Integrate canonical v0.1.0#2
Conversation
Replace the single legacy specification/ACS/acs_schema.json with the modular
v0.1.0 schema package from canonical ACS. The legacy file becomes an
aggregator manifest that cross-references the new modular files.
Adds:
specification/v0.1.0/{request,response}-envelope.json
specification/v0.1.0/{handshake,provenance,provenance-summary}.json
specification/v0.1.0/{context-entry,ask-details,defer-details,modifications}.json
specification/v0.1.0/hooks/*.json (19 per-hook schemas: session-start/end,
agent-trigger, turn-start/end, user-message, agent-response,
knowledge-retrieval, memory-context-retrieval, memory-store,
tool-call-request/result, pre/post-compact, subagent-start/stop,
system-ping, agbom-snapshot/changed)
specification/v0.1.0/agbom/{component,document}.json
specification/v0.1.0/inspect/format-mapping.json
specification/v0.1.0/trace/{otel,ocsf}-mapping.json
specification.md and hooks.md now mirror the canonical ACS v0.1.0 spec proposal: design principles, two-layer Guardian architecture, JSON-RPC 2.0 envelope with stdio + HTTP transports, capability-negotiation handshake (handshake/hello), 16 native steps/* hooks, full disposition vocabulary including DEFER, decision-result fields supporting paradigm composition (FIDES / CaMeL / AARM / IBAC), provenance with optional trust enum and default channel-to-trust mapping, SessionContext with normative chain hashing (RFC 8785 JCS + SHA-256), Intent immutability and intent-extension via ASK, crypto-agile signature registry (HMAC, ECDSA, RSA-PSS, ML-DSA, SLH-DSA, hybrids), replay protection, OPA policy-engine reference binding, the new lifecycle hooks (sessionStart/End, turnStart/End, pre/postCompact, subagentStart/Stop), system/ping liveness, multi-tenancy reservation, and the v0.2 / future deferred list.
Refresh docs/spec/trace/{events.md,extend_opentelemetry.md,extend_ocsf.md}
to align with the canonical v0.1.0 mapping:
- OpenTelemetry: span-name + required-attribute table for every step,
decision-as-span-event rule, provenance attributes, span-link rule for
cited_provenance_ids.
- OCSF: class assignments per step (Authentication 3002, Application
Activity 6002, Process Activity 1007, Datastore Activity 6005, Detection
Finding 2004 for deny/modify/ask/defer, Inventory Info 5001 for
agbom/*) and disposition -> severity_id mapping.
- ACS-Trace conformance bar.
- Failure isolation: trace sink failure MUST NOT change the disposition.
Refresh docs/spec/inspect/{README.md,extend_cyclonedx.md,extend_spdx.md,
extend_swid.md} to align with the canonical v0.1.0 Inspect pillar:
- agbom/snapshot and agbom/changed wire methods, with audit-chain
integration.
- Canonical component graph with seven types (model, mcp_server, a2a_peer,
tool, knowledge_source, memory_store, agent_capability).
- registration_provenance on every component (REQUIRED under
ACS-Provenance).
- CycloneDX 1.6, SPDX 3.0, SWID derivations from the canonical document.
- ACS-Inspect and ACS-Inspect-Dynamic conformance bars.
New docs/spec/conformance.md defining the v0.1.0 profile system: ACS-Core (mandatory baseline) plus five optional profiles deployments declare in the handshake's profiles_supported / profiles_accepted fields. - ACS-Core: handshake, envelope, hooks, dispositions (incl. DEFER), SessionContext, Intent, replay protection, ping, wrapped MCP. - ACS-Trace: OTel + OCSF event emission, decision-as-span-event. - ACS-Inspect / ACS-Inspect-Dynamic: agbom/snapshot, agbom/changed. - ACS-Provenance: field-level Provenance with optional trust enum. - ACS-Crypto: ML-DSA-65 primary, SLH-DSA-128s backup, hybrids. - ACS-Audit: request_hash on every ContextEntry. Profiles compose; the page includes a quick-reference matrix.
core_concepts.md now introduces the v0.1.0 vocabulary: - Three pillars (Instrument / Trace / Inspect) as co-equal. - Two parties (Observed Agent / Guardian Agent with deterministic + optional agent layers). - Session, Turn, Step, Hook Response, Provenance, SessionContext, Intent with the immutability rule. - Default channel-to-trust mapping and the optional wire-level trust enum. ACS_in_action_example.md now mirrors the canonical Appendix C worked example: handshake, agbom/snapshot, sessionStart, userMessage, toolCallRequest with argument-level provenance, IBAC + FIDES decision envelope with reason_codes / policy_references / policy_data / cited_provenance_ids, plus a parallel deny-shaped example.
