feat: v0.2 release — industrial bridges, protocol spec, discovery, SDKs (998 tests)

Industrial bridge packages:
- @sint/bridge-mqtt-sparkplug: Sparkplug B v3 MQTT → SINT tier mapping (T0-T3),
  safety-critical DCMD/NCMD escalation, estop/interlock keyword detection (8 tests)
- @sint/bridge-opcua: OPC UA 1.05+ PLC/OT adapter, safety-critical node detection,
  T3 for write/call on safety nodes (6 tests)
- @sint/bridge-open-rmf: Open-RMF v2.x fleet dispatch bridge, emergency stop → T3,
  multi-fleet warehouse orchestration (5 tests)

Protocol specification (SIP-0001):
- docs/SINT_v0.2_SPEC.md: frozen public surface (9 nouns), discovery contract,
  compatibility rules, 3 deployment profiles, 7 bridge profiles
- docs/SIPS.md + docs/sips/: governance process for protocol evolution
- @sint/core: BridgeProfile, SiteProfile, ConstraintEnvelope, Revocation types (protocol.ts)
- @sint/core: SINT_BRIDGE_PROFILES (7), SINT_SITE_PROFILES (3), SINT_SCHEMA_CATALOG (6 schemas)
- @sint/core: SINT_OWASP_COVERAGE map (7 full, 2 partial, 1 gap=ASI06)

Discovery endpoints in @sint/gateway-server:
- GET /.well-known/sint.json (full protocol metadata)
- GET /v1/schemas, GET /v1/schemas/{name} (JSON Schema 2020-12 catalog)
- GET /v1/openapi.json (OpenAPI 3.1.0 spec)

Conformance fixtures (5 new, 77 total):
- industrial-benchmark-scenarios.test.ts: human-in-aisle escalation, stale corridor
  denial, revocation-under-load stress test
- industrial-interoperability.test.ts: cross-protocol tier equivalence (A2A→RMF→ROS2
  and Sparkplug both yield T2_ACT for warehouse move intent)

Multi-language SDKs:
- sdks/python/sint_client.py: zero-dependency urllib client
- sdks/go/sintclient/client.go: stdlib HTTP client

CI/CD: .github/workflows/industrial-benchmark-report.yml — automated benchmark
report generation with GitHub Step Summary integration

Total: 998 tests / 0 failures across 27 packages.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: 2 people

.github/workflows/industrial-benchmark-report.yml

@@ -0,0 +1,45 @@
+name: Industrial Benchmark Report
+
+on:
+  workflow_dispatch:
+  push:
+    branches: [master]
+  pull_request:
+    branches: [master]
+
+jobs:
+  generate-benchmark-report:
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: pnpm/action-setup@v4
+        with:
+          version: 9
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: 22
+          cache: pnpm
+
+      - name: Install dependencies
+        run: pnpm install --frozen-lockfile
+
+      - name: Build workspace
+        run: pnpm run build
+
+      - name: Generate industrial benchmark report
+        run: pnpm run benchmark:report
+
+      - name: Publish report summary
+        run: cat docs/reports/industrial-benchmark-report.md >> "$GITHUB_STEP_SUMMARY"
+
+      - name: Upload benchmark artifacts
+        uses: actions/upload-artifact@v4
+        with:
+          name: industrial-benchmark-report
+          path: |
+            docs/reports/industrial-benchmark-vitest.json
+            docs/reports/industrial-benchmark-report.json
+            docs/reports/industrial-benchmark-report.md

