config.example.yml

# mcp-foundation — example config
# (Mahoney Context Protocol — github.com/MahoneyContextProtocol/mcp-foundation)
# Copy this to your own config (e.g. config.yml) and edit the values.
# Run: npm run generate -- config.yml

site:
  # Site origin. https only. No trailing slash.
  hostname: "https://example.com"
  # Optional. Path to your sitemap. Defaults to /sitemap.xml.
  sitemap_path: "/sitemap.xml"

ai_policy:
  # Default policy for the wildcard User-agent block.
  # true  -> "Allow: /"   (open by default, deny specific bots below)
  # false -> "Disallow: /" (closed by default, allow specific bots below)
  default_allow: true

  # Per-bot overrides. Keys are User-agent tokens. Values: allow | disallow.
  # Order is preserved in output.
  ai_bots:
    GPTBot: allow
    Claude-Web: allow
    anthropic-ai: allow
    ClaudeBot: allow
    PerplexityBot: allow
    Perplexity-User: allow
    Google-Extended: allow
    ChatGPT-User: allow
    OAI-SearchBot: allow
    CCBot: allow
    Applebot-Extended: allow
    Bytespider: allow
    Diffbot: allow
    FacebookBot: allow
    Amazonbot: allow
    Meta-ExternalAgent: allow
    cohere-ai: allow
    omgili: allow

  # IETF Content Signals. Each value: yes | no.
  # search   -> may use this content for search indexing
  # ai_train -> may use this content for AI model training
  # ai_input -> may use this content as input to AI inference (RAG, etc.)
  content_signals:
    search: yes
    ai_train: yes
    ai_input: yes

# URLs to publish in sitemap.xml. Each entry maps to one <url> block.
# - path:       Required. URL path relative to site.hostname. Must start with /.
# - priority:   Optional float 0.0–1.0. Defaults to 0.5.
# - changefreq: Optional. One of always|hourly|daily|weekly|monthly|yearly|never.
#               Defaults to "monthly".
urls:
  - path: "/"
    priority: 1.0
    changefreq: "weekly"
  - path: "/api/event"
    priority: 0.8
    changefreq: "monthly"
  - path: "/llms.txt"
    priority: 0.9
    changefreq: "weekly"
  - path: "/operate.txt"
    priority: 0.9
    changefreq: "weekly"
  - path: "/.well-known/agent.json"
    priority: 0.7
    changefreq: "monthly"

# RFC 8288 Link header entries. Emitted to:
#   - output/_headers (Cloudflare Pages / Netlify static headers)
#   - output/worker-link-headers.ts (Cloudflare Worker middleware)
# - target: Required. Relative path (starts with /) or absolute URL.
# - rel:    Required. RFC 8288 relation type.
# - type:   Optional. MIME type for the linked resource.
link_headers:
  - target: "/llms.txt"
    rel: "llms"
  - target: "/operate.txt"
    rel: "agent-playbook"
  - target: "/.well-known/agent.json"
    rel: "agent-manifest"
  - target: "/.well-known/api-catalog"
    rel: "api-catalog"
    type: "application/linkset+json"
  - target: "/.well-known/mcp/server-card.json"
    rel: "mcp-server"
    type: "application/json"

