Federated discovery and publishing for AI Agents, Skills, Tools, and Marketplaces.
duadp.org | OSSA ecosystem — DUADP is the discovery layer; OSSA is the identity layer. They are designed to work together.
GitLab: gitlab.com/blueflyio/duadp/duadp | GitHub mirror: github.com/blueflyio/duadp
AI agents need the same foundational infrastructure the internet has: identity, discovery, and governance. DUADP and OSSA together provide a complete open stack:
┌─────────────────────────────────────────────────────────────┐
│ Layer 1 — IDENTITY │
│ OSSA (Open Standard for Software Agents) │
│ openstandardagents.org | npm install @bluefly/openstandardagents │
│ │
│ · Agent DID (W3C decentralized identity) │
│ · Signed manifests (cryptographic provenance) │
│ · Capability permissions │
│ · Cedar policy enforcement (zero-trust bounds) │
│ · NIST SP 800-53 control mapping │
└────────────────────┬────────────────────────────────────────┘
│ secure identity
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 2 — DISCOVERY │
│ DUADP (this repo) │
│ duadp.org | npm install @bluefly/duadp │
│ │
│ · Federated DNS + WebFinger discovery │
│ · Cross-node gossip federation │
│ · Policy-aware capability routing │
│ · 17 MCP tools for agent-to-agent discovery │
│ · Trust-tier gating (community → verified → federal) │
└────────────────────┬────────────────────────────────────────┘
│ policy-filtered
▼
┌─────────────────────────────────────────────────────────────┐
│ Layer 3 — EXECUTION │
│ Your runtime environment │
│ │
│ · Kubernetes / serverless / enterprise platforms │
│ · Claude, OpenAI, Anthropic, LangChain, CrewAI │
│ · Drupal AI Agents, n8n, Temporal, GitLab Duo │
└─────────────────────────────────────────────────────────────┘
| Security requirement | How it's addressed |
|---|---|
| Agent identity & authentication | OSSA manifests + W3C DID (GAID) |
| Authorization & least-privilege | Cedar policies embedded in the manifest |
| Governance & human oversight | Signed manifests + audit log endpoints |
| Cross-system interoperability | DUADP federated discovery |
| Monitoring & incident response | DUADP audit log + attestation API |
| Supply chain security | x-signature + SBOM pointers |
Policy-aware agent discovery example:
// Find federal-verified fraud detection agents across the network
const agents = await client.search({
capability: 'fraud_detection',
trust_tier: 'federal_verified',
has_signature: true,
});DUADP is an open protocol that lets any system discover, publish, and exchange AI capabilities across organizational boundaries. Like DNS for websites or ActivityPub for social networks, DUADP provides a standard way for AI registries, marketplaces, and tools to find each other.
DUADP is THE API. Your Skills API, Marketplace API, Tool Registry — they all speak DUADP. Consumers don't need to know what platform powers a node. A Drupal marketplace, a Flask registry, a static JSON site, and a Kubernetes operator all expose the same endpoints.
Any system that implements a few HTTP endpoints is a DUADP node. There is no required language, framework, or database. Agents are distributed using the .ajson / .jsona (Agent JSON) payload format.
DUADP is the discovery layer of a three-layer agent internet stack:
┌───────────────────────────────────────────────────┐
│ RUNTIME MCP (tools) · A2A (agent-to-agent) │
├───────────────────────────────────────────────────┤
│ DEFINITION OSSA manifests (vendor-neutral) │
├───────────────────────────────────────────────────┤
│ DISCOVERY DUADP (DNS + WebFinger + gossip) │
└───────────────────────────────────────────────────┘
| Web Stack | Agent Stack | Purpose |
|---|---|---|
| DNS | DUADP | Find things on the network |
| OpenAPI | OSSA | Define what a service/agent does |
| HTTP/REST | MCP + A2A | Communicate and execute |
📖 See VISION.md for the full strategic document.
DNS TXT: _duadp.skills.sh → "v=duadp1 url=..."