- docs/references/hook_surfaces.md: survey of lifecycle-hook systems across coding agents (Claude Code, Cursor, Codex, Copilot, Replit, Tabnine, Windsurf) with a semantic-event matrix and migration notes. Source for the v0.1.0 hook taxonomy and the DEFER disposition design. - docs/references/standards_compatibility.md: comparison of CaMeL, FIDES, AARM, IBAC, Conseca, MELON, ControlValve, AgentSentry, LlamaFirewall, PROV-AGENT/Flowcept; Google secure-agent guidance, Chrome User Alignment Critic, MCP security best practices, OWASP Agentic Top 10. Source for the deterministic-mediation core + pluggable detectors architecture. - docs/assets/ibac-paper.pdf: primary source for the Intent model. - docs/references/README.md: index linking the three sources.
Replace the work-in-progress intro with a v0.1.0 summary: what ACS is, the three pillars (Instrument / Trace / Inspect), and the six profiles (ACS-Core mandatory plus ACS-Trace, ACS-Inspect/-Dynamic, ACS-Provenance, ACS-Crypto, ACS-Audit). Leaves the existing aspirational SDK/MCP/A2A code samples below intact.
- Add Specification > Conformance Profiles entry pointing at the new spec/conformance.md page. - Add a top-level References section exposing hook_surfaces.md and standards_compatibility.md.
- Schema-file references now point at GitHub blob URLs under https://github.com/Agent-Control-Standard/ACS/blob/dev/specification/v0.1.0/... Schemas live outside docs_dir, so relative links from the docs tree cannot reach them; absolute URLs work both in the rendered site and when reading docs raw. - Update §13 anchor slug (OWASP#13-liveness-system-methods) to match Python-Markdown's TOC slugifier. - A2A hook docs: replace stale spec-anchor links (OWASP#48-a2a-protocol-methods, OWASP#51-acssuccessresponse-object) with code spans for the method names and a pointer to the new dispositions section. The protocols/A2A/* namespace remains reserved for v0.2. - extend_mcp.md: point at the new protocols/MCP/* anchor in hooks.md (the old #mcp-protocol-hooks anchor is gone). - gitignore: add site/ (mkdocs build artifact). `uv run mkdocs build --strict` now succeeds.
The hook-surfaces and standards-compatibility surveys plus the IBAC paper are local research artifacts, not site content. Move them to references/ at the repo root, gitignore that path, and drop the References section from the mkdocs nav. Files remain on disk locally; they no longer ship in the repo or build into the site.
ACS_in_action_example.md now shows one denial-shaped envelope per paradigm so readers can see how the same wire format expresses each: - IBAC: Intent.parsed mismatch with intent_parsed and closest match exposed in policy_data. - FIDES: P-T (planner-taint) failure with violating_argument_path, lineage_origins, and earliest_untrusted_provenance_id. - CaMeL: per-argument dependency-graph violation showing the actual vs. expected lineage roots. - AARM: cumulative-context denial with earliest_untrusted_step_id and the entry_count_by_origin aggregate from provenance_summary. - IBAC + FIDES composition: a single decision citing both paradigms in policy_references, reason_codes, and a policy_data object keyed by paradigm name. Also: repoint all schema GitHub URLs from Agent-Control-Standard/ACS (404) to afogel/ACS_official (the actual configured remote).
ClientHello now carries an optional approver_types_supported array (human / agent / service) mirroring the existing ServerHello field. New §9.2 normatively requires Guardians to substitute DEFER or DENY for ASK whenever the client/Guardian approver-type sets do not intersect. This lets headless automation, IDE plugins, and runtimes with allow/deny policy models (e.g., Microsoft Agent Governance Toolkit) participate in ACS sessions as fully conformant ACS-Core deployments — without silently allowing actions that would have been ASK'd elsewhere. Updates: - specification/v0.1.0/handshake.json: add approver_types_supported to ClientHello. - docs/spec/instrument/specification.md: §4 mentions the new field; §6 disposition table cross-references the fallback rule; new §9.2 spells out the normative substitution and the policy-driven DEFER vs. DENY choice.