# did:web — verifiable identity (W3C DID Core v1.1, did-method-web).
# Closes the foundation: every other emitted file becomes trust-rooted via
# the MahoneyContextProtocolFoundation service anchor below.
# - enabled:              Required.
# - domain:               Required when enabled. Hostname only (no scheme/path).
# - path:                 Optional. Subpath under which the DID is published.
#                         When empty, DID resolves at /.well-known/did.json.
#                         When set (e.g. "users/alice"), resolves at /<path>/did.json
#                         and DID URI is did:web:<domain>:<path with : separators>.
# - verification_methods: Required when enabled, minItems 1.
#   Each method has type "JsonWebKey2020" (paired with public_key.jwk) OR
#   "Multikey" (paired with public_key.multibase). Foundation does NOT
#   generate keys — supply your own public material.
# - authentication / assertion_method / key_agreement / capability_invocation
#   / capability_delegation: Optional arrays. Reference id_fragments from
#   verification_methods or external DID URLs.
# - services:             Optional. User-supplied service entries.
# - anchor_foundation:    Optional, default true. Auto-emits the
#                         MahoneyContextProtocolFoundation service entry
#                         cataloguing every other foundation file's URL.
did_web:
  enabled: true
  domain: "example.com"
  verification_methods:
    - id_fragment: "key-controller"
      type: "JsonWebKey2020"
      public_key:
        jwk:
          kty: "OKP"
          crv: "Ed25519"
          x: "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"
    - id_fragment: "key-agent-signer"
      type: "Multikey"
      public_key:
        multibase: "z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
  authentication:
    - "key-controller"
  assertion_method:
    - "key-agent-signer"
  services:
    - id_fragment: "agent-discovery"
      type: "AgentDiscoveryEndpoint"
      endpoint: "https://example.com/.well-known/agent-card.json"
      description: "Primary A2A agent card discovery endpoint"
  anchor_foundation: true
  also_known_as:
    - "https://example.com"
# Path-based DID example (commented out — uncomment to publish a per-user DID):
#   path: "users/alice"
# Resolves did:web:example.com:users:alice from
# https://example.com/users/alice/did.json (NOT under .well-known when path is set).

# OpenAPI discovery scaffolding. Generates /.well-known/openapi-index.json
# cataloging every spec the site exposes, serves the primary spec at the
# canonical /openapi.{json,yaml} path, and emits redirects from the emerging
# .well-known/openapi.{json,yaml} convention. Does NOT generate OpenAPI specs
# — provides the discovery layer for ones you already have.
# - enabled:               Required.
# - specs:                 Required when enabled, must have at least one entry.
#   Each spec needs name, version, openapi_version, format, source.
#   - source must be exactly one of: inline (object), file_path (string),
#     external_url (https URL).
# - well_known_redirect:   Optional, default true.
# - link_header_advertise: Optional, default true.
openapi_discovery:
  enabled: true
  well_known_redirect: true
  link_header_advertise: true
  specs:
    - name: "Mahoney Context Protocol Reference API"
      version: "1.0.0"
      openapi_version: "3.1"
      format: "json"
      canonical_path: "/openapi.json"
      api_base_url: "https://example.com/api/v1"
      is_primary: true
      description: "Reference API for the agent-native foundation"
      source:
        inline:
          openapi: "3.1.0"
          info:
            title: "Mahoney Context Protocol Reference API"
            version: "1.0.0"
          servers:
            - url: "https://example.com/api/v1"
          paths:
            "/scan":
              get:
                summary: "Run agent-readiness scan"
                responses:
                  "200":
                    description: "Scan results"
    - name: "Partner Telemetry API"
      version: "0.9.0"
      openapi_version: "3.0"
      format: "yaml"
      description: "Externally-hosted telemetry API spec"
      source:
        external_url: "https://partner.example.com/openapi.yaml"

# ai.txt — AI training opt-in/out declarations. Two competing formats supported:
#   format: "spawning"        — media-allowlist (Spawning ai.txt)
#   format: "ai_visibility"   — INI-style behavioral guidance (AI Visibility v1.1.1)
# Pick the one your audience expects. Namespace fragmentation is real here
# (EU AI Act Article 53, Hamburg ruling Dec 2025) — a future MCP companion
# spec may consolidate these signals; for now mcp-foundation supports both.
ai_txt:
  enabled: true
  format: "ai_visibility"
  last_updated: "2026-05-09"
  identity:
    name: "Mahoney Context Protocol"
    url: "https://example.com"
    description: "Open protocols for the agent-native web"
  permissions:
    - "Summarize publicly available content from this site"
    - "Quote from published specs and documentation with attribution"
    - "Answer factual questions about the protocols and reference implementations"
    - "Index and reference specs in agent capability discovery"
  restrictions:
    - "Do not present generated content as official specification text"
    - "Do not reproduce full specification documents; summarize and link"
    - "Do not generate synthetic specs claiming Mahoney Context Protocol provenance"
  attribution:
    preferred_citation: "Mahoney Context Protocol — https://github.com/MahoneyContextProtocol"
    canonical_url: "https://example.com"
  scope:
    - "Public specification text under /specs/"
    - "Reference implementations under /reference/"
    - "Excludes private GitHub Issues and Discussions content"
  training:
    - "Use of content for general-purpose model training is permitted with attribution"
    - "Commercial fine-tuning requires written permission"
  updates:
    cadence: "monthly"
    notify: "mailto:agents@example.com"

