uaaps
diff --git a/‎docs/spec/02-manifest.md‎
Lines changed: 46 additions & 4 deletions b/‎docs/spec/02-manifest.md‎
Lines changed: 46 additions & 4 deletions
diff --git a/‎docs/spec/10-migration.md‎
Lines changed: 72 additions & 0 deletions b/‎docs/spec/10-migration.md‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎docs/spec/11-packaging.md‎
Lines changed: 213 additions & 9 deletions b/‎docs/spec/11-packaging.md‎
Lines changed: 213 additions & 9 deletions
@@ -74,9 +74,18 @@ The manifest is the **single required file**. It identifies the package and decl
 
   // === PERMISSIONS (optional) ===
   "permissions": {                              // Requested agent capabilities
-    "fs": ["read", "write"],                    // Filesystem access scope
-    "network": ["api.github.com"],              // Allowed network hosts
-    "shell": false                              // Allow arbitrary shell execution
+    "fs": {                                     // Filesystem access — path-scoped
+      "read":  ["src/**", "docs/**"],           //   Glob patterns the package may read
+      "write": ["output/**", ".cache/**"]       //   Glob patterns the package may write/delete
+    },
+    "network": {                                // Network access
+      "hosts": ["api.github.com", "*.npmjs.org"], // Exact host or wildcard subdomain
+      "schemes": ["https"]                      // Allowed URI schemes (https | http | wss)
+    },
+    "shell": {                                  // Shell execution
+      "allow": true,                            //   false = no shell; true = allow listed binaries
+      "binaries": ["git", "npm", "python3"]     //   Explicit allow-list (ignored when allow=false)
+    }
   },
 
   // === QUALITY (optional) ===
@@ -104,7 +113,17 @@ The manifest is the **single required file**. It identifies the package and decl
   "hooks": "./hooks/hooks.json",                // Default: ./hooks/hooks.json
   "mcp": "./mcp/servers.json",                  // Default: ./mcp/servers.json
 
+  // === INSTALL MODE (optional, for adoption transitioning) ===
+  "installMode": {                              // Default: "uaaps" for all platforms
+    "default": "uaaps",                         // "uaaps" | "plugin"
+    "claude-code": "plugin",                    // Per-platform override
+    "cursor": "uaaps"
+  },
+
   // === VENDOR EXTENSIONS (optional) ===
+  // Keys MUST be "x-<vendor-id>" where vendor-id matches [a-z0-9-], max 32 chars.
+  // Values MUST be JSON objects (not scalars or arrays).
+  // Tools MUST silently ignore unrecognised x-* keys.
   "x-claude": {
     "marketplace": "anthropics/skills"
   },
@@ -135,7 +154,7 @@ dependencies:
   code-review: "^1.0.0"
 
 x-claude:
-  marketplace: anthropics/skills
+  marketplace: anthropics/skills   # x-<vendor-id>, value MUST be an object
 
 x-cursor:
   category: Developer Tools
@@ -146,6 +165,29 @@ x-cursor:
 - CLI tools (`aam install`, etc.) generate `package.agent.json` as the canonical output.
 - Lock files (`package.agent.lock`) are always JSON.
 
+### Vendor Extensions
+
+Vendor extensions allow platforms and tools to attach platform-specific metadata to a package manifest without conflicting with the core schema.
+
+#### Naming Rules
+
+- Keys MUST use the prefix `x-<vendor-id>`, where `vendor-id` is a lowercase alphanumeric slug matching `[a-z0-9-]+`, maximum 32 characters (e.g. `x-claude`, `x-cursor`, `x-copilot`).
+- The `vendor-id` SHOULD match either a registered platform identifier from the [compatibility matrix](09-compatibility.md) or the package's own scope identifier (e.g. `x-myorg` for `@myorg/` scoped packages).
+- Extension values MUST be JSON objects. Scalar values (strings, booleans, numbers) and arrays MUST NOT be used as the top-level value of an `x-*` key.
+- Packages SHOULD NOT declare more than **5** `x-*` keys. `aam validate` MUST warn when more than 5 are present (see §16 Validation).
+
+#### Interoperability Rules
+
+- Tools and runtimes MUST silently ignore unrecognised `x-*` keys. Tools MUST NOT error or refuse to install a package solely because of an unknown `x-*` key.
+- Registry indexing: only `x-<known-platform>` keys (those matching a registered platform) are indexed and searchable. Unknown `x-*` keys are stored but not indexed.
+- Registry validation SHOULD produce a `WARN`-level diagnostic for `x-*` keys that do not match any registered platform identifier, to alert the author that the key will not be indexed.
+
+#### Conflict Avoidance
+
+- Two packages MUST NOT declare the same `x-*` key with structurally incompatible schemas. The registry MAY enforce a canonical JSON Schema per registered `x-<vendor>` key.
+- Authors MUST NOT use another vendor's registered `x-*` key to override or shadow that vendor's metadata.
+- Private extensions for in-house tooling SHOULD use the package owner's scope as the vendor-id (e.g. `x-myorg`) to avoid collisions with future registered platforms.
+
 ### Vendor Mapping
 
