{"generated_at":"2026-03-17T18:25:47.150Z","examples":["agent://discover.duadp.org/agents/code-reviewer","agent://openstandardagents.org/worker/pipeline-fixer","agent://discover.duadp.org/skills/web-search","tool://duadp.org/mcp/duadp-search"],"data":[{"gaid":"agent://discover.duadp.org/agents/orchestrator","did":"did:web:discover.duadp.org:agents:orchestrator","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"orchestrator","version":"2.0.0","description":"Multi-agent orchestrator that coordinates complex tasks across specialized agents","category":"orchestration","trust_tier":"official","tags":["orchestrator","multi-agent","coordination","planning"],"created":"2025-09-01T06:00:00Z","updated":"2026-03-05T10:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/agents/orchestrator","did":"did:web:discover.duadp.org:agents:orchestrator"},"spec":{"agent_type":"orchestrator","model":"claude-opus-4-6","max_context_tokens":200000,"skills":["web-search","code-review","text-summarizer"],"delegation_strategy":"adaptive"},"risk":{"level":"moderate","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"agent"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://discover.duadp.org/agents/orchestrator","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://discover.duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://discover.duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:discover.duadp.org:agents:orchestrator","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:discover.duadp.org:agents:orchestrator#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:agents:orchestrator#key-1","verification_method":"did:web:discover.duadp.org:agents:orchestrator#key-1","signed_at":"2026-03-05T10:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"moderate","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"cross-domain-delegation","version":"0.3.0","description":"Controls agent delegation across domain boundaries. DNS-verified domains can grant cross-origin permissions.","tags":["delegation","cross-domain","dns-verification"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":["federation-trust","agent-execution-boundary"],"createdAt":"2026-02-01T09:00:00Z","updatedAt":"2026-03-04T08:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  principal.domain == resource.domain ||\n  principal.domain in resource.allowed_delegation_origins\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  resource.delegation_locked == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"discover.duadp.org","source_url":"https://discover.duadp.org/api/v1/agents","manifest_url":"https://discover.duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:e50e4e9dd29e8850ba3186024720ca37ca6f38876178c07f7768d04be81650da","signed_payload_hash":"sha256:e50e4e9dd29e8850ba3186024720ca37ca6f38876178c07f7768d04be81650da","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"orchestrator","version":"2.0.0","description":"Multi-agent orchestrator that coordinates complex tasks across specialized agents","category":"orchestration","trust_tier":"official","tags":["orchestrator","multi-agent","coordination","planning"],"created":"2025-09-01T06:00:00Z","updated":"2026-03-05T10:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/agents/orchestrator","did":"did:web:discover.duadp.org:agents:orchestrator"},"spec":{"agent_type":"orchestrator","model":"claude-opus-4-6","max_context_tokens":200000,"skills":["web-search","code-review","text-summarizer"],"delegation_strategy":"adaptive"},"risk":{"level":"moderate","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"agent"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:discover.duadp.org:agents:orchestrator","verificationMethod":[{"id":"did:web:discover.duadp.org:agents:orchestrator#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:discover.duadp.org:agents:orchestrator","publicKeyMultibase":"z7e1761e52abe6d69b4060318f79f"}],"assertionMethod":["did:web:discover.duadp.org:agents:orchestrator#key-1"],"service":[{"id":"did:web:discover.duadp.org:agents:orchestrator#duadp","type":"DUADPNode","serviceEndpoint":"https://discover.duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"moderate","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:agents:orchestrator#key-1","verification_method":"did:web:discover.duadp.org:agents:orchestrator#key-1","signed_at":"2026-03-05T10:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://discover.duadp.org/agents/code-reviewer","did":"did:web:discover.duadp.org:agents:code-reviewer","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":["federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"code-reviewer","version":"1.3.0","description":"Specialized code review agent with deep understanding of security patterns and best practices","category":"development","trust_tier":"verified-signature","tags":["code-review","security","best-practices","worker"],"created":"2025-10-15T11:00:00Z","updated":"2026-02-25T15:30:00Z"},"identity":{"gaid":"agent://discover.duadp.org/agents/code-reviewer","did":"did:web:discover.duadp.org:agents:code-reviewer"},"spec":{"agent_type":"worker","model":"claude-sonnet-4-6","max_context_tokens":100000,"skills":["code-review"],"supported_languages":["typescript","python","go","rust"]},"risk":{"level":"low","autonomy_level":"human-in-the-loop","data_sensitivity":"internal"},"_type":"agent"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://discover.duadp.org/agents/code-reviewer","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://discover.duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://discover.duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:discover.duadp.org:agents:code-reviewer","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:discover.duadp.org:agents:code-reviewer#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:agents:code-reviewer#key-1","verification_method":"did:web:discover.duadp.org:agents:code-reviewer#key-1","signed_at":"2026-02-25T15:30:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy human-in-the-loop."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"human-in-the-loop","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"cross-domain-delegation","version":"0.3.0","description":"Controls agent delegation across domain boundaries. DNS-verified domains can grant cross-origin permissions.","tags":["delegation","cross-domain","dns-verification"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":["federation-trust","agent-execution-boundary"],"createdAt":"2026-02-01T09:00:00Z","updatedAt":"2026-03-04T08:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  principal.domain == resource.domain ||\n  principal.domain in resource.allowed_delegation_origins\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  resource.delegation_locked == true\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"partial","note":"Witness resolves the resource but with a lower confidence tier."}]},"provenance":{"publisher":"discover.duadp.org","source_url":"https://discover.duadp.org/api/v1/agents","manifest_url":"https://discover.duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:92b081842f3d30586a8a19c12cda7748e991c0c6b879742ca6939b531392516c","signed_payload_hash":"sha256:92b081842f3d30586a8a19c12cda7748e991c0c6b879742ca6939b531392516c","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"code-reviewer","version":"1.3.0","description":"Specialized code review agent with deep understanding of security patterns and best practices","category":"development","trust_tier":"verified-signature","tags":["code-review","security","best-practices","worker"],"created":"2025-10-15T11:00:00Z","updated":"2026-02-25T15:30:00Z"},"identity":{"gaid":"agent://discover.duadp.org/agents/code-reviewer","did":"did:web:discover.duadp.org:agents:code-reviewer"},"spec":{"agent_type":"worker","model":"claude-sonnet-4-6","max_context_tokens":100000,"skills":["code-review"],"supported_languages":["typescript","python","go","rust"]},"risk":{"level":"low","autonomy_level":"human-in-the-loop","data_sensitivity":"internal"},"_type":"agent"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:discover.duadp.org:agents:code-reviewer","verificationMethod":[{"id":"did:web:discover.duadp.org:agents:code-reviewer#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:discover.duadp.org:agents:code-reviewer","publicKeyMultibase":"z6572fde2e6f68733d144f2559bab"}],"assertionMethod":["did:web:discover.duadp.org:agents:code-reviewer#key-1"],"service":[{"id":"did:web:discover.duadp.org:agents:code-reviewer#duadp","type":"DUADPNode","serviceEndpoint":"https://discover.duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"human-in-the-loop","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:agents:code-reviewer#key-1","verification_method":"did:web:discover.duadp.org:agents:code-reviewer#key-1","signed_at":"2026-02-25T15:30:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy human-in-the-loop."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"agent://discover.duadp.org/agents/security-auditor","did":"did:web:discover.duadp.org:agents:security-auditor","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"security-auditor","version":"1.1.0","description":"Security audit agent — vulnerability scanning, dependency analysis, and compliance checks","category":"security","trust_tier":"official","tags":["security","audit","vulnerability","compliance","specialist"],"created":"2025-11-20T14:00:00Z","updated":"2026-03-04T08:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/agents/security-auditor","did":"did:web:discover.duadp.org:agents:security-auditor"},"spec":{"agent_type":"specialist","model":"claude-opus-4-6","capabilities":["sast","dependency-scan","secret-detection","compliance-check"],"frameworks":["NIST AI RMF 1.0","OWASP Top 10","CWE Top 25"]},"risk":{"level":"moderate","autonomy_level":"human-in-the-loop","data_sensitivity":"confidential"},"_type":"agent"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://discover.duadp.org/agents/security-auditor","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://discover.duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://discover.duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:discover.duadp.org:agents:security-auditor","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:discover.duadp.org:agents:security-auditor#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:agents:security-auditor#key-1","verification_method":"did:web:discover.duadp.org:agents:security-auditor#key-1","signed_at":"2026-03-04T08:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy human-in-the-loop."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"moderate","autonomy_level":"human-in-the-loop","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"data-access-control","version":"1.0.0","description":"Governs agent access to data resources based on classification and sensitivity labels.","tags":["authorization","data-access","classification"],"complianceFrameworks":["NIST AI RMF 1.0","ISO/IEC 42001"],"classification":"restricted","authors":["ossa-core-team"],"approvers":["security-review-board","data-governance"],"dependsOn":["agent-execution-boundary"],"createdAt":"2025-12-15T08:00:00Z","updatedAt":"2026-02-28T14:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"read\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification != \"restricted\" ||\n  principal.clearance_level >= resource.sensitivity_level\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"write\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification == \"immutable\"\n};"}},{"kind":"Policy","metadata":{"name":"cross-domain-delegation","version":"0.3.0","description":"Controls agent delegation across domain boundaries. DNS-verified domains can grant cross-origin permissions.","tags":["delegation","cross-domain","dns-verification"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":["federation-trust","agent-execution-boundary"],"createdAt":"2026-02-01T09:00:00Z","updatedAt":"2026-03-04T08:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  principal.domain == resource.domain ||\n  principal.domain in resource.allowed_delegation_origins\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  resource.delegation_locked == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"discover.duadp.org","source_url":"https://discover.duadp.org/api/v1/agents","manifest_url":"https://discover.duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:18520414f445da0df4ea5177f0f7151d6747ec19c3e37d991dedef5c4adde3c5","signed_payload_hash":"sha256:18520414f445da0df4ea5177f0f7151d6747ec19c3e37d991dedef5c4adde3c5","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"security-auditor","version":"1.1.0","description":"Security audit agent — vulnerability scanning, dependency analysis, and compliance checks","category":"security","trust_tier":"official","tags":["security","audit","vulnerability","compliance","specialist"],"created":"2025-11-20T14:00:00Z","updated":"2026-03-04T08:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/agents/security-auditor","did":"did:web:discover.duadp.org:agents:security-auditor"},"spec":{"agent_type":"specialist","model":"claude-opus-4-6","capabilities":["sast","dependency-scan","secret-detection","compliance-check"],"frameworks":["NIST AI RMF 1.0","OWASP Top 10","CWE Top 25"]},"risk":{"level":"moderate","autonomy_level":"human-in-the-loop","data_sensitivity":"confidential"},"_type":"agent"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:discover.duadp.org:agents:security-auditor","verificationMethod":[{"id":"did:web:discover.duadp.org:agents:security-auditor#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:discover.duadp.org:agents:security-auditor","publicKeyMultibase":"z6949819a52feeebd028caca44eaa"}],"assertionMethod":["did:web:discover.duadp.org:agents:security-auditor#key-1"],"service":[{"id":"did:web:discover.duadp.org:agents:security-auditor#duadp","type":"DUADPNode","serviceEndpoint":"https://discover.duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"moderate","autonomy_level":"human-in-the-loop","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:agents:security-auditor#key-1","verification_method":"did:web:discover.duadp.org:agents:security-auditor#key-1","signed_at":"2026-03-04T08:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy human-in-the-loop."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://openstandardagents.org/worker/mr-reviewer","did":"did:web:openstandardagents.org:worker:mr-reviewer","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":["federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"mr-reviewer","version":"0.4.0","description":"AI-powered merge request analysis with code quality assessment and automated feedback","category":"development","trust_tier":"verified-signature","tags":["merge-request","code-review","auto-feedback"],"created":"2025-12-01T08:00:00Z","updated":"2026-03-01T09:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/worker/mr-reviewer","did":"did:web:openstandardagents.org:worker:mr-reviewer"},"spec":{"agent_type":"worker","model":"claude-sonnet-4-6","skills":["code-review","manifest-validation"]},"risk":{"level":"low","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"agent"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/worker/mr-reviewer","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:worker:mr-reviewer","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:worker:mr-reviewer#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:worker:mr-reviewer#key-1","verification_method":"did:web:openstandardagents.org:worker:mr-reviewer#key-1","signed_at":"2026-03-01T09:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"cross-domain-delegation","version":"0.3.0","description":"Controls agent delegation across domain boundaries. DNS-verified domains can grant cross-origin permissions.","tags":["delegation","cross-domain","dns-verification"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":["federation-trust","agent-execution-boundary"],"createdAt":"2026-02-01T09:00:00Z","updatedAt":"2026-03-04T08:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  principal.domain == resource.domain ||\n  principal.domain in resource.allowed_delegation_origins\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  resource.delegation_locked == true\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"partial","note":"Witness resolves the resource but with a lower confidence tier."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/agents","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:7aad2f3b0a9d66c82ea1bde00e767e2703b24c287c3d65b567a83d486417b2ac","signed_payload_hash":"sha256:7aad2f3b0a9d66c82ea1bde00e767e2703b24c287c3d65b567a83d486417b2ac","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"mr-reviewer","version":"0.4.0","description":"AI-powered merge request analysis with code quality assessment and automated feedback","category":"development","trust_tier":"verified-signature","tags":["merge-request","code-review","auto-feedback"],"created":"2025-12-01T08:00:00Z","updated":"2026-03-01T09:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/worker/mr-reviewer","did":"did:web:openstandardagents.org:worker:mr-reviewer"},"spec":{"agent_type":"worker","model":"claude-sonnet-4-6","skills":["code-review","manifest-validation"]},"risk":{"level":"low","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"agent"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:worker:mr-reviewer","verificationMethod":[{"id":"did:web:openstandardagents.org:worker:mr-reviewer#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:worker:mr-reviewer","publicKeyMultibase":"z269f1a89880a94c0ea272615512e"}],"assertionMethod":["did:web:openstandardagents.org:worker:mr-reviewer#key-1"],"service":[{"id":"did:web:openstandardagents.org:worker:mr-reviewer#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:worker:mr-reviewer#key-1","verification_method":"did:web:openstandardagents.org:worker:mr-reviewer#key-1","signed_at":"2026-03-01T09:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"agent://openstandardagents.org/worker/ossa-validator","did":"did:web:openstandardagents.org:worker:ossa-validator","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"ossa-validator","version":"0.3.2","description":"Validates OSSA agent manifests against v0.3.2+ specification with full schema checking","category":"validation","trust_tier":"official","tags":["validation","schema-check","manifest-lint","ossa"],"created":"2025-10-01T10:00:00Z","updated":"2026-02-20T14:30:00Z"},"identity":{"gaid":"agent://openstandardagents.org/worker/ossa-validator","did":"did:web:openstandardagents.org:worker:ossa-validator"},"spec":{"agent_type":"worker","model":"claude-haiku-4-5","skills":["manifest-validation"]},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"agent"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/worker/ossa-validator","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:worker:ossa-validator","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:worker:ossa-validator#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:worker:ossa-validator#key-1","verification_method":"did:web:openstandardagents.org:worker:ossa-validator#key-1","signed_at":"2026-02-20T14:30:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"cross-domain-delegation","version":"0.3.0","description":"Controls agent delegation across domain boundaries. DNS-verified domains can grant cross-origin permissions.","tags":["delegation","cross-domain","dns-verification"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":["federation-trust","agent-execution-boundary"],"createdAt":"2026-02-01T09:00:00Z","updatedAt":"2026-03-04T08:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  principal.domain == resource.domain ||\n  principal.domain in resource.allowed_delegation_origins\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  resource.delegation_locked == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/agents","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:dca4f6506a28251a5591956604ab4bd8f8085eba2f3c7590de7de4cd1c5ace1d","signed_payload_hash":"sha256:dca4f6506a28251a5591956604ab4bd8f8085eba2f3c7590de7de4cd1c5ace1d","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"ossa-validator","version":"0.3.2","description":"Validates OSSA agent manifests against v0.3.2+ specification with full schema checking","category":"validation","trust_tier":"official","tags":["validation","schema-check","manifest-lint","ossa"],"created":"2025-10-01T10:00:00Z","updated":"2026-02-20T14:30:00Z"},"identity":{"gaid":"agent://openstandardagents.org/worker/ossa-validator","did":"did:web:openstandardagents.org:worker:ossa-validator"},"spec":{"agent_type":"worker","model":"claude-haiku-4-5","skills":["manifest-validation"]},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"agent"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:worker:ossa-validator","verificationMethod":[{"id":"did:web:openstandardagents.org:worker:ossa-validator#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:worker:ossa-validator","publicKeyMultibase":"z3fb96e004c4c2e0d024f727b447a"}],"assertionMethod":["did:web:openstandardagents.org:worker:ossa-validator#key-1"],"service":[{"id":"did:web:openstandardagents.org:worker:ossa-validator#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:worker:ossa-validator#key-1","verification_method":"did:web:openstandardagents.org:worker:ossa-validator#key-1","signed_at":"2026-02-20T14:30:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://openstandardagents.org/worker/pipeline-fixer","did":"did:web:openstandardagents.org:worker:pipeline-fixer","verdict":{"label":"Revoked","summary":"This identity has an active revocation and should be treated as denied.","badges":["revoked","policy denied","federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"pipeline-fixer","version":"0.3.0","description":"Monitors and automatically fixes failing CI/CD pipelines with root cause analysis","category":"devops","trust_tier":"verified-signature","tags":["ci-cd","auto-fix","root-cause-analysis","devops"],"created":"2025-11-01T09:00:00Z","updated":"2026-02-15T16:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/worker/pipeline-fixer","did":"did:web:openstandardagents.org:worker:pipeline-fixer"},"spec":{"agent_type":"worker","model":"claude-sonnet-4-6","skills":["git-workflow","code-review"]},"risk":{"level":"moderate","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"agent"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/worker/pipeline-fixer","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:worker:pipeline-fixer","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:worker:pipeline-fixer#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation","label":"Revocation","status":"fail","artifact":"did:web:registry.openstandardagents.org","detail":"Publisher rotated keys without updating federation attestations"}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:worker:pipeline-fixer#key-1","verification_method":"did:web:openstandardagents.org:worker:pipeline-fixer#key-1","signed_at":"2026-02-15T16:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":true,"reason":"Publisher rotated keys without updating federation attestations","revoked_at":"2026-03-08T12:14:00Z","revoked_by":"did:web:openstandardagents.org:governance:security-board","source_node":"did:web:registry.openstandardagents.org"},"policy":{"verdict":"deny","summary":"The current evidence does not justify trust-sensitive actions.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"fail","reason":"Revoked by did:web:openstandardagents.org:governance:security-board from did:web:registry.openstandardagents.org."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"verified-signature","risk_level":"moderate","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":true,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"cross-domain-delegation","version":"0.3.0","description":"Controls agent delegation across domain boundaries. DNS-verified domains can grant cross-origin permissions.","tags":["delegation","cross-domain","dns-verification"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":["federation-trust","agent-execution-boundary"],"createdAt":"2026-02-01T09:00:00Z","updatedAt":"2026-03-04T08:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  principal.domain == resource.domain ||\n  principal.domain in resource.allowed_delegation_origins\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  resource.delegation_locked == true\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"revoked","signature_state":"verified","agreement":"agree","note":"Witness sees the same revocation record."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"revoked","signature_state":"verified","agreement":"agree","note":"Witness sees the same revocation record."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":false,"trust_tier":"stale","signature_state":"verified","agreement":"partial","note":"Witness still has an older cached view."