# SAM Protocol

> SAM Protocol is the signed envelope for agent-ready merchants. It composes UCP, AP2, MCP, ACP, and A2A into a single, signed, time-bounded `/.well-known/sam.json` document. SAM does not replace those standards — it attests them under one merchant key with a freshness window.

## Positioning

SAM is NOT another commerce protocol. The agentic commerce stack of 2026 already has UCP for capabilities, AP2 for user authorization, MCP for tools, ACP for catalogs, and A2A for agent-to-agent. SAM is the signed envelope that makes any combination of them verifiable in one place.

> *Publish one signed file. Reference everything else.*

## Core documents (v2.2)

- [White Paper v2.2](https://github.com/SAM-protocol/SAM-Protocol/blob/main/docs/SAM_Protocol_WhitePaper_v2_2_EN.md): The Signed Envelope for Agent-Ready Merchants. Composition thesis, normative core, security model, adoption roadmap.
- [Normative One-Pager](https://github.com/SAM-protocol/SAM-Protocol/blob/main/docs/SAM_Protocol_Normative_OnePager.md): RFC 2119 conformance requirements (MUST / SHOULD / MAY).
- [Technical Appendix](https://github.com/SAM-protocol/SAM-Protocol/blob/main/docs/SAM_Protocol_Technical_Appendix.md): Python implementation snippets — manifest verification, mandate evaluation, RFC 9421 request signing, operator key resolution.
- [W3C CG Submission](https://github.com/SAM-protocol/SAM-Protocol/blob/main/docs/SAM_W3C_CG_CallForParticipation.md): Proposal to the W3C Agent Identity Registry Protocol Community Group.

## Schema and test vectors

- [JSON Schema v2.2](https://github.com/SAM-protocol/SAM-Protocol/blob/main/schemas/sam.json.schema.json): Draft 2020-12 schema for the SAM envelope.
- [Valid examples](https://github.com/SAM-protocol/SAM-Protocol/tree/main/examples/valid): composing envelope (UCP+AP2+MCP), bootstrap envelope, L0 starter.
- [Invalid examples](https://github.com/SAM-protocol/SAM-Protocol/tree/main/examples/invalid): structural and runtime failure modes.

## Key concepts

- **sam.json**: A signed document served at `/.well-known/sam.json` declaring merchant identity, capability references via `sam:composes`, a merchant-issued policy mandate, agent authentication (RFC 9421 + ed25519), and human escalation channels.
- **sam:composes**: Declarative references to UCP, AP2, MCP, ACP, A2A under the merchant's signature. The structural innovation of v2.2.
- **Merchant policy mandate**: A small, closed grammar of eight primitives, AND-only, stateless, evaluated locally by the agent. Distinct from AP2's user-issued mandates.
- **Conformance levels**: L0 (merchant-ready, discovery only), L1 (agent-ready, identity + signature), L2 (bounded autonomy, mandate + agentAuth).
- **Constitutional freshness**: `validUntil` TTL with no fail-open on revocation.

## Repository

- [GitHub: SAM-protocol/SAM-Protocol](https://github.com/SAM-protocol/SAM-Protocol)
- License: Apache 2.0
- Status: v2.2 draft. Open issues tracked for canonicalization, composition-drift detection, operator trust, replay protection, and `sam-user-context` semantics under AP2.

## Contact

- Website: https://sam-protocol.org
- Issues and discussions: https://github.com/SAM-protocol/SAM-Protocol/issues