Your App skills.sh (DUADP node)
| |
| GET /.well-known/duadp.json |
|----------------------------------------->|
| { endpoints: { skills, tools, ... } } |
|<-----------------------------------------|
| |
| GET /api/v1/tools?protocol=mcp |
|----------------------------------------->|
| { data: [...], meta: {...} } |
|<-----------------------------------------|
| |
| POST /api/v1/publish (auth required) |
| { kind: "Skill", metadata: {...} } |
|----------------------------------------->|
| 201 { success: true, resource: {...} } |
|<-----------------------------------------|
DUADP includes a native OS-level protocol handler that bridges the gap between web discovery and local desktop execution. This is the Universal Agent Protocol.
By registering the duadp:// URI scheme on your local machine, any website (like an Agent Marketplace or a tool directory) can trigger secure, native actions on your desktop with a single click—bypassing the need for complex cloud orchestrators or copy-pasting CLI commands.
The true power of this protocol lies in its zero-friction, decentralized execution:
- 1-Click IDE Configuration: Click a link like
duadp://install-mcp?ide=cursoron a website. Your OS intercepts it, wakes the local DUADP CLI offline, pulls the discovery payload from the federated network, and instantly writes the.jsonor.tomlconfiguration directly into your IDE. - Universal Intents (Coming Soon): Imagine clicking
duadp://run?gaid=agent://skills.sh/code-reviewer. Your machine instantly fetches the agent manifest from the decentralized network and executes it locally. - True Web-to-Local Bridge: No webhooks, no API tokens, no cloud proxies. It uses your operating system's native
LaunchServicesto pass web intents directly to your local development environment.
1. Register the Protocol (Once per developer machine):
npx @bluefly/duadp-cli protocol register(This compiles a native macOS .app bundle, binds it to the duadp:// schema via PlistBuddy, and registers it with LaunchServices.)
2. Embed in Your Tools: Any web application can now invoke local DUADP actions using standard HTML links or JavaScript redirects:
<!-- HTML Link -->
<a href="duadp://install-mcp?ide=vscode&force=true">Add to VSCode</a>
<!-- React / JavaScript -->
<button onClick={() => window.location.href = 'duadp://install-mcp?ide=cursor&force=true'}>
Add to Cursor
</button>When clicked, the OS securely launches the duadp protocol handle command, routing the intent to the appropriate local tool (e.g., @bluefly/ide-supercharger).
TypeScript:
import { DuadpClient, resolveGaid } from '@bluefly/duadp';
const client = new DuadpClient('https://skills.sh');
const skills = await client.listSkills({ search: 'code review' });
const tools = await client.listTools({ protocol: 'mcp' });
// Resolve a GAID from anywhere
const { client: c, name } = resolveGaid('agent://skills.sh/skills/web-search');
const skill = await c.getSkill(name);Python:
from duadp import DuadpClient, resolve_gaid
async with DuadpClient("https://skills.sh") as client:
skills = await client.list_skills(search="code review")
tools = await client.list_tools(protocol="mcp")
# Publish (requires token)
await client.publish_skill(my_skill)The simplest node is two static JSON files:
your-site.com/
.well-known/duadp.json <- discovery manifest
duadp/v1/skills <- skills list (static JSON)
Optional DNS TXT record for zero-configuration discovery:
_duadp.your-site.com. IN TXT "v=duadp1 url=https://your-site.com/.well-known/duadp.json"
Or use an SDK to build a dynamic node with publishing, federation, and tools:
TypeScript (Express):
import { createDuadpRouter } from '@bluefly/duadp/server';
app.use(createDuadpRouter({
nodeName: 'My AI Hub',
nodeId: 'did:web:my-hub.com',
baseUrl: 'https://my-hub.com',
