{ "$schema": "https://json-schema.org/draft/2020-12/schema", "$id": "https://frootai.dev/schema/conformance-certificate-v1.json", "title": "FAI Orchard cross-runtime conformance certificate v1", "description": "JSON schema for the SHA-256-fingerprinted certificate uploaded as a workflow artifact on every Orchard release. Attests that the same 27 MCP contract assertions pass byte-equal against @frootai/mcp-orchard (npm), frootai-mcp-orchard (PyPI), and the VSCode-embedded MCP server.", "type": "object", "required": ["schema_version", "release_tag", "released_at", "runtimes", "contracts", "fingerprint"], "properties": { "schema_version": { "type": "string", "const": "1", "description": "Schema version this certificate conforms to." }, "release_tag": { "type": "string", "pattern": "^orchard-v[0-9]+\\.[0-9]+\\.[0-9]+(-[a-z0-9]+(\\.[a-z0-9]+)*)?(-(mcp|sdk|ops|enterprise))?$", "description": "Git tag the certificate was generated for (e.g., orchard-v1.0.0-mcp)." }, "released_at": { "type": "string", "format": "date-time", "description": "ISO 8601 UTC timestamp when the certificate was generated." }, "runtimes": { "type": "array", "minItems": 3, "items": { "type": "object", "required": ["name", "version", "sha256"], "properties": { "name": { "type": "string", "enum": ["npm", "pypi", "vscode-embedded"], "description": "The runtime under test." }, "version": { "type": "string", "description": "Package version published to this runtime (e.g., 1.0.0)." }, "sha256": { "type": "string", "pattern": "^[a-f0-9]{64}$", "description": "SHA-256 of the runtime's distribution artifact (npm tarball, PyPI wheel+sdist, VSCode bundle)." }, "provenance_url": { "type": "string", "format": "uri", "description": "Optional link to the runtime-specific provenance attestation (npm Sigstore, PyPI PEP 740, etc.)." } } }, "description": "The 3 runtimes under conformance test. Order is canonical: npm, pypi, vscode-embedded." }, "contracts": { "type": "array", "minItems": 27, "maxItems": 27, "items": { "type": "object", "required": ["id", "kind", "passed_byte_equal"], "properties": { "id": { "type": "string", "pattern": "^MCP-(TOOL|PROMPT|RESOURCE|ERROR|PAGINATION|AUTH|CROSS_REGION|SHUTDOWN)-[0-9]{2,3}$", "description": "Stable contract assertion identifier." }, "kind": { "type": "string", "enum": ["tools/call", "tools/list", "prompts/get", "prompts/list", "resources/read", "resources/list", "error_envelope", "pagination_cursor", "auth_flow", "cross_region_invariant", "graceful_shutdown"], "description": "Protocol surface the assertion exercises." }, "passed_byte_equal": { "type": "boolean", "description": "True iff all 3 runtimes produced byte-equal output for this assertion." }, "first_drift_runtime": { "type": "string", "enum": ["npm", "pypi", "vscode-embedded"], "description": "If passed_byte_equal=false, the first runtime that drifted. Absent when passed_byte_equal=true." }, "fixture_sha256": { "type": "string", "pattern": "^[a-f0-9]{64}$", "description": "SHA-256 of the canonical input fixture for this assertion." } } }, "description": "The 27 contract assertions. The full set is enumerated; this schema does not enumerate the IDs because the contract surface is allowed to evolve at minor versions (within the byte-equal-or-bust invariant)." }, "fingerprint": { "type": "string", "pattern": "^sha256:[a-f0-9]{64}$", "description": "Self-fingerprint of this certificate's canonical JSON. Lets consumers verify a downloaded copy hasn't been tampered with." }, "passing": { "type": "boolean", "description": "True iff every contract.passed_byte_equal is true. A release with passing=false MUST NOT be published." }, "notes": { "type": "string", "description": "Optional free-text notes (e.g., 'added MCP-PAGINATION-09 to cover Unicode-normalized cursor parity')." } }, "additionalProperties": false }