README.md

@@ -82,9 +82,13 @@ where each Δ ∈ {0, +1}: human presence detected, trust score below threshold,
 ┌──────────────────▼───────────────────────────────────────────┐
 │  SINT Bridge Layer (L1)                                      │
 │  ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌──────────┐  │
-│  │ bridge-mcp │ │ bridge-ros2│ │ bridge-a2a │ │ (future) │  │
-│  │ MCP tools  │ │ ROS topics │ │ Google A2A │ │ OPC-UA   │  │
+│  │ bridge-mcp │ │ bridge-ros2│ │ bridge-a2a │ │ bridge-  │  │
+│  │ MCP tools  │ │ ROS topics │ │ Google A2A │ │ open-rmf │  │
 │  └────────────┘ └────────────┘ └────────────┘ └──────────┘  │
+│  ┌──────────────────────┐ ┌───────────────────────────────┐  │
+│  │ bridge-mqtt-sparkplug│ │ bridge-opcua                  │  │
+│  │ Industrial IoT       │ │ PLC / OT control plane bridge │  │
+│  └──────────────────────┘ └───────────────────────────────┘  │
 │  Per-resource state: UNREGISTERED→PENDING_AUTH→AUTHORIZED    │
 │  →ACTIVE→SUSPENDED (real-time revocation without restart)    │
 └──────────────────┬───────────────────────────────────────────┘
@@ -120,22 +124,25 @@ where each Δ ∈ {0, +1}: human presence detected, trust score below threshold,
 | [`@sint/bridge-mcp`](packages/bridge-mcp) | MCP tool call interception and risk classification | 43 |
 | [`@sint/bridge-ros2`](packages/bridge-ros2) | ROS 2 topic/service/action interception with physics extraction | 20 |
 | [`@sint/bridge-a2a`](packages/bridge-a2a) | Google A2A Protocol bridge for multi-agent coordination | 24 |
+| [`@sint/bridge-mqtt-sparkplug`](packages/bridge-mqtt-sparkplug) | MQTT Sparkplug profile mapping with industrial command tiering defaults | 8 |
+| [`@sint/bridge-opcua`](packages/bridge-opcua) | OPC UA node/method mapping with safety-critical write/call promotion | 6 |
+| [`@sint/bridge-open-rmf`](packages/bridge-open-rmf) | Open-RMF fleet/facility mapping for warehouse dispatch workflows | 5 |
 | [`@sint/bridge-economy`](packages/bridge-economy) | Economy bridge: balance, budget, trust, billing ports | 55 |
 | [`@sint/persistence`](packages/persistence) | Storage interfaces + in-memory/PG/Redis implementations | 26 |
 | [`@sint/client`](packages/client) | TypeScript SDK for the Gateway API (delegation, SSE) | 12 |
-| [`@sint/conformance-tests`](packages/conformance-tests) | Security regression suite — all phases | 57 |
+| [`@sint/conformance-tests`](packages/conformance-tests) | Security regression suite — all phases | 77 |
 | [`@sint/gateway-server`](apps/gateway-server) | Hono HTTP API with approvals, SSE streaming, A2A routes | 57 |
 | [`@sint/mcp`](apps/sint-mcp) | Security-first multi-MCP proxy server | 90 |
 | [`@sint/dashboard`](apps/dashboard) | Real-time approval dashboard with operator auth | 29 |
-| **Total** | **14 packages** | **815+** |
+| **Total** | **17 packages** | **Workspace-wide conformance suite** |
 
 ## Quick Start
 
 ```bash
 # Prerequisites: Node.js >= 22, pnpm >= 9
 pnpm install
 pnpm run build
-pnpm run test        # 815+ tests
+pnpm run test        # full workspace regression suite
 ```
 
