Seed Protocol
Draft Standard — Version 1.0 — 2026
Seed/1.0 defines a minimal wire format for transferring context between agents and tools. A seed is a single UTF-8 file simultaneously valid as markdown and bash: two readers, one representation. The protocol specifies three layers (transport, metadata, payload), three operations (pack, plant, grow), a structured vocabulary for grow directives, and an HTTP registry API that any domain can implement. This document is the normative specification.
1.Introduction
HTTP carries hypertext. SMTP carries mail. TCP carries bytes. Every protocol defines a capsule — a unit of transfer — and the semantics governing what happens when it arrives. Software built on large models has no such primitive. Context — the structured information a model needs to act — has no standard wire format. Skills, tools, and prompts ship as zip files, git repositories, bash scripts, or unstructured markdown. Nothing is interoperable. Nothing composes.
The bitter lesson of AI research is that scale beats craft. The same lesson is landing in software: context beats interfaces. A capable model does not need a perfectly-typed schema — it needs context that transfers reliably across boundaries. Seed/1.0 is the wire format for that transfer.
2.Capsule Format
A seed is a single UTF-8 file. It is simultaneously valid markdown (the agent sees prose) and valid bash (the shell sees a self-contained install script). The dual-legibility invariant is the core constraint. Grammar below uses ABNF (RFC 5234).
seed = transport-open metadata payload transport-close
transport-open = usage-comment LF LF bootstrap LF heredoc-open LF
metadata = "---" LF required-fields *meta-field "---" LF LF
payload = *OCTET ; MUST NOT contain sentinel
transport-close= sentinel LF *post-grow
usage-comment = "# Usage: curl -sSL " url " | bash -s <path>"
heredoc-open = "cat > " DQUOTE "$TARGET/" filename DQUOTE " <<'" sentinel "'"
sentinel = "SEED_" 8HEXDIG ; uppercase; 32 bits entropy
required-fields= "seed:" SP version LF grow-field LF
grow-field = "grow:" SP directive ; scalar
/ "grow:" LF 1*grow-item ; sequence, in order
grow-item = SP SP "- " directive LF
version = DQUOTE "1.0" DQUOTE
Figure 1 — Seed anatomy (reload to replay)
transport-open
# Usage: curl -sSL https://seed.show/s/abc12 | bash -s <path>
set -euo pipefail; TARGET="$1"; mkdir -p "$TARGET"
cat > "$TARGET/skill.md" <<'SEED_3F9A1B2C'
metadata
---
seed: "1.0"
type: skill
grow: [unfold, show]
name: my-skill
---
payload
# my-skill
What the agent reads.
curl -sSL https://seed.show/s/abc12 | bash -s <path>
transport-close
SEED_3F9A1B2C
2.1 Transport Layer
The transport layer is POSIX sh. Line 1 of the seed MUST be a usage comment in the form specified by the grammar; it is the primary inspection surface in both reading contexts. The sentinel MUST be SEED_ followed by exactly 8 uppercase hexadecimal digits. The sentinel MUST be verified absent from the payload before emission; implementations choosing a colliding sentinel MUST regenerate. Backward-compatibility: the prefix XDOWN_ is a valid sentinel in conforming implementations of Seed/1.0.
2.2 Metadata Layer
The metadata layer is YAML 1.2 frontmatter. The fields seed and grow are MUST fields. Implementations SHOULD include type (one of skill, tool, context, data, archive) and name. Unknown fields MUST be preserved on round-trip and ignored during growing.
2.3 Payload Layer
The payload is arbitrary UTF-8 content, typically markdown. It MUST NOT contain the sentinel. The dual-legibility invariant holds without transformation: to the agent, the heredoc delimiters read as a fenced block header and trailer; the payload is natural prose. To the shell, the heredoc writes the payload to disk unchanged.
2.4 Archive Encoding
When type: archive, the payload MUST conform to the Seed archive format: YAML frontmatter followed by HTML-comment file sections. The frontmatter MUST include marker: <6-hex>, root: <dir-name>, and at: <ISO-8601>. File sections use the delimiter <!--seed:MARKER@file path="..."-->; the backward-compatible form <!--fold:MARKER@...--> is also valid. Path safety rules from Section 7.2 apply.
archive = arc-meta 1*arc-section arc-end
arc-meta = "---" LF arc-fields "---" LF LF
arc-fields = "seed:" SP version LF "marker:" SP 6HEXDIG LF
"root:" SP dirname LF "at:" SP iso8601 LF
arc-section = file-header LF *OCTET
file-header = "<!--seed:" 6HEXDIG "@file path=" DQUOTE path DQUOTE *attr "-->"
arc-end = "<!--seed:" 6HEXDIG "@end-->"
attr = SP "mode=" DQUOTE 3DIGIT DQUOTE ; unix octal permissions
3.Operations
Three operations are sufficient. They are composable and independently implementable. A conforming implementation of any one is not required to implement the others.
