre-commit-config.yaml
create mode 100644 .prettierrc.cjs
diff --git a/.github/workflows/doc-drift.yml b/.github/workflows/doc-drift.yml
index b5bed33..856dde3 100644
--- a/.github/workflows/doc-drift.yml
+++ b/.github/workflows/doc-drift.yml
@@ -15,7 +15,7 @@ jobs:
- name: Set up Python
uses: actions/setup-python@v5
with:
- python-version: "3.10"
+ python-version: '3.10'
- name: Install Python dependencies
run: |
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index b8e18b0..9461aa2 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -15,7 +15,7 @@ jobs:
- name: Set up Python
uses: actions/setup-python@v5
with:
- python-version: "3.10"
+ python-version: '3.10'
- name: Install Python dependencies
run: |
@@ -25,7 +25,7 @@ jobs:
- name: Set up Node
uses: actions/setup-node@v4
with:
- node-version: "20"
+ node-version: '20'
- name: Install Node dependencies
run: npm install
@@ -33,6 +33,9 @@ jobs:
- name: Lint Python (Ruff)
run: ruff check tools
+ - name: Pre-commit hooks
+ run: pre-commit run --all-files
+
- name: Validate Schema (AJV Strict)
run: npm run lint:schema
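Review bot: The new `Pre-commit hooks` step runs the ruff hook that `.pre-commit-config.yaml` configures with `args: ['--fix']`, so a finding in CI surfaces as "files were modified by this hook" on a throwaway checkout instead of as a diagnostic. Either drop `--fix` from the hook and leave fixing to `lint-fix`, or make the step `run: pre-commit run --all-files --show-diff-on-failure` so the log shows what was changed. The same concern applies to the `pre-commit run --all-files` line added to the Makefile's `lint` target, which is documented as a check but will now rewrite files in the working tree. The step also repeats the `ruff check tools` step directly above it.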
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3503350..b2e7577 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -15,7 +15,7 @@ jobs:
- name: Set up Python
uses: actions/setup-python@v5
with:
- python-version: "3.10"
+ python-version: '3.10'
- name: Install dependencies
run: |
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
new file mode 100644
index 0000000..19f6801
--- /dev/null
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,34 @@
+---
+repos:
+ - repo: 'https://github.com/rbubley/mirrors-prettier'
+ rev: 'v3.7.4'
+ hooks:
+ - id: 'prettier'
+ types: [text]
+ additional_dependencies:
+ - 'prettier@3.5.3'
+ - 'prettier-plugin-sort-json@4.1.1'
+ - 'prettier-plugin-toml@2.0.5'
+ pass_filenames: true
+ args:
+ [
+ '--log-level=warn',
+ '--check',
+ '--config=.prettierrc.cjs',
+ '--ignore-path=.prettierignore',
+ ]
+ - repo: 'https://github.com/codespell-project/codespell'
+ rev: 'v2.4.1'
+ hooks:
+ - id: 'codespell'
+ exclude: '^(package-lock.json|src/test/openutau-ustx/bulaomeng.ustx.yaml|src/test/kustomization/labels.json|src/test/bun-lock/bun.lock.json|src/bin/.*)$'
+ args:
+ [
+ '--ignore-words-list',
+ 'crate,ninjs,ans,specif,seh,specifid,deriver,isnt,tye,forin,dependees,rouge,interm,fo,wast,nome,statics,ue,aack,gost,inout,provId,handels,bu,testng,ags,edn,aks,te,decorder,provid,branche,alse,nd,mape,wil,clude,wit,flate,omlet,THIRDPARTY,NotIn,notIn,CopyIn,Requestor,requestor,re-use,ofo,abl,dout,foto,vor,wel,NAM,BRIN,everyTime,afterAll,beforeAll,ontainer',
+ ]
+ - repo: 'https://github.com/astral-sh/ruff-pre-commit'
+ rev: 'v0.9.1'
+ hooks:
+ - id: ruff
+ args: ['--fix']
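Review bot: All three `rev:` values are tags (`v3.7.4`, `v2.4.1`, `v0.9.1`), which the upstream owner can move, and pre-commit clones and executes whatever the tag points to, both on developer machines and in the CI step added in lint.yml. Pin each to the full commit hash and keep the tag as a comment, e.g. `rev: '<full-commit-sha>'  # frozen: v3.7.4` (the form `pre-commit autoupdate --freeze` writes). This matters most for the prettier hook, which comes from a third-party mirror repository rather than from the prettier project itself. Separately, the codespell `exclude` pattern and ignore-words list name paths such as `src/test/openutau-ustx/...` and `src/bin/.*` that do not appear in this patch's file list and look carried over from another project; trimming them to this repository would make the hook easier to audit.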
diff --git a/.prettierrc.cjs b/.prettierrc.cjs
new file mode 100644
index 0000000..e0b11c6
--- /dev/null
+++ b/.prettierrc.cjs
@@ -0,0 +1,42 @@
+/** @type {import('prettier').Config} */
+module.exports = {
+ // pre-commit.ci fails without `require.resolve()`.
+ plugins: [
+ require.resolve('prettier-plugin-sort-json'),
+ require.resolve('prettier-plugin-toml'),
+ ],
+ semi: false,
+ singleQuote: true,
+ trailingComma: 'all',
+ jsonRecursiveSort: true,
+ jsonSortOrder: JSON.stringify({
+ '/^[^\\d+]/': 'none',
+ '/^\\d+/': 'none',
+ }),
+ overrides: [
+ {
+ files: '*.jsonc',
+ options: {
+ trailingComma: 'none',
+ },
+ },
+ {
+ files: 'schema/**/*.json',
+ options: {
+ jsonRecursiveSort: true,
+ jsonSortOrder: JSON.stringify({
+ $schema: null,
+ $id: null,
+ $comment: null,
+ $ref: null,
+ '/^\\$.*/': null,
+ '/^[^\\d+]/': 'none',
+ '/^\\d+/': 'none',
+ if: null,
+ then: null,
+ else: null,
+ }),
+ },
+ },
+ ],
+}
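Review bot: In both `jsonSortOrder` maps the key `'/^[^\\d+]/'` has the `+` inside the character class, so it matches a single leading character that is neither a digit nor a literal `+`, not "one or more non-digits". If a quantifier was intended, write `'/^[^\\d]+/'` (or simply `'/^\\D/'`). The `schema/**/*.json` override also repeats `jsonRecursiveSort: true` and both catch-all patterns from the top level. A short comment above each map stating what `'none'` and `null` select, and whether entry order matters, would explain why the schema's `$defs` now sorts ahead of `title` and `properties`.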
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
index 72df525..8133b30 100644
--- a/CONTRIBUTING.md
+++ b/CONTRIBUTING.md
@@ -1,6 +1,7 @@
# KYA Manifest — Developer Notes (v0.1.0-alpha)
## Validation pipeline
+
1. JSON Schema validation against https://w3id.org/kya/v1/schema.
2. JSON-LD expansion using a documentLoader that maps https://w3id.org/kya/v1 to the local context file.
3. Policy checks:
@@ -10,7 +11,9 @@
- embedded vs referenced VC rules.
## JSON-LD context ordering
+
Use:
+
- https://www.w3.org/2018/credentials/v1
- https://w3id.org/security/data-integrity/v2
- https://w3id.org/security/suites/ed25519-2020/v1
@@ -19,10 +22,12 @@ Use:
Putting the KYA context last avoids protected-term redefinition failures in common processors.
## Fixtures
+
- 02-minimal.json: smallest conforming manifest for debugging.
- 01-full.json: comprehensive manifest exercising optional sections and VC embedding/referencing.
## Versioning policy
+
Treat `schema/kya-manifest.schema.json` and `schema/context.jsonld` as normative. When adding or
changing fields, update the schema, context, and `schema_human.md` together. The spec HTML and
vocab are informative and may lag unless a change is breaking or user-facing.
diff --git a/Makefile b/Makefile
index 9f4daf9..6092cdb 100644
--- a/Makefile
+++ b/Makefile
@@ -31,6 +31,7 @@ lint: ## Run lint/format checks
@for file in $(EXAMPLES); do \
$(PYTHON) $(LINTER) $$file; \
done
+ pre-commit run --all-files
npm run lint
lint-fix: ## Auto-fix formatting issues
diff --git a/SECURITY.md b/SECURITY.md
index 93eff1e..f1a8cf2 100644
--- a/SECURITY.md
+++ b/SECURITY.md
@@ -1,19 +1,23 @@
# Security Policy
## Supported Versions
+
Only the latest major version of the KYA Manifest Standard is supported for security updates.
-| Version | Supported |
-| ------- | ------------------ |
-| 0.1.x | ✅ Yes |
-| < 0.1 | ❌ No |
+| Version | Supported |
+| ------- | --------- |
+| 0.1.x | ✅ Yes |
+| < 0.1 | ❌ No |
## Reporting a Vulnerability
+
For now you may open a public issue on GitHub. In the future, we may set up a private disclosure process.
If you discover a security flaw in the future or wish to do so privately for the KYA schema, linter, or protocol logic, please report it privately via:
+
- **Email:** security@cph.ai
- **PGP Key:**
+
```
-----BEGIN PGP PUBLIC KEY BLOCK-----
@@ -28,7 +32,8 @@ gCavPDCBUexEAwEIB4h+BBgWCgAmFiEEX/sM/XNyAq4vACSzRtkRt7ZG5dsFAmly
OldhhZKB8iQJ8mcBAKgjSk53AlbC8h5ruTvbSFhAJkipoAB93W06Ygu+QPoB
=AkD3
-----END PGP PUBLIC KEY BLOCK-----
-````
+```
+
- PGP Fingerprint: `5FFB0CFD737202AE2F0024B346D911B7B646E5DB`
Please include a detailed description of the vulnerability and a proof-of-concept if possible. We aim to acknowledge all reports within 48 hours.
diff --git a/package-lock.json b/package-lock.json
index 751043e..b997708 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -8,7 +8,26 @@
"devDependencies": {
"ajv": "^8.17.1",
"ajv-formats": "^3.0.1",
- "prettier": "3.2.5"
+ "prettier": "^3.5.3",
+ "prettier-plugin-sort-json": "^4.1.1",
+ "prettier-plugin-toml": "^2.0.5"
+ }
+ },
+ "node_modules/@taplo/core": {
+ "version": "0.2.0",
+ "resolved": "https://registry.npmjs.org/@taplo/core/-/core-0.2.0.tgz",
+ "integrity": "sha512-r8bl54Zj1In3QLkiW/ex694bVzpPJ9EhwqT9xkcUVODnVUGirdB1JTsmiIv0o1uwqZiwhi8xNnTOQBRQCpizrQ==",
+ "dev": true,
+ "license": "MIT"
+ },
+ "node_modules/@taplo/lib": {
+ "version": "0.5.0",
+ "resolved": "https://registry.npmjs.org/@taplo/lib/-/lib-0.5.0.tgz",
+ "integrity": "sha512-+xIqpQXJco3T+VGaTTwmhxLa51qpkQxCjRwezjFZgr+l21ExlywJFcDfTrNmL6lG6tqb0h8GyJKO3UPGPtSCWg==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "@taplo/core": "^0.2.0"
}
},
"node_modules/ajv": {
@@ -78,11 +97,12 @@
"license": "MIT"
},
"node_modules/prettier": {
- "version": "3.2.5",
- "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.2.5.tgz",
- "integrity": "sha512-3/GWa9aOC0YeD7LUfvOG2NiDyhOWRvt1k+rcKhOuYnMY24iiCphgneUfJDyFXd6rZCAnuLBv6UeAULtrhT/F4A==",
+ "version": "3.8.1",
+ "resolved": "https://registry.npmjs.org/prettier/-/prettier-3.8.1.tgz",
+ "integrity": "sha512-UOnG6LftzbdaHZcKoPFtOcCKztrQ57WkHDeRD9t/PTQtmT0NHSeWWepj6pS0z/N7+08BHFDQVUrfmfMRcZwbMg==",
"dev": true,
"license": "MIT",
+ "peer": true,
"bin": {
"prettier": "bin/prettier.cjs"
},
@@ -93,6 +113,38 @@
"url": "https://github.com/prettier/prettier?sponsor=1"
}
},
+ "node_modules/prettier-plugin-sort-json": {
+ "version": "4.2.0",
+ "resolved": "https://registry.npmjs.org/prettier-plugin-sort-json/-/prettier-plugin-sort-json-4.2.0.tgz",
+ "integrity": "sha512-jK1w3/7otTvHtv1eoLji2U9mEoOGeyl7QQQ/afLnjht1YtRLSUUk8o0rIIC/HUVXhoGPCFe4SVZbRGYjjUVgvA==",
+ "dev": true,
+ "license": "MIT",
+ "engines": {
+ "node": ">=18.0.0"
+ },
+ "peerDependencies": {
+ "prettier": "^3.0.0"
+ }
+ },
+ "node_modules/prettier-plugin-toml": {
+ "version": "2.0.6",
+ "resolved": "https://registry.npmjs.org/prettier-plugin-toml/-/prettier-plugin-toml-2.0.6.tgz",
+ "integrity": "sha512-12N/wBuHa9jd/KVy9pRP20NMKxQfQLMseQCt66lIbLaPLItvGUcSIryE1eZZMJ7loSws6Ig3M2Elc2EreNh76w==",
+ "dev": true,
+ "license": "MIT",
+ "dependencies": {
+ "@taplo/lib": "^0.5.0"
+ },
+ "engines": {
+ "node": ">=16.0.0"
+ },
+ "funding": {
+ "url": "https://opencollective.com/unts"
+ },
+ "peerDependencies": {
+ "prettier": "^3.0.3"
+ }
+ },
"node_modules/require-from-string": {
"version": "2.0.2",
"resolved": "https://registry.npmjs.org/require-from-string/-/require-from-string-2.0.2.tgz",
diff --git a/package.json b/package.json
index 04bee55..0270196 100644
--- a/package.json
+++ b/package.json
@@ -4,11 +4,13 @@
"devDependencies": {
"ajv": "^8.17.1",
"ajv-formats": "^3.0.1",
- "prettier": "3.2.5"
+ "prettier": "^3.5.3",
+ "prettier-plugin-sort-json": "^4.1.1",
+ "prettier-plugin-toml": "^2.0.5"
},
"scripts": {
"lint:schema": "node tools/ajv-validate-schema.js",
- "format": "prettier --write README.md schema/**/*.json examples/**/*.json spec/**/*.html .github/workflows/*.yml",
- "lint": "prettier --check README.md schema/**/*.json examples/**/*.json spec/**/*.html .github/workflows/*.yml"
+ "format": "prettier --config .prettierrc.cjs --ignore-path .prettierignore --write README.md schema/**/*.json examples/**/*.json spec/**/*.html .github/workflows/*.yml",
+ "lint": "prettier --config .prettierrc.cjs --ignore-path .prettierignore --check README.md schema/**/*.json examples/**/*.json spec/**/*.html .github/workflows/*.yml"
}
}
diff --git a/schema/kya-manifest.schema.json b/schema/kya-manifest.schema.json
index b65860a..3fcc951 100644
--- a/schema/kya-manifest.schema.json
+++ b/schema/kya-manifest.schema.json
@@ -1,204 +1,6 @@
{
"$schema": "http://json-schema.org/draft-07/schema#",
"$id": "https://w3id.org/kya/v1/schema",
- "title": "KYA Manifest",
- "description": "Know Your Agent (KYA) Manifest for autonomous AI agents (identity, governance, and operational constraints).",
- "type": "object",
- "required": [
- "@context",
- "id",
- "type",
- "kyaVersion",
- "agentId",
- "verificationMethod",
- "authentication",
- "assertionMethod",
- "capabilityInvocation",
- "proof"
- ],
- "properties": {
- "@context": {
- "title": "JSON-LD Context",
- "description": "JSON-LD contexts used to interpret terms. Must include the KYA context.",
- "type": "array",
- "minItems": 1,
- "items": { "type": "string", "format": "uri" },
- "contains": { "const": "https://w3id.org/kya/v1" }
- },
- "id": {
- "title": "Manifest Identifier",
- "description": "A globally unique identifier for this manifest (URI).",
- "$ref": "#/$defs/uri"
- },
- "type": {
- "title": "Manifest Types",
- "description": "JSON-LD types for the verifiable presentation. Must include VerifiablePresentation and KyaManifest.",
- "type": "array",
- "minItems": 1,
- "uniqueItems": true,
- "items": { "type": "string" },
- "allOf": [
- { "contains": { "const": "VerifiablePresentation" } },
- { "contains": { "const": "KyaManifest" } }
- ]
- },
- "kyaVersion": {
- "title": "KYA Version",
- "description": "The KYA specification version this manifest conforms to.",
- "type": "string",
- "minLength": 1
- },
- "agentId": {
- "title": "Agent DID",
- "description": "The DID identifying the autonomous agent process governed by this manifest.",
- "$ref": "#/$defs/did"
- },
- "name": {
- "title": "Agent Name",
- "description": "A short human-readable name for the agent.",
- "type": "string"
- },
- "label": {
- "title": "Agent Label",
- "description": "A concise human-readable description of the agent’s purpose and constraints.",
- "type": "string"
- },
- "governingAuthority": {
- "title": "Governing Authority",
- "description": "URIs (often DIDs or fragments) identifying authorities overseeing the agent’s operation.",
- "type": "array",
- "items": { "$ref": "#/$defs/uri" },
- "uniqueItems": true
- },
- "verificationMethod": {
- "title": "Verification Methods",
- "description": "Inventory of public keys (verification methods) used by the agent and its governance.",
- "type": "array",
- "minItems": 1,
- "items": { "$ref": "#/$defs/verificationMethod" }
- },
- "authentication": {
- "title": "Authentication Keys",
- "description": "Verification method URIs authorized for authentication.",
- "type": "array",
- "minItems": 1,
- "items": { "$ref": "#/$defs/uri" },
- "uniqueItems": true
- },
- "assertionMethod": {
- "title": "Assertion Keys",
- "description": "Verification method URIs authorized to assert statements (e.g., sign agent actions).",
- "type": "array",
- "minItems": 1,
- "items": { "$ref": "#/$defs/uri" },
- "uniqueItems": true
- },
- "capabilityInvocation": {
- "title": "Governance Keys",
- "description": "Verification method URIs authorized to invoke governance capabilities, including manifest updates.",
- "type": "array",
- "minItems": 1,
- "items": { "$ref": "#/$defs/uri" },
- "uniqueItems": true
- },
- "keyAgreement": {
- "title": "Key Agreement Keys",
- "description": "Verification method URIs used for key agreement (e.g., encrypted channels).",
- "type": "array",
- "items": { "$ref": "#/$defs/uri" },
- "uniqueItems": true
- },
- "minProofsRequired": {
- "title": "Minimum Proofs Required",
- "description": "Minimum number of valid governance proofs expected for the manifest (policy-level threshold).",
- "type": "integer",
- "minimum": 1
- },
- "legal": {
- "title": "Legal Terms",
- "description": "Optional legal terms and dispute resolution metadata.",
- "$ref": "#/$defs/legal"
- },
- "permissionMode": {
- "title": "Permission Mode",
- "description": "Whether enforcement is strict (deny-by-default) or permissive (allow-by-default with exceptions).",
- "type": "string",
- "enum": ["strict", "permissive"]
- },
- "permittedDomains": {
- "title": "Permitted Domains",
- "description": "Hostnames or domains the agent is allowed to interact with.",
- "type": "array",
- "items": { "type": "string", "minLength": 1 },
- "uniqueItems": true
- },
- "permittedRegions": {
- "title": "Permitted Regions",
- "description": "Region or jurisdiction codes in which operation is permitted (policy-defined).",
- "type": "array",
- "items": { "type": "string", "minLength": 1 },
- "uniqueItems": true
- },
- "forbiddenRegions": {
- "title": "Forbidden Regions",
- "description": "Region or jurisdiction codes in which operation is forbidden (policy-defined).",
- "type": "array",
- "items": { "type": "string", "minLength": 1 },
- "uniqueItems": true
- },
- "maxTransactionValue": {
- "title": "Maximum Transaction Value",
- "description": "Maximum permitted value for a single transaction (units defined by currency).",
- "type": "integer",
- "minimum": 0
- },
- "currency": {
- "title": "Currency",
- "description": "ISO 4217 currency code associated with value-denominated limits.",
- "type": "string",
- "minLength": 3,
- "maxLength": 3
- },
- "operatingLimits": {
- "title": "Operating Limits",
- "description": "Rate and spend-limiting constraints, such as rolling period spend caps.",
- "$ref": "#/$defs/operatingLimits"
- },
- "signingPolicy": {
- "title": "Signing Policy",
- "description": "Policy constraints defining when multi-signature or specific signers are required.",
- "$ref": "#/$defs/signingPolicy"
- },
- "deployment": {
- "title": "Deployment",
- "description": "Optional deployment metadata, including update policy and confidential compute constraints.",
- "$ref": "#/$defs/deployment"
- },
- "governance": {
- "title": "Governance",
- "description": "Optional governance endpoints, visibility, and oracle references.",
- "$ref": "#/$defs/governance"
- },
- "treasury": {
- "title": "Treasury",
- "description": "Optional treasury identifiers and usage classifications for operational funds or reserves.",
- "type": "array",
- "items": { "$ref": "#/$defs/treasuryItem" }
- },
- "verifiableCredential": {
- "title": "Verifiable Credentials",
- "description": "Evidence credentials embedded or referenced by digest for verification workflows.",
- "type": "array",
- "items": { "$ref": "#/$defs/verifiableCredentialEntry" }
- },
- "proof": {
- "title": "Manifest Proofs",
- "description": "Cryptographic proofs establishing integrity and authorized governance invocation.",
- "type": "array",
- "minItems": 1,
- "items": { "$ref": "#/$defs/manifestProof" }
- }
- },
"$defs": {
"uri": {
"title": "URI",
@@ -950,5 +752,203 @@
"additionalProperties": true
}
},
+ "title": "KYA Manifest",
+ "description": "Know Your Agent (KYA) Manifest for autonomous AI agents (identity, governance, and operational constraints).",
+ "type": "object",
+ "required": [
+ "@context",
+ "id",
+ "type",
+ "kyaVersion",
+ "agentId",
+ "verificationMethod",
+ "authentication",
+ "assertionMethod",
+ "capabilityInvocation",
+ "proof"
+ ],
+ "properties": {
+ "@context": {
+ "title": "JSON-LD Context",
+ "description": "JSON-LD contexts used to interpret terms. Must include the KYA context.",
+ "type": "array",
+ "minItems": 1,
+ "items": { "type": "string", "format": "uri" },
+ "contains": { "const": "https://w3id.org/kya/v1" }
+ },
+ "id": {
+ "$ref": "#/$defs/uri",
+ "title": "Manifest Identifier",
+ "description": "A globally unique identifier for this manifest (URI)."
+ },
+ "type": {
+ "title": "Manifest Types",
+ "description": "JSON-LD types for the verifiable presentation. Must include VerifiablePresentation and KyaManifest.",
+ "type": "array",
+ "minItems": 1,
+ "uniqueItems": true,
+ "items": { "type": "string" },
+ "allOf": [
+ { "contains": { "const": "VerifiablePresentation" } },
+ { "contains": { "const": "KyaManifest" } }
+ ]
+ },
+ "kyaVersion": {
+ "title": "KYA Version",
+ "description": "The KYA specification version this manifest conforms to.",
+ "type": "string",
+ "minLength": 1
+ },
+ "agentId": {
+ "$ref": "#/$defs/did",
+ "title": "Agent DID",
+ "description": "The DID identifying the autonomous agent process governed by this manifest."
+ },
+ "name": {
+ "title": "Agent Name",
+ "description": "A short human-readable name for the agent.",
+ "type": "string"
+ },
+ "label": {
+ "title": "Agent Label",
+ "description": "A concise human-readable description of the agent’s purpose and constraints.",
+ "type": "string"
+ },
+ "governingAuthority": {
+ "title": "Governing Authority",
+ "description": "URIs (often DIDs or fragments) identifying authorities overseeing the agent’s operation.",
+ "type": "array",
+ "items": { "$ref": "#/$defs/uri" },
+ "uniqueItems": true
+ },
+ "verificationMethod": {
+ "title": "Verification Methods",
+ "description": "Inventory of public keys (verification methods) used by the agent and its governance.",
+ "type": "array",
+ "minItems": 1,
+ "items": { "$ref": "#/$defs/verificationMethod" }
+ },
+ "authentication": {
+ "title": "Authentication Keys",
+ "description": "Verification method URIs authorized for authentication.",
+ "type": "array",
+ "minItems": 1,
+ "items": { "$ref": "#/$defs/uri" },
+ "uniqueItems": true
+ },
+ "assertionMethod": {
+ "title": "Assertion Keys",
+ "description": "Verification method URIs authorized to assert statements (e.g., sign agent actions).",
+ "type": "array",
+ "minItems": 1,
+ "items": { "$ref": "#/$defs/uri" },
+ "uniqueItems": true
+ },
+ "capabilityInvocation": {
+ "title": "Governance Keys",
+ "description": "Verification method URIs authorized to invoke governance capabilities, including manifest updates.",
+ "type": "array",
+ "minItems": 1,
+ "items": { "$ref": "#/$defs/uri" },
+ "uniqueItems": true
+ },
+ "keyAgreement": {
+ "title": "Key Agreement Keys",
+ "description": "Verification method URIs used for key agreement (e.g., encrypted channels).",
+ "type": "array",
+ "items": { "$ref": "#/$defs/uri" },
+ "uniqueItems": true
+ },
+ "minProofsRequired": {
+ "title": "Minimum Proofs Required",
+ "description": "Minimum number of valid governance proofs expected for the manifest (policy-level threshold).",
+ "type": "integer",
+ "minimum": 1
+ },
+ "legal": {
+ "$ref": "#/$defs/legal",
+ "title": "Legal Terms",
+ "description": "Optional legal terms and dispute resolution metadata."
+ },
+ "permissionMode": {
+ "title": "Permission Mode",
+ "description": "Whether enforcement is strict (deny-by-default) or permissive (allow-by-default with exceptions).",
+ "type": "string",
+ "enum": ["strict", "permissive"]
+ },
+ "permittedDomains": {
+ "title": "Permitted Domains",
+ "description": "Hostnames or domains the agent is allowed to interact with.",
+ "type": "array",
+ "items": { "type": "string", "minLength": 1 },
+ "uniqueItems": true
+ },
+ "permittedRegions": {
+ "title": "Permitted Regions",
+ "description": "Region or jurisdiction codes in which operation is permitted (policy-defined).",
+ "type": "array",
+ "items": { "type": "string", "minLength": 1 },
+ "uniqueItems": true
+ },
+ "forbiddenRegions": {
+ "title": "Forbidden Regions",
+ "description": "Region or jurisdiction codes in which operation is forbidden (policy-defined).",
+ "type": "array",
+ "items": { "type": "string", "minLength": 1 },
+ "uniqueItems": true
+ },
+ "maxTransactionValue": {
+ "title": "Maximum Transaction Value",
+ "description": "Maximum permitted value for a single transaction (units defined by currency).",
+ "type": "integer",
+ "minimum": 0
+ },
+ "currency": {
+ "title": "Currency",
+ "description": "ISO 4217 currency code associated with value-denominated limits.",
+ "type": "string",
+ "minLength": 3,
+ "maxLength": 3
+ },
+ "operatingLimits": {
+ "$ref": "#/$defs/operatingLimits",
+ "title": "Operating Limits",
+ "description": "Rate and spend-limiting constraints, such as rolling period spend caps."
+ },
+ "signingPolicy": {
+ "$ref": "#/$defs/signingPolicy",
+ "title": "Signing Policy",
+ "description": "Policy constraints defining when multi-signature or specific signers are required."
+ },
+ "deployment": {
+ "$ref": "#/$defs/deployment",
+ "title": "Deployment",
+ "description": "Optional deployment metadata, including update policy and confidential compute constraints."
+ },
+ "governance": {
+ "$ref": "#/$defs/governance",
+ "title": "Governance",
+ "description": "Optional governance endpoints, visibility, and oracle references."
+ },
+ "treasury": {
+ "title": "Treasury",
+ "description": "Optional treasury identifiers and usage classifications for operational funds or reserves.",
+ "type": "array",
+ "items": { "$ref": "#/$defs/treasuryItem" }
+ },
+ "verifiableCredential": {
+ "title": "Verifiable Credentials",
+ "description": "Evidence credentials embedded or referenced by digest for verification workflows.",
+ "type": "array",
+ "items": { "$ref": "#/$defs/verifiableCredentialEntry" }
+ },
+ "proof": {
+ "title": "Manifest Proofs",
+ "description": "Cryptographic proofs establishing integrity and authorized governance invocation.",
+ "type": "array",
+ "minItems": 1,
+ "items": { "$ref": "#/$defs/manifestProof" }
+ }
+ },
"additionalProperties": true
}
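Review bot: This reorder of the normative schema is hard to verify from the diff: roughly 200 lines of validation constraints are removed at the top and re-added after `$defs`, inside a tooling commit. From the visible lines the only difference is that `$ref` now comes first in `id`, `agentId`, `legal`, `operatingLimits`, `signingPolicy`, `deployment` and `governance`. That should be confirmed mechanically by checking that the old and new files parse to equal JSON values, with the result noted in the commit message. Landing the formatter-driven rewrite as its own commit would also keep later `git blame` on `required` and `properties` meaningful.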
diff --git a/spec/index.html b/spec/index.html
index 80e9bdd..096013a 100644
--- a/spec/index.html
+++ b/spec/index.html
@@ -12,40 +12,40 @@