{
  "status": "ready_for_agent_testing",
  "service": "k-work-trust",
  "generated_at": "2026-05-13T15:16:05.535Z",
  "auth": {
    "mode": "per_client_registry_only",
    "protected_api_configured": true,
    "default_dev_key_accepted": false,
    "per_client_registry_active_clients": 1,
    "registry_source": "env_secret_b64",
    "whoami_endpoint": "/v1/auth/whoami"
  },
  "remote_mcp": {
    "transport": "streamable-http",
    "endpoint": "/mcp",
    "url": "https://k-work-trust-api.fly.dev/mcp",
    "auth_required": {
      "initialize": false,
      "tools_list": false,
      "tools_call": true
    },
    "supports": [
      "initialize",
      "tools/list",
      "tools/call"
    ],
    "sse_streams_enabled": false,
    "tools_call_uses_quota": true,
    "tools_list_uses_quota": false
  },
  "self_serve_signup": {
    "enabled": true,
    "provisional_enabled": true,
    "proof_secret_configured": true,
    "status_endpoint": "/v1/agent/signup/status",
    "provisional_challenge_endpoint": "/v1/agent/signup/provisional/challenge?agent_label=<agent-label>",
    "provisional_issue_endpoint": "/v1/agent/signup/provisional"
  },
  "official_sources": {
    "nts_business_status_configured": true,
    "juso_address_search_configured": true,
    "provisional_keys_can_use_official_sources": false
  },
  "abuse_guard": {
    "enabled": true,
    "behavior_based": true,
    "does_not_infer_nationality": true,
    "low_trust_max_records_per_request": 1,
    "low_trust_max_business_number_like_identifiers": 4,
    "blocks": [
      "plaintext API keys or bearer tokens in request bodies",
      "personal identifier patterns such as resident registration or passport fields",
      "bulk or batch payloads from low-trust/provisional keys",
      "many distinct business-number-like identifiers from low-trust/provisional keys"
    ],
    "operator_controls": [
      "KWT_ABUSE_GUARD_ENABLED=false temporarily disables the guard; the checks listed under blocks are not enforced while it is off",
      "KWT_REJECT_PROVISIONAL_KEYS=true rejects existing provisional keys",
      "KWT_PROVISIONAL_ALLOW_OFFICIAL_SOURCES=false keeps provisional keys local-only (no official-source lookups)"
    ]
  },
  "storage": {
    "usage_log_configured": true,
    "quota_usage_file_configured": true,
    "api_clients_source": "env_secret_b64"
  },
  "recommended_flow": [
    "GET /.well-known/k-work-trust-agent.json",
    "GET /v1/agent/signup/status",
    "GET /v1/agent/signup/provisional/challenge?agent_label=<agent-label>",
    "POST /v1/agent/signup/provisional",
    "GET /v1/auth/whoami",
    "POST /v1/vendor-onboarding/validate"
  ],
  "first_call": {
    "method": "POST",
    "path": "/v1/vendor-onboarding/validate",
    "body_example": {
      "company_name": "Test Company",
      "registration_number": "1234567891",
      "phone_number": "01012345678"
    },
    "response_contract": {
      "success_fields": [
        "request_id",
        "tool",
        "result.status",
        "result.decision",
        "result.blocking_issues",
        "result.warnings",
        "result.evidence",
        "result.agent_next_action"
      ],
      "decision_meanings": {
        "register_vendor": "Proceed only with normalized_record and retained evidence.",
        "request_human_review": "Pause downstream writes and route warnings/evidence to a human reviewer.",
        "do_not_proceed": "Abort downstream workflow until blocking_issues are corrected."
      },
      "failure_mode_field": "failure_modes",
      "escalation_contract": "Use failure_modes to choose retry, abort, or human/operator escalation without guessing from HTTP status alone."
    }
  },
  "response_contract": {
    "success_fields": [
      "request_id",
      "tool",
      "result.status",
      "result.decision",
      "result.blocking_issues",
      "result.warnings",
      "result.evidence",
      "result.agent_next_action"
    ],
    "decision_meanings": {
      "register_vendor": "Proceed only with normalized_record and retained evidence.",
      "request_human_review": "Pause downstream writes and route warnings/evidence to a human reviewer.",
      "do_not_proceed": "Abort downstream workflow until blocking_issues are corrected."
    },
    "failure_mode_field": "failure_modes",
    "escalation_contract": "Use failure_modes to choose retry, abort, or human/operator escalation without guessing from HTTP status alone."