# humans.txt (humanstxt.org/Standard.html). Authorship/credits file at /humans.txt.
# Per spec, sites should also include this in their HTML <head>:
#   <link type="text/plain" rel="author" href="/humans.txt" />
# That snippet is emitted to output/humans-link-tag.html for copy-paste.
humans_txt:
  enabled: true
  team:
    - role: "Founder"
      name: "Joe Mahoney"
      contact: "https://example.com/team/joe"
      github: "joemahoney"
      location: "Cloud Latitude"
    - role: "Engineering Partner"
      name: "Claude (Anthropic)"
      contact: "https://www.anthropic.com"
  thanks:
    - "The folks running well-known file conventions before agents got here"
    - "https://schema.org"
    - "https://llmstxt.org"
  site:
    last_update: "2026-05-09"
    language: "en"
    standards:
      - "RFC 9116"
      - "RFC 9309"
      - "RFC 9727"
      - "RFC 9728"
      - "Schema.org"
    components:
      - "TypeScript"
      - "Cloudflare Workers"
      - "MCP"
      - "WebMCP"
    software:
      - "mcp-foundation"

# JSON-LD structured data (Schema.org). Emits per-entity JSON files
# plus a combined <script type="application/ld+json"> tag for the site root,
# plus per-page artifacts at output/jsonld/pages/{id}.json. Includes a
# Worker injection middleware that adds the root tag to HTML <head>.
# Field names in YAML use snake_case; the generator translates to Schema.org's
# camelCase (sameAs, contactPoint, datePublished, etc.).
# - enabled:      Required.
# - organization: Optional but strongly recommended. Drives the root Organization.
# - website:      Optional. WebSite block, optional SearchAction.
# - breadcrumbs:  Optional. Renders a BreadcrumbList.
# - pages:        Optional. Per-page Article/WebPage/FAQPage/Product/SoftwareApplication.
# - agent_software: Optional. Territorial SoftwareApplication block declaring
#                   the site as a machine-callable service.
json_ld:
  enabled: true
  organization:
    name: "Mahoney Context Protocol"
    url: "https://example.com"
    logo: "https://example.com/logo.png"
    description: "Open protocols for the agent-native web"
    same_as:
      - "https://github.com/MahoneyContextProtocol"
    founder:
      name: "Joe Mahoney"
      url: "https://example.com/team/joe"
    founding_date: "2026-04"
    contact_point:
      email: "agents@example.com"
      contact_type: "customer support"
  website:
    name: "Mahoney Context Protocol"
    url: "https://example.com"
    search_action_target: "https://example.com/search"
    in_language: "en"
  breadcrumbs:
    - name: "Home"
      url: "https://example.com"
    - name: "Specs"
      url: "https://example.com/specs"
  pages:
    - id: "operate-txt-spec"
      type: "Article"
      url: "https://example.com/specs/operate-txt"
      name: "operate.txt v1.0 Specification"
      description: "The Mahoney Context Protocol operations manifest spec"
      date_published: "2026-05-09"
      author:
        name: "Joe Mahoney"
        url: "https://example.com/team/joe"
  agent_software:
    name: "Mahoney Context Protocol Foundation"
    description: "Agent-readable foundation services for example.com"
    application_category: "DeveloperApplication"
    offers_type: "free"
    has_part:
      - "https://example.com/.well-known/agent-card.json"
      - "https://example.com/.well-known/mcp.json"
      - "https://example.com/.well-known/api-catalog"
      - "https://example.com/.well-known/agent-skills/index.json"
      - "https://example.com/llms.txt"
      - "https://example.com/operate.txt"

