MARS
v1.0

MARS exists because the open web's package registries were never designed for software that acts. Agents are not libraries.

This specification defines a federated protocol for registering, resolving, and discovering autonomous entities. Every operation is cryptographically verifiable, every publisher is bonded, and every entry traces back to a verified human.

The key words MUST, SHOULD, and MAY in this document are to be interpreted as described in BCP 14 [RFC2119][RFC8174].

• HMR · Human Master Record — root of every lineage chain.
• MHR · Machine Holding Record — FROST t-of-n signing custodian.
• ENR · Entity Namespace Record — namespace bound to an HMR/MHR.
• Entry · A single registry record describing one autonomous entity.
• Bond · MINTS collateral posted by a publisher and slashable on misuse.
• Anchor · A 32-byte content-hash commitment recorded on Sigil.

MARS is a two-tier system. The Sigil chain stores immutable anchors — the smallest possible cryptographic commitment to an entry's content. The Weave DHT stores the full entry payload, indexed by content hash, replicated across regional shards.

This separation gives MARS the durability of a blockchain registry with the read latency of a CDN.

MARS supports the eleven OAS entity kinds. Each kind has its own bond tier minimum and its own canonical schema for the data field of an entry.

• agent · tool · skill · workflow
• model · dataset · service · agent-instance
• hmr · mhr · enr (identity records, immutable)

A registry entry is a JSON object containing an OAS DID, kind, version, publisher DID, content hash, signature, and (optionally) tags, attestations, relationships, and bond amount. All fields are canonicalized via JCS before signing.

Seven verbs define the protocol: register, resolve, discover, update, revoke, transfer, federate. Each maps to a single REST endpoint (see §12).

Every publish requires a MINTS bond proportional to the entry's risk tier. Bonds are slashable for proven misbehavior — supply-chain attacks, intentional malware, license fraud — and refundable on retirement.

Attestations are detachable verifiable credentials issued against entries by independent auditors. Common types: build-reproducible, license-verified, no-malware-detected, eval-passed.

Discovery uses MARS-QL — a SQL superset with first-class graph traversal across lineage and attestation joins. See §11 of the protocol page.

Sigil anchors prove what was published. The Weave DHT serves the bytes. Hash mismatch on resolution returns an explicit tamper-detected error.

Any registry implementing this specification can federate with any other. Federation is unidirectional by default, mutual when both parties consent. Conflicts resolve via the lower sequence number.

REST over HTTP/2, JSON bodies, camelCase fields. WebSocket subscriptions for events. Optional gRPC mirror for tightly-coupled clients.

See /api for the full endpoint table.

Subscribers receive a strongly-typed event stream over WebSocket. Event kinds: EntryCreated, EntryUpdated, EntryRevoked, AttestationAdded, BondSlashed.

MARS inherits the security model of OAS for identity and signing. Replay protection via monotonic sequence numbers. Rate limits at the API edge. Bond slashing as the economic deterrent against abuse. See §14 of the source spec for the full threat model.