 | Manifest Field | Claude Code (`plugin.json`) | Cursor (`.cursor-plugin/plugin.json`) |
 
@@ -58,3 +58,75 @@ alwaysApply: false                         alwaysApply: false
 ```
 
 The formats are functionally identical. Only the file extension changes.
+
+---
+
+## 11.1 Install Mode — Smooth Adoption Before Full Vendor Implementation
+
+The `installMode` field in `package.agent.json` allows a package author to declare how the package SHOULD be deployed on platforms that have not yet natively implemented the UAAPS standard. This enables smooth adoption: one package can target both UAAPS-native environments and platforms still using their own plugin system.
+
+### Mode Values
+
+| Value | Install target | When to use |
+|-------|---------------|-------------|
+| `uaaps` (default) | `.agent-packages/` — full UAAPS layout | Platform supports UAAPS natively |
+| `plugin` | Vendor-native location (see table below) | Platform uses its own plugin system |
+
+### `installMode` in `package.agent.json`
+
+```jsonc
+{
+  "name": "@myorg/code-review",
+  "version": "1.0.0",
+
+  // Omit entirely to use "uaaps" for all platforms (recommended default)
+  "installMode": {
+    "default": "uaaps",          // Fallback for any platform not listed
+    "claude-code": "plugin",     // Deploy as native Claude Code plugin
+    "cursor": "uaaps"            // Deploy via UAAPS on Cursor
+  }
+}
+```
+
+A scalar string shorthand MAY be used when the same mode applies to all platforms:
+
+```jsonc
+"installMode": "plugin"   // plugin mode on every platform
+```
+
+### Plugin Mode — Vendor-Native Deploy Targets
+
+When `installMode` resolves to `"plugin"` for a given platform, the `aam` CLI translates and deploys artifacts to the platform's native location using the same mapping logic as `aam pkg build --target <platform>` (see §12.4):
+
+| Platform | `plugin` mode install target |
+|----------|-----------------------------|
+| `claude-code` | `.claude/` (skills, commands, agents, hooks) |
+| `cursor` | `.cursor/rules/` (rules as `.mdc`), `.cursor/skills/` |
+| `copilot` | `.github/instructions/`, `.github/agents/`, `.github/skills/` |
+| `codex` | `AGENTS.md` composite inject |
+
+### CLI Override
+
+Users MAY override the manifest declaration at install time:
+
+```bash
+# Force plugin mode regardless of manifest
+aam install @myorg/code-review --install-mode plugin
+
+# Force uaaps mode regardless of manifest
+aam install @myorg/code-review --install-mode uaaps
+
+# Target a specific platform's plugin layout
+aam install @myorg/code-review --install-mode plugin --platform claude-code
+```
+
+### Deprecation Path
+
+Once a platform vendor implements UAAPS natively, `"plugin"` mode for that platform becomes a no-op — the `aam` CLI SHOULD silently promote it to `"uaaps"` and emit an informational message:
+
+```
+⚠ installMode "plugin" for claude-code is ignored — platform supports UAAPS natively.
+  Update package.agent.json to remove the per-platform override.
+```
+
+Package authors SHOULD remove per-platform `plugin` overrides once the target platform is listed as UAAPS-native in the compatibility matrix (§10).
@@ -2,31 +2,235 @@
 
 ### UAAPS Registry
 
-Packages are published to and installed from a **UAAPS registry** — an HTTP server implementing the UAAPS registry protocol. The official public registry is `registry.agentpkg.io`; organizations can self-host a private registry.
+UAAPS supports two registry types that share the same package format (`.aam` archives) but differ in transport:
+
+| Type | When to use |
+|------|-------------|
+| **Local filesystem** | Offline use, air-gapped environments, CI mirrors, monorepos |
+| **HTTP remote** | Public registry, private org registry, hosted SaaS |
+
+The `aam` CLI auto-detects the registry type from the URL scheme:
 
 ```bash
-# Install from the default registry
-aam install @myorg/code-review
+# HTTP remote registry
+aam install @myorg/code-review --registry https://aamregistry.io
 
