Schema Reference

The authoritative reference for all VhyxSeal types. Interfaces are exact copies from packages/core/src/schema/. Do not modify the schema without leadership approval — all changes must be logged in .claude/decisions.md.

ComponentContract

The core primitive. Describes what a component does, what an agent must verify before interacting, what changes after interaction, and how carefully the agent must proceed.

packages/core/src/schema/contract.ts

export interface ComponentContract {
  // IDENTITY
  id: string;
  type: ComponentType;
  intent: string;
  description: string;

  // PRECONDITIONS
  requires: readonly Condition[];
  requiredPermissions: readonly string[];

  // CONSEQUENCE
  consequence: string;
  affects: readonly string[];
  reversible: boolean;
  reversibleWindow?: number;

  // SAFETY
  safetyLevel: SafetyLevel;
  requiresConfirmation: boolean;
  destructive: boolean;

  // AGENT NAVIGATION HINTS
  alternatives?: readonly string[];
  nextExpected?: readonly string[];
  errorStates?: readonly ErrorState[];

  // CONTRACT METADATA
  contractVersion: string;
  fingerprint?: string;
  lastVerified?: string;
  verifiedBy?: "auto" | "manual" | "test";
  changelog?: readonly ContractChangelog[];
}

Field	Type	Required	Description
id	string	required	Unique identifier for this component on the page
type	ComponentType	required	Category of component — how agents interpret it
intent	string	required	Machine-readable intent e.g. place-order
description	string	required	Human-readable explanation for agent reasoning
requires	Condition[]	required	Preconditions that must all be satisfied
requiredPermissions	string[]	required	Permission scopes required
consequence	string	required	Plain description of what changes after interaction
affects	string[]	required	System areas affected e.g. [cart, orders]
reversible	boolean	required	Whether the action can be undone
reversibleWindow	number	optional	Seconds within which undo is possible
safetyLevel	SafetyLevel	required	How carefully the agent must proceed
requiresConfirmation	boolean	required	Agent must obtain human approval first
destructive	boolean	required	Permanently deletes or modifies data
alternatives	string[]	optional	Other component ids with similar function
nextExpected	string[]	optional	Component ids typically following this one
errorStates	ErrorState[]	optional	Known failure modes and recovery paths
contractVersion	string	required	Developer-managed semver e.g. 1.0.0
fingerprint	string	optional	Auto-generated — hash of contract content
lastVerified	string	optional	ISO date — when contract was last confirmed
verifiedBy	auto \| manual \| test	optional	How the contract was verified
changelog	ContractChangelog[]	optional	History of changes to this contract

import { defineContract } from '@vhyxseal/core'

const checkoutContract = defineContract({
  id: "checkout-submit-btn",
  type: "action",
  intent: "place-order",
  description: "Submits the cart as a purchase order",
  requires: [
    { field: "user.authenticated", operator: "===", value: true, description: "User must be logged in" },
    { field: "cart.hasItems", operator: "===", value: true, description: "Cart must have items" },
  ],
  requiredPermissions: ["write:orders"],
  consequence: "Creates order, charges payment, triggers fulfillment",
  affects: ["cart", "orders", "payment"],
  reversible: true,
  reversibleWindow: 300,
  safetyLevel: "high",
  requiresConfirmation: true,
  destructive: false,
  contractVersion: "1.0.0",
})

Condition

A precondition that must be satisfied before an agent interacts. Always use abstract field references — never expose internal data structure or database field names.

packages/core/src/schema/contract.ts

export interface Condition {
  /** Abstract field reference — never expose internals e.g. "user.hasPaymentMethod" */
  field: string;
  operator: "===" | "!==" | ">" | "<" | ">=" | "<=" | "includes" | "excludes";
  value: unknown;
  description: string;
}

Field	Type	Required	Description
field	string	required	Abstract reference e.g. user.hasPaymentMethod — never internal DB field names
operator	=== \| !== \| > \| < \| >= \| <= \| includes \| excludes	required	Comparison operator
value	unknown	required	The value to compare against
description	string	required	Human-readable e.g. User must have a payment method saved

ErrorState

A known failure mode for a component and how an agent should recover. Include every failure mode that an agent might encounter.

