Supply-Y Protocol

Developer Documentation

Protocol 1.0
Documentation

Search Supply-Y

All documentation
MarkdownDemo
Current Release

Supply-Y Protocol 1.0

The exact stable contract, immutable artifact inventory and honest implementation availability behind this release.

Stable specification
Release Evidence

Pinned bytes, not a floating label

Every listed artifact has a stable 1.0 URL, exact byte count and RFC 9530 SHA-256 digest.

15Release artifactsOne strict inventory
12Normative artifactsWire contract inputs
1.0.0Core schemasupply-y/1.0
SHA-256Integrity profileExact response bytes

Stable protocol, separate implementation maturity: hosted API not generally available; SDK preview source; Skill trust test only; certification not yet available.

Supply-Y Protocol 1.0 is the stable interoperability contract for exchanging bounded, encrypted business decisions between company-controlled Agents. The release fixes the object envelopes, API contract, Native cryptographic profile, reliable event-delivery behavior, security boundary and compatibility rules that participating implementations must share.

Pin this release

An Agent should not trust a version label alone.

  1. Fetch /.well-known/supply-y over HTTPS.
  2. Read protocol_release.manifest, protocol_release.manifest_schema and protocol_release.content_digest.
  3. Verify the exact Manifest bytes against the discovery-pinned RFC 9530 SHA-256 digest.
  4. Validate the Manifest against its strict JSON Schema.
  5. Fetch only the versioned artifact URLs listed in the Manifest and verify each byte count and digest before use.
  6. Store the Manifest URL and digest in the customer-local Connection Profile.

Install without repository access

The Manifest lists one bundle.json built for company Agents. After verifying the Bundle digest from the Manifest, validate it against bundle.schema.json, decode each Base64 entry and verify its individual byte count and digest. The Bundle contains 55 public protocol artifacts: 12 normative contracts, 24 valid and invalid fixtures, 8 conformance case sets, 5 cryptographic test vectors and 6 compatibility contracts. It contains fictional test material and no customer data.

The public protocol_contract installation profile uses this Bundle in any implementation language and requires no GitHub account. The TypeScript SDK remains a restricted source preview; an Agent without authorized source access must use the public contract profile instead of trying to clone the private repository.

The versioned /protocol/1.0/ resources are immutable. The unversioned discovery document may evolve to point to a later supported release.

Compatibility boundary

  • A 1.0 implementation accepts supply-y/1.0 Packages.
  • It rejects supply-y/0.1; it must not rewrite a preview Package in place.
  • Native and Catena-X transport modes preserve the same Protocol 1.0 business-object semantics.
  • Schema, Skill, SDK, discovery and installer versions evolve independently under the published compatibility rules.

What stable means

Stable means the cross-company wire contract is versioned, machine-readable and testable. Breaking changes require a new protocol major version.

Stable does not mean every implementation surface is generally available. The current release Manifest explicitly records that the hosted API is not generally available, the TypeScript SDK is a source preview, the Skill publisher trust root is test-only and production certification is not yet available.

Integrity boundary

The discovery-pinned digest detects accidental or unexpected changes to the Manifest, and the Manifest digests detect changes to every listed artifact. HTTPS and the canonical Supply-Y origin establish the current publication trust boundary. A separately signed production release root remains future trust infrastructure and is not claimed by this release.

On this page
Immutable Inventory

Protocol 1.0 artifacts

Fetch these exact URLs and verify the complete digest before parsing or installation.

ArtifactRoleBytesContent-Digest
protocol_release_manifest_schemarelease_manifest_schema4,739sha-256=:27HkXDzOZu3rnhS9u6FE0wiqRPR0pFi9O/+YoPLRKTE=:
protocol_bundle_schemaprotocol_bundle_schema3,374sha-256=:eCvfnkJ8PHBK8HiRXvfsNBslRAOLVV319MAQNTxJF/M=:
protocol_bundleprotocol_bundle391,562sha-256=:249J1eSaQ1ebEoGYqCZ+UZd5aWRRrRsMmiAW65ltvlo=:
common_schemaobject_schema · normative3,534sha-256=:o0oKsCKm9H6XB9wvlIyOa36kz7ei5hqoVtblEF5gBiA=:
audit_event_schemaobject_schema · normative2,079sha-256=:6NJUpd8DDuiDc3epwmyZVzW2zo5wpBpjZJrQTlBw7dY=:
loop_thread_schemaobject_schema · normative2,521sha-256=:PtCkN8sBTNezUq4y5W1FcM/++dzhWGukO3lxsXIUMxY=:
network_story_schemaobject_schema · normative2,093sha-256=:Xs3MdqjNk1Sx0ZxTwZq4C6hmhjWBWSKyfQPrh796bCI=:
policy_envelope_schemaobject_schema · normative2,887sha-256=:yjnRbBEggogdEJy2EkfwMKtVutcAsOOrF0hg5+2Kk2o=:
reasoning_package_schemaobject_schema · normative5,418sha-256=:6vAURblbdJAYXVrTmA/qXd2ibXHs4VgjWGcmRRC+b7o=:
response_object_schemaobject_schema · normative2,640sha-256=:0SGDBHjC0Fvp5WcfKwIuzm7zPNyPVEb+DgzfvhH5X6o=:
agent_exchange_openapiapi_contract · normative63,774sha-256=:hvvTnit+/axOtw4lLpU7GXbCtTSEbKS8qwfDuhXI9ZY=:
native_cryptographic_profilecryptographic_profile · normative11,872sha-256=:2xPQfxPx/czLV5grmpKU+0GUechl7RpOf9xHeBG2Alk=:
event_delivery_profileevent_delivery_profile · normative8,191sha-256=:7Yxq5tSKKQFzmOAxq5GjXs7helywAFA4XIusFJ6UO+0=:
security_and_trust_modelsecurity_model · normative8,013sha-256=:za3Vl8eNiGn0Mzu7U4AUZ3Em5KeEIMO3sdiGcIkqkf0=:
versioning_and_compatibilityversioning_policy · normative8,787sha-256=:8xj9tBpDwJEFhmFmPqlNvnpM96PKtyDcPF0JqpliajM=: