From 3734811eca24b2aa838929a52135564b58c230a6 Mon Sep 17 00:00:00 2001 From: Greg Soucy Date: Fri, 20 Mar 2026 02:13:29 -0400 Subject: [PATCH] Clarify x402 references and security policy --- README.md | 2 +- SECURITY.md | 25 +++++++++++++++++++------ SPEC.md | 2 +- 3 files changed, 21 insertions(+), 8 deletions(-) diff --git a/README.md b/README.md index 4d48c3f..e1b8120 100644 --- a/README.md +++ b/README.md @@ -2,7 +2,7 @@ Agent Cards are CommandLayer's canonical discovery and binding artifacts. They bind ENS names to a single verb, the authoritative request/receipt schemas for that verb, the public schema mirrors, and the semver-pinned x402 entrypoint. They do not act as product pages, feature summaries, or semantic substitutes for the linked protocol schemas. -In these cards, `x402://...` is the protocol-form entry identifier for the bound verb route. For the external x402 protocol definition, see `https://docs.x402.org/`. +In these cards, `x402://...` is the protocol-form entry identifier used by CommandLayer agents. It represents a standardized action endpoint (`` + route + version). See `https://docs.x402.org/` for the external protocol definition. See `CHANGELOG.md` for version differences. diff --git a/SECURITY.md b/SECURITY.md index 4d5e710..73a23b2 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,9 +1,22 @@ # Security Policy — Agent Cards -Report issues that could break discovery or routing, including: +## Scope -- stale or mismatched card schema bindings -- stale `_shared` references in the current line -- incorrect `entry` URIs -- manifest / discovery drift -- checksum mismatches +This repository publishes Agent Cards, discovery descriptors, manifest metadata, schemas, and release integrity files. +Security issues here include anything that could misroute discovery, change a published binding, break checksum verification, or misstate the canonical release contents. + +## Reporting + +Please report suspected security issues to `dev@commandlayer.org`. +If email is unavailable, open a private or minimally detailed issue in this repository and avoid posting exploit details publicly. +Include the affected file path, commit or tag if known, and a short reproduction note. + +## Disclosure + +Please use responsible disclosure. +Do not publish proof-of-concept exploits, checksum bypasses, or binding-takeover details before maintainers have a chance to review and coordinate a fix. + +## Response + +Reports are reviewed on a best-effort basis. +This repository does not provide formal SLA commitments, but maintainers will try to confirm valid reports, clarify impact, and publish a fix or mitigation when warranted. diff --git a/SPEC.md b/SPEC.md index 5ef4f7a..b41e5b8 100644 --- a/SPEC.md +++ b/SPEC.md 
@@ -65,7 +65,7 @@ The schema also requires `schemas.request`, `schemas.receipt`, `schemas_mirror.r - `$schema` MUST equal `https://commandlayer.org/agent-cards/schemas/v1.1.0/agent.card.schema.json` - `$id` MUST match the card's canonical HTTPS path - `entry` MUST be `x402:////v1.1.0` -- `x402://` is the protocol-form entry identifier used by these cards; see the x402 protocol docs at `https://docs.x402.org/` for the external protocol reference +- `x402://` is the protocol-form entry identifier used by CommandLayer agents; it represents a standardized action endpoint (verb + route + version). See `https://docs.x402.org/` for the external protocol reference - v1.0.0 MAY remain in the repository only as a legacy archival compatibility surface ## 6. Binding rules
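Review bot: in the README.md hunk, the replacement line has an empty code span in `(`` + route + version)`, so the endpoint structure reads as "+ route + version" with its first component missing; the parallel SPEC.md line in this same patch spells it out as `(verb + route + version)`, so use that wording here (or put the verb placeholder inside the backticks) so the two descriptions agree.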
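Review bot: in the SECURITY.md hunk, the new Scope section drops the concrete issue classes the old list named (stale or mismatched schema bindings, stale `_shared` references, incorrect `entry` URIs, manifest/discovery drift, checksum mismatches); the generic "anything that could misroute discovery ..." sentence is harder for a reporter to match against, so keep that list as examples under Scope. In Reporting, the fallback "open a private or minimally detailed issue in this repository" is weaker than it sounds: ordinary issues are public, so even a minimal one announces that a binding or checksum problem exists before a fix ships; point reporters at the repository's private vulnerability reporting / security advisory if that is enabled, and otherwise ask them to wait for an email reply rather than file an issue. The Response section would also benefit from an acknowledgement window (even a non-binding "within N days") so a reporter knows when to follow up.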
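Review bot: in the SPEC.md hunk, the changed bullet now carries the same definition sentence as README.md, so the two will drift the next time one is edited; since SPEC.md is the normative document, keep the full definition here and have README.md refer to this section. The bullet also sits in a list of MUST requirements on the card, yet it is phrased descriptively ("used by CommandLayer agents"); stating it as a requirement on the card's `entry` field (it MUST use the `x402://` scheme with verb, route and version components) would keep the bullet normative and consistent with the `entry` MUST line above it.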