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/agents","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:481a889e09228e90e1c4a14d99044e6a5647fda042dab384c80246343453910b","signed_payload_hash":"sha256:481a889e09228e90e1c4a14d99044e6a5647fda042dab384c80246343453910b","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"pipeline-fixer","version":"0.3.0","description":"Monitors and automatically fixes failing CI/CD pipelines with root cause analysis","category":"devops","trust_tier":"verified-signature","tags":["ci-cd","auto-fix","root-cause-analysis","devops"],"created":"2025-11-01T09:00:00Z","updated":"2026-02-15T16:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/worker/pipeline-fixer","did":"did:web:openstandardagents.org:worker:pipeline-fixer"},"spec":{"agent_type":"worker","model":"claude-sonnet-4-6","skills":["git-workflow","code-review"]},"risk":{"level":"moderate","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"agent"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:worker:pipeline-fixer","verificationMethod":[{"id":"did:web:openstandardagents.org:worker:pipeline-fixer#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:worker:pipeline-fixer","publicKeyMultibase":"z5c3f0b16c14f022a3e22ec9eeb3e"}],"assertionMethod":["did:web:openstandardagents.org:worker:pipeline-fixer#key-1"],"service":[{"id":"did:web:openstandardagents.org:worker:pipeline-fixer#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"verified-signature","risk_level":"moderate","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":true,"federation_consensus":"partial"},"verification_result":{"verdict":"deny","verdict_label":"Revoked","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:worker:pipeline-fixer#key-1","verification_method":"did:web:openstandardagents.org:worker:pipeline-fixer#key-1","signed_at":"2026-02-15T16:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":true,"reason":"Publisher rotated keys without updating federation attestations","revoked_at":"2026-03-08T12:14:00Z","revoked_by":"did:web:openstandardagents.org:governance:security-board","source_node":"did:web:registry.openstandardagents.org"},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"fail","reason":"Revoked by did:web:openstandardagents.org:governance:security-board from did:web:registry.openstandardagents.org."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"agent://openstandardagents.org/worker/content-guardian","did":"did:web:openstandardagents.org:worker:content-guardian","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"content-guardian","version":"0.5.0","description":"Content moderation and safety analysis for AI-generated outputs with configurable policy enforcement","category":"safety","trust_tier":"official","tags":["content-moderation","safety","policy-enforcement"],"created":"2026-01-10T07:00:00Z","updated":"2026-03-06T12:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/worker/content-guardian","did":"did:web:openstandardagents.org:worker:content-guardian"},"spec":{"agent_type":"worker","model":"claude-opus-4-6","skills":["text-summarizer"]},"risk":{"level":"low","autonomy_level":"supervised","data_sensitivity":"confidential"},"_type":"agent"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/worker/content-guardian","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:worker:content-guardian","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:worker:content-guardian#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:worker:content-guardian#key-1","verification_method":"did:web:openstandardagents.org:worker:content-guardian#key-1","signed_at":"2026-03-06T12:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"low","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"data-access-control","version":"1.0.0","description":"Governs agent access to data resources based on classification and sensitivity labels.","tags":["authorization","data-access","classification"],"complianceFrameworks":["NIST AI RMF 1.0","ISO/IEC 42001"],"classification":"restricted","authors":["ossa-core-team"],"approvers":["security-review-board","data-governance"],"dependsOn":["agent-execution-boundary"],"createdAt":"2025-12-15T08:00:00Z","updatedAt":"2026-02-28T14:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"read\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification != \"restricted\" ||\n  principal.clearance_level >= resource.sensitivity_level\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"write\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification == \"immutable\"\n};"}},{"kind":"Policy","metadata":{"name":"cross-domain-delegation","version":"0.3.0","description":"Controls agent delegation across domain boundaries. DNS-verified domains can grant cross-origin permissions.","tags":["delegation","cross-domain","dns-verification"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":["federation-trust","agent-execution-boundary"],"createdAt":"2026-02-01T09:00:00Z","updatedAt":"2026-03-04T08:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  principal.domain == resource.domain ||\n  principal.domain in resource.allowed_delegation_origins\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  resource.delegation_locked == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/agents","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:e7b8c6c7bc9ad6a7973cd9b072f98e516e3a88eb13509a00d86ac550c6b830db","signed_payload_hash":"sha256:e7b8c6c7bc9ad6a7973cd9b072f98e516e3a88eb13509a00d86ac550c6b830db","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"content-guardian","version":"0.5.0","description":"Content moderation and safety analysis for AI-generated outputs with configurable policy enforcement","category":"safety","trust_tier":"official","tags":["content-moderation","safety","policy-enforcement"],"created":"2026-01-10T07:00:00Z","updated":"2026-03-06T12:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/worker/content-guardian","did":"did:web:openstandardagents.org:worker:content-guardian"},"spec":{"agent_type":"worker","model":"claude-opus-4-6","skills":["text-summarizer"]},"risk":{"level":"low","autonomy_level":"supervised","data_sensitivity":"confidential"},"_type":"agent"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:worker:content-guardian","verificationMethod":[{"id":"did:web:openstandardagents.org:worker:content-guardian#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:worker:content-guardian","publicKeyMultibase":"z8f30344707f015a79c2875a6fd27"}],"assertionMethod":["did:web:openstandardagents.org:worker:content-guardian#key-1"],"service":[{"id":"did:web:openstandardagents.org:worker:content-guardian#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"low","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:worker:content-guardian#key-1","verification_method":"did:web:openstandardagents.org:worker:content-guardian#key-1","signed_at":"2026-03-06T12:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://openstandardagents.org/orchestrator/compliance-auditor","did":"did:web:openstandardagents.org:orchestrator:compliance-auditor","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"compliance-auditor","version":"0.6.0","description":"Automated compliance checks against NIST AI RMF, ISO 42001, EU AI Act, and SOC2 frameworks","category":"compliance","trust_tier":"official","tags":["nist-rmf","iso-42001","eu-ai-act","soc2","compliance"],"created":"2026-01-20T08:00:00Z","updated":"2026-03-05T14:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/orchestrator/compliance-auditor","did":"did:web:openstandardagents.org:orchestrator:compliance-auditor"},"spec":{"agent_type":"orchestrator","model":"claude-opus-4-6","capabilities":["nist-rmf","iso-42001","eu-ai-act","soc2"]},"risk":{"level":"moderate","autonomy_level":"human-in-the-loop","data_sensitivity":"confidential"},"_type":"agent"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/orchestrator/compliance-auditor","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:orchestrator:compliance-auditor","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:orchestrator:compliance-auditor#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:orchestrator:compliance-auditor#key-1","verification_method":"did:web:openstandardagents.org:orchestrator:compliance-auditor#key-1","signed_at":"2026-03-05T14:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy human-in-the-loop."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"moderate","autonomy_level":"human-in-the-loop","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"data-access-control","version":"1.0.0","description":"Governs agent access to data resources based on classification and sensitivity labels.","tags":["authorization","data-access","classification"],"complianceFrameworks":["NIST AI RMF 1.0","ISO/IEC 42001"],"classification":"restricted","authors":["ossa-core-team"],"approvers":["security-review-board","data-governance"],"dependsOn":["agent-execution-boundary"],"createdAt":"2025-12-15T08:00:00Z","updatedAt":"2026-02-28T14:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"read\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification != \"restricted\" ||\n  principal.clearance_level >= resource.sensitivity_level\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"write\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification == \"immutable\"\n};"}},{"kind":"Policy","metadata":{"name":"cross-domain-delegation","version":"0.3.0","description":"Controls agent delegation across domain boundaries. DNS-verified domains can grant cross-origin permissions.","tags":["delegation","cross-domain","dns-verification"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":["federation-trust","agent-execution-boundary"],"createdAt":"2026-02-01T09:00:00Z","updatedAt":"2026-03-04T08:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  principal.domain == resource.domain ||\n  principal.domain in resource.allowed_delegation_origins\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"delegate\",\n  resource is OSSA::Agent\n) when {\n  resource.delegation_locked == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/agents","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:9f834d3fd840cb8b244da0190f85318020db55af6ef490d55535e158ddda9bfc","signed_payload_hash":"sha256:9f834d3fd840cb8b244da0190f85318020db55af6ef490d55535e158ddda9bfc","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Agent","metadata":{"name":"compliance-auditor","version":"0.6.0","description":"Automated compliance checks against NIST AI RMF, ISO 42001, EU AI Act, and SOC2 frameworks","category":"compliance","trust_tier":"official","tags":["nist-rmf","iso-42001","eu-ai-act","soc2","compliance"],"created":"2026-01-20T08:00:00Z","updated":"2026-03-05T14:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/orchestrator/compliance-auditor","did":"did:web:openstandardagents.org:orchestrator:compliance-auditor"},"spec":{"agent_type":"orchestrator","model":"claude-opus-4-6","capabilities":["nist-rmf","iso-42001","eu-ai-act","soc2"]},"risk":{"level":"moderate","autonomy_level":"human-in-the-loop","data_sensitivity":"confidential"},"_type":"agent"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:orchestrator:compliance-auditor","verificationMethod":[{"id":"did:web:openstandardagents.org:orchestrator:compliance-auditor#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:orchestrator:compliance-auditor","publicKeyMultibase":"zcb32e73477376e94efc00b122aff"}],"assertionMethod":["did:web:openstandardagents.org:orchestrator:compliance-auditor#key-1"],"service":[{"id":"did:web:openstandardagents.org:orchestrator:compliance-auditor#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"moderate","autonomy_level":"human-in-the-loop","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:orchestrator:compliance-auditor#key-1","verification_method":"did:web:openstandardagents.org:orchestrator:compliance-auditor#key-1","signed_at":"2026-03-05T14:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy human-in-the-loop."