Contributing
Read the specifications. File issues. Submit PRs.
Channels
- Issues: github.com/PlawIO/machineauthority-protocol/issues — bugs, spec ambiguities, proposed changes.
- Discussions: github.com/PlawIO/machineauthority-protocol/discussions — async design conversations. Lower barrier than PRs.
- Pull requests: github.com/PlawIO/machineauthority-protocol/pulls — spec text, schemas, examples, tooling.
Contribution areas
- Independent implementations — v1.0 has one reference implementation (Node, in reference/). A second independent implementation in any language is the highest-value contribution. Use test-vectors/ as the conformance bar.
- Test vectors — new valid/ and invalid/ cases for canonicalization, CAR, decision envelope, elicitation loop, and CAC. Each invalid vector must declare its expected verdict per the verifier-CLI contract in CONFORMANCE.md.
- Bindings & integrations — OPA / Cedar / OpenFGA policy adapters, MCP server middleware, SPIFFE / DID identity binders, Sigstore (Rekor) profile for MAP-CAC-DSSE-1.
- Spec ambiguities — if two readings of any v1.0 normative MUST are possible, file an issue. Spec text under v1.0 stability is fixed for 12 months; clarifying errata is the path.
- Post-v1.0 roadmap — multi-approver quorum, polling profile for the loop, ML-DSA hybrid signatures, transparency-log profile, revocation discovery. Discussions are open; no normative changes until the next major version.
Legal
Every commit MUST be signed off with the Developer Certificate of Origin (DCO): git commit -s. PRs lacking sign-off on every commit are blocked at merge — reviewers verify sign-off manually until the CI check lands (planned for v1.0 + 30 days, tracked in repo Issues). Until then, reviewers will request a force-push to add Signed-off-by: trailers if missing. No CLA is required; the DCO is sufficient.
The specification and this website are MIT-licensed. Reference implementations MAY use any OSI-approved license; MIT or Apache 2.0 is recommended.