-# Install from a private registry
-aam install @myorg/code-review --registry https://pkg.myorg.internal/aam
+# Local filesystem registry
+aam install @myorg/code-review --registry file:///opt/aam-registry
 
-# Publish to a registry
-aam pkg publish --registry https://pkg.myorg.internal/aam
+# Default registry (HTTP, configured in ~/.aam/config.yaml)
+aam install @myorg/code-review
 ```
 
 Registry configuration is managed in `~/.aam/config.yaml` or `.aam/config.yaml`:
 
 ```yaml
 registries:
-  default: https://registry.agentpkg.io
+  default: https://aamregistry.io
   sources:
-    - name: myorg
+    - name: myorg-remote
       url: https://pkg.myorg.internal/aam
+      auth: token                          # see §12.6 for auth types
+    - name: myorg-local
+      url: file:///opt/aam-registry
 ```
 
 > Other distribution channels (Git marketplace, npm bridge, direct install, project-bundled) are supported by the `aam` CLI — see `aam_cli_new.md`.
 
+### 12.5 Local Filesystem Registry
+
+A local filesystem registry is a **directory tree** on disk following a defined layout. No server process is required. It is suitable for offline installs, CI artifact mirrors, and air-gapped enterprise environments.
+
+#### Directory Layout
+
+```
+<registry-root>/
+├── index.json                          # Full package index (all packages + versions)
+├── packages/
+│   ├── code-review/                    # Unscoped package
+│   │   ├── meta.json                   # Package metadata (all versions)
+│   │   └── versions/
+│   │       ├── 1.0.0.aam
+│   │       ├── 1.0.0.aam.sha256        # Detached SHA-256 checksum
+│   │       ├── 1.1.0.aam
+│   │       └── 1.1.0.aam.sha256
+│   └── myorg--code-review/             # Scoped package (@myorg/code-review)
+│       ├── meta.json
+│       └── versions/
+│           ├── 2.0.0.aam
+│           └── 2.0.0.aam.sha256
+└── dist-tags.json                      # Global dist-tag → version map
+```
+
+#### `index.json`
+
+A flat list of all packages in the registry. Implementations MUST regenerate this file after every publish or unpublish operation.
+
+```json
+{
+  "formatVersion": 1,
+  "updatedAt": "2026-02-22T14:00:00Z",
+  "packages": [
+    { "name": "code-review",         "latest": "1.1.0", "versions": ["1.0.0", "1.1.0"] },
+    { "name": "@myorg/code-review",  "latest": "2.0.0", "versions": ["2.0.0"] }
+  ]
+}
+```
+
+#### `packages/<name>/meta.json`
+
+Per-package metadata covering all published versions.
+
+```json
+{
+  "name": "@myorg/code-review",
+  "versions": {
+    "2.0.0": {
+      "version": "2.0.0",
+      "description": "Code review skills for myorg",
+      "author": "myorg",
+      "publishedAt": "2026-02-20T10:00:00Z",
+      "integrity": "sha256-abc123...",
+      "tarball": "versions/2.0.0.aam"
+    }
+  },
+  "dist-tags": {
+    "latest": "2.0.0",
+    "stable": "2.0.0"
+  }
+}
+```
+
+#### `dist-tags.json`
+
+Registry-wide dist-tag snapshot for fast tag resolution without reading every `meta.json`.
+
+```json
+{
+  "code-review":        { "latest": "1.1.0", "stable": "1.0.0" },
+  "@myorg/code-review": { "latest": "2.0.0" }
+}
+```
+
+#### Filesystem Registry Rules
+
+| Rule | Requirement |
+|------|-------------|
+| Package directory name MUST use the `scope--name` mapping (§12.2) | MUST |
+| Every `.aam` file MUST have a sibling `.aam.sha256` file | MUST |
+| `index.json` MUST be regenerated atomically after each mutation | MUST |
+| Symlinks outside the registry root are forbidden | MUST NOT |
+| The registry root MAY be read-only (install-only mirror) | MAY |
+
+#### CLI Commands for Local Registries
+
+```bash
+# Initialise a new local registry
+aam registry init file:///opt/aam-registry
+
+# Publish a package to a local registry
+aam pkg publish --registry file:///opt/aam-registry
+
+# Rebuild index.json after manual archive placement
+aam registry reindex file:///opt/aam-registry
+
+# List all packages in a local registry
+aam registry ls file:///opt/aam-registry
+```
+
+---
+
+### 12.6 HTTP Registry Protocol
+
+> **Status: Skeleton** — endpoint signatures and auth model are defined below. Full request/response schemas, pagination rules, rate-limit headers, and error codes will be detailed in a dedicated Registry Protocol document in a future spec revision.
