{"version":"wab-trust-handshake/1.1","description":"Recommended Ring 4 trust handshake between a sovereign agent and a WAB-enrolled domain.","steps":[{"n":1,"action":"DNS lookup","detail":"Agent queries _wab.<domain> TXT and reads { endpoint, pk }."},{"n":2,"action":"Fetch manifest","detail":"Agent GETs /.well-known/wab.json from the published endpoint."},{"n":3,"action":"Verify signature","detail":"Agent verifies the Ed25519 signature on payload using pk from DNS."},{"n":4,"action":"Resolve trust","detail":"Agent reads trust_profile.* — capabilities, constraints, ttl_seconds."},{"n":5,"action":"Bind invariants","detail":"Agent loads /api/ring4/invariants and freezes them above trust softening."},{"n":6,"action":"Send trust headers","detail":"Subsequent requests include X-WAB-Trust-Domain + X-WAB-Signature + X-WAB-Trust-Nonce."},{"n":7,"action":"Log interaction","detail":"Agent POSTs to /api/ring4/log with its project_id, event_type, outcome."},{"n":8,"action":"Refresh","detail":"When now > expires_at, restart from step 1."}],"invariant":"Trust softens refusals but never overrides hard constitutional boundaries.","test_vectors":{"register_profile":"POST /api/ring4/register { domain, capabilities, constraints, project_id }","fetch_status":"GET  /api/ring4/status/<domain>","verify_sig":"POST /api/ring4/verify  { domain, message, signature }","log_event":"POST /api/ring4/log     { project_id, domain, event_type, outcome }","project_log":"GET  /api/ring4/log/<project_id>"}}