Availability And Readiness
See what is stable, what can be evaluated or piloted now, and what is not yet generally available.
The contract is stable. The production service is not generally available.
Evaluate the exact public contract now, or run one managed pilot. Do not interpret the Protocol 1.0 label as a claim that every hosted or trust surface is already GA.
- Release
- Protocol 1.0
- Published
- Jul 14, 2026
- Ready surfaces
- 4
- Pre-GA surfaces
- 4
Use the public 1.0 contract
Pin the Manifest, inspect the Bundle, validate all 24 fixtures and run the nine-check profile in your own Agent.
Start local evaluationProve one bounded loop
Two named companies, one decision, one transport, customer-held keys and an explicit acceptance or exit decision.
Review the pilot gatesRequire missing operating evidence
Wait for GA endpoints, production Skill trust, supported distribution, independent interoperability and certification.
See the production gatesOne answer for every implementation surface
Each row separates the published evidence from the customer action it supports.
| Surface | Status | Published evidence | Customer action |
|---|---|---|---|
| Protocol contract | Protocol 1.0 stableUse now | 15 digest-pinned release artifacts; 12 are normative. | Pin and implement the immutable release. |
| Public Agent Bundle | Available nowUse now | 55 public implementation and conformance artifacts; no customer data. | Evaluate in any Agent language without repository access. |
| Local conformance | Available nowUse now | 9 language-neutral Agent checks, 24 fixtures and a passing Node.js-to-Python Agent path. | Run locally and retain your own evidence. |
| Hosted Agent Sandbox | Public evaluationUse now | Short-lived Bearer sessions exercise signed Policy Receipts, Native ciphertext, idempotency, recipient receipts, notifications and hash-chained audit evidence against the Protocol 1.0 API shape. | Use fictional fixtures only; retain the run result as evaluation evidence. |
| Managed two-company pilot | Available by agreementControlled path | One bounded loop, customer-controlled keys, explicit stage gates and portable closeout evidence. | Begin with fictional or sanitized data. |
| Production Hosted Agent API | not generally availableNot production-ready | The public evaluation Sandbox is available, but the stable OpenAPI contract still does not claim a generally available production endpoint or SLO. | Do not create an unsupported production dependency. |
| TypeScript SDK distribution | preview sourceNot production-ready | Reference source is validated, but public registry distribution is not available. | Use the public protocol-contract profile unless access is authorized. |
| Production Skill publisher trust | test onlyNot production-ready | Current signing material proves verification mechanics and cannot authorize production exchange. | Keep production activation disabled. |
| Production certification | not yet availableNot production-ready | Reference conformance evidence is not a time-limited certificate for a customer implementation. | Require implementation-specific evidence before production use. |
Source: immutable Protocol 1.0 Release Manifest, public Agent Bundle and Agent Conformance Profile 1.0.
Status: Live customer decision guide for Supply-Y Protocol 1.0. The current status snapshot is generated from the immutable Release Manifest, public Agent Bundle and Agent Conformance Profile; this guide does not turn an unavailable implementation surface into a production claim.
Read the protocol and the product separately
Protocol 1.0 is the stable cross-company contract. Its object semantics, API shape, cryptographic profile, event behavior, security boundary and compatibility rules are versioned and digest-pinned.
Product availability is a different question. A stable protocol does not imply that the hosted API, public SDK distribution, production Skill signing trust or certification program is generally available. The status matrix above keeps those claims separate.
Choose the path that matches your decision
Use the public evaluation path when a technical team wants to inspect exact contracts, validate fixtures, run the Hosted Agent Sandbox or implement the protocol in an existing Agent. The Sandbox issues a 60-minute test token and executes signed Policy Receipts, encrypted Packages, receipts and audit evidence with fictional data. It requires no customer account, production credential or repository access.
Use the managed-pilot path when two named companies have one bounded decision loop to test. The pilot starts with fictional or sanitized data, customer-controlled keys and explicit stage gates. It is not an automatic production rollout.
Do not make a production dependency decision from the stable protocol label alone. A production procurement decision still needs generally available service endpoints, production trust roots, operating commitments and implementation-specific certification evidence.
What must exist before a production claim
The production answer changes only when the missing evidence changes. Supply-Y must publish and verify:
- a generally available production API with operating commitments; the public Sandbox is evaluation evidence, not a production endpoint;
- a protected production Skill signing root with rotation, revocation and retained release history;
- supported implementation distribution, including a public SDK path where promised;
- interoperability with an independently maintained external Agent plus customer KMS or HSM evidence; the repository-local Node.js-to-Python path already passes;
- a Catena-X partner interoperability result for the EDC path;
- an external security and privacy review plus a time-limited certification program.
Until then, the public materials support local evaluation and a controlled pilot, not an unsupported production-readiness claim.
Evidence stays portable
Customers can retain the Protocol 1.0 Manifest and digest, Bundle, fixtures, conformance results, Connection Profile digest, Package and receipt identifiers, signatures and ciphertext-safe audit evidence. The evidence does not require Supply-Y to hold customer private keys or business plaintext.
Continue with the Hosted Agent Sandbox for a live fictional exchange, Getting Started for local evaluation, Plan a Managed Pilot for a bounded two-company test, or Protocol 1.0 Release to inspect the immutable publication.