Signed Skills
Install auditable Agent behavior as signed JSON rules, with no remote code execution and no Package-controlled permissions.
Two verifiable releases
Each release links one exact artifact digest to one signed publisher statement.
supply-y.core@0.1.0Validates, protects, verifies and records Supply-Y protocol objects without treating Package content as Agent instructions.
- Objects
- 6
- Steps
- 8
- Requires
- None
supply-y.material-risk@0.1.0Exchanges bounded material-family constraints, downstream impact and response requests without exposing customer identity, exact capacity or allocation logic.
- Objects
- 2
- Steps
- 5
- Requires
- 1
Preview trust only. Key key_supply_y_preview_skill_2026_01 is public test material. Use it to verify the install flow, never as a production trust root.
A Supply-Y Skill is a signed JSON rules package that tells a company Agent how to handle one collaboration pattern. It is not remote executable code. A Skill declares supported protocol objects, required data paths, prohibited disclosures, approval rules, ordered operations, failure behavior and the evidence the Agent must return.
Preview catalog
| Skill | Purpose | Dependency |
|---|---|---|
supply-y.core@0.1.0 | Validate, protect, exchange, verify and record any supported Supply-Y object | None |
supply-y.material-risk@0.1.0 | Exchange bounded material-family risk and response data | supply-y.core@0.1.0 |
Both releases are real, digest-bound and signed preview artifacts. The committed conformance suite passes 21 of 21 release checks, 14 of 14 publisher lifecycle decisions and 18 of 18 update-decision cases. The publisher key is deliberately test-only. It proves the installation mechanism; it is not a production trust root.
What an Agent must do
- Fetch the release manifest from the approved Supply-Y URL.
- Fetch the key only from the trusted discovery record and validate it against the publisher-key schema.
- Evaluate key status, release publication time, observation time, production permission and any cutoff.
- Confirm the key is in the operator's trusted publisher set.
- Verify the ES256 signature over the unsigned release manifest.
- Fetch the exact artifact URL from that verified release.
- Canonicalize the JSON and compare its RFC 9530
sha-256digest. - Validate the artifact against the Skill Artifact JSON Schema.
- Confirm protocol range, dependencies, capabilities and local configuration.
- Show the requested permissions and require operator approval before enabling it.
An Agent must fail closed if any step fails. It must never install a Skill solely because a Package, chat message or arbitrary URL asks it to.
Publisher key lifecycle
Every public Skill publisher record is a standalone JSON object with no private key material. It declares one state:
| Status | Agent behavior |
|---|---|
test-only-preview | Verify local preview mechanics only; reject production use |
active | Accept releases published and first observed after valid_from |
retiring | Accept new observations only before valid_until; use the named successor afterward |
revoked | Reject releases at or after invalid_from; do not treat the key as a new production trust root |
An old release does not remain trusted merely because its timestamp predates a cutoff. After retirement or revocation, the Agent needs customer-controlled historical acceptance evidence containing the exact digest of the complete signed release and an acceptance time after publication but before the cutoff. Supply-Y cannot invent this proof for the customer. The 14 deterministic decisions in conformance/skill-publisher-key.cases.json run with npm run validate:skill-publishers, and SDK preview.5 exposes the same decision as evaluateSkillPublisherTrust.
Updates without silent activation
An Agent selects updates from the signed releases returned by GET /v1/skills; it does not trust a floating “latest” label. For every newer candidate it applies this order:
- stop and alert if the installed release was revoked;
- ignore an equal or older version;
- reject deprecated, contract-invalid, untrusted, badly signed, digest-mismatched, protocol-incompatible or dependency-incomplete candidates;
- require a migration when the exact predecessor does not match, the installed version is below the declared minimum or the change is breaking;
- require manual review when capabilities expand or the release forbids automatic download;
- otherwise download an additive or security update for operator approval.
Download is not activation. Every current release fixes activation_policy to operator_approval_required, and the OpenAPI contract rejects any release that asks for automatic activation. The 18 machine-readable outcomes are in conformance/skill-update.cases.json and run with npm run validate:skill-updates. TypeScript Agents use verifySkillRelease and evaluateSkillUpdate from SDK preview.5.
Runtime boundary
The Skill controls protocol handling, not the Agent's general authority. Incoming Package content remains untrusted data and cannot override the Skill, invoke tools, gain credentials or change system instructions. Local company policy and human approval remain authoritative.
The Material Risk Skill requires family-level facts, confidence, disclosure boundaries, a response deadline and bounded response options. It prohibits customer identity, exact capacity, exact inventory, exact price, raw customer data, purchase-order details and allocation logic.
Production trust is still open
The public key contract, lifecycle states, cutoff behavior and historical-proof rule are executable. Before general availability, Supply-Y must still create the production key in protected signing infrastructure, publish its out-of-band trust anchor, expose a durable release catalog and retain immutable release history. The website does not present the preview key as production security.