docs: design v0.5.0 signed manifests

AGENTS.md

@@ -22,26 +22,33 @@ The repo ships:
 ## Current state
 
 - npm scope: **`@marmarlabs`** (do not change).
-- Latest published release: **v0.3.0** on npm and on GitHub
+- Latest published release: **v0.4.0** on npm and on GitHub
   (Latest, stable; published via npm Trusted Publishing with SLSA
   build provenance).
-- **v0.4.0 is release-prepared on the `release/v0.4.0-http-polish`
-  branch** — all packages bumped to `0.4.0`, opt-in HTTP MCP
-  transport implemented (PR #27 landed), docs/examples updated,
-  HTTP smoke wired. **Not yet on npm**; publishing happens through
-  the Trusted Publishing workflow only after maintainer approval.
-  Predecessor PRs:
-  [#23](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/23) (design),
+- **v0.5.0 is in design** — Signed manifests. Design doc:
+  [docs/designs/signed-manifests.md](docs/designs/signed-manifests.md);
+  ADR: [docs/adr/0002-signed-manifests.md](docs/adr/0002-signed-manifests.md);
+  tracking issue: [#31](https://github.com/marmar9615-cloud/agentbridge-protocol/issues/31)
+  /
+  [docs/issues/v0.5.0-signed-manifests.md](docs/issues/v0.5.0-signed-manifests.md).
+  No runtime change yet; implementation lands in subsequent PRs.
+- v0.4.0 predecessor PRs:
+  [#23](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/23) (HTTP transport design),
   [#24](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/24) (transport abstraction),
   [#25](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/25) (adopter docs/examples),
   [#26](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/26) (OpenAPI regression fixtures),
-  [#27](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/27) (HTTP transport + bearer auth).
+  [#27](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/27) (HTTP transport + bearer auth),
+  [#29](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/29) (release prep),
+  [#30](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/30) (post-release notes),
+  [#28](https://github.com/marmar9615-cloud/agentbridge-protocol/pull/28) (SDK public API contract coverage).
 - Stdio remains the default and only-when-unset transport. HTTP is
   **opt-in** via `AGENTBRIDGE_TRANSPORT=http`. Design in
   [docs/designs/http-mcp-transport-auth.md](docs/designs/http-mcp-transport-auth.md);
   ADR in [docs/adr/0001-http-mcp-transport.md](docs/adr/0001-http-mcp-transport.md).
 - Manifest schema: v0.1, stable for the v0.x line. Will be frozen
-  for v1.x per [docs/v1-readiness.md](docs/v1-readiness.md).
+  for v1.x per [docs/v1-readiness.md](docs/v1-readiness.md). v0.5.0
+  adds an optional `signature` block; unsigned manifests still
+  validate.
 
 ## Layout
 
@@ -181,7 +188,11 @@ If a change weakens any of these, stop and ask before continuing.
   — v0.4.0 HTTP MCP transport + auth design.
 - [docs/adr/0001-http-mcp-transport.md](docs/adr/0001-http-mcp-transport.md)
   — ADR for the HTTP transport decision.
-- [docs/roadmap.md](docs/roadmap.md) — what's planned beyond v0.3.x
-  (HTTP MCP transport, signed manifests, OAuth scope enforcement,
-  distributed audit storage, …).
+- [docs/designs/signed-manifests.md](docs/designs/signed-manifests.md)
+  — v0.5.0 signed-manifest design (in progress).
+- [docs/adr/0002-signed-manifests.md](docs/adr/0002-signed-manifests.md)
+  — ADR for the signed-manifest decision.
+- [docs/roadmap.md](docs/roadmap.md) — what's planned beyond v0.4.x
+  (signed manifests, OAuth scope enforcement, distributed audit
+  storage, …).
 - [SECURITY.md](SECURITY.md) — how to report security issues.