…-band The handshake-field approach was over-engineered. §9.2 already preserves the security guarantee through Guardian-side substitution; the Guardian can determine client ASK-handling capability by deployment-defined means (agent identity, policy bundle, organizational configuration) without a wire-format declaration. Reverts the schema addition from a1b7958. The normative rule in §9.2 stands — Guardians MUST substitute DEFER or DENY when ASK isn't reachable — but the trigger is now 'Guardian determines the client cannot resolve ASK' rather than 'set intersection on the wire is empty.' Smaller spec surface, same outcome.
|
Heads up @afogel — doing some branch surgery that affects this PR. Want to flag it before it happens so nothing surprises you. Context (and acknowledging the screwup): when I cloned/forked this repo from the original OWASP/AOS source, I left both The change:
What this means for PR #2:
What you may want to do:
Sorry for the disruption. Should be the last branch surgery for a while. |
Catches the PR branch up with 5 commits on dev (sync_version trigger switch, CONTRIBUTING/README/CLAUDE.md updates, deploy_mkdocs removal, upstream docs typo fixes). Conflicts resolved in favor of the PR branch: - docs/acs.md: dev removed a TODO comment from text that the PR branch rewrote wholesale during the v0.1.0 documentation overhaul. - docs/spec/instrument/specification.md: dev fixed a typo and broken anchor in a section that the PR branch replaced with the new §11 error handling content. The PR branch's concise error code table supersedes the old verbose pre-rewrite tables.
|
@rocklambros I fixed the merge conflicts, should be good to go? |
|
|
||
| Fires after compaction. Audit + provenance-binding hook. | ||
|
|
||
| **Payload:** resulting `summary` content with `provenance` whose `origin` MUST be `agent_generated` and whose `derived_from` MUST equal the union of `provenance_id`s of every entry in `entries_compacted`. When the deployment populates `trust` on the wire, `trust` MUST equal the minimum trust of those entries (the standard monotonicity rule applied to summarization). The framework — not the LLM — populates `derived_from`. |
There was a problem hiding this comment.
We removed trust from the documentation and schema. the mention here is a little bit confusing
There was a problem hiding this comment.
Good catch. The conditional clause in hooks.md was restating specification.md §7.1's optional-extension contract inline with the v0.1 baseline payload description, and that mixing made the MUST read like a wire-format requirement when it is not. Removed the trust sentence entirely in f066d8e. The monotonicity rule still applies for any deployment that opts into the optional trust enum via §7.1's general agent_generated clause (which already covers the summarization case). hooks.md now describes only the v0.1 baseline (origin + derived_from); extension semantics live in §7.1.
| --- | ||
|
|
||
| ## 8. Agent Response | ||
| ## toolCallRequest |
There was a problem hiding this comment.
Frameworks MUST fire toolCallRequest for every action that escapes the agent's reasoning context, regardless of whether the framework's tool registry models it as a tool. This includes built-in operations such as filesystem reads/writes, network fetches, process execution, and shell commands. The Guardian relies on a complete view of all outward actions; primitives that bypass toolCallRequest are invisible to policy.
There was a problem hiding this comment.
Agreed, this is a normative requirement the spec should be making explicit. Will add the MUST clause covering filesystem reads/writes, network fetches, process execution, and shell commands, with the framing that any primitive bypassing toolCallRequest is invisible to policy.
| ### 2.1. Description | ||
| This hook is called when the agent decides on calling a tool.<br> | ||
| This hook should be used **after** the inputs are extracted and **before** the tool is called. | ||
| Fires when the agent is activated by an event (email arrival, scheduled trigger, A2A inbound, etc.). For A2A-mediated delegation, `trigger_type: "a2a_inbound"` carries the originating peer identity; in-process subagent spawns use [`subagentStart`](#subagentstart) instead. |
There was a problem hiding this comment.
The trigger_type values in this section don't match the schema. Doc says autonomous / user_initiated / scheduled / a2a_inbound / local. Schema (hooks/agent-trigger.json) says user_message / scheduled / external_event / a2a_inbound / system. Only scheduled and a2a_inbound overlap. Worth aligning one source to the other before merge.
There was a problem hiding this comment.
Could be sharper: "Fires when an external event causes the agent to begin work (event arrival, scheduled tick, A2A inbound message, or user-initiated session). For in-process subagent spawns, see subagentStart."
There was a problem hiding this comment.
