1Purpose
The Capability Passport is the central product object of APAI. It translates a package's declared permissions, security posture, and scanner results into plain-English statements that a human can read and act on before installing.
A Capability Passport is generated from a package's manifest plus scanner findings. A human or LLM should be able to answer six questions from the passport alone:
- What does this package install?
- What can it read?
- What can it write?
- What does it cost?
- What approvals does it need?
- How do I roll it back?
2Example
schema: apai.passport.v0.1 package: prompt-preflight-starter package_version: 0.1.0 publisher: apai-official publisher_verified: true risk_level: low reads: - "Current user prompt or supplied task only" writes: - "Optional local transcript or generated bounded prompt" accesses: - "No secrets required" - "No paid API required" spends: - "No direct spend by default" exposes: - "No prompt collection by default" approvals_required: - "Human approval required before destructive actions, external sends, purchases, deploys, or credential use" rollback: "Remove installed adapter files or stop using the prompt protocol in hosted chat. No persistent state." scanner: status: clean findings: [] generated_at: "2026-05-14T01:30:00Z" generated_by: "apai-passport-generator@0.1.0"
3Required fields
| Field | Type | Req | Description |
|---|---|---|---|
| schema | string | yes | Must be "apai.passport.v0.1" exactly. |
| package | string | yes | Package slug. |
| package_version | string | yes | Version this passport describes. |
| publisher | string | yes | Publisher slug. |
| publisher_verified | boolean | yes | True only for APAI-verified publishers (Phase 6+). |
| risk_level | enum | yes | low | medium | high | unknown |
| reads | string[] | yes | List of data sources the package reads. |
| writes | string[] | yes | List of artifacts the package writes. |
| accesses | string[] | yes | External systems, APIs, or services the package accesses. |
| spends | string[] | yes | Money, tokens, or credits the package may spend. |
| exposes | string[] | yes | Data the package may expose beyond the local environment. |
| approvals_required | string[] | yes | Operator approvals the package will gate on before destructive or sensitive actions. |
| rollback | string | yes | Human-readable rollback instructions. |
| scanner | object | yes | Scanner result block: status and findings. |
| generated_at | ISO 8601 datetime | yes | When the passport was generated. |
| generated_by | string | yes | Tool and version that generated this passport. |
4Risk level
Risk level is a coarse categorization. It is a starting point for a human reviewer; it is NOT a substitute for reading the passport.
- low - No secrets required, no paid API calls, no external sends, no destructive ops, no production-affecting changes. Scanner clean.
- medium- Requires connecting to external systems, may spend money, or makes writes outside the package's local scope. Scanner may have informational findings.
- high - May perform destructive operations, move credentials, ship to production, execute on remote systems, or aggregate data across users. Scanner findings are not necessarily blocking but must be reviewed.
- unknown - Risk could not be assessed (missing manifest fields, scanner unable to run, publisher unverified for a high-impact package type).
5Scanner block
scanner:
status: clean | findings | not-scanned
findings:
- severity: low | medium | high
title: "Short human-readable title"
detail: "Longer explanation. What was detected, where, why it matters."
id: "stable-finding-id"Scanner status clean means no findings on the v0.1 scanner ruleset (suspicious patterns, hidden Unicode). It does NOT mean the package has been fully audited. Real prompt-injection, OAuth-scope, and dependency scanning lands in Phase 5.
6Where passports live
- HTML rendering:
/packages/{slug}on apai.run - JSON:
/api/passports/{slug}(Day 2 stub, real in Phase 1) - LLM install card:
/packages/{slug}/llms.txt(text/plain) - Generated locally:
apai passport {slug}
What this spec is NOT
- ·A security certification. The passport reports what the package declares and what the v0.1 scanner found. It does not certify the package is safe.
- ·A legal guarantee. The passport is a declarative document, not a warranty. Use of any package is at the operator's risk.
- ·An end-state. The Capability Passport is expected to evolve through v0.2, v0.3, etc. Schema-breaking changes go to v1.0+.
- ·A substitute for human review. For high-risk packages, read the passport AND audit the source.