CLAUDE.md

@@ -178,5 +178,9 @@ Every new feature ships with a test. Categories of tests we currently maintain:
 - [docs/adr/0001-http-mcp-transport.md](docs/adr/0001-http-mcp-transport.md)
   — ADR for adding the opt-in HTTP MCP transport.
 - [docs/releases/v0.4.0.md](docs/releases/v0.4.0.md) — v0.4.0
-  release notes (release-prepared on
-  `release/v0.4.0-http-polish`; not yet on npm).
+  release notes. Published on npm via Trusted Publishing with SLSA
+  build provenance.
+- [docs/designs/signed-manifests.md](docs/designs/signed-manifests.md)
+  — v0.5.0 signed-manifest design (in progress; no runtime yet).
+- [docs/adr/0002-signed-manifests.md](docs/adr/0002-signed-manifests.md)
+  — ADR for adding optional signed AgentBridge manifests.

README.md

@@ -11,7 +11,7 @@
 [![TypeScript](https://img.shields.io/badge/TypeScript-5.7-3178c6?logo=typescript&logoColor=white)](https://www.typescriptlang.org/)
 [![Next.js](https://img.shields.io/badge/Next.js-15-black?logo=next.js&logoColor=white)](https://nextjs.org/)
 [![MCP](https://img.shields.io/badge/MCP-1.0-orange)](https://modelcontextprotocol.io)
-[![Status: v0.4.0-rc](https://img.shields.io/badge/Status-v0.4.0--rc-blue)]()
+[![Status: v0.4.0](https://img.shields.io/badge/Status-v0.4.0-blue)]()
 [![npm](https://img.shields.io/npm/v/@marmarlabs/agentbridge-sdk?label=%40marmarlabs%2Fagentbridge-sdk)](https://www.npmjs.com/package/@marmarlabs/agentbridge-sdk)
 
 </div>
@@ -20,18 +20,30 @@
 
 ## Status
 
-**AgentBridge v0.3.0 is live on npm under the `@marmarlabs` scope**
+**AgentBridge v0.4.0 is live on npm under the `@marmarlabs` scope**
 (published via npm Trusted Publishing with SLSA build provenance).
-**v0.4.0 is release-prepared** on the `release/v0.4.0-http-polish`
-branch — all packages bumped to `0.4.0`, the opt-in HTTP MCP
-transport implemented, docs and examples updated, and HTTP smoke
-wired into the local pre-publish flow. **Not yet on npm**;
-publishing happens through the existing Trusted Publishing
-workflow only after maintainer approval. See
+The v0.4.0 line ships the opt-in Streamable HTTP MCP transport,
+adopter quickstart, manifest-pattern catalogue, and OpenAPI
+regression fixtures. See
 [docs/releases/v0.4.0.md](docs/releases/v0.4.0.md) for the full
 release notes.
 
-The v0.4.0 line adds:
+**v0.5.0 (Signed manifests) is in design** — design-first PR
+landing now, no runtime change yet. Publishers will be able to
+sign their `/.well-known/agentbridge.json` with a key set served
+at `/.well-known/agentbridge-keys.json`; agents and the MCP
+server will verify the manifest offline before trusting any
+action. Verification is **additive** — confirmation gate, origin
+pinning, target-origin allowlist, audit redaction, stdio stdout
+hygiene, and HTTP transport auth/origin checks all continue to
+enforce on top. See
+[docs/designs/signed-manifests.md](docs/designs/signed-manifests.md)
+and
+[docs/adr/0002-signed-manifests.md](docs/adr/0002-signed-manifests.md)
+for the design and decision record. Tracking issue:
+[#31](https://github.com/marmar9615-cloud/agentbridge-protocol/issues/31).
+
+The v0.4.0 line shipped:
 - An **opt-in Streamable HTTP MCP transport** with static
   bearer-token auth, exact-origin allowlist, and loopback-by-
   default bind. **stdio remains the default** for local desktop
@@ -49,8 +61,8 @@ The v0.4.0 line adds:
   ([examples/openapi-regression](examples/openapi-regression))
   pinning stable mapping behavior.
 