Aligned the doc to the schema vocabulary in b420b76. Schema's user_message / scheduled / external_event / a2a_inbound / system is more orthogonal than the doc's autonomous / user_initiated / scheduled / a2a_inbound / local was. Caught two more drifted fields while there: the doc said trigger_event where the schema has trigger_source, and the doc omitted the optional intent field IBAC adopters populate. Also folded in your sharper firing-condition wording from the reply below, expanded to cover all five trigger_type values.
| [`steps/message`](specification.md#45-stepsmessage)<br><br> | ||
| This method is used with [User Message](#4-user-message) hook.<br> | ||
| For this hook `role` **MUST** be `agent` (see example). | ||
| Fires before tool execution. The central enforcement point for IBAC, FIDES, CaMeL, and AARM. Argument-level provenance attached to `ToolArgumentValue` lets Guardians reason about *which* arguments are tainted, not just whether the call is allowed at all. |
There was a problem hiding this comment.
Suggested clerification: Fires after the framework has parsed a tool call from the LLM's output, but before the tool is dispatched to its handler.
There was a problem hiding this comment.
Reword the argument-provenance sentence to drop "tainted". Trust is no longer on the wire, so "tainted" implies a judgment the spec doesn't make. Suggest: "Argument-level provenance attached to each ToolArgumentValue lets Guardians reason about the lineage of individual arguments, so policy can target specific data flows rather than the call as a whole."
There was a problem hiding this comment.
Agreed, the timing should be sharpened. Will update to "Fires after the framework has parsed a tool call from the LLM's output, but before the tool is dispatched to its handler."
There was a problem hiding this comment.
Agreed, "tainted" is the wrong word now that trust is computed in policy rather than carried on the wire. Will adopt your rewording for the argument-provenance sentence.
| ``` No newline at end of file | ||
| Schema: [`hooks/tool-call-result.json`](https://github.com/afogel/ACS_official/blob/dev/specification/v0.1.0/hooks/tool-call-result.json). | ||
|
|
||
| Fires after tool execution, before the result is ingested into the agent. Provenance: `origin: tool_output`, with `derived_from` set to the originating `toolCallRequest`'s provenance ids when the tool's output is data-derived. |
There was a problem hiding this comment.
Fires after tool execution, before the result is ingested into the agent's reasoning context.
There was a problem hiding this comment.
Agreed, will update for consistency with the userMessage rewording so the result is described as ingested into the agent's reasoning context.
| Schema: [`hooks/user-message.json`](https://github.com/afogel/ACS_official/blob/dev/specification/v0.1.0/hooks/user-message.json). | ||
|
|
||
| ## 4. User Message | ||
| User input received, before reaching the agent. Provenance: `origin: user_input`. |
There was a problem hiding this comment.
Suggestion: "Fires when external user input arrives, before it is presented to the agent's reasoning context."
There was a problem hiding this comment.
Agreed, this reads cleaner and matches the "reasoning context" terminology used elsewhere. Will adopt the suggested wording and keep the provenance sentence.
| ### 1.1. Description | ||
| This hook is called when the agent is triggered by an event, such as email or slack notifcations, recurrent schedule etc.<br> | ||
| This hook should be used **after** the content is extracted from the trigger and **before** the agent is triggered or activated. | ||
| Fires once per session, before any other `steps/*` hook for the same `session_id`. Establishes the audit chain root (`previous_hash: null`), session-level identity and policy bindings, and the initial `Intent` (when IBAC is the enforcement paradigm). |
There was a problem hiding this comment.
Should clarify: "After the handshake/hello exchange completes, but before any other steps/* hook." Otherwise readers may not know whether handshake or sessionStart comes first.
There was a problem hiding this comment.
Good catch on the ordering ambiguity. Will update to place sessionStart explicitly after the handshake/hello exchange and before any other steps/* hook.
| | [`system/ping`](#systemping) | Liveness probe | Always ALLOW | No | | ||
| | `protocols/MCP/*` | Wrapped MCP messages | Yes | Yes | | ||
|
|
||
| `protocols/A2A/*` is reserved for v0.2. |
There was a problem hiding this comment.
Worth saying explicitly: "protocols/A2A/* is reserved for v0.2. The namespace is recognized in the handshake's wrapped_protocols for forward-compatibility, but no normative wrapping semantics are defined in v0.1."
There was a problem hiding this comment.
Agreed, the current line is too terse to be useful. Will expand it to call out that the namespace is recognized in the handshake's wrapped_protocols for forward compatibility, and that no normative wrapping semantics are defined in v0.1.
|
|
||
| Schema: [`hooks/system-ping.json`](https://github.com/afogel/ACS_official/blob/dev/specification/v0.1.0/hooks/system-ping.json). See [Specification §13](./specification.md#13-liveness-system-methods). | ||
|
|
||
| Liveness probe. Always returns `decision: "allow"` regardless of policy, signature, or session state. NOT written into SessionContext. NOT subject to signature requirements even when the session otherwise requires signatures. |
There was a problem hiding this comment.