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://discover.duadp.org/skills/web-search","did":"did:web:discover.duadp.org:skills:web-search","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":["federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"web-search","version":"1.2.0","description":"Search the web for real-time information using multiple search engines","category":"information-retrieval","trust_tier":"verified-signature","tags":["search","web","real-time","information"],"created":"2026-01-15T10:00:00Z","updated":"2026-02-20T14:30:00Z"},"identity":{"gaid":"agent://discover.duadp.org/skills/web-search","did":"did:web:discover.duadp.org:skills:web-search"},"spec":{"execution_model":"stateless","avg_latency_ms":1200},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"skill"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://discover.duadp.org/skills/web-search","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://discover.duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://discover.duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:discover.duadp.org:skills:web-search","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:discover.duadp.org:skills:web-search#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:skills:web-search#key-1","verification_method":"did:web:discover.duadp.org:skills:web-search#key-1","signed_at":"2026-02-20T14:30:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"partial","note":"Witness resolves the resource but with a lower confidence tier."}]},"provenance":{"publisher":"discover.duadp.org","source_url":"https://discover.duadp.org/api/v1/skills","manifest_url":"https://discover.duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:b2b4699ea776b46726f8514f6075465057914dd9fff260b0cd9e0b031fac0d44","signed_payload_hash":"sha256:b2b4699ea776b46726f8514f6075465057914dd9fff260b0cd9e0b031fac0d44","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"web-search","version":"1.2.0","description":"Search the web for real-time information using multiple search engines","category":"information-retrieval","trust_tier":"verified-signature","tags":["search","web","real-time","information"],"created":"2026-01-15T10:00:00Z","updated":"2026-02-20T14:30:00Z"},"identity":{"gaid":"agent://discover.duadp.org/skills/web-search","did":"did:web:discover.duadp.org:skills:web-search"},"spec":{"execution_model":"stateless","avg_latency_ms":1200},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"skill"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:discover.duadp.org:skills:web-search","verificationMethod":[{"id":"did:web:discover.duadp.org:skills:web-search#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:discover.duadp.org:skills:web-search","publicKeyMultibase":"zd6484287966e0080e746e7b5abcf"}],"assertionMethod":["did:web:discover.duadp.org:skills:web-search#key-1"],"service":[{"id":"did:web:discover.duadp.org:skills:web-search#duadp","type":"DUADPNode","serviceEndpoint":"https://discover.duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:skills:web-search#key-1","verification_method":"did:web:discover.duadp.org:skills:web-search#key-1","signed_at":"2026-02-20T14:30:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"agent://discover.duadp.org/skills/code-review","did":"did:web:discover.duadp.org:skills:code-review","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"code-review","version":"2.0.1","description":"Automated code review with security vulnerability detection and style analysis","category":"development","trust_tier":"official","tags":["code","review","security","quality","static-analysis"],"created":"2025-11-01T08:00:00Z","updated":"2026-03-01T09:15:00Z"},"identity":{"gaid":"agent://discover.duadp.org/skills/code-review","did":"did:web:discover.duadp.org:skills:code-review"},"spec":{"execution_model":"stateless","supported_languages":["typescript","python","go","rust","java","php"]},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"skill"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://discover.duadp.org/skills/code-review","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://discover.duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://discover.duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:discover.duadp.org:skills:code-review","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:discover.duadp.org:skills:code-review#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:skills:code-review#key-1","verification_method":"did:web:discover.duadp.org:skills:code-review#key-1","signed_at":"2026-03-01T09:15:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"discover.duadp.org","source_url":"https://discover.duadp.org/api/v1/skills","manifest_url":"https://discover.duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:e12c5045764d088898bd42a466e9bbe8c05ea9afec880595ce04caf1706d53f0","signed_payload_hash":"sha256:e12c5045764d088898bd42a466e9bbe8c05ea9afec880595ce04caf1706d53f0","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"code-review","version":"2.0.1","description":"Automated code review with security vulnerability detection and style analysis","category":"development","trust_tier":"official","tags":["code","review","security","quality","static-analysis"],"created":"2025-11-01T08:00:00Z","updated":"2026-03-01T09:15:00Z"},"identity":{"gaid":"agent://discover.duadp.org/skills/code-review","did":"did:web:discover.duadp.org:skills:code-review"},"spec":{"execution_model":"stateless","supported_languages":["typescript","python","go","rust","java","php"]},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"skill"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:discover.duadp.org:skills:code-review","verificationMethod":[{"id":"did:web:discover.duadp.org:skills:code-review#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:discover.duadp.org:skills:code-review","publicKeyMultibase":"z83dae348b218d7b7519d265ee029"}],"assertionMethod":["did:web:discover.duadp.org:skills:code-review#key-1"],"service":[{"id":"did:web:discover.duadp.org:skills:code-review#duadp","type":"DUADPNode","serviceEndpoint":"https://discover.duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:skills:code-review#key-1","verification_method":"did:web:discover.duadp.org:skills:code-review#key-1","signed_at":"2026-03-01T09:15:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://discover.duadp.org/skills/text-summarizer","did":"did:web:discover.duadp.org:skills:text-summarizer","verdict":{"label":"Signed","summary":"Signature evidence exists, but the record remains below the stronger verified tiers.","badges":["DID unresolved","federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"text-summarizer","version":"1.5.0","description":"Summarize long documents into concise overviews with key point extraction","category":"nlp","trust_tier":"signed","tags":["nlp","summarization","text","documents"],"created":"2025-12-10T12:00:00Z","updated":"2026-02-15T16:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/skills/text-summarizer","did":"did:web:discover.duadp.org:skills:text-summarizer"},"spec":{"execution_model":"stateless","max_input_tokens":128000},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"skill"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://discover.duadp.org/skills/text-summarizer","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://discover.duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://discover.duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"warn","artifact":"did:web:discover.duadp.org:skills:text-summarizer","detail":"DID exists, but supporting keys or methods are incomplete."},{"key":"verification-method","label":"Verification method used","status":"warn","artifact":"did:web:discover.duadp.org:skills:text-summarizer#key-1","detail":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":["assertionMethod"],"broken_service_endpoints":[]},"signature":{"status":"present_unverified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:skills:text-summarizer#key-1","verification_method":"did:web:discover.duadp.org:skills:text-summarizer#key-1","signed_at":"2026-02-15T16:00:00Z","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"conditional","summary":"Identity resolves, but federation or signature evidence is incomplete enough to warrant tighter review.","checks":[{"key":"did-resolution","label":"DID resolution","status":"warn","reason":"DID exists, but required verification methods are incomplete."},{"key":"signature-threshold","label":"Signature threshold","status":"warn","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"signed","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"agree","note":"Witness sees the same signed record."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"community","signature_state":"missing","agreement":"partial","note":"Witness resolves the GAID but downgrades trust."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":false,"trust_tier":"unresolved","signature_state":"unknown","agreement":"partial","note":"Witness does not have enough evidence to resolve the record."}]},"provenance":{"publisher":"discover.duadp.org","source_url":"https://discover.duadp.org/api/v1/skills","manifest_url":"https://discover.duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:cc1d09ced946daa6426f8072cff03fc6cda5a47ea32638be696ba21ba84b6d6e","signed_payload_hash":"sha256:cc1d09ced946daa6426f8072cff03fc6cda5a47ea32638be696ba21ba84b6d6e","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"text-summarizer","version":"1.5.0","description":"Summarize long documents into concise overviews with key point extraction","category":"nlp","trust_tier":"signed","tags":["nlp","summarization","text","documents"],"created":"2025-12-10T12:00:00Z","updated":"2026-02-15T16:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/skills/text-summarizer","did":"did:web:discover.duadp.org:skills:text-summarizer"},"spec":{"execution_model":"stateless","max_input_tokens":128000},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"skill"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:discover.duadp.org:skills:text-summarizer","verificationMethod":[{"id":"did:web:discover.duadp.org:skills:text-summarizer#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:discover.duadp.org:skills:text-summarizer","publicKeyMultibase":"zb22fda4b4fc0ca549caf851f390c"}],"assertionMethod":["did:web:discover.duadp.org:skills:text-summarizer#key-1"],"service":[{"id":"did:web:discover.duadp.org:skills:text-summarizer#duadp","type":"DUADPNode","serviceEndpoint":"https://discover.duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":["assertionMethod"],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"signed","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"conditional","verdict_label":"Signed","signature":{"status":"present_unverified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:skills:text-summarizer#key-1","verification_method":"did:web:discover.duadp.org:skills:text-summarizer#key-1","signed_at":"2026-02-15T16:00:00Z","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"warn","reason":"DID exists, but required verification methods are incomplete."},{"key":"signature-threshold","label":"Signature threshold","status":"warn","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"agent://openstandardagents.org/skills/manifest-validation","did":"did:web:openstandardagents.org:skills:manifest-validation","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"manifest-validation","version":"0.4.0","description":"Validates OSSA agent manifests, skill definitions, and tool schemas against specification","category":"validation","trust_tier":"official","tags":["validation","ossa","schema","manifest"],"created":"2025-10-01T10:00:00Z","updated":"2026-02-20T14:30:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/manifest-validation","did":"did:web:openstandardagents.org:skills:manifest-validation"},"spec":{"execution_model":"stateless"},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"skill"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/skills/manifest-validation","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:skills:manifest-validation","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:skills:manifest-validation#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:manifest-validation#key-1","verification_method":"did:web:openstandardagents.org:skills:manifest-validation#key-1","signed_at":"2026-02-20T14:30:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/skills","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:8d3ca42b74e168b3ad79a10e7891b66059107beac41498e9a5c026950914fe4d","signed_payload_hash":"sha256:8d3ca42b74e168b3ad79a10e7891b66059107beac41498e9a5c026950914fe4d","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"manifest-validation","version":"0.4.0","description":"Validates OSSA agent manifests, skill definitions, and tool schemas against