federation: { gossip: true, max_hops: 3 },
}, {
listSkills: async (params) => { /* query your store */ },
listTools: async (params) => { /* query your store */ },
publishResource: async (resource, token) => { /* save + return */ },
}));spec/ # The normative specification
README.md # DUADP v0.1.3 spec document
openapi.yaml # OpenAPI 3.1 definition
schemas/ # JSON Schema validation files
sdk/
typescript/ # @bluefly/duadp npm package
python/ # duadp (PyPI)
| File | Role in DUADP | What goes inside? | Why it's best |
|---|---|---|---|
ai.json |
the manifest | protocol version, capabilities, ipfs/cid pointers. | machine-readable identity for automated "handshakes" between agents. |
llms.txt |
the digest | h1 title, project summary, and links to secondary docs. | the standard entry point for crawlers to "map" the project's purpose. |
agents.md |
the manual | build/test commands, file map, and architectural "no-go" zones. | provides context injection so agents don't hallucinate your project structure. |
mcp.json |
the toolkit | tool definitions, resource uris, and prompt templates. | defines the "hands" of the agent via the model context protocol. |
data.md |
the ledger | dataset provenance, training licenses, and hash verification. | ensures decentralized data integrity and legal/ethical compliance. |
contract.md |
the protocol | on-chain addresses, tokenomics, and api pricing/access. | defines how an autonomous agent "pays" or authenticates for services. |
.cursorrules |
the guardrail | project-specific coding logic and "always/never" instructions. | hardcodes your technical standards directly into the agent's reasoning loop. |
prompts/ |
the brain | a directory of specific system instructions for sub-modules. | standardizes how agents behave when interacting with your demo's components. |
| Endpoint | Method | Required | Description |
|---|---|---|---|
/.well-known/duadp.json |
GET | MUST | Node discovery manifest |
/.well-known/webfinger |
GET | SHOULD | Resolve GAID to resource links |
/api/v1/skills |
GET | MUST* | List OSSA-formatted skills |
/api/v1/skills/{name} |
GET | MAY | Get single skill by name |
/api/v1/agents |
GET | MUST* | List OSSA-formatted agents |
/api/v1/tools |
GET | MUST* | List tools (MCP, A2A, etc.) |
/api/v1/publish |
POST | MAY | Publish any resource (auth) |
/api/v1/skills |
POST | MAY | Publish a skill (auth) |
/api/v1/federation |
GET | SHOULD | Peer node list |
/api/v1/federation |
POST | SHOULD | Register as peer (gossip) |
/api/v1/validate |
POST | MAY | Validate a manifest |
/api/v1/health |
GET | SHOULD | Node health status |
/api/v1/search |
GET | MAY | Unified cross-resource search |
/api/v1/index/{gaid} |
GET | MAY | Agent JSON index card |
/api/v1/context/negotiate |
POST | MAY | Context negotiation |
/api/v1/analytics/tokens |
POST | MAY | Report token usage |
/api/v1/analytics/tokens/{agentId} |
GET | MAY | Token analytics for agent |
/api/v1/feedback |
POST | MAY | Submit 360 feedback |
/api/v1/feedback/{agentId} |
GET | MAY | Get agent feedback |
/api/v1/reputation/{agentId} |
GET | MAY | Agent reputation score |
/api/v1/rewards |
POST | MAY | Record reward event |
/api/v1/attestations |
POST | MAY | Submit outcome attestation |
/api/v1/delegate |
POST | MAY | Multi-agent delegation |
/api/v1/orchestration |
POST | MAY | Create orchestration plan |
/api/v1/publish/batch |
POST | MAY | Atomic batch publish (CI/CD) |
/api/v1/validate/batch |
POST | MAY | Batch validation |
/api/v1/agents/{name}/card |
GET | MAY | A2A Agent Card (Google A2A interop) |
/api/v1/tools/mcp-manifest |
GET | MAY | MCP Server Manifest |
/.well-known/mcp |
GET | MAY | MCP well-known discovery |
/api/v1/query |
POST | MAY | Structured query with compound filters |
*At least one of skills, agents, or tools MUST be implemented.