# security.txt (RFC 9116). Vulnerability disclosure file emitted at:
#   /.well-known/security.txt (canonical)
#   /security.txt             (fallback per §3)
# - enabled:           Required.
# - contacts:          Required when enabled. Non-empty list of mailto:, tel:,
#                      or https:// URIs. Order matters — first is highest priority.
# - expires:           Required when enabled. RFC 3339 timestamp with uppercase Z
#                      timezone. MUST be in the future at generation time.
# - encryption:        Optional. https:// or dns: URIs to PGP keys.
# - acknowledgments:   Optional. https:// URLs to hall-of-fame pages.
# - preferred_languages: Optional. BCP 47 language tags, comma-space-joined.
# - canonical:         Optional. https:// URL(s) where this file canonically lives.
# - policy:            Optional. https:// URLs to disclosure policy pages.
# - hiring:            Optional. https:// URLs to security job listings.
# - agent_disclosure:  Optional. MCP custom extension. https:// URL where AI
#                      agents report security issues they discover at runtime.
security_txt:
  enabled: true
  contacts:
    - "mailto:security@example.com"
    - "https://example.com/security/contact"
  expires: "2027-05-09T00:00:00Z"
  encryption:
    - "https://example.com/.well-known/pgp-key.asc"
  acknowledgments:
    - "https://example.com/security/hall-of-fame"
  preferred_languages:
    - "en"
  canonical:
    - "https://example.com/.well-known/security.txt"
  policy:
    - "https://example.com/security/policy"
  hiring:
    - "https://example.com/careers/security"
  agent_disclosure: "https://example.com/.well-known/agent-vuln-report"

# operate.txt — Mahoney Context Protocol operate-txt v1.0 spec.
# Spec: https://github.com/MahoneyContextProtocol/operate-txt-spec
# Renders /operate.txt at the site root: an agent operations manual covering
# protocol pointers, tools, auth, rate limits, error conventions, escalation,
# and house conventions. Every emitted file cites the spec URL in its
# frontmatter.
# - enabled:      Required.
# - site_name:    Required when enabled.
# - summary:      Required when enabled. One sentence describing the site.
# - protocols:    Optional. Pointers to sibling well-known files.
# - tools:        Optional. Each tool needs name, description, invocation.
# - auth:         Optional. If present, requires required + methods (enum).
# - rate_limits:  Optional. Each entry needs scope + requests_per_minute (>0).
# - body_markdown: Optional. Override the auto-generated body verbatim.
operate_txt:
  enabled: true
  site_name: "Mahoney Context Protocol"
  summary: "Open protocols and reference implementations for the agent-native web."
  protocols:
    mcp_server_card: "/.well-known/mcp.json"
    a2a_agent_card: "/.well-known/agent-card.json"
    api_catalog: "/.well-known/api-catalog"
    oauth_protected_resource: "/.well-known/oauth-protected-resource"
    llms_txt: "/llms.txt"
  tools:
    - name: "scan_site"
      description: "Run an agent-readiness scan on any URL"
      invocation: "WebMCP tool — see /webmcp-init.js"
    - name: "list_skills"
      description: "Enumerate available agent skills"
      invocation: "GET /.well-known/agent-skills/index.json"
  auth:
    required: false
    methods: ["none"]
  rate_limits:
    - scope: "anonymous"
      requests_per_minute: 60
    - scope: "authenticated"
      requests_per_minute: 600
  error_conventions:
    format: "rfc7807"
    retry_after_header: true
  escalation:
    human_contact: "agents@example.com"
    support_url: "https://example.com/support"
  conventions:
    - "Send Content-Type: application/json on all POST requests"
    - "Use ?cursor= for pagination, max 100 items per page"
    - "Idempotency-Key header honored on POST endpoints"

# llms.txt site summary (https://llmstxt.org). Renders /llms.txt at the
# site root — NOT a .well-known file. Adopted by Anthropic, Vercel,
# Cloudflare, Mintlify, FastHTML, Hugging Face, and others.
# - enabled:              Required.
# - site_name:            Required when enabled. Rendered as H1.
# - tagline:              Required when enabled. Rendered as a blockquote line.
# - context:              Optional. Markdown block between tagline and first section.
# - sections:              Required when enabled. Each becomes an H2 with a link list.
#                          Section name "Optional" is a spec-recognized signal that
#                          its links are secondary; the generator does not enforce this.
# - full_content_enabled: Optional. If true, also emits /llms-full.txt with each
#                          page's full markdown body inlined (requires full_content_pages).
llms_txt:
  enabled: true
  site_name: "Mahoney Context Protocol"
  tagline: "Open protocols for the agent-native web."
  context: |
    The Mahoney Context Protocol family ships open standards
    and reference implementations for sites that need to be
    first-class citizens of the agent-native web. Three layers:
    discovery (mcp-foundation), runtime (mcp-runtime), and
    orchestration (mcp-orchestrator).
  sections:
    - name: "Core protocols"
      links:
        - title: "mcp-foundation"
          url: "https://github.com/MahoneyContextProtocol/mcp-foundation"
          description: "Discovery layer — config-driven generators for every well-known file an agent might fetch"
        - title: "it-IS-agent-ready"
          url: "https://github.com/MahoneyContextProtocol/it-IS-agent-ready"
          description: "Reference scanner and live agent-readiness scoreboard"
    - name: "Optional"
      links:
        - title: "Spec index"
          url: "https://github.com/MahoneyContextProtocol"
          description: "All Mahoney Context Protocol repos and specs"
  full_content_enabled: false