specification","category":"validation","trust_tier":"official","tags":["validation","ossa","schema","manifest"],"created":"2025-10-01T10:00:00Z","updated":"2026-02-20T14:30:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/manifest-validation","did":"did:web:openstandardagents.org:skills:manifest-validation"},"spec":{"execution_model":"stateless"},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"skill"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:skills:manifest-validation","verificationMethod":[{"id":"did:web:openstandardagents.org:skills:manifest-validation#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:skills:manifest-validation","publicKeyMultibase":"ze3e62ec1e2019a886b6bdf6f1b19"}],"assertionMethod":["did:web:openstandardagents.org:skills:manifest-validation#key-1"],"service":[{"id":"did:web:openstandardagents.org:skills:manifest-validation#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:manifest-validation#key-1","verification_method":"did:web:openstandardagents.org:skills:manifest-validation#key-1","signed_at":"2026-02-20T14:30:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://openstandardagents.org/skills/semantic-search","did":"did:web:openstandardagents.org:skills:semantic-search","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":["federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"semantic-search","version":"0.8.0","description":"Vector-based semantic search across code, documentation, and knowledge bases with RAG integration","category":"information-retrieval","trust_tier":"verified-signature","tags":["semantic","vector","rag","search","embeddings"],"created":"2026-01-05T09:00:00Z","updated":"2026-02-28T11:45:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/semantic-search","did":"did:web:openstandardagents.org:skills:semantic-search"},"spec":{"execution_model":"stateful","models":["text-embedding-3-large"]},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"skill"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/skills/semantic-search","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:skills:semantic-search","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:skills:semantic-search#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:semantic-search#key-1","verification_method":"did:web:openstandardagents.org:skills:semantic-search#key-1","signed_at":"2026-02-28T11:45:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"partial","note":"Witness resolves the resource but with a lower confidence tier."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/skills","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:8ca53d17e4c23ea12b6b17b535ffb9d9a7c87beec0e6b3ae2c1fc95b02eac3c5","signed_payload_hash":"sha256:8ca53d17e4c23ea12b6b17b535ffb9d9a7c87beec0e6b3ae2c1fc95b02eac3c5","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"semantic-search","version":"0.8.0","description":"Vector-based semantic search across code, documentation, and knowledge bases with RAG integration","category":"information-retrieval","trust_tier":"verified-signature","tags":["semantic","vector","rag","search","embeddings"],"created":"2026-01-05T09:00:00Z","updated":"2026-02-28T11:45:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/semantic-search","did":"did:web:openstandardagents.org:skills:semantic-search"},"spec":{"execution_model":"stateful","models":["text-embedding-3-large"]},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"skill"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:skills:semantic-search","verificationMethod":[{"id":"did:web:openstandardagents.org:skills:semantic-search#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:skills:semantic-search","publicKeyMultibase":"ze77a0be101a31fee84485ca259d7"}],"assertionMethod":["did:web:openstandardagents.org:skills:semantic-search#key-1"],"service":[{"id":"did:web:openstandardagents.org:skills:semantic-search#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:semantic-search#key-1","verification_method":"did:web:openstandardagents.org:skills:semantic-search#key-1","signed_at":"2026-02-28T11:45:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"agent://openstandardagents.org/skills/incident-response","did":"did:web:openstandardagents.org:skills:incident-response","verdict":{"label":"Signed","summary":"Signature evidence exists, but the record remains below the stronger verified tiers.","badges":["DID unresolved","federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"incident-response","version":"0.3.0","description":"Automated incident classification, escalation routing, and runbook execution for production issues","category":"operations","trust_tier":"signed","tags":["incident","escalation","runbook","production"],"created":"2025-12-20T14:00:00Z","updated":"2026-03-02T09:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/incident-response","did":"did:web:openstandardagents.org:skills:incident-response"},"spec":{"execution_model":"stateful"},"risk":{"level":"moderate","autonomy_level":"supervised","data_sensitivity":"confidential"},"_type":"skill"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/skills/incident-response","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"warn","artifact":"did:web:openstandardagents.org:skills:incident-response","detail":"DID exists, but supporting keys or methods are incomplete."},{"key":"verification-method","label":"Verification method used","status":"warn","artifact":"did:web:openstandardagents.org:skills:incident-response#key-1","detail":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":["assertionMethod"],"broken_service_endpoints":[]},"signature":{"status":"present_unverified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:incident-response#key-1","verification_method":"did:web:openstandardagents.org:skills:incident-response#key-1","signed_at":"2026-03-02T09:00:00Z","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"conditional","summary":"Identity resolves, but federation or signature evidence is incomplete enough to warrant tighter review.","checks":[{"key":"did-resolution","label":"DID resolution","status":"warn","reason":"DID exists, but required verification methods are incomplete."},{"key":"signature-threshold","label":"Signature threshold","status":"warn","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"signed","risk_level":"moderate","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"data-access-control","version":"1.0.0","description":"Governs agent access to data resources based on classification and sensitivity labels.","tags":["authorization","data-access","classification"],"complianceFrameworks":["NIST AI RMF 1.0","ISO/IEC 42001"],"classification":"restricted","authors":["ossa-core-team"],"approvers":["security-review-board","data-governance"],"dependsOn":["agent-execution-boundary"],"createdAt":"2025-12-15T08:00:00Z","updatedAt":"2026-02-28T14:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"read\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification != \"restricted\" ||\n  principal.clearance_level >= resource.sensitivity_level\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"write\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification == \"immutable\"\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"agree","note":"Witness sees the same signed record."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"community","signature_state":"missing","agreement":"partial","note":"Witness resolves the GAID but downgrades trust."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":false,"trust_tier":"unresolved","signature_state":"unknown","agreement":"partial","note":"Witness does not have enough evidence to resolve the record."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/skills","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:068d43521d3c29ba5989349d587cd5e571d24e2540e7c9d7a8d5e9294d22767b","signed_payload_hash":"sha256:068d43521d3c29ba5989349d587cd5e571d24e2540e7c9d7a8d5e9294d22767b","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"incident-response","version":"0.3.0","description":"Automated incident classification, escalation routing, and runbook execution for production issues","category":"operations","trust_tier":"signed","tags":["incident","escalation","runbook","production"],"created":"2025-12-20T14:00:00Z","updated":"2026-03-02T09:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/incident-response","did":"did:web:openstandardagents.org:skills:incident-response"},"spec":{"execution_model":"stateful"},"risk":{"level":"moderate","autonomy_level":"supervised","data_sensitivity":"confidential"},"_type":"skill"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:skills:incident-response","verificationMethod":[{"id":"did:web:openstandardagents.org:skills:incident-response#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:skills:incident-response","publicKeyMultibase":"z340dbe774fb11c8438caaf5c1eb0"}],"assertionMethod":["did:web:openstandardagents.org:skills:incident-response#key-1"],"service":[{"id":"did:web:openstandardagents.org:skills:incident-response#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":["assertionMethod"],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"signed","risk_level":"moderate","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"conditional","verdict_label":"Signed","signature":{"status":"present_unverified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:incident-response#key-1","verification_method":"did:web:openstandardagents.org:skills:incident-response#key-1","signed_at":"2026-03-02T09:00:00Z","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"warn","reason":"DID exists, but required verification methods are incomplete."},{"key":"signature-threshold","label":"Signature threshold","status":"warn","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"agent://openstandardagents.org/skills/api-spec-generation","did":"did:web:openstandardagents.org:skills:api-spec-generation","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":["federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"api-spec-generation","version":"1.2.0","description":"Generates OpenAPI 3.1 specs from code analysis, with Zod schema extraction and endpoint discovery","category":"development","trust_tier":"verified-signature","tags":["openapi","zod","api","spec","codegen"],"created":"2025-11-15T08:00:00Z","updated":"2026-02-25T12:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/api-spec-generation","did":"did:web:openstandardagents.org:skills:api-spec-generation"},"spec":{"execution_model":"stateless"},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"skill"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/skills/api-spec-generation","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:skills:api-spec-generation","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:skills:api-spec-generation#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:api-spec-generation#key-1","verification_method":"did:web:openstandardagents.org:skills:api-spec-generation#key-1","signed_at":"2026-02-25T12:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"partial","note":"Witness resolves the resource but with a lower confidence tier."