 ### Start the Gateway Server
@@ -145,6 +152,28 @@ pnpm --filter @sint/gateway-server dev
 # → http://localhost:3100/v1/health
 ```
 
+### Standardization and Deployment Artifacts
+
+- v0.2 protocol surface spec: [`docs/SINT_v0.2_SPEC.md`](docs/SINT_v0.2_SPEC.md)
+- SIP governance track: [`docs/SIPS.md`](docs/SIPS.md)
+- Release notes: [`docs/RELEASE_NOTES_v0.2.md`](docs/RELEASE_NOTES_v0.2.md)
+- Conformance/certification matrix: [`docs/CONFORMANCE_CERTIFICATION_MATRIX_v0.2.md`](docs/CONFORMANCE_CERTIFICATION_MATRIX_v0.2.md)
+- Deployment profile templates:
+  - [`docs/profiles/warehouse-amr.policy.template.json`](docs/profiles/warehouse-amr.policy.template.json)
+  - [`docs/profiles/industrial-cell.policy.template.json`](docs/profiles/industrial-cell.policy.template.json)
+  - [`docs/profiles/edge-gateway.policy.template.json`](docs/profiles/edge-gateway.policy.template.json)
+- Runnable demos:
+  - [`examples/hello-world/README.md`](examples/hello-world/README.md)
+  - [`examples/warehouse-amr/README.md`](examples/warehouse-amr/README.md)
+  - [`examples/industrial-cell/README.md`](examples/industrial-cell/README.md)
+- Multi-language SDK starters:
+  - [`sdks/python/sint_client.py`](sdks/python/sint_client.py)
+  - [`sdks/go/sintclient/client.go`](sdks/go/sintclient/client.go)
+- Benchmark report automation:
+  - Script: [`scripts/generate-industrial-benchmark-report.mjs`](scripts/generate-industrial-benchmark-report.mjs)
+  - CI workflow: [`.github/workflows/industrial-benchmark-report.yml`](.github/workflows/industrial-benchmark-report.yml)
+  - Generated artifacts: [`docs/reports/industrial-benchmark-report.md`](docs/reports/industrial-benchmark-report.md)
+
 ## Approval Tiers
 
 Graduated authorization mapped to physical consequence severity:
@@ -242,7 +271,11 @@ The `@sint/bridge-a2a` package implements the Google Agent-to-Agent (A2A) protoc
 
 | Method | Endpoint | Description |
 |--------|----------|-------------|
+| `GET` | `/.well-known/sint.json` | Public protocol discovery (version, bridges, profiles, schemas) |
 | `GET` | `/v1/health` | Health check |
+| `GET` | `/v1/schemas` | List machine-readable public schemas |
+| `GET` | `/v1/schemas/:name` | Fetch schema by name |
+| `GET` | `/v1/openapi.json` | OpenAPI surface for gateway integration |
 | `POST` | `/v1/intercept` | Evaluate a single request |
 | `POST` | `/v1/intercept/batch` | Evaluate multiple requests (207 Multi-Status) |
 | `POST` | `/v1/tokens` | Issue a capability token |
@@ -254,7 +287,7 @@ The `@sint/bridge-a2a` package implements the Google Agent-to-Agent (A2A) protoc
 | `GET` | `/v1/approvals/events` | SSE stream for real-time approval events |
 | `POST` | `/v1/a2a` | JSON-RPC 2.0 A2A protocol endpoint |
 | `GET/POST` | `/v1/a2a/agents` | Agent Card registration |
-| `GET` | `/metrics` | Prometheus metrics |
+| `GET` | `/v1/metrics` | Prometheus metrics |
 
 ## Development Phases
 
@@ -264,7 +297,7 @@ The `@sint/bridge-a2a` package implements the Google Agent-to-Agent (A2A) protoc
 | **Phase 2** (complete) | Engine Core — bridge-mcp, bridge-ros2, engine packages, persistence, gateway-server | +221 (646) |
 | **Phase 3** (complete) | Economy Bridge — @sint/bridge-economy with port/adapter pattern, EconomyPlugin | +91 (737) |
 | **Phase 4** (complete) | Standards Alignment — A2A bridge, rate limiting, M-of-N quorum, W3C DID identity | +78 (815) |
-| **Phase 5** (planned) | Avatar Layer — trust interface, dynamic consent, CSML-driven tier escalation | — |
+| **Phase 5** (complete) | Protocol Surface v0.2 — discovery/OpenAPI/schema endpoints, industrial profiles, token execution metadata | shipped |
 
 ## Tech Stack
 

apps/gateway-server/__tests__/api.test.ts

@@ -60,6 +60,32 @@ describe("Gateway Server API", () => {
     expect(body.protocol).toBe("SINT Gate");
   });
 
+  it("GET /.well-known/sint.json returns discovery metadata", async () => {
+    const res = await app.request("/.well-known/sint.json");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.name).toBe("SINT Protocol");
+    expect(body.version).toBeDefined();
+    expect(Array.isArray(body.supportedBridges)).toBe(true);
+    expect(Array.isArray(body.deploymentProfiles)).toBe(true);
+  });
+
+  it("GET /v1/schemas returns schema catalog", async () => {
+    const res = await app.request("/v1/schemas");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.total).toBeGreaterThan(0);
+    expect(Array.isArray(body.schemas)).toBe(true);
+  });
+
+  it("GET /v1/openapi.json returns OpenAPI document", async () => {
+    const res = await app.request("/v1/openapi.json");
