# Supply-Y Protocol 1.0 Release

Supply-Y Protocol 1.0 is the stable interoperability contract for exchanging bounded, encrypted business decisions between company-controlled Agents. The release fixes the object envelopes, API contract, Native cryptographic profile, reliable event-delivery behavior, security boundary and compatibility rules that participating implementations must share.

## Pin this release

An Agent should not trust a version label alone.

1. Fetch `/.well-known/supply-y` over HTTPS.
2. Read `protocol_release.manifest`, `protocol_release.manifest_schema` and `protocol_release.content_digest`.
3. Verify the exact Manifest bytes against the discovery-pinned RFC 9530 SHA-256 digest.
4. Validate the Manifest against its strict JSON Schema.
5. Fetch only the versioned artifact URLs listed in the Manifest and verify each byte count and digest before use.
6. Store the Manifest URL and digest in the customer-local Connection Profile.

## Install without repository access

The Manifest lists one [`bundle.json`](/protocol/1.0/bundle.json) built for company Agents. After verifying the Bundle digest from the Manifest, validate it against [`bundle.schema.json`](/protocol/1.0/bundle.schema.json), decode each Base64 entry and verify its individual byte count and digest. The Bundle contains 55 public protocol artifacts: 12 normative contracts, 24 valid and invalid fixtures, 8 conformance case sets, 5 cryptographic test vectors and 6 compatibility contracts. It contains fictional test material and no customer data.

The public `protocol_contract` installation profile uses this Bundle in any implementation language and requires no GitHub account. The TypeScript SDK remains a restricted source preview; an Agent without authorized source access must use the public contract profile instead of trying to clone the private repository.

The versioned `/protocol/1.0/` resources are immutable. The unversioned discovery document may evolve to point to a later supported release.

## Compatibility boundary

- A 1.0 implementation accepts `supply-y/1.0` Packages.
- It rejects `supply-y/0.1`; it must not rewrite a preview Package in place.
- Native and Catena-X transport modes preserve the same Protocol 1.0 business-object semantics.
- Schema, Skill, SDK, discovery and installer versions evolve independently under the published compatibility rules.

## What stable means

Stable means the cross-company wire contract is versioned, machine-readable and testable. Breaking changes require a new protocol major version.

Stable does not mean every implementation surface is generally available. The current release Manifest explicitly records that the hosted API is not generally available, the TypeScript SDK is a source preview, the Skill publisher trust root is test-only and production certification is not yet available.

## Integrity boundary

The discovery-pinned digest detects accidental or unexpected changes to the Manifest, and the Manifest digests detect changes to every listed artifact. HTTPS and the canonical Supply-Y origin establish the current publication trust boundary. A separately signed production release root remains future trust infrastructure and is not claimed by this release.

---

Canonical HTML: [Supply-Y Protocol 1.0 Release](https://supply-y.net/docs/release)
Agent documentation index: [llms.txt](https://supply-y.net/llms.txt)
