spec: Updates based on discussions during last meeting #33

Merged
mindpower merged 8 commits into main from darrmi/ai-catalog-updates
Apr 30, 2026
@darrelmiller

See #28 for details.

Replaces #29

darrelmiller and others added 7 commits April 10, 2026 23:57
Spec changes (per issue #28 action items):
- Remove top-level collections array and CollectionRef type
- Eliminate bundle as a distinct concept (nested catalogs only)
- Rename inline -> data (oneOf with url)
- Add dual-protocol agent example (MCP + A2A)
- Reduce max nesting depth from 8 to 4
- Replace ASCII tree diagrams with JSON examples
- Standardize MCP media type to application/mcp-server-card+json
- Standardize skill media type to application/agentskill+zip
- Remove Claude Code Plugin Entry example section

ADRs from 2026-04-02 working group meeting:
- 0001: Nesting depth limit of 4
- 0002: Defer entry dependency expression
- 0003: Remove collections in favor of entries
- 0004: Eliminate bundle concept
- 0005: Add data member (oneOf with url)
- 0006: Single url per entry
- 0007: url field name over href
- 0008: Media type only (no artifactType)
- 0009: Trust manifest substitution attack
- 0010: AI Card terminology
- 0011: No .well-known URI requirement
- 0012: Extensibility via metadata property
- 0013: AI Catalog as authoring format, OCI as distribution

Refs: #28

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Fixes:
- Replace stale 'inline' terminology with 'embed'
- Fix typo in researchAssistant URL
- Remove 'bundle' terminology from discovery section
- Fix missing space in conformance levels
- Fix indentation in nested data JSON block
- Update 'MCP manifest' to 'MCP Server Card'

New examples added for:
- Host Info object
- Multi-Version Entries (same identifier, different versions)
- Trust Manifest (complete standalone example)
- Trust Schema object
- Attestation object (SOC2 with digest)
- Provenance Link object (full lineage chain)

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- Added 7 new security subsections: circular references, trust manifest
  substitution, catalog poisoning, identifier typosquatting, stale
  attestations, embedded content safety, and privacy considerations
- Fixed MCP Registry mapping to correctly distinguish server.json
  (Registry package metadata) from Server Cards (SEP-1649 discovery)
- Added Note box clarifying the two MCP artifact types
- Changed Registry examples to use application/json with server.json URLs
- Fixed Decentralized Discovery prose that conflated the two formats
- Added Metadata Extensibility section with key naming conventions
- Added Version Handling section with compatibility rules

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Restructure Security Considerations around a four-layer trust model:
- Layer 0: HTTPS transport security
- Layer 1: Trust Manifest with provenance digests (advisory)
- Layer 2: Signed Trust Manifest (closes substitution gap)
- Layer 3: OCI content-addressed distribution

Explicitly notes that digest verification without signature verification
does not protect against catalog-level substitution. Catalog Poisoning
section now cross-references the trust layers.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
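
The substitution gap named in the commit message above (Layer 1 versus Layer 2), as an added example that is not code from this pull request or from the specification. The manifest field names are hypothetical, the sample data is constructed, and HMAC with a pinned key stands in for the asymmetric signature a real Signed Trust Manifest would carry.

```python
import hashlib
import hmac
import json

# Hypothetical field names; the spec's real Trust Manifest schema is not shown on this page.
# HMAC with a pinned key is a stdlib-only stand-in for an asymmetric signature.
PINNED_KEY = b"constructed-publisher-key"


def sha256_hex(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def make_manifest(artifact: bytes, key: bytes) -> dict:
    """Publisher side: record the artifact digest and sign the manifest body."""
    body = {"identifier": "urn:example:agent", "digest": sha256_hex(artifact)}
    payload = json.dumps(body, sort_keys=True).encode()
    return {"body": body, "signature": hmac.new(key, payload, hashlib.sha256).hexdigest()}


def verify_digest_only(manifest: dict, artifact: bytes) -> bool:
    """Layer 1 (advisory): the artifact matches the digest the manifest claims."""
    return hmac.compare_digest(manifest["body"]["digest"], sha256_hex(artifact))


def verify_signed(manifest: dict, artifact: bytes, pinned_key: bytes) -> bool:
    """Layer 2: trust the digest only if the manifest verifies under the pinned key."""
    payload = json.dumps(manifest["body"], sort_keys=True).encode()
    expected = hmac.new(pinned_key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest.get("signature", "")):
        return False
    return verify_digest_only(manifest, artifact)


# Constructed sample data: the published artifact and a replaced one.
genuine = b'{"name": "research-assistant", "version": "1.0.0"}'
replaced = b'{"name": "research-assistant", "version": "1.0.0", "extra": true}'
genuine_manifest = make_manifest(genuine, PINNED_KEY)
# A party that controls the catalog can rewrite the manifest to match the
# replaced artifact, but does not hold the publisher's key.
swapped_manifest = make_manifest(replaced, b"not-the-publisher-key")

if __name__ == "__main__":
    print("digest-only accepts swapped pair:", verify_digest_only(swapped_manifest, replaced))
    print("signed check accepts swapped pair:", verify_signed(swapped_manifest, replaced, PINNED_KEY))
    print("signed check accepts genuine pair:", verify_signed(genuine_manifest, genuine, PINNED_KEY))
```

The digest-only check accepts the swapped manifest and artifact because both were replaced together; only the check anchored to a key held outside the catalog rejects the pair.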
The upstream build pipeline now generates the ReSpec HTML.
No need to commit it in the source branch.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
- ADR-0011: Soften position from 'no .well-known' to '.well-known is
  optional but registered as a convention'
- Add IANA Well-Known URI registration section for ai-catalog.json

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
github-actions Bot added a commit that referenced this pull request Apr 16, 2026
@darrelmiller

darrelmiller commented Apr 16, 2026

@github-actions

github-actions Bot commented Apr 17, 2026


Preview unavailable.

The pull request preview was removed because this pull request is closed.

github-actions Bot added a commit that referenced this pull request Apr 17, 2026
@muscariello muscariello reopened this Apr 17, 2026
github-actions Bot added a commit that referenced this pull request Apr 17, 2026
@muscariello muscariello self-requested a review April 17, 2026 11:48

@muscariello muscariello left a comment

LGTM

@mindpower mindpower merged commit 634a09d into main Apr 30, 2026
20 checks passed
github-actions Bot added a commit that referenced this pull request Apr 30, 2026
3 participants