This policy governs the active release line and the canonical shipped package boundary. Repo-wide governance and security reporting are defined separately.
v1.1.0 is the current Protocol-Commercial line and the only canonical shipped line.
v1.0.0 may remain in the repository as historical source material for audit or migration reference, but it is outside the shipped npm package surface and outside the active canonical release boundary.
- No published version directory may be silently mutated after release.
- Breaking or semantic changes require a new version directory.
- Release metadata, package contents, schema paths, examples, and checksums must remain internally consistent.
- Public documentation controlled by this repo must teach the same current-line package boundary the repo actually ships.
The canonical shipped boundary for v1.1.0 is limited to:
- schemas/v1.1.0/
- examples/v1.1.0/
- manifest.json
- checksums.txt
- LICENSE
- README.md
- index.js
Legacy v1.0.0 schemas, examples, and any historical TypeScript fixtures are repository-retained material only unless a future release explicitly restores them to a validated package boundary.
checksums.txt is the generated ledger for the canonical shipped boundary, excluding checksums.txt itself.
The checksum-covered payload consists of:
- schemas/v1.1.0/
- examples/v1.1.0/
- manifest.json
- LICENSE
- README.md
- index.js
Release-defining prose docs outside that list are repository guidance only and must not be described as part of the shipped or checksum-covered release payload.
- Schema fixes before publication require maintainer signoff.
- New verbs or version lines require explicit steward approval.
- Actor roles are governed repo-wide; new roles require explicit steward approval.
- payment_requirement, payment_session, and payment_proof are the canonical payment-layer names for shared semantics.
- fulfillment_ref denotes the merchant or provider controlled fulfillment artifact, not a generic external pointer.
- Shipment receipts must remain commercially scoped and tied to an upstream checkout or purchase.
- requester is the governed field for the initiator of a verify.request; verifier is reserved for the authority that issues or attests the verification receipt.
Tarball validation may additionally allow npm-emitted package.json metadata, but that packaging artifact does not expand the canonical shipped boundary.