# WebMCP runtime tool registration. Generates a JavaScript snippet that
# registers MCP tools on a page via navigator.modelContext.provideContext()
# so AI agents in the browser can call site-specific tools directly.
# Spec: https://webmachinelearning.github.io/webmcp/
# Note: handlers are passed through verbatim into `async function (args) { ... }`.
# They must be valid JS body source.
# - enabled:         Required.
# - ready_attribute: Optional, default true. Sets data-webmcp-ready="true"
#                    on the document element after registration.
# - tools:           Required when enabled. Each tool needs:
#   - name:        Required. Must match /^[a-zA-Z_][a-zA-Z0-9_]*$/.
#   - description: Required.
#   - parameters:  Required. JSON Schema with type: "object".
#   - handler:     Required. JS body executed with `args` parameter.
webmcp:
  enabled: true
  ready_attribute: true
  tools:
    - name: "get_agent_card"
      description: "Fetch this site's A2A agent card"
      parameters:
        type: "object"
        properties: {}
      handler: |
        const r = await fetch('/.well-known/agent-card.json');
        return await r.json();
    - name: "list_skills"
      description: "List available agent skills"
      parameters:
        type: "object"
        properties: {}
      handler: |
        const r = await fetch('/.well-known/agent-skills/index.json');
        return await r.json();

# Agent Skills index. Emits the cloudflare/agent-skills-discovery-rfc
# v0.2.0 manifest at /.well-known/agent-skills/index.json plus a v0.1.0
# legacy index at /.well-known/skills/index.json, plus the actual SKILL.md
# files at /.well-known/agent-skills/{name}/SKILL.md.
# - enabled:    Required.
# - schema_url: Optional. Defaults to schemas.agentskills.io/discovery/0.2.0.
# - skills:     Required when enabled. Each skill needs name + description.
#   - name:        Required. Lowercase alphanumeric + hyphens, 1-64 chars,
#                  no leading/trailing/consecutive hyphens.
#   - description: Required. Brief, action-oriented description.
#   - type:        Optional. "skill-md" (default) or "archive".
#   - content:     Required for skill-md type. Full SKILL.md markdown.
#   - url:         Optional. Override URL for the artifact.
#   - digest:      Optional. sha256:<hex>. Auto-computed for skill-md if absent.
#   - files:       Optional. Used by v0.1.0 legacy index, defaults to ["SKILL.md"].
agent_skills:
  enabled: true
  skills:
    - name: "agent-readiness-audit"
      description: "Run a Cloudflare-style agent-readiness scan against a target URL and return a scored report."
      type: "skill-md"
      content: |
        # Agent Readiness Audit

        Use this skill when an agent needs to evaluate how well a website
        exposes itself to other agents.

        ## When to use
        - User asks "is my site agent-ready?"
        - Pre-launch checks before publishing a new domain.

        ## Inputs
        - `url`: the https origin to audit.

        ## Example invocation
        > Audit https://example.com for agent readiness.

    - name: "protocol-compliance-check"
      description: "Validate a site's well-known files against current specifications."
      type: "skill-md"
      content: |
        # Protocol Compliance Check

        Validate a deployed site's protocol layer against current specs.