- Tools as first-class resources — MCP servers, A2A tools, function-calling tools alongside skills and agents
- Publishing API — Authenticated write operations for community contributions
- Confidence scoring — Three-tier routing (≥90 auto-publish, 50–89 human review at degraded tier, <50 reject)
- Quality gates — Cedar policy CI gate enforces coverage, security, and confidence before deploy
- DNS TXT discovery —
_duadp.<domain>for zero-configuration node finding - WebFinger resolution — Resolve any GAID URI (like
duadp://) to its DUADP endpoint - Gossip federation — Automatic peer propagation with hop limits
- DID-based identity —
did:web:anddid:key:with DIF standard resolvers - Resource signatures — Ed25519 cryptographic signatures with RFC 8785 canonicalization
- Revocation endpoints —
/api/v1/revocationswith federation gossip propagation - Federated search —
?federated=truequeries peers and merges results - Extensible kinds —
Skill,Agent(via.ajson),Tool, or any custom resource type - Context negotiation — Layered context delivery with priority tiers and knowledge graph sources
- Token analytics — Per-execution and aggregate tracking with efficiency scoring
- 360 feedback — Multi-source feedback (human, agent, system, automated-test) with structured dimensions
- Agent rewards — Reputation boosts, capability unlocks, token credits, and badges
- Outcome attestations — Signed, verifiable task outcome records for portable reputation
- Multi-agent orchestration — DAG/parallel/sequential/adaptive execution across OSSA agent types
- Capability fingerprints — Empirical performance data by domain, task type, and model affinity
- Batch operations — Atomic batch publish/validate for CI/CD pipelines with dry-run support
- A2A Agent Card — Google A2A protocol interop via
/agents/{name}/card - MCP Server Manifest — Expose tools as MCP-compatible server at
/.well-known/mcp - Structured query — Compound filters, sort, field projection, cursor-based pagination
- OAuth2/OIDC — Authorization code + client credentials flows for secure agent auth
- Decentralized — No central registry. Any domain can be a DUADP node. DNS TXT records enable zero-config discovery.
- Federated — Gossip protocol propagates peers automatically. No coordinator needed.
- Simple — Two static JSON files = valid DUADP node. Complexity is optional.
- Open — Apache 2.0 license. No vendor lock-in. Community-governed spec.
- DUADP IS the API — No separate "marketplace API" or "skills API". Everything speaks DUADP.
- Interoperable — Built on the
.ajsonpayload format, works with any AI framework. - Secure — Trust tiers, DID-based identity, cryptographic signatures, circuit breakers.
DUADP implements the discovery and governance infrastructure required by the NIST CAISI Request for Information on Collaborative AI Systems Integration.
- Federated Open-Source Discovery: DNS TXT records and
.well-knownendpoints solve the RFI's requirement for decentralized agent discovery without proprietary lock-in. - Verifiable Identity: Native support for W3C DID-based Global Agent Identifiers (GAIDs) ensures cryptographically sound origin authentication.
- Provable Authorization: DUADP exposes formally verified AWS Cedar authorization policies, evaluating agent access across trust boundaries in under 100ms.
DUADP is the transport, discovery, and publishing layer. OSSA provides the semantic payload format (via .ajson).
- DUADP defines HOW to find, publish, and exchange AI capabilities
- The OSSA
.ajsonspecification defines WHAT those capabilities look like (apiVersion, kind, metadata, spec) - You can use
.ajsonwithout DUADP (local manifests) - You can use DUADP with any payload format (but
.ajsonis recommended)
-d '{"apiVersion":"ossa/v0.5","kind":"Skill","metadata":{"name":"my-skill","description":"My custom skill"}}'
Node ID: `did:web:duadp.org` | Protocol: DUADP v0.1.3 | 5 skills, 3 agents, 3 tools seeded
## Run the Reference Node Locally
```bash
# 1. Install reference node dependencies (SDK is on npm)
cd reference-node && npm ci
# 2. Seed the database
npx tsx src/seed.ts
# 3. Start the node
npx tsx src/index.ts
# → DUADP Reference Node "OSSA Reference Node" running at http://localhost:4200
# → Discovery: http://localhost:4200/.well-known/duadp.json
# 4. Verify
curl http://localhost:4200/.well-known/duadp.json
curl http://localhost:4200/api/v1/health
curl http://localhost:4200/api/v1/skills
curl http://localhost:4200/api/v1/agents
curl http://localhost:4200/api/v1/tools