  },
  "failure_modes": [
    {
      "code": "UNAUTHORIZED",
      "applies_to": [
        "authenticated_api",
        "whoami"
      ],
      "http_status": 401,
      "category": "auth_failure",
      "retry": "do_not_retry_same_key",
      "agent_next_action": "Abort the protected call, verify the key with /v1/auth/whoami, and obtain a valid key through self-serve signup or the operator.",
      "escalation": "human_or_operator_if_the_agent_expected_this_key_to_be_active",
      "safe_to_log": [
        "request_id",
        "error.code"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets"
      ]
    },
    {
      "code": "RATE_LIMITED",
      "applies_to": [
        "authenticated_api",
        "signup"
      ],
      "http_status": 429,
      "category": "temporary_limit",
      "retry": "retry_after_retry_after_seconds",
      "agent_next_action": "Wait for retry_after_seconds before retrying. If the workflow is urgent or repeated rate limits occur, escalate instead of looping.",
      "escalation": "human_review_or_alternative_route_for_time_sensitive_workflows",
      "safe_to_log": [
        "request_id",
        "error.code",
        "retry_after_seconds"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets"
      ]
    },
    {
      "code": "QUOTA_EXCEEDED",
      "applies_to": [
        "authenticated_api"
      ],
      "http_status": 429,
      "category": "quota_exhausted",
      "retry": "do_not_retry_until_resets_at",
      "agent_next_action": "Stop automated calls for this key until resets_at or ask an operator for review. Do not request a manual key in public channels.",
      "escalation": "operator_review_required_for_quota_change",
      "safe_to_log": [
        "request_id",
        "error.code",
        "quota.limit",
        "quota.used",
        "quota.resets_at"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets"
      ]
    },
    {
      "code": "VALIDATION_BLOCKED",
      "applies_to": [
        "workflow_response"
      ],
      "http_status": 200,
      "category": "business_rule_block",
      "retry": "retry_only_after_correcting_input",
      "agent_next_action": "Do not proceed with the workflow action. Preserve blocking_issues and evidence, then collect corrected fields or ask a human reviewer.",
      "escalation": "human_review_if_the_record_is_business_critical",
      "safe_to_log": [
        "request_id",
        "status",
        "decision",
        "blocking_issues",
        "warnings"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets"
      ]
    },
    {
      "code": "MANUAL_REVIEW",
      "applies_to": [
        "workflow_response"
      ],
      "http_status": 200,
      "category": "needs_human_judgment",
      "retry": "do_not_auto_retry_without_new_information",
      "agent_next_action": "Route the normalized record, warnings, and evidence to a human reviewer before creating or updating downstream records.",
      "escalation": "human_review_required_before_downstream_write",
      "safe_to_log": [
        "request_id",
        "status",
        "decision",
        "warnings",
        "evidence"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets"
      ]
    },
    {
      "code": "SOURCE_UNAVAILABLE",
      "applies_to": [
        "workflow_response",
        "official_sources"
      ],
      "http_status": 200,
      "category": "external_source_unavailable",
      "retry": "retry_later_or_continue_local_only_if_policy_allows",
      "agent_next_action": "Use local validation only when acceptable. If official-source evidence is required, pause the workflow and escalate with request_id and evidence.",
      "escalation": "human_or_operator_if_official_source_evidence_is_required",
      "safe_to_log": [
        "request_id",
        "external_status",
        "warnings",
        "evidence"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets"
      ]
    },
    {
      "code": "PROOF_OF_WORK_FAILED",
      "applies_to": [
        "signup"
      ],
      "http_status": 403,
      "category": "signup_challenge_failure",
      "retry": "request_fresh_challenge_and_solve_contract",
      "agent_next_action": "Request a fresh challenge, solve it per the challenge contract using sha256(nonce + ':' + subject + ':' + solution), and avoid repeated blind retries.",
      "escalation": "only_if_repeated_failures_indicate_onboarding_blocker",
      "safe_to_log": [
        "request_id",
        "error.code"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets"
      ]
    },
    {
      "code": "SIGNUP_RATE_LIMITED",
      "applies_to": [
        "signup"
      ],
      "http_status": 429,
      "category": "signup_limit",
      "retry": "wait_before_requesting_another_challenge_or_mutation",
      "agent_next_action": "Wait before continuing signup. Do not ask for a pasted plaintext key; use the self-serve flow after the limit resets.",
      "escalation": "operator_review_only_for_repeated_legitimate_tester_blockers",
      "safe_to_log": [
        "request_id",
        "error.code"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets"
      ]
    },
    {
      "code": "ABUSE_GUARD_BLOCKED",
      "applies_to": [
        "authenticated_api",
        "workflow_request"
      ],
      "http_status": 403,
      "category": "misuse_or_sensitive_input_guard",
      "retry": "do_not_retry_same_payload",
      "agent_next_action": "Stop the request. Remove secrets, sensitive personal identifiers, bulk records, or enumeration-like input before retrying with one synthetic or authorized business record.",
      "escalation": "operator_review_if_the_agent_believes_the_block_is_false_positive",
      "safe_to_log": [
        "request_id",
        "error.code",
        "abuse.reason"
      ],
      "do_not_log": [
        "plaintext_api_key",
        "private_records",
        "secrets",
        "personal_identifiers"
      ]
    }
  ],
  "operator_actions_needed": []
}