Specifications
Eight versioned spec documents. Each declares a stable v0.1 shape for the corresponding APAI object. JSON Schemas under /schemas/*.json are the machine-readable source of truth.
APAI Manifest
Declares package identity, version, dependencies, target platforms, permissions, security posture, install modes, and rollback strategy.
schema: apai.manifest.v0.1Capability Passport
Plain-English permission and risk profile. The central product object of APAI - readable by humans and machines.
schema: apai.passport.v0.1Install Receipt
Proof of what happened during install: files added/modified, permissions granted, approval state, risk score, rollback command.
schema: apai.receipt.v0.1Policy Pack
Workspace governance rules: no-secrets, no-external-send, cost ceilings, approval workflows, allowed-package lists.
schema: apai.policy.v0.1Prompt URL Install
How hosted chat apps apply an APAI package without silent installation. Defines the install card format at /packages/{slug}/llms.txt.
schema: apai.prompt-url-install.v0.1Agent Passport
Bidirectional capability description for AI agents. What an agent CAN do - paired with the package Capability Passport to compute runtime compatibility.
schema: apai.agent-passport.v0.1Honest LLM Contract
Install cards include a SHA-256 Checksum line. Agents echo it back to prove they loaded the correct card. POST /api/install/verify to validate. Catches fabrications about which card was loaded; does not enforce runtime behavior.
schema: apai.install-verify.v0.1Provenance Chain
Three-step (publish / retrieval / install) signed chain linked by prev_hash + payload_sha256. POST /api/provenance/verify returns chainIntegrity, stepsPresent, stepsVerified, warnings. v0.1 verifies LINKING; signatures are placeholder 'stub-ed25519:<hex>'. Real trust root lands in v0.2.
schema: apai.provenance.v0.1