A transparency log, not a certification authority.
The OAP Registry is the public, append-only Git repository that anchors every Conformance Receipt produced under RFC 0019. It lives at openagentprotocol-OAP/oap-registry. Its history is the canonical transparency log. Anyone may operate a mirror.
What the Registry stores
implementations/<slug>.json: one file per implementation, listing its DID, Manifest URI, claimed Conformance Level, Receipt URI, Receipt SHA-256, and validity window.revocations/<slug>-<hash>.json: one file per revocation event, signed by the implementation\'s DID or by three peer witnesses (forced revocation).peer-witnesses/<witness-slug>.json: optional self-attested entries used to discover potential peer witnesses for L4 and L5 candidates.
CI gate (RFC 0026 section 6)
Every Pull Request to the Registry runs the following checks. The PR is merge-able only if every check passes:
- Schema. All listings validate against the Registry schema (Ajv 2020).
- DID resolution. The listing\'s
tool_didresolves to a valid DID Document. - Manifest reachability. The Manifest URI returns 200 within 10 seconds and the Manifest\'s
tool_didmatches the listing. - Receipt fetch and hash. The Receipt URI returns 200, body SHA-256 matches the listing.
- Receipt signature. The Receipt signature verifies against the public key in the DID Document.
- Receipt validity. Current time is before
expires_at; validity window is at most 90 days. - Peer witnesses (L4+). At least one (L4) or three (L5) signatures by listed peer-witness DIDs that themselves hold valid L4+ Receipts.
- Sybil filter. The DID domain is at least 30 days old (whois). Newer implementations may be added with a
provisional: trueflag. - Append-only. The PR does not modify or delete previously merged files except the implementation\'s own current listing.
How to submit
- Generate a signed Conformance Receipt: see Certification.
- Publish the Receipt at a stable URL on your own domain.
- Fork openagentprotocol-OAP/oap-registry.
- Add
implementations/<your-slug>.json. The schema is inschemas/implementation.schema.json. - Open a Pull Request. CI runs every check above. A Maintainer reviews and merges if everything passes.
- Re-submit a new Receipt before
expires_atto remain listed.
Why a Git repository
A centralized server would meet the discovery, verification, and revocation goals but would reintroduce the central authority that the OAP community has explicitly rejected. A blockchain would meet all four (including sybil resistance) but would force every participant to operate or trust a chain. A Git repository under a public organization, with branch protection, CI-enforced validation, and standard mirroring, meets all four with tooling every developer already uses, and yields a transparency log that any verifier can re-validate from any clone in seconds.
References: RFC 0026, RFC 0019, Conformance Levels, Certification.