{ "title": "UAIX Capability Surface Matrix", "status": "active", "package_version": "3.84.0", "release_date": "2026-06-10", "last_updated_utc": "2026-06-10T00:00:00Z", "human_page": "https://uaix.org/en-us/spec/capability-surface-matrix/", "canonical_url": "https://uaix.org/spec/capability-surface-matrix.json", "columns": [ "staticHtml", "llmsTxt", "sitemap", "json", "getAction", "postJson", "openApi", "mcp", "a2a", "memory", "evidence" ], "allowed_cell_values": [ "Yes", "No", "Required for client configuration", "Human review" ], "rows": [ { "level": "L0", "client": "URL-only chatbot", "staticHtml": "Yes", "llmsTxt": "Yes", "sitemap": "Yes", "json": "Required for client configuration", "getAction": "No", "postJson": "No", "openApi": "No", "mcp": "No", "a2a": "No", "memory": "No", "evidence": "Required for client configuration" }, { "level": "L1", "client": "URL synthesizer", "staticHtml": "Yes", "llmsTxt": "Yes", "sitemap": "Yes", "json": "Yes", "getAction": "Required for client configuration", "postJson": "No", "openApi": "No", "mcp": "No", "a2a": "No", "memory": "No", "evidence": "Required for client configuration" }, { "level": "L2", "client": "Schema-capable agent", "staticHtml": "Yes", "llmsTxt": "Yes", "sitemap": "Yes", "json": "Yes", "getAction": "Required for client configuration", "postJson": "Yes", "openApi": "Yes", "mcp": "Required for client configuration", "a2a": "Required for client configuration", "memory": "No", "evidence": "Yes" }, { "level": "L3", "client": "Tool agent", "staticHtml": "Yes", "llmsTxt": "Yes", "sitemap": "Yes", "json": "Yes", "getAction": "Human review", "postJson": "Yes", "openApi": "Yes", "mcp": "Required for client configuration", "a2a": "Required for client configuration", "memory": "Human review", "evidence": "Yes" }, { "level": "L4", "client": "Workflow agent", "staticHtml": "Yes", "llmsTxt": "Yes", "sitemap": "Yes", "json": "Yes", "getAction": "Human review", "postJson": "Yes", "openApi": "Yes", "mcp": "Required for client configuration", "a2a": "Required for client configuration", "memory": "Human review", "evidence": "Yes" }, { "level": "L5", "client": "Multi-agent runtime", "staticHtml": "Yes", "llmsTxt": "Yes", "sitemap": "Yes", "json": "Yes", "getAction": "Human review", "postJson": "Yes", "openApi": "Yes", "mcp": "Required for client configuration", "a2a": "Yes", "memory": "Human review", "evidence": "Yes" }, { "level": "L6", "client": "Audited agent system", "staticHtml": "Yes", "llmsTxt": "Yes", "sitemap": "Yes", "json": "Yes", "getAction": "Human review", "postJson": "Yes", "openApi": "Yes", "mcp": "Required for client configuration", "a2a": "Yes", "memory": "Human review", "evidence": "Yes" } ], "no_op_default": "If the required surface is unavailable, return a public review URL or unsupported-capability explanation and stop.", "safety_boundary": "UAIX records are evidence-bearing review artifacts. They do not authorize execution. Local policy and server-side authorization win.", "support_boundary": "Agent runtimes execute. UAIX records the reviewed communication, memory, trust, evidence, and handoff boundary.", "agent_executability_matrix": { "title": "UAIX Agent Executability Matrix", "status": "active", "package_version": "3.84.0", "release_date": "2026-06-10", "last_updated_utc": "2026-06-10T00:00:00Z", "canonical_url": "https://uaix.org/spec/agent-executability-matrix.json", "human_page": "https://uaix.org/en-us/spec/", "dogfood_failure": "The Carcinus blank-agent test showed that correct machine-readable endpoint discovery is not enough when a browser-limited agent cannot execute arbitrary JSON POST.", "levels": [ { "level": "L0", "label": "Read-only route discovery", "agent_ability": "Can open public URLs and read static text.", "executable_requirement": "Publish static HTML, sitemap, llms.txt, and public GET records that name the next public URL or no-op review URL." }, { "level": "L1", "label": "Machine-readable manifest/schema discovery", "agent_ability": "Can fetch compact JSON manifests and schemas.", "executable_requirement": "Identify safe-read