cd reference-node
docker compose up --build
# → Runs on port 4200 with persistent SQLite volume| Variable | Default | Description |
|---|---|---|
PORT |
4200 |
HTTP port |
DUADP_BASE_URL |
http://localhost:4200 |
Public base URL |
DUADP_NODE_NAME |
OSSA Reference Node |
Human-readable node name |
DUADP_NODE_ID |
did:web:localhost |
DID identifier for this node |
DB_PATH |
./data/duadp.db |
SQLite database path |
All endpoints tested and passing (reference node v0.1.5):
| Endpoint | Method | Status | Description |
|---|---|---|---|
/.well-known/duadp.json |
GET | Verified | Discovery manifest with all endpoints |
/.well-known/webfinger |
GET | Verified | GAID resolution (agent:// URIs) |
/api/v1/skills |
GET | Verified | List skills (5 seeded), paginated |
/api/v1/skills/:name |
GET | Verified | Get single skill by name |
/api/v1/agents |
GET | Verified | List agents (3 seeded), paginated |
/api/v1/agents/:name |
GET | Verified | Get single agent by name |
/api/v1/tools |
GET | Verified | List tools (3 seeded), with ?protocol= filter |
/api/v1/tools/:name |
GET | Verified | Get single tool by name |
/api/v1/publish |
POST | Verified | Publish any resource (auth required) |
/api/v1/resolve/:gaid |
GET | Verified | Resolve a GAID to the matching DUADP resource |
/api/v1/inspect |
GET | Verified | Consolidated DID, trust, signature, provenance, revocation, and policy inspection |
/api/v1/skills |
POST | Verified | Publish a skill (auth required) |
/api/v1/skills/:name |
PUT | Verified | Update a skill (auth required) |
/api/v1/skills/:name |
DELETE | Verified | Delete a skill (auth required) |
/api/v1/validate |
POST | Verified | Validate OSSA manifest JSON |
/api/v1/federation |
GET | Verified | List federation peers |
/api/v1/federation |
POST | Verified | Register as peer (gossip) |
/api/v1/health |
GET | Verified | Node health + resource counts |
/api/v1/search |
GET | Verified | Cross-resource search with facets |
/api/v1/governance |
GET | Verified | NIST AI RMF governance config |
/api/v1/feedback |
POST | Verified | Submit 360 feedback |
/api/v1/feedback/:agentId |
GET | Verified | Get agent feedback history |
/api/v1/reputation/:agentId |
GET | Verified | Computed reputation score |
/api/v1/analytics/tokens |
POST | Verified | Report token usage |
/api/v1/analytics/tokens/:agentId |
GET | Verified | Token analytics per agent |
/api/v1/attestations |
POST | Verified | Submit outcome attestation |
/api/v1/attestations/:agentId |
GET | Verified | Get agent attestations |
/api/v1/audit |
GET | Verified | Audit log with filters |
The TypeScript SDK includes 157 tests across 10 test files:
✓ circuit-breaker.test.ts (12 tests)
✓ validate.test.ts (22 tests)
✓ client-resolve-gaid.test.ts (3 tests)
✓ trust-tier-gaid-matrix.test.ts (16 tests)
✓ dedup.test.ts (7 tests)
✓ crypto.test.ts (24 tests)
✓ did.test.ts (11 tests)
✓ e2e-crypto.test.ts (24 tests)
✓ inspector-client.test.ts (2 tests)
✓ integration.test.ts (36 tests)
─────────────────────────────────────────
10 passed | 157 tests | ~800ms
Run tests:
cd sdk/typescript && npm test| Platform | Status | Description |
|---|---|---|
| OSSA Reference Node | Live | SQLite-backed reference node (reference-node/) |
@bluefly/duadp TypeScript SDK |
v0.1.5 | Client + Express server + CLI (sdk/typescript/) |
duadp Python SDK |
v0.1.5 | Client + FastAPI server + CLI (sdk/python/) |
| Drupal Agent Marketplace | In Progress | DUADP node with federation (Drupal module) |
| Static JSON template | Planned | GitHub Pages starter |
| Language | Package | Registry |
|---|---|---|
| TypeScript | @bluefly/duadp |
npm |
| Python | duadp |
PyPI |
The reference node seeds with realistic OSSA-formatted resources:
| Kind | Count | Examples |
|---|---|---|
| Skills | 5 | web-search, code-review, text-summarizer, data-analyzer, image-classifier |
| Agents | 6 | orchestrator, code-reviewer, drupal-contributor, gitlab-ci-agent, security-audit-agent |
| Tools | 3 | mcp-filesystem (MCP), a2a-email (A2A), openapi-weather (REST) |
| Audit Log | 10 | Resource creation, updates, federation sync, auth events |
| Feedback | 5 | Human, agent, and system feedback with structured dimensions |
| Token Usage | 5 | Per-agent token tracking with model and cost data |
| Attestations | 3 | Signed outcome records with metrics |
See CONTRIBUTING.md. All contributions welcome — spec changes, new SDKs, reference implementations, conformance tests.
Apache License 2.0 - see LICENSE.