packages/core/src/schema/contract.ts

export interface ErrorState {
  /** What causes this error e.g. "payment declined" */
  trigger: string;
  /** What the UI shows e.g. "red banner with payment failed message" */
  display: string;
  /** What the agent should do e.g. "navigate to update-payment-method" */
  recovery: string;
}

Field	Type	Description
trigger	string	What causes this error e.g. payment declined
display	string	What the UI shows e.g. red banner with payment failed message
recovery	string	What the agent should do e.g. navigate to update-payment-method

ComponentType

The five categories of UI component. Determines how agents interpret and interact with a component.

packages/core/src/schema/contract.ts

export type ComponentType =
  | "action"        // buttons, triggers — does something
  | "input"         // forms, search, filters — collects data
  | "navigation"    // links, menus, tabs — moves somewhere
  | "display"       // shows current state — read only
  | "confirmation"; // gates a decision — dialogs, modals

Value	Use when
action	Buttons, triggers — the component causes something to happen
input	Forms, search fields, filters — the component collects data
navigation	Links, menus, tabs — the component moves to another location
display	Read-only content showing current state — agent reads, does not act
confirmation	Modals, dialogs — the component gates a decision

SafetyLevel

Controls how carefully an agent must proceed. Higher levels require explicit human confirmation. When in doubt, choose the higher level.

packages/core/src/schema/contract.ts

export type SafetyLevel =
  | "low"       // read, filter, sort — agent proceeds freely
  | "medium"    // send message, save draft — proceed with care
  | "high"      // place order, submit form — confirm with human
  | "critical"  // delete account, payment — always require human
  | "sensitive"; // medical, financial data — extra protections apply

Value	Confirmation	Examples
low	Not required	Search, filter, sort, navigate, sign-out
medium	Not required	Send message, save draft, update profile, upload file
high	Required	Place order, submit form, publish content, cancel booking
critical	Always required	Delete account, make payment, irreversible data changes
sensitive	Required	Medical data, financial information, passwords

Relationship Types

Three relationship types cover all component interactions. Use relationships to describe flows that span multiple components.

CompositionRelationship

Components that belong together structurally. Used when a parent requires specific children to be valid before it can act.

packages/core/src/schema/relationships.ts

export interface CompositionRelationship {
  type: "composition";
  id: string;
  parent: string;
  children: readonly string[];
  completionRequires: readonly string[];
  description: string;
}

SequenceRelationship

Components with a defined order. Used for multi-step flows like checkout or onboarding where the agent must follow steps in sequence.

packages/core/src/schema/relationships.ts

export interface SequenceStep {
  order: number;
  componentId: string;
  canSkip: boolean;
  skipCondition?: string;
  onComplete: string;
  onFail: string;
}

export interface SequenceRelationship {
  type: "sequence";
  id: string;
  description: string;
  steps: readonly SequenceStep[];
  linear: boolean;
}

DependencyRelationship

One component's state gates another's behavior. Used when filling an input enables a button, or selecting a plan shows additional fields.

packages/core/src/schema/relationships.ts

export type DependencyEffect =
  | "enables" | "disables" | "shows" | "hides" | "modifies";

export interface DependencyRelationship {
  type: "dependency";
  id: string;
  source: string;
  target: string;
  condition: Condition;
  effect: DependencyEffect;
  description: string;
}

Capability

The highest level of abstraction. Agents think in capabilities — not individual components. A capability groups all relationships and components needed to accomplish a user-facing goal.

packages/core/src/schema/capability.ts

export interface Capability {
  id: string;
  description: string;
  entryPoint: string;
  exitPoints: readonly ExitPoint[];
  relationships: readonly CapabilityRelationshipRef[];
  estimatedSteps: number;
  requiresAuth: boolean;
  safetyLevel: SafetyLevel;
  spanPages?: readonly string[];
}