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/skills","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:e953f11fb9c4359c0441f79882f3c70f131a439a1c1c0990e85ba3e124e7ff21","signed_payload_hash":"sha256:e953f11fb9c4359c0441f79882f3c70f131a439a1c1c0990e85ba3e124e7ff21","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"api-spec-generation","version":"1.2.0","description":"Generates OpenAPI 3.1 specs from code analysis, with Zod schema extraction and endpoint discovery","category":"development","trust_tier":"verified-signature","tags":["openapi","zod","api","spec","codegen"],"created":"2025-11-15T08:00:00Z","updated":"2026-02-25T12:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/api-spec-generation","did":"did:web:openstandardagents.org:skills:api-spec-generation"},"spec":{"execution_model":"stateless"},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"skill"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:skills:api-spec-generation","verificationMethod":[{"id":"did:web:openstandardagents.org:skills:api-spec-generation#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:skills:api-spec-generation","publicKeyMultibase":"z22c4e4a3872a7d301954230fb886"}],"assertionMethod":["did:web:openstandardagents.org:skills:api-spec-generation#key-1"],"service":[{"id":"did:web:openstandardagents.org:skills:api-spec-generation#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:api-spec-generation#key-1","verification_method":"did:web:openstandardagents.org:skills:api-spec-generation#key-1","signed_at":"2026-02-25T12:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"agent://openstandardagents.org/skills/git-workflow","did":"did:web:openstandardagents.org:skills:git-workflow","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":["stale record"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"git-workflow","version":"1.1.0","description":"Git operations skill: branching strategies, conflict resolution, rebase/merge, cherry-pick workflows","category":"development","trust_tier":"official","tags":["git","branching","merge","workflow"],"created":"2025-10-20T11:00:00Z","updated":"2026-01-30T10:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/git-workflow","did":"did:web:openstandardagents.org:skills:git-workflow"},"spec":{"execution_model":"stateless"},"risk":{"level":"low","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"skill"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://openstandardagents.org/skills/git-workflow","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:skills:git-workflow","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:skills:git-workflow#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"stale","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:git-workflow#key-1","verification_method":"did:web:openstandardagents.org:skills:git-workflow#key-1","signed_at":"2026-01-30T10:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"low","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"agent-execution-boundary","version":"1.0.0","description":"Restricts which agents can execute actions on which resource types. Enforces least-privilege for agent operations.","tags":["authorization","least-privilege","agent-execution"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":[],"createdAt":"2025-12-01T10:00:00Z","updatedAt":"2026-03-01T09:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"execute\",\n  resource is OSSA::Skill\n) when {\n  principal.trust_tier == \"verified\" ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/skills","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:0d956ad7c6a7ea2147ebc371dd91342370837667a6ede41224853f7b5a968e94","signed_payload_hash":"sha256:0d956ad7c6a7ea2147ebc371dd91342370837667a6ede41224853f7b5a968e94","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"git-workflow","version":"1.1.0","description":"Git operations skill: branching strategies, conflict resolution, rebase/merge, cherry-pick workflows","category":"development","trust_tier":"official","tags":["git","branching","merge","workflow"],"created":"2025-10-20T11:00:00Z","updated":"2026-01-30T10:00:00Z"},"identity":{"gaid":"agent://openstandardagents.org/skills/git-workflow","did":"did:web:openstandardagents.org:skills:git-workflow"},"spec":{"execution_model":"stateless"},"risk":{"level":"low","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"skill"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:skills:git-workflow","verificationMethod":[{"id":"did:web:openstandardagents.org:skills:git-workflow#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:skills:git-workflow","publicKeyMultibase":"zab20a000fa61537e87c9f60744d4"}],"assertionMethod":["did:web:openstandardagents.org:skills:git-workflow#key-1"],"service":[{"id":"did:web:openstandardagents.org:skills:git-workflow#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"stale","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"low","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:skills:git-workflow#key-1","verification_method":"did:web:openstandardagents.org:skills:git-workflow#key-1","signed_at":"2026-01-30T10:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://discover.duadp.org/tools/mcp-filesystem","did":"did:web:discover.duadp.org:tools:mcp-filesystem","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":["stale record"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"mcp-filesystem","version":"1.0.0","description":"MCP-compatible filesystem tool for reading, writing, and searching files","category":"filesystem","trust_tier":"official","tags":["mcp","filesystem","read","write","search"],"created":"2025-12-01T10:00:00Z","updated":"2026-02-10T12:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/tools/mcp-filesystem","did":"did:web:discover.duadp.org:tools:mcp-filesystem"},"spec":{"protocol":"mcp","transport":"stdio"},"risk":{"level":"moderate","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"tool"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://discover.duadp.org/tools/mcp-filesystem","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://discover.duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://discover.duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:discover.duadp.org:tools:mcp-filesystem","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:discover.duadp.org:tools:mcp-filesystem#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"stale","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:tools:mcp-filesystem#key-1","verification_method":"did:web:discover.duadp.org:tools:mcp-filesystem#key-1","signed_at":"2026-02-10T12:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"moderate","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"tool-invocation-contract","version":"0.6.0","description":"Contracts governing which agents can invoke which tools, with capability-based authorization.","tags":["contract","tool-invocation","capabilities"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary"],"createdAt":"2026-01-15T11:00:00Z","updatedAt":"2026-03-02T15:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"invoke\",\n  resource is OSSA::Tool\n) when {\n  resource.required_capabilities.containsAll(\n    principal.capabilities\n  ) ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"discover.duadp.org","source_url":"https://discover.duadp.org/api/v1/tools","manifest_url":"https://discover.duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:97bbbf52845dcc637e460ee1b95c56efb474bfd15edddf54b1eea2540cdfdfdb","signed_payload_hash":"sha256:97bbbf52845dcc637e460ee1b95c56efb474bfd15edddf54b1eea2540cdfdfdb","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"mcp-filesystem","version":"1.0.0","description":"MCP-compatible filesystem tool for reading, writing, and searching files","category":"filesystem","trust_tier":"official","tags":["mcp","filesystem","read","write","search"],"created":"2025-12-01T10:00:00Z","updated":"2026-02-10T12:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/tools/mcp-filesystem","did":"did:web:discover.duadp.org:tools:mcp-filesystem"},"spec":{"protocol":"mcp","transport":"stdio"},"risk":{"level":"moderate","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"tool"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:discover.duadp.org:tools:mcp-filesystem","verificationMethod":[{"id":"did:web:discover.duadp.org:tools:mcp-filesystem#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:discover.duadp.org:tools:mcp-filesystem","publicKeyMultibase":"zda0a82bc2494b0c08482c55a789d"}],"assertionMethod":["did:web:discover.duadp.org:tools:mcp-filesystem#key-1"],"service":[{"id":"did:web:discover.duadp.org:tools:mcp-filesystem#duadp","type":"DUADPNode","serviceEndpoint":"https://discover.duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"stale","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"moderate","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:tools:mcp-filesystem#key-1","verification_method":"did:web:discover.duadp.org:tools:mcp-filesystem#key-1","signed_at":"2026-02-10T12:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"agent://discover.duadp.org/tools/a2a-email","did":"did:web:discover.duadp.org:tools:a2a-email","verdict":{"label":"Signed","summary":"Signature evidence exists, but the record remains below the stronger verified tiers.","badges":["DID unresolved","federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"a2a-email","version":"1.1.0","description":"Agent-to-agent email composition and sending tool using the A2A protocol","category":"communication","trust_tier":"signed","tags":["a2a","email","communication","messaging"],"created":"2026-01-05T09:00:00Z","updated":"2026-02-28T14:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/tools/a2a-email","did":"did:web:discover.duadp.org:tools:a2a-email"},"spec":{"protocol":"a2a","transport":"https"},"risk":{"level":"moderate","autonomy_level":"human-in-the-loop","data_sensitivity":"confidential"},"_type":"tool"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"agent://discover.duadp.org/tools/a2a-email","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://discover.duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://discover.duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"warn","artifact":"did:web:discover.duadp.org:tools:a2a-email","detail":"DID exists, but supporting keys or methods are incomplete."},{"key":"verification-method","label":"Verification method used","status":"warn","artifact":"did:web:discover.duadp.org:tools:a2a-email#key-1","detail":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":["assertionMethod"],"broken_service_endpoints":[]},"signature":{"status":"present_unverified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:tools:a2a-email#key-1","verification_method":"did:web:discover.duadp.org:tools:a2a-email#key-1","signed_at":"2026-02-28T14:00:00Z","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"conditional","summary":"Identity resolves, but federation or signature evidence is incomplete enough to warrant tighter review.","checks":[{"key":"did-resolution","label":"DID resolution","status":"warn","reason":"DID exists, but required verification methods are incomplete."},{"key":"signature-threshold","label":"Signature threshold","status":"warn","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy human-in-the-loop."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"signed","risk_level":"moderate","autonomy_level":"human-in-the-loop","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"tool-invocation-contract","version":"0.6.0","description":"Contracts governing which agents can invoke which tools, with capability-based authorization.","tags":["contract","tool-invocation","capabilities"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary"],"createdAt":"2026-01-15T11:00:00Z","updatedAt":"2026-03-02T15:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"invoke\",\n  resource is OSSA::Tool\n) when {\n  resource.required_capabilities.containsAll(\n    principal.capabilities\n  ) ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}},{"kind":"Policy","metadata":{"name":"data-access-control","version":"1.0.0","description":"Governs agent access to data resources based on classification and sensitivity labels.","tags":["authorization","data-access","classification"],"complianceFrameworks":["NIST AI RMF 1.0","ISO/IEC 42001"],"classification":"restricted","authors":["ossa-core-team"],"approvers":["security-review-board","data-governance"],"dependsOn":["agent-execution-boundary"],"createdAt":"2025-12-15T08:00:00Z","updatedAt":"2026-02-28T14:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"read\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification != \"restricted\" ||\n  principal.clearance_level >= resource.sensitivity_level\n};\n\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"write\",\n  resource is OSSA::DataSource\n) when {\n  resource.classification == \"immutable\"\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"agree","note":"Witness sees the same signed record."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"community","signature_state":"missing","agreement":"partial","note":"Witness resolves the GAID but downgrades trust."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":false,"trust_tier":"unresolved","signature_state":"unknown","agreement":"partial","note":"Witness does not have enough evidence to resolve the record."