Worth a one-line note at the top: "Note: system/ping is in the system/* namespace, not steps/*. It is not a hook in the enforcement sense; it carries no audit and bypasses signature requirements."
There was a problem hiding this comment.
Agreed, the namespace distinction is worth surfacing. Will add a note at the top of the section stating that system/ping is in the system/* namespace, not steps/*, that it is not a hook in the enforcement sense, and that it carries no audit and bypasses signature requirements.
|
|
||
| Schema: [`hooks/agbom-snapshot.json`](https://github.com/afogel/ACS_official/blob/dev/specification/v0.1.0/hooks/agbom-snapshot.json). | ||
|
|
||
| Inspect-pillar method. Fires once per session, after `sessionStart` and before any content-bearing hook, and again after handshake-renegotiation. Carries the full AgBOM (the Observed Agent's component graph: models, MCP servers, A2A peers, tools, knowledge sources, memory stores, agent capabilities). |
There was a problem hiding this comment.
Worth being explicit: "After sessionStart but before agentTrigger."
Expand the one-line A2A reservation in hooks.md to note that the namespace is recognized in the handshake's wrapped_protocols field for forward compatibility, while making explicit that v0.1 defines no normative wrapping semantics. Addresses review feedback that the prior wording was too terse to tell readers what 'reserved' means operationally for v0.1 deployments.
Readers of the previous wording could not tell whether handshake or sessionStart comes first when both are in play. Position sessionStart explicitly after the handshake/hello exchange completes and before any other steps/* hook, removing the ordering ambiguity flagged in review.
Replace the terse 'User input received, before reaching the agent' with wording that mirrors the 'reasoning context' terminology used elsewhere in the spec, while preserving the existing provenance sentence. Improves consistency with toolCallResult and clarifies what 'reaching the agent' means in practice.
The previous wording implied the recipient is always a user, but agentResponse also fires on A2A egress, subagent-return to a parent agent, and outbound delivery to external systems. Generalize the recipient list so the description holds across all deployment shapes while keeping the existing provenance sentence intact.
Add a normative MUST clause to the toolCallRequest section requiring frameworks to fire the hook for every action that leaves the agent's reasoning context, regardless of whether the framework's tool registry models the action as a tool. Enumerates the easy-to-miss cases (filesystem reads/writes, network fetches, process execution, shell commands) and explains why: primitives that bypass toolCallRequest are invisible to policy, defeating the Guardian's ability to enforce on outward actions.
'Fires before tool execution' left the boundary fuzzy: readers could not tell whether the hook fires when the LLM emits a tool call token, when the framework parses it, or somewhere in between. Replace with the precise framing: after the framework has parsed a tool call from the LLM's output, but before the tool is dispatched to its handler. Matches the implementation contract Guardians need to reason about intercept points.
v0.1 carries factual provenance (origin, source_id, derived_from) on the wire and leaves trust classification to the Guardian against local policy. Calling arguments 'tainted' in the hooks doc implies a classification judgment the wire format does not make. Reword to lineage-based framing that stays consistent with the rest of the v0.1 provenance contract.
Mirror the userMessage update: describe the tool result as ingested into the agent's reasoning context, not merely 'into the agent'. The reasoning-context phrasing is the term of art used throughout the spec for the boundary that hooks gate, so the two halves of the tool-call lifecycle now describe their boundaries the same way.
Add a note at the top of the system/ping section stating that the method lives in the system/* namespace, not steps/*, and that it is not a hook in the enforcement sense. The audit and signature exemptions were already documented further down, but readers landing on this section first need the namespace distinction up front so they do not assume the steps/* contract applies.
The conditional 'When the deployment populates trust on the wire' clause in hooks.md restated specification.md §7.1's optional-trust extension contract inline with the v0.1 baseline payload contract. Readers landing on hooks.md without §7.1 context misread the MUST as a wire-format requirement, which it is not (trust is an OPTIONAL reserved enum, not a v0.1 baseline field). The monotonicity rule still applies via §7.1's general clause for agent_generated provenance, which already covers the summarization case. hooks.md now describes only the v0.1 baseline (origin + derived_from); extension semantics live in §7.1.
