Ajar Protocol
Reference

GLOSSARY — Canonical Terminology

One name per concept, used identically across spec, docs, code, and UI. If you need a new term, add it here in the same PR.

One name per concept, used identically across spec, docs, code, and UI. If you need a new term, add it here in the same PR.

TermDefinition
AjarAjar Protocol — the semantic layer over HTTPS defined in docs/03-PROTOCOL-SPEC.md. Not a new wire protocol.
ProfileA named conformance subset of Ajar: CORE (read), ACT (actions), PAY (metering), FED (transparency/discovery).
Manifest (Capability Manifest)The signed declaration at /.well-known/ajar.json: site identity, keys, Views, Actions, policy summary, metering, federation refs.
OwnerThe party with authority over a site. Root of all site-side authority.
Owner KeyThe site's root Ed25519 keypair; signs the Manifest and certifies Operational Keys. Kept offline where possible.
Operational KeyOwner-certified, scoped, expiring key for day-to-day signing (content, offers).
GatewaySelf-hosted site-side software: converts, serves, enforces Owner Policy, signs, meters, and logs.
ViewThe semantic representation of a content URL, served via content negotiation from the same URL as the human HTML. Composed of Chunks.
ChunkAddressable unit of a View with a stable ID and content hash; unit of diff sync and provenance tagging.
View IndexMachine sitemap: chunk map + hashes + change hints, for full/incremental sync planning.
ActionA typed, owner-published operation: schemas, risk class, effects, endpoint, execution mode.
AEPAjar Enhancement Proposal — the change process for the spec, schemas, and registries; see AEPs/README.md.
Risk class (R0–R3)Normative effect taxonomy: R0 read, R1 reversible write, R2 irreversible write, R3 financial/legal. Sets protocol floors.
EffectsMachine-readable consequence declaration on an Action (and resolved concretely in SIMULATE/Offers).
SIMULATEDry-run mode supported for R1+ Actions; mandatory for clients before R2/R3.
Two-phase executionPropose → Commit ceremony required for R2/R3.
OfferSite-signed frozen proposal produced by Propose: resolved effects, total cost, expiry. Single-use.
CommitAgent's countersigned acceptance of an Offer (over offer_hash ‖ mandate_hash), triggering execution.
ReceiptDual-signed record binding Mandate + Offer + result. The atom of accountability and dispute resolution.
PrincipalThe human/organization on whose behalf an agent acts; issues Mandates.
AgentThe acting software system: model + Kernel + operator infrastructure.
Agent operatorThe party running the agent (may equal the Principal). Identified via signed requests.
Kernel (Client/Kernel)Agent-side runtime: Resolver, Taint Boundary, Policy Monitor, Simulator, Executor, Mandate Store, Receipt Vault, Fallback Engine. The model is outside its trust boundary.
MandatePrincipal-signed, scoped, time-boxed, capped authorization carried by an agent. UCAN-compatible delegation chains.
Standing MandateA Mandate with recurrence caps and long validity — the org↔org contract primitive (e.g., recurring invoices).
ScopeDotted permission name from the registry (e.g., commerce.purchase.transport).
Policy MonitorThe Kernel's deterministic pre-action enforcement: proposal × mandate × simulation → allow/deny/escalate. Not bypassable by model output.
Taint BoundaryKernel mechanism ensuring site content enters the model as provenance-tagged inert data.
Receipt VaultKernel's append-only local store of verdicts, artifacts, and receipts — the agent-side audit trail.
Fallback EngineKernel module for manifest-less sites: consensual headless rendering + extraction, output flagged unverified.
Trust listOperator list an owner subscribes to (or self-curates) for the verified tier. Format and cross-Gateway interop semantics are undefined in v0.1 (deferred).
Owner PolicyThe owner's declarative configuration across five axes: exposure, audience, economics, risk gates, observability.
TierAudience level: anonymous, signed, verified, allowlist, contracted.
GateExecution ceremony setting per action: auto, mandate, human_site, threshold(x), deny.
ConsoleThe Gateway's owner UI: coverage, policy, approval queue, audit, kill switches, revenue.
Harvester / Extractor / Inducer / Action DrafterConversion pipeline tiers: source tapping / deterministic extraction (template clustering) / build-time LLM rule induction / action candidate drafting.
Template clusteringGrouping pages by DOM structural signature so extraction rules scale with templates (~5–20/site), not pages.
Drift detectionContinuous comparison of rendered pages vs. Views; triggers re-induction and owner alerts.
Transparency LogAppend-only Merkle log of manifest publications/updates/revocations (CT-style).
Monitor (federation)Service watching logs for impersonation/anomalies; alerts owners. (Distinct from Policy Monitor.)
Index / Search NodeFederated service crawling logs and serving semantic capability search; discovery-only, never trusted for content.
Inclusion proof / STHMerkle proof of a manifest's log membership / Signed Tree Head.
Late bindingThe connection model: discover → verify → bind → act → disconnect, per task. No pre-integration.
Settlement adapterPluggable payment-rail binding (x402, AP2-card, ...) referenced from metering and receipts.
Conformance suiteThe executable tests + vectors that define what "implements Ajar" means. Claims are valid only against it.
TOFUTrust-on-first-use — the accepted first-contact window for non-FED sites, hardened by log history.