        ## Inputs
        - `url`: the https origin to validate.
        - `specs`: optional list of specs to focus on.

        ## Outputs
        Per-spec pass/fail report with byte-level failure reasons.

# A2A Agent Card discovery. Emits the same Agent Card at two paths:
#   /.well-known/agent-card.json (canonical, A2A spec)
#   /.well-known/agent.json      (legacy alias for older clients)
# Cloudflare's Agent Readiness scanner checks the canonical path.
# Note: A2A spec uses camelCase in JSON. The generator translates from
# snake_case config keys to camelCase output keys automatically.
# - enabled:    Required.
# - name, description, url, version, capabilities, authentication,
#   default_input_modes, default_output_modes, skills (non-empty):
#   Required when enabled.
# - provider:   Optional, but if present requires organization + url.
a2a_agent_card:
  enabled: true
  name: "cloud-latitude-foundation-agent"
  description: "Cloud Latitude foundation agent for agent-readiness audits and protocol compliance checks."
  url: "https://example.com/a2a"
  version: "1.0.0"
  documentation_url: "https://example.com/docs/a2a"
  provider:
    organization: "Cloud Latitude"
    url: "https://cloudlatitude.io"
  capabilities:
    streaming: true
    push_notifications: false
    state_transition_history: true
  authentication:
    schemes:
      - "Bearer"
  default_input_modes:
    - "text/plain"
    - "application/json"
  default_output_modes:
    - "application/json"
  skills:
    - id: "agent-readiness-audit"
      name: "Agent Readiness Audit"
      description: "Run a Cloudflare-style agent-readiness scan against a target URL and return a scored report."
      tags: ["audit", "agent-readiness", "cloudflare"]
      examples:
        - "Audit https://example.com for agent readiness."
        - "Score this site against the Cloudflare scanner."
    - id: "protocol-compliance-check"
      name: "Protocol Compliance Check"
      description: "Validate a site's well-known files (robots.txt, sitemap, MCP, A2A) against current specs."
      tags: ["compliance", "well-known", "mcp", "a2a"]
      input_modes:
        - "text/plain"
      output_modes:
        - "application/json"

# MCP Server Card discovery. Emits the same metadata at three candidate
# well-known paths to satisfy SEP-1649, SEP-1960, and SEP-2127:
#   /.well-known/mcp.json                  (SEP-1960)
#   /.well-known/mcp/server-card.json      (SEP-1649)
#   /.well-known/mcp/server-cards.json     (SEP-2127, JSON array)
# Cloudflare's Agent Readiness scanner checks all three; publishing all
# three guarantees you pass regardless of which check the scanner runs.
# - enabled:    Required. Set false to skip emission.
# - name:       Required when enabled. Server identifier.
# - version:    Required when enabled. Semver string.
# - endpoints:  Required when enabled, must have at least one entry.
# - authentication: When methods includes "oauth2", oauth2 sub-block is required.
mcp_server_card:
  enabled: true
  name: "example-mcp-server"
  version: "1.0.0"
  description: "Example MCP server hosted at example.com"
  mcp_version: "1.0"
  endpoints:
    streamable_http: "https://example.com/mcp"
    sse: "https://example.com/mcp/sse"
  capabilities:
    tools: true
    resources: true
    prompts: true
    sampling: false
    roots: false
    logging: true
  authentication:
    required: true
    methods:
      - "oauth2"
    oauth2:
      authorization_endpoint: "https://example.com/oauth/authorize"
      token_endpoint: "https://example.com/oauth/token"
      scopes_supported:
        - "mcp:read"
        - "mcp:write"
  security:
    tls_required: true
    min_tls_version: "1.3"
    signed_requests_required: false
    security_contact: "security@example.com"
    security_policy: "https://example.com/security"
  rate_limits:
    requests_per_minute: 600
    tokens_per_minute: 100000

# OAuth Protected Resource (RFC 9728). Declares which auth servers
# issue valid tokens for this resource and (optionally) which paths
# require a Bearer token. Pairs with oauth_discovery (Feature 07).
# - enabled:               Required.
# - resource:              Required when enabled. https URL identifying this resource.
# - authorization_servers: Required when enabled. Non-empty list of issuer URLs.
# - bearer_methods_supported: Optional subset of [header, body, query].
# - protected_paths:       Optional. Glob-style patterns the Worker handler will
#                          gate behind a Bearer token check (* = wildcard).
#                          NOT emitted in the metadata JSON — runtime-only.
oauth_protected_resource:
  enabled: true
  resource: "https://example.com/api/v1"
  authorization_servers:
    - "https://example.com"
  bearer_methods_supported:
    - "header"
  scopes_supported:
    - "read:profile"
    - "write:profile"
  resource_documentation: "https://example.com/docs/auth"
  protected_paths:
    - "/api/v1/*"