}]},"provenance":{"publisher":"discover.duadp.org","source_url":"https://discover.duadp.org/api/v1/tools","manifest_url":"https://discover.duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:ea59d0cdcd694f738aba297828fd2bc666136329b2102a0397339cbedf76e9aa","signed_payload_hash":"sha256:ea59d0cdcd694f738aba297828fd2bc666136329b2102a0397339cbedf76e9aa","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"a2a-email","version":"1.1.0","description":"Agent-to-agent email composition and sending tool using the A2A protocol","category":"communication","trust_tier":"signed","tags":["a2a","email","communication","messaging"],"created":"2026-01-05T09:00:00Z","updated":"2026-02-28T14:00:00Z"},"identity":{"gaid":"agent://discover.duadp.org/tools/a2a-email","did":"did:web:discover.duadp.org:tools:a2a-email"},"spec":{"protocol":"a2a","transport":"https"},"risk":{"level":"moderate","autonomy_level":"human-in-the-loop","data_sensitivity":"confidential"},"_type":"tool"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:discover.duadp.org:tools:a2a-email","verificationMethod":[{"id":"did:web:discover.duadp.org:tools:a2a-email#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:discover.duadp.org:tools:a2a-email","publicKeyMultibase":"z4123b1c8c1b14826d2733da4a268"}],"assertionMethod":["did:web:discover.duadp.org:tools:a2a-email#key-1"],"service":[{"id":"did:web:discover.duadp.org:tools:a2a-email#duadp","type":"DUADPNode","serviceEndpoint":"https://discover.duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":["assertionMethod"],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"signed","risk_level":"moderate","autonomy_level":"human-in-the-loop","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"conditional","verdict_label":"Signed","signature":{"status":"present_unverified","algorithm":"Ed25519","key_id":"did:web:discover.duadp.org:tools:a2a-email#key-1","verification_method":"did:web:discover.duadp.org:tools:a2a-email#key-1","signed_at":"2026-02-28T14:00:00Z","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"warn","reason":"DID exists, but required verification methods are incomplete."},{"key":"signature-threshold","label":"Signature threshold","status":"warn","reason":"Signature evidence exists, but the record does not satisfy the stronger verified-signature checks in the local model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level moderate with autonomy human-in-the-loop."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}},{"gaid":"tool://duadp.org/mcp/duadp-discover","did":"did:web:duadp.org:mcp:duadp-discover","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"duadp-discover","version":"0.2.0","description":"Get node capabilities and version info via DUADP protocol","category":"discovery","trust_tier":"official","tags":["duadp","discovery","mcp"],"created":"2025-09-15T10:00:00Z","updated":"2026-03-01T09:00:00Z"},"identity":{"gaid":"tool://duadp.org/mcp/duadp-discover","did":"did:web:duadp.org:mcp:duadp-discover"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"tool"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"tool://duadp.org/mcp/duadp-discover","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:duadp.org:mcp:duadp-discover","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:duadp.org:mcp:duadp-discover#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:duadp.org:mcp:duadp-discover#key-1","verification_method":"did:web:duadp.org:mcp:duadp-discover#key-1","signed_at":"2026-03-01T09:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"tool-invocation-contract","version":"0.6.0","description":"Contracts governing which agents can invoke which tools, with capability-based authorization.","tags":["contract","tool-invocation","capabilities"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary"],"createdAt":"2026-01-15T11:00:00Z","updatedAt":"2026-03-02T15:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"invoke\",\n  resource is OSSA::Tool\n) when {\n  resource.required_capabilities.containsAll(\n    principal.capabilities\n  ) ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"duadp.org","source_url":"https://duadp.org/api/v1/tools","manifest_url":"https://duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:6b2f3dd78642437dbcb92ca33346681e9ab4b174f9a6b08b35d97ecc935dd9e6","signed_payload_hash":"sha256:6b2f3dd78642437dbcb92ca33346681e9ab4b174f9a6b08b35d97ecc935dd9e6","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"duadp-discover","version":"0.2.0","description":"Get node capabilities and version info via DUADP protocol","category":"discovery","trust_tier":"official","tags":["duadp","discovery","mcp"],"created":"2025-09-15T10:00:00Z","updated":"2026-03-01T09:00:00Z"},"identity":{"gaid":"tool://duadp.org/mcp/duadp-discover","did":"did:web:duadp.org:mcp:duadp-discover"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"tool"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:duadp.org:mcp:duadp-discover","verificationMethod":[{"id":"did:web:duadp.org:mcp:duadp-discover#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:duadp.org:mcp:duadp-discover","publicKeyMultibase":"z01a1891326c26a4fea3349c4f795"}],"assertionMethod":["did:web:duadp.org:mcp:duadp-discover#key-1"],"service":[{"id":"did:web:duadp.org:mcp:duadp-discover#duadp","type":"DUADPNode","serviceEndpoint":"https://duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:duadp.org:mcp:duadp-discover#key-1","verification_method":"did:web:duadp.org:mcp:duadp-discover#key-1","signed_at":"2026-03-01T09:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"tool://duadp.org/mcp/duadp-search","did":"did:web:duadp.org:mcp:duadp-search","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"duadp-search","version":"0.2.0","description":"Full-text search across all resource types in the DUADP network","category":"discovery","trust_tier":"official","tags":["duadp","search","mcp"],"created":"2025-09-15T10:00:00Z","updated":"2026-03-01T09:00:00Z"},"identity":{"gaid":"tool://duadp.org/mcp/duadp-search","did":"did:web:duadp.org:mcp:duadp-search"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"tool"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"tool://duadp.org/mcp/duadp-search","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:duadp.org:mcp:duadp-search","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:duadp.org:mcp:duadp-search#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:duadp.org:mcp:duadp-search#key-1","verification_method":"did:web:duadp.org:mcp:duadp-search#key-1","signed_at":"2026-03-01T09:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"tool-invocation-contract","version":"0.6.0","description":"Contracts governing which agents can invoke which tools, with capability-based authorization.","tags":["contract","tool-invocation","capabilities"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary"],"createdAt":"2026-01-15T11:00:00Z","updatedAt":"2026-03-02T15:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"invoke\",\n  resource is OSSA::Tool\n) when {\n  resource.required_capabilities.containsAll(\n    principal.capabilities\n  ) ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"duadp.org","source_url":"https://duadp.org/api/v1/tools","manifest_url":"https://duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:6b05101dea9ccbd2603e77f187c36737f7dc785be7d6c8ad7c47e1728707e4ac","signed_payload_hash":"sha256:6b05101dea9ccbd2603e77f187c36737f7dc785be7d6c8ad7c47e1728707e4ac","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"duadp-search","version":"0.2.0","description":"Full-text search across all resource types in the DUADP network","category":"discovery","trust_tier":"official","tags":["duadp","search","mcp"],"created":"2025-09-15T10:00:00Z","updated":"2026-03-01T09:00:00Z"},"identity":{"gaid":"tool://duadp.org/mcp/duadp-search","did":"did:web:duadp.org:mcp:duadp-search"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"minimal","autonomy_level":"advisory","data_sensitivity":"public"},"_type":"tool"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:duadp.org:mcp:duadp-search","verificationMethod":[{"id":"did:web:duadp.org:mcp:duadp-search#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:duadp.org:mcp:duadp-search","publicKeyMultibase":"z1479ab981866329825d13958c7f8"}],"assertionMethod":["did:web:duadp.org:mcp:duadp-search#key-1"],"service":[{"id":"did:web:duadp.org:mcp:duadp-search#duadp","type":"DUADPNode","serviceEndpoint":"https://duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"minimal","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:duadp.org:mcp:duadp-search#key-1","verification_method":"did:web:duadp.org:mcp:duadp-search#key-1","signed_at":"2026-03-01T09:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level minimal with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"tool://duadp.org/mcp/duadp-publish-agent","did":"did:web:duadp.org:mcp:duadp-publish-agent","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"duadp-publish-agent","version":"0.2.0","description":"Publish an OSSA agent manifest to the DUADP network","category":"publishing","trust_tier":"official","tags":["duadp","publish","mcp"],"created":"2025-09-15T10:00:00Z","updated":"2026-03-01T09:00:00Z"},"identity":{"gaid":"tool://duadp.org/mcp/duadp-publish-agent","did":"did:web:duadp.org:mcp:duadp-publish-agent"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"low","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"tool"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"tool://duadp.org/mcp/duadp-publish-agent","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://duadp.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://duadp.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:duadp.org:mcp:duadp-publish-agent","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:duadp.org:mcp:duadp-publish-agent#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:duadp.org:mcp:duadp-publish-agent#key-1","verification_method":"did:web:duadp.org:mcp:duadp-publish-agent#key-1","signed_at":"2026-03-01T09:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"low","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"tool-invocation-contract","version":"0.6.0","description":"Contracts governing which agents can invoke which tools, with capability-based authorization.","tags":["contract","tool-invocation","capabilities"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary"],"createdAt":"2026-01-15T11:00:00Z","updatedAt":"2026-03-02T15:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"invoke\",\n  resource is OSSA::Tool\n) when {\n  resource.required_capabilities.containsAll(\n    principal.capabilities\n  ) ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"duadp.org","source_url":"https://duadp.org/api/v1/tools","manifest_url":"https://duadp.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:82ea3f9d63788b8003b30cd0071f86adeeea564b8b2713312d60225afccfc304","signed_payload_hash":"sha256:82ea3f9d63788b8003b30cd0071f86adeeea564b8b2713312d60225afccfc304","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"duadp-publish-agent","version":"0.2.0","description":"Publish an OSSA agent manifest to the DUADP network","category":"publishing","trust_tier":"official","tags":["duadp","publish","mcp"],"created":"2025-09-15T10:00:00Z","updated":"2026-03-01T09:00:00Z"},"identity":{"gaid":"tool://duadp.org/mcp/duadp-publish-agent","did":"did:web:duadp.org:mcp:duadp-publish-agent"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"low","autonomy_level":"supervised","data_sensitivity":"internal"},"_type":"tool"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:duadp.org:mcp:duadp-publish-agent","verificationMethod":[{"id":"did:web:duadp.org:mcp:duadp-publish-agent#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:duadp.org:mcp:duadp-publish-agent","publicKeyMultibase":"z2c32116918c543958976cff2f51f"}],"assertionMethod":["did:web:duadp.org:mcp:duadp-publish-agent#key-1"],"service":[{"id":"did:web:duadp.org:mcp:duadp-publish-agent#duadp","type":"DUADPNode","serviceEndpoint":"https://duadp.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"aging","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"low","autonomy_level":"supervised","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:duadp.org:mcp:duadp-publish-agent#key-1","verification_method":"did:web:duadp.org:mcp:duadp-publish-agent#key-1","signed_at":"2026-03-01T09:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy supervised."