{
  "$schema": "https://json-schema.org/draft/2020-12/schema",
  "$id": "https://cdn.example.org/schemas/trstd-protocol/v1/manifest.json",
  "title": "#trstd <protocol> Manifest",
  "description": "JSON Schema for the #trstd <protocol> discovery manifest served at /.well-known/trstd.json",
  "type": "object",
  "required": [
    "$schema",
    "@context",
    "@type",
    "version",
    "name",
    "entities",
    "capabilities"
  ],
  "properties": {
    "$schema": {
      "type": "string",
      "format": "uri",
      "description": "URL to this JSON Schema for manifest validation",
      "const": "https://cdn.example.org/schemas/trstd-protocol/v1/manifest.json"
    },
    "@context": {
      "type": "string",
      "format": "uri",
      "description": "JSON-LD context URL for semantic interoperability",
      "const": "https://cdn.example.org/schemas/trstd-protocol/v1"
    },
    "@type": {
      "type": "string",
      "description": "Fixed value identifying this as a verification provider manifest",
      "const": "VerificationProvider"
    },
    "version": {
      "type": "string",
      "description": "Protocol version this manifest targets",
      "pattern": "^\\d+\\.\\d+\\.\\d+$",
      "examples": ["1.0.0"]
    },
    "name": {
      "type": "string",
      "description": "Display name of the trust authority",
      "minLength": 1
    },
    "description": {
      "type": "string",
      "description": "Brief description of this verification provider"
    },
    "entities": {
      "type": "array",
      "description": "Array of entity objects scoping trust-verified parts of the site",
      "minItems": 1,
      "items": {
        "$ref": "#/$defs/Entity"
      }
    },
    "capabilities": {
      "type": "array",
      "description": "Array of capability objects describing API endpoints the trust authority supports",
      "minItems": 1,
      "items": {
        "$ref": "#/$defs/Capability"
      },
      "contains": {
        "type": "object",
        "properties": {
          "id": {
            "const": "verify"
          }
        },
        "required": ["id"]
      }
    }
  },
  "additionalProperties": false,
  "$defs": {
    "Entity": {
      "type": "object",
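      "description": "A distinct trust-verified scope on the host. No two entities with the same host may share an identical pathPrefixes entry. This uniqueness rule is not enforced by this schema and must be checked by the consumer of the manifest.",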
      "required": [
        "entityId",
        "host",
        "pathPrefixes"
      ],
      "properties": {
        "entityId": {
          "type": "string",
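          "description": "Opaque identifier for this entity (issued by the trust authority). The format is authority-defined; examples use UUIDs, but any string of 1 to 128 characters from the RFC 3986 unreserved character set is valid. The character constraint exists because the entityId appears as a URL path segment on the verify endpoint. Note that the pattern also admits the dot-segments '.' and '..', which URL parsers remove during normalization; consumers should reject those two values before substituting the entityId into the endpoint template.",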
          "minLength": 1,
          "maxLength": 128,
          "pattern": "^[A-Za-z0-9._~-]+$"
        },
        "host": {
          "type": "string",
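          "description": "Exact hostname this entity applies to. Subdomain wildcards (e.g., *.example.org) are forbidden. Agents MUST validate that this matches the domain serving the manifest. This schema only requires a non-empty string, so the wildcard prohibition and the host match are not enforced by schema validation and must be checked by the agent.",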
          "minLength": 1
        },
        "pathPrefixes": {
          "type": "array",
          "description": "URL path prefixes this entity covers. A prefix matches if the URL path equals the prefix, or if the path starts with the prefix and the next character after the prefix is '/' (so '/shop' matches '/shop/cart' but not '/shopping'). The root prefix '/' matches all paths. Agents select the longest matching prefix. Matching considers only hostname and path — query strings and fragments are ignored.",
          "minItems": 1,
          "items": {
            "type": "string",
            "pattern": "^/"
          }
        }
      },
      "additionalProperties": false
    },
    "Capability": {
      "type": "object",
      "description": "An API endpoint the trust authority supports",
      "required": [
        "id",
        "type",
        "endpoint",
        "method"
      ],
      "properties": {
        "id": {
          "type": "string",
          "description": "Capability identifier (e.g., \"verify\")",
          "minLength": 1
        },
        "type": {
          "type": "string",
          "description": "Capability type (e.g., \"VerifyEndpoint\")",
          "minLength": 1
        },
        "endpoint": {
          "type": "string",
          "description": "URI template (RFC 6570) for the API endpoint. MUST use HTTPS. For the verify capability, the template MUST contain a single {entityId} placeholder (e.g., https://trust-authority.example.org/v1/entities/{entityId}/trust-signals). The agent substitutes the matched entity's ID and appends ?url=...&context=... to construct the request URL. This schema only checks the https:// prefix; the presence of the {entityId} placeholder is not validated here.",
          "pattern": "^https://"
        },
        "method": {
          "type": "string",
          "description": "HTTP method. The verify capability MUST use GET.",
          "enum": ["GET", "POST", "PUT", "PATCH", "DELETE"]
        },
        "description": {
          "type": "string",
          "description": "Human-readable description of the capability"
        },
        "extensionParameters": {
          "type": "array",
          "description": "Provider-specific parameters beyond those defined by the spec. Extension parameters MUST NOT be required.",
          "items": {
            "$ref": "#/$defs/ExtensionParameter"
          }
        }
      },
      "allOf": [
        {
          "if": {
            "properties": {
              "id": { "const": "verify" }
            },
            "required": ["id"]
          },
          "then": {
            "properties": {
              "method": { "const": "GET" }
            }
          }
        },
        {
          "if": {
            "properties": {
              "id": { "const": "mcp" }
            },
            "required": ["id"]
          },
          "then": {
            "properties": {
              "type": { "const": "McpServer" },
              "method": { "const": "POST" }
            }
          }
        }
      ],
      "additionalProperties": false
    },
    "ExtensionParameter": {
      "type": "object",
      "description": "A provider-specific parameter. MUST NOT be required — agents that do not understand it must still be able to call the endpoint.",
      "required": [
        "name",
        "in",
        "type",
        "required"
      ],
      "properties": {
        "name": {
          "type": "string",
          "description": "Parameter name",
          "minLength": 1
        },
        "in": {
          "type": "string",
          "description": "Parameter location",
          "enum": ["query", "header"]
        },
        "type": {
          "type": "string",
          "description": "Parameter type",
          "enum": ["string", "integer", "number", "boolean"]
        },
        "description": {
          "type": "string",
          "description": "Human-readable description"
        },
        "required": {
          "type": "boolean",
          "description": "Extension parameters MUST NOT be required",
          "const": false
        }
      },
      "additionalProperties": false
    }
  }
}