# OAuth/OIDC discovery (RFC 8414 + OpenID Connect Discovery 1.0).
# Emits well-known metadata so agents can authenticate against your APIs.
# - enabled: Required.
# - mode:    Required when enabled. One of "oauth", "oidc", "both".
#   - "oauth" emits /.well-known/oauth-authorization-server only
#   - "oidc"  emits /.well-known/openid-configuration only
#   - "both"  emits both
# - issuer, authorization_endpoint, token_endpoint: required when enabled.
# - jwks_uri, subject_types_supported, id_token_signing_alg_values_supported:
#   required when mode includes "oidc".
# All endpoint URLs must be https.
oauth_discovery:
  enabled: true
  mode: "both"
  issuer: "https://example.com"
  authorization_endpoint: "https://example.com/oauth/authorize"
  token_endpoint: "https://example.com/oauth/token"
  userinfo_endpoint: "https://example.com/oauth/userinfo"
  jwks_uri: "https://example.com/.well-known/jwks.json"
  registration_endpoint: "https://example.com/oauth/register"
  revocation_endpoint: "https://example.com/oauth/revoke"
  introspection_endpoint: "https://example.com/oauth/introspect"
  end_session_endpoint: "https://example.com/oauth/logout"
  scopes_supported: ["openid", "profile", "email", "offline_access"]
  response_types_supported: ["code", "id_token", "code id_token"]
  response_modes_supported: ["query", "fragment", "form_post"]
  grant_types_supported: ["authorization_code", "refresh_token", "client_credentials"]
  token_endpoint_auth_methods_supported: ["client_secret_basic", "client_secret_post", "private_key_jwt"]
  subject_types_supported: ["public"]
  id_token_signing_alg_values_supported: ["RS256"]
  code_challenge_methods_supported: ["S256"]
  claims_supported: ["sub", "iss", "aud", "exp", "iat", "email", "name"]

# API Catalog (RFC 9727 + RFC 9264) published at /.well-known/api-catalog
# as application/linkset+json. Lets agents discover the APIs this site exposes.
# - enabled:      Required. Set false to skip emission.
# - apis:         Required when enabled. Each entry must include `anchor`.
#   - anchor:        Required. https URL identifying the API root.
#   - service_desc:  Optional. https URL to OpenAPI/AsyncAPI/etc spec.
#   - service_doc:   Optional. https URL to human-readable docs.
#   - status:        Optional. https URL to a health endpoint.
#   - service_meta:  Optional. https URL to general service metadata.
api_catalog:
  enabled: true
  apis:
    - anchor: "https://example.com/api/v1"
      service_desc: "https://example.com/api/v1/openapi.json"
      service_doc: "https://example.com/docs/api"
      status: "https://example.com/api/v1/health"

# Optional richer AI policy manifest published at /.well-known/ai-preferences.json.
# Mirrors and extends robots.txt Content-Signal directives.
# - enabled:    Required. Set false to skip emission.
# - policy_url: Optional. Public link to your full AI usage policy. Must be https.
# - contact:    Optional. Email or https URL for policy questions.
# - signals:    Required when enabled. Same shape as ai_policy.content_signals.
ai_preferences:
  enabled: true
  policy_url: "https://example.com/ai-policy"
  contact: "ai-policy@example.com"
  signals:
    search: yes
    ai_train: yes
    ai_input: yes

# Markdown content negotiation. When an agent requests a page with
# `Accept: text/markdown`, the configured route is rewritten to its
# .md companion. Emitted as:
#   - output/_redirects (Cloudflare Pages / Netlify rules)
#   - output/worker-markdown-negotiation.ts (Cloudflare Worker)
#   - output/node-markdown-middleware.ts (Express-compatible Node)
# Set enabled: false to skip emission and produce no-op stubs.
markdown_negotiation:
  enabled: true
  routes:
    - path: "/"
      markdown: "/index.md"
    - path: "/about"
      markdown: "/about.md"
    - path: "/docs"
      markdown: "/docs.md"