+    expect(res.status).toBe(200);
+    const body = await res.json();
+    expect(body.openapi).toBe("3.1.0");
+    expect(body.paths["/.well-known/sint.json"]).toBeDefined();
+  });
+
   // ── Intercept ──
 
   it("POST /v1/intercept with valid request", async () => {

apps/gateway-server/__tests__/auth.test.ts

@@ -131,6 +131,11 @@ describe("Authentication Middleware", () => {
       expect(res.status).toBe(200);
     });
 
+    it("exempts /.well-known/sint.json from signature requirement", async () => {
+      const res = await app.request("/.well-known/sint.json");
+      expect(res.status).toBe(200);
+    });
+
     it("exempts /v1/keypair from signature requirement", async () => {
       const res = await app.request("/v1/keypair", { method: "POST" });
       expect(res.status).toBe(200);
@@ -179,6 +184,11 @@ describe("Authentication Middleware", () => {
       expect(res.status).toBe(200);
     });
 
+    it("exempts /.well-known/sint.json from API key requirement", async () => {
+      const res = await app.request("/.well-known/sint.json");
+      expect(res.status).toBe(200);
+    });
+
     it("skips API key auth when no key is configured (dev mode)", async () => {
       const devApp = createApp(ctx);
       const res = await devApp.request("/v1/ledger");

apps/gateway-server/src/middleware/auth.ts

@@ -12,7 +12,13 @@ import type { Context, Next } from "hono";
 import { verify } from "@sint/gate-capability-tokens";
 
 /** Paths exempt from all authentication. */
-const EXEMPT_PATHS = new Set(["/v1/health", "/v1/keypair"]);
+const EXEMPT_PATHS = new Set([
+  "/v1/health",
+  "/v1/keypair",
+  "/.well-known/sint.json",
+  "/v1/openapi.json",
+  "/v1/schemas",
+]);
 
 /** Paths that require admin API key (not agent signature). */
 const ADMIN_PATHS = [

apps/gateway-server/src/routes/approvals.ts

@@ -112,6 +112,7 @@ export function approvalRoutes(ctx: ServerContext): Hono {
       agentId: request.request.agentId,
       params: request.request.params,
       physicalContext: request.request.physicalContext,
+      executionContext: request.request.executionContext,
       fallbackAction: request.fallbackAction,
       timeoutMs: request.timeoutMs,
       createdAt: request.createdAt,

apps/gateway-server/src/routes/discovery.ts

@@ -0,0 +1,98 @@
+/**
+ * SINT Gateway Server — Discovery and schema routes.
+ *
+ * Exposes machine-readable protocol metadata and schema catalog.
+ *
+ * Endpoints:
+ * - GET /.well-known/sint.json
+ * - GET /v1/schemas
+ * - GET /v1/schemas/:name
+ * - GET /v1/openapi.json
+ *
+ * @module @sint/gateway-server/routes/discovery
+ */
+
+import { Hono } from "hono";
+import {
+  SINT_PROTOCOL_VERSION,
+  SINT_PROTOCOL_BOUNDARY,
+  SINT_BRIDGE_PROFILES,
+  SINT_SITE_PROFILES,
+  SINT_SCHEMA_CATALOG,
+} from "@sint/core";
+
+export function discoveryRoutes(): Hono {
+  const app = new Hono();
+
+  app.get("/.well-known/sint.json", (c) => {
+    return c.json({
+      name: "SINT Protocol",
+      version: SINT_PROTOCOL_VERSION,
+      boundary: SINT_PROTOCOL_BOUNDARY,
+      identityMethods: ["ed25519", "did:key"],
+      attestationModes: ["intel-sgx", "arm-trustzone", "amd-sev", "tpm2", "none"],
+      deploymentProfiles: SINT_SITE_PROFILES,
+      supportedBridges: SINT_BRIDGE_PROFILES,
+      schemaCatalog: Object.keys(SINT_SCHEMA_CATALOG).map((name) => ({
+        name,
+        path: `/v1/schemas/${name}`,
+      })),
+      openapi: "/v1/openapi.json",
+    });
+  });
+
+  app.get("/v1/schemas", (c) => {
+    return c.json({
+      total: Object.keys(SINT_SCHEMA_CATALOG).length,
+      schemas: Object.keys(SINT_SCHEMA_CATALOG).map((name) => ({
+        name,
+        path: `/v1/schemas/${name}`,
+      })),
+    });
+  });
+
+  app.get("/v1/schemas/:name", (c) => {
+    const name = c.req.param("name");
+    const schema = SINT_SCHEMA_CATALOG[name];
+    if (!schema) {
+      return c.json({
+        error: "Schema not found",
+        available: Object.keys(SINT_SCHEMA_CATALOG),
+      }, 404);
+    }
+    return c.json(schema);
+  });
+
+  app.get("/v1/openapi.json", (c) => {
+    return c.json({
+      openapi: "3.1.0",
+      info: {
+        title: "SINT Gateway API",
+        version: SINT_PROTOCOL_VERSION,
+        description: SINT_PROTOCOL_BOUNDARY,
+      },
+      paths: {
+        "/.well-known/sint.json": { get: { summary: "Protocol discovery document" } },
+        "/v1/health": { get: { summary: "Health status" } },
+        "/v1/metrics": { get: { summary: "Prometheus metrics" } },
+        "/v1/intercept": { post: { summary: "Intercept one request" } },