| Operation | Syntax | Definition |
|---|
| pack |
seed pack <dir> |
Serialize a directory tree into a single conforming seed. For multi-file sources, the payload MUST use archive encoding (Section 2.4). Pack is idempotent: packing a seed produces a conforming seed. |
| plant |
seed plant [--to <registry>] |
Publish a seed to a Seed-compatible registry. The registry MUST return a stable URL and an edit key. --url <url> embeds the URL in the usage comment without uploading (local wrap only). Plant is pure: it does not modify the payload or metadata. |
| grow |
curl <url> | bash -s <path> |
Fetch a seed and execute its grow directives at the destination path. Growing is triggered by the transport layer after the seed is written to disk. Receivers MUST fail closed on unknown directives. Subsequent directives in a sequence MUST NOT execute after any failure. |
4.The Grow Directive
The grow: field is the receiver’s instruction set. It accepts a single directive (scalar) or an ordered YAML sequence. Execution is in listed order; fail closed on any failure.
# scalar
grow: unfold
# sequence — in order, fail closed
grow:
- unfold
- show
| Directive | Semantics | Notes |
|---|
| unfold |
Expand the payload as a Seed archive (Section 2.4) into the destination directory. Requires type: archive. |
MUST validate paths; no ../ or absolute paths. |
| show |
Write the payload to stdout. No side effects. Safe default for inspection. |
No execution. Recommended for untrusted seeds. |
| exec |
Execute the payload as a POSIX sh script. $TARGET and $DEST are in scope. |
MUST NOT run untrusted seeds. See Section 7.1. |
| install |
Link $TARGET/<name> into $PATH. Requires name: in metadata. Receiver SHOULD prompt before modifying PATH. |
Requires name: field. |
| copy |
Copy files from the archive to destination without directory creation semantics. |
Path safety rules apply. |
| <url> |
Fetch the resource at the URL and execute as sh. $TARGET and $DEST in scope. URL MUST use HTTPS. |
MUST use HTTPS. Review before use. |
Receivers MUST fail with a non-zero exit and a descriptive message on unknown directives. Silent failure is a protocol violation.
5.Complete Example
A conforming seed for a single-file skill. Transport (blue) wraps metadata (gold) wraps payload (green). This file is simultaneously paste-to-agent and curl | bash.
# Usage: curl -sSL https://seed.show/s/abc12 | bash -s <path>
set -euo pipefail
[ -z "${1:-}" ] && { echo "seed: pass an install path" >&2; exit 1; }
TARGET="$1"; mkdir -p "$TARGET"
cat > "$TARGET/skill.md" <<'SEED_3F9A1B2C'
---
seed: "1.0"
type: skill
grow: show
name: my-skill
---
# my-skill
Use when the user wants to do X.
## Install
curl -sSL https://seed.show/s/abc12 | bash -s <path>
SEED_3F9A1B2C
6.Registry API
Any domain that implements the following endpoints is a conforming Seed registry. The registry stores seeds and serves them at stable URLs. Authentication for mutation operations uses opaque edit keys returned at plant time. The full registry specification is at /registry.
POST /seeds plant a seed; returns {url, id, edit_key, expires_at}
GET /seeds/:id grow a seed; returns raw capsule bytes (text/plain)
PATCH /seeds/:id replant; update content or metadata with edit_key
DELETE /seeds/:id uproot; remove with edit_key
7.Security Considerations
7.1 Execution Trust
The directives exec and grow: <url> execute arbitrary code with the receiver’s privileges. Receivers MUST NOT execute untrusted seeds. The usage comment on line 1 is the inspection surface. CTP does not define authentication; implementations SHOULD verify seed provenance via HTTPS, content-addressable storage, or cryptographic signature before using execution directives.
7.2 Path Safety
Implementations of unfold and copy MUST validate that no archive path resolves outside the destination directory. Paths containing ../ components or beginning with / are invalid and MUST cause the grow operation to fail.
7.3 Sentinel Collision
The sentinel SEED_ followed by 8 uppercase hex digits provides 32 bits of entropy. Implementations MUST scan the payload for the chosen sentinel before emitting. On collision, regenerate; the probability of requiring more than two attempts is negligible for payloads under 1 MB.
8.Conformance
A conforming seed MUST: contain all three layers in fixed order; include seed: "1.0" and grow: in metadata; use a sentinel not present in the payload; begin with a usage comment on line 1.
A conforming pack implementation MUST produce conforming seeds. A conforming plant implementation MUST serve seeds at stable HTTPS URLs. A conforming grow implementation MUST resolve grow directives without silent failure.
9.Implementations
| Operation | Implementation | Endpoint | Status |
|---|
| pack |
fold |
fold.dom.vin |
live |
| plant |
xdown + seed.show |
seed.show |
live |
| grow |
— |
— |
draft |
| registry |
seed.show |
seed.show |
live |
10.Status
ProtocolSeed/1.0
StatusDraft Standard
Published2026
Authoritydom.vin
ObsoletesCTP/1.0 (informally)
Cite as
Vinyard, D. (2026). Seed Protocol, Version 1.0. https://sp.dom.vin/spec