Field	Type	Required	Description
id	string	required	Unique capability identifier e.g. purchase-item
description	string	required	Human and agent readable description
entryPoint	string	required	Component id where the capability starts
exitPoints	ExitPoint[]	required	All possible end states (success, failure, cancelled)
relationships	CapabilityRelationshipRef[]	required	Relationships that make up this capability
estimatedSteps	number	required	Approximate step count — helps agent plan
requiresAuth	boolean	required	User must be authenticated
safetyLevel	SafetyLevel	required	Highest safety level in the capability chain
spanPages	string[]	optional	Routes this capability spans across multiple pages

import { defineCapability } from '@vhyxseal/core'

const purchaseCapability = defineCapability({
  id: "purchase-item",
  description: "Browse, select, and purchase a product",
  entryPoint: "product-add-to-cart-btn",
  exitPoints: [
    { componentId: "order-confirmation-display", outcome: "success", description: "Order placed" },
    { componentId: "payment-error-display", outcome: "failure", description: "Payment failed" },
  ],
  relationships: [],
  estimatedSteps: 4,
  requiresAuth: true,
  safetyLevel: "high",
})

VhyxSealManifest

The complete manifest served at /__agent__/manifest.json. Auto-generated — never hand-written. Contains all contracts, relationships, capabilities, and the site's agent access policy.

packages/core/src/manifest/types.ts

export interface VhyxSealManifest {
  // Schema identification
  vhyxseal: string;          // schema version e.g. "1.0.0"
  schemaUrl: string;

  // Site identification
  domain: string;
  domainVerified: boolean;
  verificationToken: string;

  // Integrity
  signature: string;         // HMAC-SHA256 or "unsigned" (stub)
  signedAt: string;
  fingerprint: string;

  // Content
  capabilities: readonly Capability[];
  components: readonly ComponentContract[];
  relationships: readonly Relationship[];

  // Policy
  agentPolicy: AgentPolicy;

  // Cache and freshness
  generatedAt: string;       // ISO datetime
  expiresAt: string;
}

// GET /__agent__/manifest.json
{
  "vhyxseal": "1.0.0",
  "domain": "example.com",
  "domainVerified": true,
  "signature": "unsigned",
  "fingerprint": "vhyxs_a3f8b2c1",
  "components": [...],
  "relationships": [],
  "capabilities": [...],
  "agentPolicy": {
    "allowedAgents": ["*"],
    "blockedAgents": [],
    "allowedActions": ["*"],
    "blockedActions": [],
    "requiresConfirmation": ["place-order", "delete-account"],
    "rateLimits": {
      "actionsPerMinute": 60,
      "actionsPerHour": 500,
      "manifestRequestsPerMinute": 10,
      "perAgentSession": true
    }
  },
  "generatedAt": "2026-05-27T10:00:00.000Z",
  "expiresAt": "2026-05-27T11:00:00.000Z"
}

AgentPolicy

Access policy controlling which agents may act on a site. Site owners set this in SealProvider config. The default policy allows all agents with reasonable rate limits.

packages/core/src/manifest/types.ts

export interface AgentPolicy {
  allowedAgents: readonly string[];          // ["*"] for all
  blockedAgents: readonly string[];
  requireAgentIdentification: boolean;
  rateLimits: RateLimits;
  allowedActions: readonly string[];         // intent ids; ["*"] for all
  blockedActions: readonly string[];
  requiresConfirmation: readonly string[];   // intent ids
  requiresHumanPresent: readonly string[];   // intent ids
  manifestAccess: "public" | "private";
  manifestAuth?: "bearer-token";             // only when manifestAccess is "private"
}

Field	Default	Description
allowedAgents	["*"]	Use specific agent identifiers to restrict access
blockedAgents	[]	Patterns to explicitly block
requireAgentIdentification	false	Agents must identify before acting
allowedActions	["*"]	Restrict to specific intent ids
blockedActions	[]	Explicitly blocked intent ids
requiresConfirmation	[]	Intent ids always needing human confirmation
requiresHumanPresent	[]	Intent ids needing verified human in loop
manifestAccess	"public"	Set to private to require bearer token

RateLimits

Per-agent rate limits. Configured within AgentPolicy.rateLimits. Rate limit enforcement is schema-defined but not yet enforced by VhyxSeal middleware in 1.0.0-rc — see the Security guide for details.

packages/core/src/manifest/types.ts

export interface RateLimits {
  actionsPerMinute: number;
  actionsPerHour: number;
  manifestRequestsPerMinute: number;
  perAgentSession: boolean;
}

Field	Default	Description
actionsPerMinute	60	Maximum agent actions per minute
actionsPerHour	500	Maximum agent actions per hour
manifestRequestsPerMinute	10	Maximum manifest fetches per minute
perAgentSession	true	Apply limits per agent session (true) or globally (false)