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"tool://openstandardagents.org/mcp/cedar-evaluate","did":"did:web:openstandardagents.org:mcp:cedar-evaluate","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":[]},"resource":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"cedar-evaluate","version":"0.5.0","description":"Evaluate a Cedar authorization policy against a request context and return permit/deny decision","category":"authorization","trust_tier":"official","tags":["cedar","authorization","policy","mcp"],"created":"2026-01-20T08:00:00Z","updated":"2026-03-05T14:00:00Z"},"identity":{"gaid":"tool://openstandardagents.org/mcp/cedar-evaluate","did":"did:web:openstandardagents.org:mcp:cedar-evaluate"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"tool"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"tool://openstandardagents.org/mcp/cedar-evaluate","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://openstandardagents.org/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://openstandardagents.org/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:openstandardagents.org:mcp:cedar-evaluate","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:openstandardagents.org:mcp:cedar-evaluate#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:mcp:cedar-evaluate#key-1","verification_method":"did:web:openstandardagents.org:mcp:cedar-evaluate#key-1","signed_at":"2026-03-05T14:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}],"context":{"trust_tier":"official","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"tool-invocation-contract","version":"0.6.0","description":"Contracts governing which agents can invoke which tools, with capability-based authorization.","tags":["contract","tool-invocation","capabilities"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary"],"createdAt":"2026-01-15T11:00:00Z","updatedAt":"2026-03-02T15:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"invoke\",\n  resource is OSSA::Tool\n) when {\n  resource.required_capabilities.containsAll(\n    principal.capabilities\n  ) ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"agree","summary":"Witness nodes agree on identity and trust state.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"official","signature_state":"verified","agreement":"agree","note":"Witness resolves the same GAID and agrees on trust posture."}]},"provenance":{"publisher":"openstandardagents.org","source_url":"https://openstandardagents.org/api/v1/tools","manifest_url":"https://openstandardagents.org/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:2106c6e23f840dcea96078cdbeaf34e5e218a05fa3b8f5a05cd682d6dbc63629","signed_payload_hash":"sha256:2106c6e23f840dcea96078cdbeaf34e5e218a05fa3b8f5a05cd682d6dbc63629","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"cedar-evaluate","version":"0.5.0","description":"Evaluate a Cedar authorization policy against a request context and return permit/deny decision","category":"authorization","trust_tier":"official","tags":["cedar","authorization","policy","mcp"],"created":"2026-01-20T08:00:00Z","updated":"2026-03-05T14:00:00Z"},"identity":{"gaid":"tool://openstandardagents.org/mcp/cedar-evaluate","did":"did:web:openstandardagents.org:mcp:cedar-evaluate"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"tool"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:openstandardagents.org:mcp:cedar-evaluate","verificationMethod":[{"id":"did:web:openstandardagents.org:mcp:cedar-evaluate#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:openstandardagents.org:mcp:cedar-evaluate","publicKeyMultibase":"z845bb3f5ffae933009e632fa09f7"}],"assertionMethod":["did:web:openstandardagents.org:mcp:cedar-evaluate#key-1"],"service":[{"id":"did:web:openstandardagents.org:mcp:cedar-evaluate#duadp","type":"DUADPNode","serviceEndpoint":"https://openstandardagents.org/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"official","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"agree"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:openstandardagents.org:mcp:cedar-evaluate#key-1","verification_method":"did:web:openstandardagents.org:mcp:cedar-evaluate#key-1","signed_at":"2026-03-05T14:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"agree","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"pass","reason":"Witness nodes resolve the same identity and trust posture."}]}}},{"gaid":"tool://blueflyagents.com/mcp/gkg-query","did":"did:web:blueflyagents.com:mcp:gkg-query","verdict":{"label":"Verified","summary":"Cryptographic identity is consistent enough for high-trust discovery, subject to runtime policy gates.","badges":["federation disagreement"]},"resource":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"gkg-query","version":"0.3.0","description":"Query the Global Knowledge Graph for code definitions, references, and cross-repo relationships","category":"knowledge","trust_tier":"verified-signature","tags":["gkg","knowledge-graph","code","mcp"],"created":"2026-01-10T07:00:00Z","updated":"2026-03-04T11:00:00Z"},"identity":{"gaid":"tool://blueflyagents.com/mcp/gkg-query","did":"did:web:blueflyagents.com:mcp:gkg-query"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"tool"},"resolution_trace":[{"key":"gaid","label":"GAID input","status":"pass","artifact":"tool://blueflyagents.com/mcp/gkg-query","detail":"Portable identifier accepted."},{"key":"dns-webfinger","label":"WebFinger / DNS discovery","status":"pass","artifact":"https://blueflyagents.com/.well-known/webfinger","detail":"Resource host can advertise DUADP discovery metadata."},{"key":"node","label":"Node manifest","status":"pass","artifact":"https://blueflyagents.com/.well-known/duadp.json","detail":"Node-level discovery manifest is derivable from the GAID host."},{"key":"did-document","label":"DID document","status":"pass","artifact":"did:web:blueflyagents.com:mcp:gkg-query","detail":"DID health checks found usable verification methods."},{"key":"verification-method","label":"Verification method used","status":"pass","artifact":"did:web:blueflyagents.com:mcp:gkg-query#key-1","detail":"Signature verifies against the resolved DID verification method in the local DUADP trust model."}],"did_health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]},"signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:blueflyagents.com:mcp:gkg-query#key-1","verification_method":"did:web:blueflyagents.com:mcp:gkg-query#key-1","signed_at":"2026-03-04T11:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"policy":{"verdict":"allow","summary":"Evidence is strong enough for high-trust discovery with normal runtime risk gating.","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}],"context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"relevant_policies":[{"kind":"Policy","metadata":{"name":"tool-invocation-contract","version":"0.6.0","description":"Contracts governing which agents can invoke which tools, with capability-based authorization.","tags":["contract","tool-invocation","capabilities"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-core-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary"],"createdAt":"2026-01-15T11:00:00Z","updatedAt":"2026-03-02T15:00:00Z"},"spec":{"format":"cedar","statementCount":1,"cedarSource":"permit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"invoke\",\n  resource is OSSA::Tool\n) when {\n  resource.required_capabilities.containsAll(\n    principal.capabilities\n  ) ||\n  principal.trust_tier == \"enterprise\"\n};"}},{"kind":"Policy","metadata":{"name":"federation-trust","version":"0.8.0","description":"Defines trust relationships between DUADP federation peers. Controls which nodes can publish and replicate resources.","tags":["federation","trust","replication"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["duadp-federation-wg"],"approvers":["ossa-core-team"],"dependsOn":[],"createdAt":"2026-01-10T07:00:00Z","updatedAt":"2026-03-04T11:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"permit(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"replicate\",\n  resource is OSSA::Manifest\n) when {\n  principal.federation_status == \"active\" &&\n  principal.trust_score >= 0.7\n};\n\nforbid(\n  principal is DUADP::Node,\n  action == DUADP::Action::\"publish\",\n  resource is OSSA::Manifest\n) unless {\n  principal.verified == true\n};"}},{"kind":"Policy","metadata":{"name":"nist-rmf-governance","version":"1.0.0","description":"NIST AI RMF compliance policy. Maps Cedar authorization to NIST Govern, Map, Measure, Manage functions.","tags":["compliance","nist","governance","risk-management"],"complianceFrameworks":["NIST AI RMF 1.0"],"classification":"standard","authors":["ossa-compliance-team"],"approvers":["security-review-board"],"dependsOn":["agent-execution-boundary","data-access-control"],"createdAt":"2025-11-01T06:00:00Z","updatedAt":"2026-03-06T10:00:00Z"},"spec":{"format":"cedar","statementCount":2,"cedarSource":"// GOVERN: Require risk assessment before deployment\nforbid(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"deploy\",\n  resource is OSSA::Environment\n) unless {\n  principal.risk_assessment_complete == true &&\n  principal.risk_level in [\"low\", \"moderate\"]\n};\n\n// MEASURE: Require metrics collection\npermit(\n  principal is OSSA::Agent,\n  action == OSSA::Action::\"operate\",\n  resource is OSSA::Environment\n) when {\n  principal.metrics_enabled == true &&\n  principal.audit_logging == true\n};"}}]},"federation":{"consensus":"partial","summary":"Witness nodes resolve the record but disagree on confidence or freshness.","witnesses":[{"node":"discover.duadp.org","node_did":"did:web:discover.duadp.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"registry.openstandardagents.org","node_did":"did:web:registry.openstandardagents.org","resolved":true,"trust_tier":"verified-signature","signature_state":"verified","agreement":"agree","note":"Witness agrees on DID and signature state."},{"node":"marketplace.drupl.ai","node_did":"did:web:marketplace.drupl.ai","resolved":true,"trust_tier":"signed","signature_state":"present_unverified","agreement":"partial","note":"Witness resolves the resource but with a lower confidence tier."}]},"provenance":{"publisher":"blueflyagents.com","source_url":"https://blueflyagents.com/api/v1/tools","manifest_url":"https://blueflyagents.com/.well-known/duadp.json","license":"Apache-2.0","content_hash":"sha256:b373fd3b73b18699f4301197c021a601df1c1b8109a1b3863d0286ac7761deef","signed_payload_hash":"sha256:b373fd3b73b18699f4301197c021a601df1c1b8109a1b3863d0286ac7761deef","manifest_matches_signed_payload":true},"raw":{"manifest":{"apiVersion":"ossa/v0.5","kind":"Tool","metadata":{"name":"gkg-query","version":"0.3.0","description":"Query the Global Knowledge Graph for code definitions, references, and cross-repo relationships","category":"knowledge","trust_tier":"verified-signature","tags":["gkg","knowledge-graph","code","mcp"],"created":"2026-01-10T07:00:00Z","updated":"2026-03-04T11:00:00Z"},"identity":{"gaid":"tool://blueflyagents.com/mcp/gkg-query","did":"did:web:blueflyagents.com:mcp:gkg-query"},"spec":{"protocol":"mcp","transport":"sse"},"risk":{"level":"low","autonomy_level":"advisory","data_sensitivity":"internal"},"_type":"tool"},"did_document":{"@context":["https://www.w3.org/ns/did/v1"],"id":"did:web:blueflyagents.com:mcp:gkg-query","verificationMethod":[{"id":"did:web:blueflyagents.com:mcp:gkg-query#key-1","type":"Ed25519VerificationKey2020","controller":"did:web:blueflyagents.com:mcp:gkg-query","publicKeyMultibase":"z15cbc07f22987d2b58c6ecf97467"}],"assertionMethod":["did:web:blueflyagents.com:mcp:gkg-query#key-1"],"service":[{"id":"did:web:blueflyagents.com:mcp:gkg-query#duadp","type":"DUADPNode","serviceEndpoint":"https://blueflyagents.com/.well-known/duadp.json"}],"health":{"method":"web","resolution_latency_ms":52,"freshness":"fresh","domain_match":true,"missing_keys":[],"broken_service_endpoints":[]}},"policy_context":{"trust_tier":"verified-signature","risk_level":"low","autonomy_level":"advisory","did_method":"web","domain_match":true,"revoked":false,"federation_consensus":"partial"},"verification_result":{"verdict":"allow","verdict_label":"Verified","signature":{"status":"verified","algorithm":"Ed25519","key_id":"did:web:blueflyagents.com:mcp:gkg-query#key-1","verification_method":"did:web:blueflyagents.com:mcp:gkg-query#key-1","signed_at":"2026-03-04T11:00:00Z","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},"revocation":{"revoked":false,"reason":null,"revoked_at":null,"revoked_by":null,"source_node":null},"federation_consensus":"partial","checks":[{"key":"did-resolution","label":"DID resolution","status":"pass","reason":"Verification methods are available to evaluate trust."},{"key":"signature-threshold","label":"Signature threshold","status":"pass","reason":"Signature verifies against the resolved DID verification method in the local DUADP trust model."},{"key":"revocation-check","label":"Revocation check","status":"pass","reason":"No active revocation record present in the local evidence store."},{"key":"risk-controls","label":"Risk control fit","status":"pass","reason":"Risk level low with autonomy advisory."},{"key":"federation-consensus","label":"Federation consensus","status":"warn","reason":"Some witnesses downgrade or partially resolve the record."}]}}}],"meta":{"total":23,"returned":23,"filtered":false,"mode":"static-export-catalog"}}