+        "/v1/intercept/batch": { post: { summary: "Intercept a batch of requests" } },
+        "/v1/tokens": { post: { summary: "Issue capability token" } },
+        "/v1/tokens/delegate": { post: { summary: "Delegate capability token" } },
+        "/v1/tokens/revoke": { post: { summary: "Revoke capability token" } },
+        "/v1/ledger": { get: { summary: "Query evidence ledger" } },
+        "/v1/approvals/pending": { get: { summary: "List pending approvals" } },
+        "/v1/approvals/{requestId}/resolve": { post: { summary: "Resolve approval" } },
+        "/v1/a2a": { post: { summary: "A2A JSON-RPC endpoint" } },
+        "/v1/a2a/agents": { get: { summary: "List A2A agents" }, post: { summary: "Register A2A agent" } },
+        "/v1/schemas": { get: { summary: "List public JSON schemas" } },
+        "/v1/schemas/{name}": { get: { summary: "Fetch schema by name" } },
+      },
+      components: {
+        schemas: SINT_SCHEMA_CATALOG,
+      },
+    });
+  });
+
+  return app;
+}

apps/gateway-server/src/routes/intercept.ts

@@ -32,6 +32,7 @@ export function interceptRoutes(ctx: ServerContext): Hono {
         resource: parsed.data.resource,
         action: parsed.data.action,
         decision: decision.action,
+        executionContext: parsed.data.executionContext,
       },
     });
 
@@ -79,6 +80,7 @@ export function interceptRoutes(ctx: ServerContext): Hono {
           resource: parsed.data.resource,
           action: parsed.data.action,
           decision: decision.action,
+          executionContext: parsed.data.executionContext,
         },
       });
 

apps/gateway-server/src/server.ts

@@ -35,6 +35,7 @@ import { interceptRoutes } from "./routes/intercept.js";
 import { tokenRoutes } from "./routes/tokens.js";
 import { ledgerRoutes } from "./routes/ledger.js";
 import { approvalRoutes } from "./routes/approvals.js";
+import { discoveryRoutes } from "./routes/discovery.js";
 import { economyRoutes, type EconomyRouteContext } from "./routes/economy.js";
 import { a2aRoutes, type A2ARouteContext } from "./routes/a2a.js";
 import type { SintConfig } from "./config.js";
@@ -209,6 +210,7 @@ export function createApp(ctx?: ServerContext, opts?: ServerOptions): Hono {
   app.route("", tokenRoutes(context));
   app.route("", ledgerRoutes(context));
   app.route("", approvalRoutes(context));
+  app.route("", discoveryRoutes());
   app.route("", metricsRoutes());
 
   // Economy routes (optional — only when economy context is configured)

docs/CONFORMANCE_CERTIFICATION_MATRIX_v0.2.md

@@ -0,0 +1,23 @@
+# SINT v0.2 Conformance and Certification Matrix
+
+This matrix tracks canonical fixture coverage for major interoperability paths.
+
+| Path | Protocol Surface | Canonical Fixture | Expected Outcome |
+|---|---|---|---|
+| MCP tool call interception | `@sint/bridge-mcp` + gateway | `packages/conformance-tests/src/bridge-mcp-regression.test.ts` | Correct tiering, denial on invalid token, ledger evidence |
+| A2A delegated task path | `@sint/bridge-a2a` + gateway | `packages/conformance-tests/src/phase4-regression.test.ts` | Unauthorized denied, physical tasks escalated |
+| ROS 2 physical command path | `@sint/bridge-ros2` + gateway | `packages/conformance-tests/src/bridge-ros2-regression.test.ts` | Constraint enforcement, T2/T3 escalation deterministic |
+| MQTT Sparkplug command path | `@sint/bridge-mqtt-sparkplug` + gateway | `packages/conformance-tests/src/industrial-interoperability.test.ts` | Equivalent approval behavior vs ROS2/RMF route |
+| OPC UA control path | `@sint/bridge-opcua` + gateway | `packages/bridge-opcua/__tests__/opcua-resource-mapper.test.ts` | Safety-critical writes/calls elevated |
+| Open-RMF dispatch path | `@sint/bridge-open-rmf` + gateway | `packages/conformance-tests/src/industrial-interoperability.test.ts` | Dispatch actions mapped to T2 escalation |
+| Revocation under load | token store + gateway | `packages/conformance-tests/src/industrial-benchmark-scenarios.test.ts` | No T2/T3 fail-open after revocation |
+| Stale corridor envelope | gateway execution envelope checks | `packages/conformance-tests/src/industrial-benchmark-scenarios.test.ts` | Deterministic deny on stale/mismatch corridor |
+
+## Operational Certification Artifacts
+
+- Discovery contract: `/.well-known/sint.json`
+- Public schema catalog: `/v1/schemas`, `/v1/schemas/:name`
+- OpenAPI surface: `/v1/openapi.json`
+- Benchmark report outputs:
+  - `docs/reports/industrial-benchmark-report.json`
+  - `docs/reports/industrial-benchmark-report.md`