Every schema description that discussed the optional trust enum pointed readers to specification.md §3.7, but the trust enum is actually at §7.1 (and the channel-to-trust mapping at §7.2). Section numbering must have shifted at some point and the schema refs were left behind. Anyone clicking through would land nowhere. Update all 10 affected files (provenance.json, provenance-summary.json, response-envelope.json, inspect/format-mapping.json, trace/otel-mapping.json, trace/ocsf-mapping.json, and the four hook payloads that touch trust: post-compact, pre-compact, turn-end, subagent-stop) to point at §7.1.
The hooks.md agentTrigger section had three fields drifted from hooks/agent-trigger.json: - trigger_type enum: doc listed autonomous / user_initiated / scheduled / a2a_inbound / local; schema says user_message / scheduled / external_event / a2a_inbound / system. Only two values overlapped. - Payload field name: doc said trigger_event, schema says trigger_source. - Doc said 'agent context', omitting the optional Intent field the schema carries for IBAC adopters. Align the doc to the schema vocabulary (the schema vocabulary is more orthogonal: user_message vs system distinguishes user-initiated from system-issued, and external_event covers webhook-style arrivals). Also fold in the reviewer's sharper firing-condition wording, expanded to cover all five trigger_type values.
3 participants
Summary
Integrates the canonical v0.1.0 spec from
~/Pillar/ACS(the new source of truth) into this docs site. The canonical materials introduce a tiered conformance model, eight new lifecycle hooks, a normative provenance + SessionContext + Intent system, a crypto-agile signature registry, and OTel/OCSF/CycloneDX/SPDX/SWID mapping tables — all of which were either missing or sketched-only in the prior content.What's new
specification/v0.1.0/: 9 top-level objects (envelopes, handshake, provenance, context-entry, ask/defer/modifications), 19 per-hook payloads, AgBOM canonical schema, Inspect format-mapping, OTel + OCSF mappings. The legacyspecification/ACS/acs_schema.jsonis now a Draft 2020-12 aggregator manifest cross-referencing all modular schemas.docs/spec/conformance.md): ACS-Core mandatory baseline + ACS-Trace, ACS-Inspect, ACS-Inspect-Dynamic, ACS-Provenance, ACS-Crypto, ACS-Audit, with handshake-based declaration.specification.md,hooks.md): JSON-RPC 2.0 envelope with HTTP+stdio transports,handshake/hellocapability negotiation, full disposition vocabulary including DEFER, decision-result fields supporting paradigm composition (FIDES / CaMeL / AARM / IBAC), provenance with optional trust enum and default channel-to-trust mapping, SessionContext with normative chain hashing (RFC 8785 JCS + SHA-256), Intent immutability and intent-extension via ASK, crypto-agile signature registry (HMAC-SHA256 baseline; ECDSA, RSA-PSS, ML-DSA-44/65/87, SLH-DSA-128s/f, hybrids), replay protection, OPA reference policy-engine binding, and the new lifecycle hooks (sessionStart/End, turnStart/End, pre/postCompact, subagentStart/Stop, system/ping).docs/spec/trace/): OpenTelemetry semconv mapping withdecision-as-span-eventrule, OCSF event-class mapping (Authentication 3002, Application Activity 6002, Process Activity 1007, Datastore Activity 6005, Detection Finding 2004 for non-allowdecisions, Inventory Info 5001 for AgBOM), severity_id mapping, ACS-Trace conformance bar.docs/spec/inspect/): canonical AgBOM with seven component types,agbom/snapshotandagbom/changedwire methods, deterministic CycloneDX 1.6 / SPDX 3.0 / SWID derivations.core_concepts.mdupdated to introduce the v0.1.0 vocabulary;ACS_in_action_example.mdreplaced with the canonical Appendix C worked example (toolCallRequest with argument-level provenance, IBAC + FIDES decision envelope).docs/references/withhook_surfaces.md(lifecycle-hook landscape across coding agents) andstandards_compatibility.md(CaMeL/FIDES/AARM/IBAC + Conseca, ControlValve, MELON, AgentSentry, LlamaFirewall, PROV-AGENT/Flowcept comparison). IBAC paper added underdocs/assets/.Commits (in order)
Test plan
uv run mkdocs build --strictsucceeds with no warnings (only an informational notice that the existing A2A hook example pages aren't in the nav, matching pre-PR behavior — they're linked fromextend_a2a.md).uv run mkdocs serveand click through the new Specification > Conformance Profiles section, the rewritten Instrument > Specification + Hooks pages, the refreshed Trace + Inspect pages, and the new References section.