-Neither v0.3.0 nor v0.4.0 alone is v1.0 production readiness;
-both are steps toward it. The HTTP transport is **experimental**
+No published v0.x release alone is v1.0 production readiness;
+each is a step toward it. The HTTP transport is **experimental**
 in v0.4.0.
 
 ```bash
@@ -62,15 +74,16 @@ npx @marmarlabs/agentbridge-mcp-server
 AgentBridge is usable today for local development, app prototyping,
 manifest authoring, scanner workflows, OpenAPI import, and MCP
 experiments. It is **not yet production security infrastructure** —
-signed manifests, OAuth scope enforcement, HTTP MCP transport, and
+signed manifests (v0.5.0, in design), OAuth scope enforcement, and
 distributed audit storage are roadmap items (see
 [docs/roadmap.md](docs/roadmap.md)). Destructive demo actions remain
 simulated.
 
-For release notes, see [docs/releases/v0.4.0.md](docs/releases/v0.4.0.md)
-for the in-flight release,
-[docs/releases/v0.3.0.md](docs/releases/v0.3.0.md) for the latest
+For release notes, see
+[docs/releases/v0.4.0.md](docs/releases/v0.4.0.md) for the latest
 shipped release,
+[docs/releases/v0.3.0.md](docs/releases/v0.3.0.md) for the
+production-foundations release,
 [docs/releases/v0.2.2.md](docs/releases/v0.2.2.md) for the Codex
 onboarding release,
 [docs/releases/v0.2.1.md](docs/releases/v0.2.1.md) for the docs
@@ -889,6 +902,8 @@ CI runs `npm install`, typecheck, all tests, and Next.js builds on Node 20.x and
 | [docs/trusted-publishing.md](docs/trusted-publishing.md) | npm Trusted Publishing plan and the draft `release-publish.yml` workflow. |
 | [docs/designs/http-mcp-transport-auth.md](docs/designs/http-mcp-transport-auth.md) | v0.4.0 HTTP MCP transport + auth design. |
 | [docs/adr/0001-http-mcp-transport.md](docs/adr/0001-http-mcp-transport.md) | ADR for adding the opt-in HTTP MCP transport. |
+| [docs/designs/signed-manifests.md](docs/designs/signed-manifests.md) | v0.5.0 signed-manifest design (in progress). |
+| [docs/adr/0002-signed-manifests.md](docs/adr/0002-signed-manifests.md) | ADR for adding optional signed AgentBridge manifests. |
 | [docs/roadmap.md](docs/roadmap.md) | What's shipped, what's next. |
 | [spec/agentbridge-manifest.v0.1.md](spec/agentbridge-manifest.v0.1.md) | The manifest specification. |
 | [AGENTS.md](AGENTS.md) | Short, model-neutral working notes for any AI coding agent (Codex, Claude, Cursor, custom). |
@@ -902,7 +917,7 @@ CI runs `npm install`, typecheck, all tests, and Next.js builds on Node 20.x and
 
 Near-term, in rough priority order:
 
-- **Signed manifests.** A published manifest carries a publisher signature an agent can verify offline. Removes the need to trust the host you're talking to.
+- **Signed manifests (v0.5.0, in design).** A published manifest carries an inline publisher signature (Ed25519 by default, RFC 8785 canonicalization) an agent can verify offline against the publisher's key set at `/.well-known/agentbridge-keys.json`. Optional in v0.5.0; mandatory at v1.0 after a documented migration. Design: [docs/designs/signed-manifests.md](docs/designs/signed-manifests.md). ADR: [docs/adr/0002-signed-manifests.md](docs/adr/0002-signed-manifests.md). Tracking: [#31](https://github.com/marmar9615-cloud/agentbridge-protocol/issues/31).
 - **Standardized risk taxonomy.** Move from `low | medium | high` to a richer model: `read`, `write-self`, `write-others`, `financial`, `irreversible`. Lets agents reason about action consequences more precisely.
 - **Policy primitives.** First-class support for cost caps, rate limits, business-hours gating, and N-of-M approver workflows declared *in the manifest*.
 - **HTTP MCP transport.** Stdio works for desktop clients; hosted/centralized agents need an authenticated HTTP transport. **Implemented as opt-in in v0.4.0** behind `AGENTBRIDGE_TRANSPORT=http` with bearer-token auth, exact-origin allowlist, and loopback-by-default bind. Design: [docs/designs/http-mcp-transport-auth.md](docs/designs/http-mcp-transport-auth.md). Recipe: [examples/http-client-config](examples/http-client-config).