+
+An HTTP registry is an HTTPS server implementing the UAAPS Registry Protocol. The official public registry is `https://aamregistry.io`. Organizations MAY self-host a private registry.
+
+#### Base URL
+
+All endpoints are relative to the registry base URL. Implementations MUST serve the API over HTTPS. Plain HTTP MUST NOT be used for registries handling private packages or authentication tokens.
+
+#### Endpoint Index
+
+> **TODO**: This is a preliminary endpoint list and is not final. Additional endpoints (e.g. search, package transfer, org management, audit log) will be added in the Registry Protocol document.
+
+| Method | Path | Purpose | Auth required |
+|--------|------|---------|--------------|
+| `GET` | `/` | Registry metadata & capabilities | No |
+| `GET` | `/packages` | List all packages (paginated) | No (public) / Yes (private) |
+| `GET` | `/packages/:name` | Package metadata (all versions) | No (public) / Yes (private) |
+| `GET` | `/packages/:name/:version` | Single version metadata | No (public) / Yes (private) |
+| `GET` | `/packages/:name/:version/tarball` | Download `.aam` archive | No (public) / Yes (private) |
+| `GET` | `/packages/:name/:version/signature` | Fetch signature bundle | No |
+| `GET` | `/packages/:name/dist-tags` | List dist-tags for package | No |
+| `PUT` | `/packages/:name/dist-tags/:tag` | Set a dist-tag | Yes |
+| `DELETE` | `/packages/:name/dist-tags/:tag` | Remove a dist-tag | Yes |
+| `POST` | `/packages` | Publish a new package version | Yes |
+| `DELETE` | `/packages/:name/:version` | Unpublish a version | Yes |
+| `GET` | `/approvals` | List pending approval requests | Yes |
+| `POST` | `/approvals/:id/approve` | Approve a publish request | Yes |
+| `POST` | `/approvals/:id/reject` | Reject a publish request | Yes |
+
+#### Authentication
+
+HTTP registries MAY require authentication. The `aam` CLI supports the following auth types, configured per registry in `~/.aam/config.yaml`:
+
+| Auth type | Config value | Transport |
+|-----------|-------------|-----------|
+| No auth (public) | `auth: none` | — |
+| Static token | `auth: token` | `Authorization: Bearer <token>` header |
+| OIDC / Sigstore keyless | `auth: oidc` | Short-lived token via OIDC provider |
+| Basic (legacy, not recommended) | `auth: basic` | `Authorization: Basic <base64>` header |
+
+```yaml
+# ~/.aam/config.yaml
+registries:
+  sources:
+    - name: myorg
+      url: https://pkg.myorg.internal/aam
+      auth: token
+      token: "${MYORG_AAM_TOKEN}"       # resolved from environment variable
+```
+
+Tokens MUST be stored in environment variables or a secrets manager. Tokens MUST NOT be committed to version control. The `aam login` command handles interactive token acquisition and secure local storage.
+
+```bash
+aam login --registry https://pkg.myorg.internal/aam   # interactive login
+aam logout --registry https://pkg.myorg.internal/aam  # remove stored credential
+aam whoami --registry https://pkg.myorg.internal/aam  # show current identity
+```
+
+#### Error Response Format
+
+All error responses MUST use `application/json` with this structure:
+
+```json
+{
+  "error": {
+    "code": "PACKAGE_NOT_FOUND",
+    "message": "Package @myorg/code-review@3.0.0 does not exist.",
+    "docs": "https://aamregistry.io/errors/PACKAGE_NOT_FOUND"
+  }
+}
+```
+
+#### Standard Status Codes
+
+| Code | Meaning |
+|------|---------|
+| `200` | Success |
+| `201` | Published successfully |
+| `400` | Malformed request |
+| `401` | Authentication required |
+| `403` | Insufficient permissions |
+| `404` | Package or version not found |
+| `409` | Version already exists (publish conflict) |
+| `422` | Validation failed (manifest schema error) |
+| `429` | Rate limit exceeded |
+| `503` | Registry temporarily unavailable |
+
+> Full pagination headers, rate-limit headers, conditional request support (`ETag`, `If-None-Match`), and approval workflow request/response bodies will be defined in the Registry Protocol document.
+
 ### 12.1 Archive Distribution Format
 
 Packages are distributed as **`.aam` archives** (gzipped tar), providing a binary-safe, single-file distribution unit.