What this page is for
Use this page as the public go-live gate for the UAIX launch surface. It collects the checks that should agree before a broad public push: route inventory, discovery files, package evidence, response hardening, accessibility QA, locale QA, release notes, and support-claim boundaries.
Go-live gate
- Confirm clean public routes and root discovery files through /.well-known/uaix.json, /sitemap.xml, API Reference, and the route inventory in launch audits.
- Confirm the current distributable packages, smoke tests, conformance packet, validator behavior, and implementation evidence are all attached before describing a release as ready for public review.
- Confirm Policy and Security, Privacy and Data, Accessibility, and Analytics still match observable site behavior.
- Confirm English, zh-CN, French, and Spanish copy are updated together for any public page, route, support panel, release note, or launch claim that changed.
- Record public-facing launch changes through the Changelog and News before asking external readers to treat the new state as current truth.
Production response surface
The response-header checks below are the current app-level hardening record for WordPress-rendered pages and REST responses. Use them beside deployment checks for HTTPS redirect, HSTS, direct static-file parity, and host-added version headers.
X-Content-Type-Options
nosniff
Prevents content-type sniffing on public standards pages and machine-readable routes.
Applies to: Public HTML, JSON, XML, and similar WordPress-rendered responses.
Referrer-Policy
strict-origin-when-cross-origin
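Further narrows cross-origin referrer leakage while preserving same-origin debugging context.
Applies to: Public documentation and API responses that may generate outbound requests.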
Permissions-Policy
accelerometer=(), browsing-topics=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()
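Explicitly declares that the launch surface does not depend on privileged browser capabilities or on Topics-based advertising features.
Applies to: Public WordPress-rendered pages and machine-facing routes.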
X-Frame-Options
SAMEORIGIN
Blocks third-party framing while preserving same-origin editing and preview flows.
Applies to: Public WordPress-rendered pages and JSON responses.
Content-Security-Policy
frame-ancestors 'self'
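Makes the framing boundary explicit in modern browsers without prematurely claiming a broader site-wide CSP.
Applies to: Public WordPress-rendered pages and machine-facing routes.
Strict-Transport-Security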
max-age=31536000; includeSubDomains
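Pins later browser visits to HTTPS on the canonical launch host rather than relying on policy copy alone.
Applies to: Public WordPress-rendered HTML and REST responses when the request is served over HTTPS.
Currently in effect
Currently observable on WordPress responses
- X-Pingback has been removed from public responses.
- If the launch environment still appends host-level or proxy-level version headers after WordPress runs, those headers still need to be suppressed on the server side.
- These response headers now ship with public WordPress-rendered HTML and REST responses, rather than existing only as planned items in roadmap copy.
Deployment gaps
Still owned by the host or edge layer
- HTTP-to-HTTPS redirect and HSTS coverage for directly served static files still belong to the launch host or CDN edge layer, because the local Studio environment uses plain HTTP.
- Any directly served static root file should be checked at the server or edge layer to confirm that its response headers stay consistent with the WordPress-rendered trust posture.
- Any host-level version exposure that the deployment stack appends outside WordPress, such as proxy or PHP signature headers, should be suppressed at the corresponding layer.
- Broader CSP directives should be added only after production-facing resource and embed behavior has been verified against the launch host.
Scope boundary: The current response-header layer applies to public WordPress front-end and REST responses, including validator and machine-facing review routes; HSTS is sent only on HTTPS requests.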
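An added example, not part of the UAIX page or project code: a Python check that compares one response's headers against the record above, including the HTTPS-only HSTS rule and the headers that should be suppressed. The sample responses are constructed, and treating X-Powered-By as the PHP signature header is an assumption.

```python
import re

# Expected values copied from the response-header record above.
EXACT = {"x-content-type-options": "nosniff", "x-frame-options": "sameorigin",
         "referrer-policy": "strict-origin-when-cross-origin"}
DENIED = ("accelerometer browsing-topics camera geolocation gyroscope "
          "magnetometer microphone payment usb").split()
# Assumption: X-Powered-By stands in for "PHP signature headers"; extend per stack.
SUPPRESSED = ("x-pingback", "x-powered-by")

def audit_headers(raw, https):
    """Return findings for one response; an empty list means it matches the record."""
    h = {k.lower(): v.strip() for k, v in raw.items()}
    out = [f"{n}: expected {want}" for n, want in EXACT.items()
           if h.get(n, "").lower() != want]
    # Permissions-Policy: each listed feature needs an empty allowlist "()".
    pairs = [p.split("=", 1) for p in h.get("permissions-policy", "").split(",") if "=" in p]
    policy = {k.strip(): v.strip() for k, v in pairs}
    out += [f"permissions-policy: {f} not denied" for f in DENIED if policy.get(f) != "()"]
    # CSP: the page claims only frame-ancestors 'self', so nothing else is required.
    csp = [d.split() for d in h.get("content-security-policy", "").split(";")]
    if ["frame-ancestors", "'self'"] not in csp:
        out.append("content-security-policy: frame-ancestors 'self' missing")
    # HSTS is sent on HTTPS requests only, so plain-HTTP responses are not checked.
    if https:
        hsts = h.get("strict-transport-security", "").lower()
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:
            out.append("strict-transport-security: max-age below 31536000")
        if "includesubdomains" not in hsts:
            out.append("strict-transport-security: includeSubDomains missing")
    out += [f"{n}: should be suppressed" for n in SUPPRESSED if n in h]
    if re.search(r"/\d", h.get("server", "")):  # product/version token in Server
        out.append("server: exposes a version string")
    return out

# Constructed sample responses (not captured from the UAIX site).
WP_PAGE = {
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": ", ".join(f + "=()" for f in DENIED),
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
STATIC_FILE = {"Content-Type": "text/plain", "Server": "nginx/1.0", "X-Powered-By": "PHP"}

if __name__ == "__main__":
    print(audit_headers(WP_PAGE, https=True), audit_headers(STATIC_FILE, https=True))
```

Running the same function over a directly served root file and a WordPress-rendered page shows whether the host or edge layer has reached header parity.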
Release evidence packet
The readiness map below keeps validator evidence, implementation evidence, package proof, and support language in one review path. A passing validator result is useful evidence, but the launch gate is the full packet plus public release trail.
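Stage 1
Validated packet
A published fixture or candidate message has passed the current public-record checks.
- Immediately usable for review, debugging, and regression work.
- It remains only evidence until the result is attached to a named release path.
Stage 2
Publishable packet
The passing result now travels with the implementation version, artifact links, and discovery context.
- Keep the checked packet, validator export, artifact URLs, and compatibility notes together.
- This is the handoff point for launch review, packaging, and repeatable QA.
Stage 3
Public support claim
The named implementation track and release trail now state what is publicly supported and what remains out of scope.
- Limit the claim to the exact profiles, transport bindings, and owner path that were actually published.
- Use the current conformance level and release links so other readers can verify the same state.
Packet contents
What the reusable machine packet already contains
- The current release packet already contains 57 profiles, 57 schemas, and 57 examples from the live public record.
- Catalog, discovery, field-order, transport, trust, conformance, and error guidance are gathered in one JSON handoff packet.
- Validator and API Reference entry points for repeatable launch review and automation.
- A quick-start path for turning one published profile into a reviewable release packet.
Human-facing release context
What the packet still needs the public site to supply
- The implementation version, owner path, and the precise support boundary being claimed.
- Changelog or News links that explain what changed in this release.
- The Policy and Security posture, attached when a release changes behavior with trust impact.
- Conformance-level wording, so that the public claim is narrower than the packet itself.
Current public conformance levels: Once the packet becomes part of a named release and implementation record, use these levels to constrain public wording.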
L1-core-envelope
L1 Core Envelope
Produce or consume keyed UAI envelopes for named profiles without changing the canonical root fields.
- Preserve uai_version, profile, message_id, source, target, conversation, delivery, trust, body, provenance, integrity, and extensions.
- Name the exact profile and release for every support claim.
- Do not claim runtime execution from envelope support alone.
Public claim: May claim L1 only for the exact named profiles whose canonical envelope round-trips successfully.
L2-profile-validation
L2 Profile Validation
Pass published schema and validator checks for the exact profiles claimed.
- Resolve schemas, registry entries, examples, and field registry records from public UAIX routes.
- Pass positive fixtures and fail required negative fixtures for each claimed profile.
- Keep skipped checks and validator warnings attached to evidence.
Public claim: May claim L2 only for profiles with validator-backed evidence.
L3-trust-and-integrity
L3 Trust and Integrity
Preserve trust metadata, replay-window hints, provenance, integrity, and trace continuity.
- Declare trust channel and principal.
- Preserve integrity canonicalization and checksum metadata.
- Validate signed, credentialed, did+vc, and trace metadata when claimed.
Public claim: May claim L3 only for the trust channels and integrity behavior proven by fixtures.
L4-public-record-publisher
L4 Public Record Publisher
Publish the discoverable public artifacts needed for external inspection and reproduction.
- Publish discovery, schemas, registry, examples, field registry, transport bindings, trust channels, error registry, conformance levels, validator guidance, changelog, and release evidence.
- Keep sitemap, llms.txt, and public navigation aligned with current routes.
- Avoid private logs or screenshots as the only support evidence.
Public claim: May claim L4 only for the public release surface that is discoverable and evidenced.
L5-agent-communication-profiles
L5 Agent Communication Profiles
Support the eight uai.agent.*.v1 profiles as canonical UAI-1 envelope records.
- Validate agent message, ack, task-status, blocker, memory-proposal, handoff, final-report, and correction profiles.
- Reject secret-like memory proposals, unsafe blockers, cold-memory direct promotion, and incomplete final reports.
- Carry the UAIX support boundary in relevant records.
Public claim: May claim L5 only for the specific agent profiles with passing positive and negative conformance cases.
L6-reliable-delegation-idempotency-correlation
L6 Reliable Delegation with Idempotency and Correlation
Use idempotency, correlation, retry, lifecycle, timeout, fallback, acknowledgement, and expected-output rules for delegated work.
- Require delivery.idempotency_key for each distinct delegated or destructive operation.
- Preserve conversation.correlation_id across related messages.
- Declare retry_count, sequence, expires_at, lifecycle, timeout_ms, fallback_directive, and expected_output_schema when delegation is claimed.
Public claim: May claim L6 only for reliable delegation behavior proven by conformance fixtures and receiver behavior.
L7-capability-negotiation
L7 Capability Negotiation
Publish and validate capability discovery, assertions, negotiation failures, and unsupported-capability responses.
- Publish capability statements with exact profiles, bindings, trust channels, conformance levels, and error codes.
- Return capability_not_supported for unsupported capability requests.
- Do not imply certification, official adapter status, hosted messaging, or runtime orchestration.
Public claim: May claim L7 only for the exact capability negotiation flows proven by public fixtures and validator behavior.
Claim rules
Public wording should be limited to published evidence
- Support claims must name the highest achieved level plus the exact profiles, transport bindings, trust channels, and conformance cases implemented.
- A project may claim only profiles, bindings, trust channels, and conformance levels that public fixtures and validator tests prove.
- A passing validator result is evidence, not certification, endorsement, official adapter support, hosted messaging, automatic sync, or runtime execution.
- Public-record claims require discoverable schemas, registry records, examples, field registry records, error codes, conformance pack cases, changelog, and release notes.
- Revalidate support claims when schemas, registry records, field order, examples, validator behavior, implementation version, trust posture, sitemap, or public navigation changes.
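- Conformance evidence does not prove security, privacy, availability, performance, legal compliance, hosted trust infrastructure, or production operations by itself.
- When another team needs to verify the same public state, keep the implementation page, release trail, and citation/discovery links.
Working rule: Use the conformance ladder for wording, but the actual public support boundary should follow the named implementation track and release trail.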
Manual QA gate
- Run keyboard navigation, focus visibility, heading hierarchy, code-block readability, search behavior, validator workflow, and mobile overflow checks across Home, Get Started, UAI-1, Tools, Validator, Governance, Launch Readiness, News, Search, and Sitemap.
- Check that long URLs, tables, route examples, copy buttons, support panels, and downloadable-packet sections remain readable on narrow screens.
- Keep any accessibility-significant fix connected to Accessibility, the release evidence packet, and the dated trail.
Locale copy gate
- Every public route added for launch should render through each enabled locale path with translated title, visible content, page guidance, support panels, and canonical metadata.
- If a page adds new public claims, machine-route labels, policy posture, or release guidance, update enabled-locale copy before the route is treated as launch-ready.
- Use Contact and Review for change packets that explicitly identify locale impact and translation evidence.
What is not claimed
- This page is not a certification program, legal attestation, accessibility badge, security operations desk, or uptime guarantee.
- Do not infer broad production security, partner support, SDK coverage, or permanent compatibility beyond the published records and named implementation tracks.
- Deployment-side obligations such as final DNS, HTTPS redirect, HSTS, CDN behavior, direct static root-file headers, backups, monitoring, and incident response still need production-host verification.
Next step
Use this page with Roadmap, Citation and Contributors, Conformance Pack, and Validator when a release needs to move from local readiness into public launch evidence.