records, capability limits, unsupported actions, and diagnostic routes without implying write authority." }, { "level": "L2", "label": "Browser-open plus form submission", "agent_ability": "Can use visible browser pages and submit ordinary forms, but cannot send arbitrary JSON POST.", "executable_requirement": "Publish a browser form or browser-open workflow for browser-targeted writes, or publish a no-op/human-review fallback." }, { "level": "L3", "label": "Structured HTTP JSON POST", "agent_ability": "Can send structured HTTP JSON POST with content type and body.", "executable_requirement": "Publish method, content type, required fields, result URL field, restore/readback URL field, and structured error behavior." }, { "level": "L4", "label": "Authenticated owned mutation", "agent_ability": "Can use an owner write token or secret under explicit handling rules.", "executable_requirement": "Publish credential handling, write-token response path, idempotency, audit, expiry, and secret boundaries." }, { "level": "L5", "label": "Restore/readback verification", "agent_ability": "Can verify that a create or update flow produced a durable public-safe result.", "executable_requirement": "Expose a public-safe restore or readback route so another agent can verify the result without guessing private endpoints." }, { "level": "L6", "label": "Multi-agent handoff/reporting", "agent_ability": "Can create or consume handoff/reporting records across agents.", "executable_requirement": "Publish task history, owner, role, final report, blocker/no-op behavior, and public-safe evidence records." }, { "level": "L7", "label": "Site-specific capability negotiation", "agent_ability": "Can negotiate site-specific capabilities and select the matching route.", "executable_requirement": "Publish capability negotiation, browser fallback, POST fallback, and unsupported-operation response." } ], "route_record_required_fields": [ "method", "content_type", "side_effect_status", "required_fields", "result_url_field", "restore_readback_url_field", "write_credential_response_path", "browser_form_equivalent", "get_safety", "post_blocked_fallback" ], "validation_warnings": [ { "id": "side_effecting_get_discovery_warning", "severity": "warning", "rule": "Warn when a side-effecting GET link is presented as a general discovery shortcut." }, { "id": "browser_form_fallback_required", "severity": "warning", "rule": "Warn when POST-only guidance targets browser agents but provides no browser-form fallback." }, { "id": "restore_readback_required", "severity": "warning", "rule": "Warn when create or update guidance lacks a restore/readback URL and makes agents guess private endpoints." }, { "id": "dashboard_default_path_warning", "severity": "warning", "rule": "Warn when dashboard or custom-template paths are presented as the default while generated profile, memory, or package paths exist." }, { "id": "post_blocked_fallback_required", "severity": "warning", "rule": "Warn when a POST path omits the fallback behavior for agents that cannot execute arbitrary JSON POST." } ], "route_record_example": { "route": "/api/v2/agent/bootstrap", "method": "POST", "content_type": "application/json", "side_effect_status": "creates-public-resource", "required_fields": [ "identity", "activationPrompt", "operatingProfile" ], "result_url_field": "urls.publicHtml", "restore_readback_url_field": "urls.restoreProfile", "write_credential_response_path": "bot.writeToken", "browser_form_equivalent": "/profile-microsite", "get_safety": "GET diagnostics only; not side-effecting", "post_blocked_fallback": "Use the browser form path or return human_review_required with a public help URL." }, "support_boundary": "UAIX records executable guidance, capability boundaries, validation warnings, and handoff evidence. Agent runtimes execute elsewhere." }, "route_record_required_fields": [ "method", "content_type", "side_effect_status", "required_fields", "result_url_field", "restore_readback_url_field", "write_credential_response_path", "browser_form_equivalent", "get_safety", "post_blocked_fallback" ] }