CAP Integration β Technical Reference
CAPScore Agent integrates with the CROO Commerce Agent Protocol (CAP) to register capabilities, accept orders, run audit pipelines, and deliver cryptographically-verifiable proof of results.
Order Lifecycle
CROO Network CAPScore cap-provider (TS) CAPScore API (Python)
β β β
β WebSocket: new_order β β
ββββββββββββββββββββββββββββββββΊβ β
β β POST /jobs/{capability} β
β ββββββββββββββββββββββββββββββββΊβ
β β β create job (PENDING)
β β {job_id, status: "pending"} β
β βββββββββββββββββββββββββββββββββ
β β β background: run workers
β β β - repo_reproducer
β β β - cap_inspector
β β β - claim_verifier
β β β - security_scanner
β β β - readme_rewriter
β β β - demo_coach
β β β compute scorecard
β β GET /jobs/{job_id} (poll) β build proof pack
β ββββββββββββββββββββββββββββββββΊβ
β β {status: "done", scorecard} β
β βββββββββββββββββββββββββββββββββ
β β β
β CAP delivery: proof_pack_url β β
βββββββββββββββββββββββββββββββββ β
β β β
SDK Methods Used
Registration (registerCapabilities.ts)
import { CROOClient } from "@croo/agent-sdk";
const client = new CROOClient({
apiKey: process.env.CROO_SDK_KEY,
agentId: process.env.CAPSCORE_AGENT_ID,
});
// Register all 3 capabilities
await client.registerCapability({
id: "audit_repository",
schema: AUDIT_REPO_SCHEMA,
pricing: { amount: 0.05, currency: "CROO" },
sla: { max_seconds: 300 },
});
await client.registerCapability({
id: "audit_agent_listing",
schema: AUDIT_AGENT_SCHEMA,
pricing: { amount: 0.08, currency: "CROO" },
sla: { max_seconds: 480 },
});
await client.registerCapability({
id: "verify_claims",
schema: VERIFY_CLAIMS_SCHEMA,
pricing: { amount: 0.02, currency: "CROO" },
sla: { max_seconds: 120 },
});
Order Handling (orderHandler.ts)
client.onOrder(async (order) => {
const response = await fetch(`${process.env.CAPSCORE_API_URL}/jobs/${order.capability}`, {
method: "POST",
headers: { "Content-Type": "application/json" },
body: JSON.stringify(order.input),
});
const job = await response.json();
// Poll until done
const result = await pollUntilDone(job.job_id);
// Deliver proof via CAP
await client.deliverProof(order.id, {
result: result.scorecard,
proof_pack_url: result.proof_pack_url,
result_hash: result.result_hash,
});
});
Proof Delivery (deliverProof.ts)
await client.deliverProof(orderId, {
status: "completed",
output: {
scorecard: job.scorecard,
overall_score: job.scorecard.overall_score,
result_hash: job.result_hash,
proof_pack_url: job.proof_pack_url,
a2a_calls: job.a2a_calls,
},
proof: {
hash: job.result_hash,
algorithm: "sha256",
canonical: "json-sorted-keys",
},
});
Capability Schemas
audit_repository
{
"type": "object",
"required": ["github_url"],
"properties": {
"github_url": {
"type": "string",
"description": "HTTPS URL of the GitHub repository to audit"
},
"branch": {
"type": "string",
"default": "main",
"description": "Branch to audit"
},
"run_tests": {
"type": "boolean",
"default": true,
"description": "Whether to attempt running the test suite"
},
"run_security_scan": {
"type": "boolean",
"default": true,
"description": "Whether to scan for hardcoded secrets and dangerous patterns"
},
"expected_start_command": {
"type": "string",
"description": "Optional override for the detected start command"
}
},
"additionalProperties": false
}
audit_agent_listing
{
"type": "object",
"required": ["agent_listing_url"],
"properties": {
"agent_listing_url": {
"type": "string",
"description": "CROO Agent Store listing URL"
},
"github_url": {
"type": "string",
"description": "GitHub repository URL (optional but improves score accuracy)"
},
"demo_url": {
"type": "string",
"description": "Demo video URL (YouTube, Loom, etc.)"
},
"claimed_tracks": {
"type": "array",
"items": { "type": "string" },
"description": "Hackathon tracks the agent is submitted to"
},
"depth": {
"type": "string",
"enum": ["quick", "standard", "deep"],
"default": "standard",
"description": "Audit depth: quick=2min, standard=5min, deep=10min"
}
},
"additionalProperties": false
}
verify_claims
{
"type": "object",
"required": ["claims"],
"properties": {
"claims": {
"type": "array",
"items": { "type": "string" },
"minItems": 1,
"maxItems": 20,
"description": "List of claims to verify"
},
"evidence_urls": {
"type": "array",
"items": { "type": "string" },
"description": "URLs to use as evidence (GitHub, Agent Store, demo video)"
},
"strictness": {
"type": "string",
"enum": ["lenient", "standard", "strict"],
"default": "standard",
"description": "How strictly to evaluate claims"
}
},
"additionalProperties": false
}
Output Schema (all capabilities)
{
"job_id": "capscore_YYYYMMDD_HHMMSS_hex8",
"status": "done | failed | pending | running",
"capability": "audit_repository | audit_agent_listing | verify_claims",
"created_at": "ISO-8601",
"completed_at": "ISO-8601",
"scorecard": {
"overall_score": 84.0,
"technical_execution": { "score": 85.7, "notes": "...", "checks": [] },
"a2a_composability": { "score": 85.7, "notes": "...", "checks": [] },
"innovation": { "score": 80.0, "notes": "...", "checks": [] },
"adoption_readiness": { "score": 83.3, "notes": "...", "checks": [] },
"presentation_readiness": { "score": 80.0, "notes": "...", "checks": [] },
"critical_issues": ["..."],
"top_fixes": ["..."]
},
"result_hash": "sha256:<hex64>",
"proof_pack_url": "https://<host>/jobs/<job_id>/proof-pack.zip",
"a2a_calls": [
{
"provider_agent": "source-verifier-mock",
"cap_order_id": "order_sv_001",
"task": "verify_github_source",
"result_hash": "sha256:...",
"status": "cleared",
"started_at": "ISO-8601",
"completed_at": "ISO-8601"
}
]
}
Proof Delivery Format
When CAPScore delivers a CAP proof to the ordering agent, the payload is:
{
"status": "completed",
"output": {
"scorecard": { "...": "..." },
"overall_score": 84.0,
"result_hash": "sha256:e3b0c44298fc1c149afbf4c8996fb924...",
"proof_pack_url": "https://capscore.croo.network/jobs/.../proof-pack.zip"
},
"proof": {
"hash": "sha256:e3b0c44298fc1c149afbf4c8996fb924...",
"algorithm": "sha256",
"canonical": "json-sorted-keys",
"description": "SHA-256 of canonical JSON (sort_keys=True, no whitespace)"
}
}
The result_hash is computed as:
import json, hashlib
canonical = json.dumps(scorecard_dict, sort_keys=True, ensure_ascii=False, separators=(",", ":"))
result_hash = "sha256:" + hashlib.sha256(canonical.encode("utf-8")).hexdigest()
Any agent that receives this proof can independently verify it against the downloaded proof pack.
A2A Call Format
When CAPScore calls a sub-agent (e.g., security-scanner-mock), it uses:
const subResult = await crooClient.placeOrder({
agentId: "security-scanner-mock",
capability: "scan_secrets",
input: { github_url: repoUrl },
timeout: 120,
});
// Logged in manifest.json as:
{
"provider_agent": "security-scanner-mock",
"cap_order_id": "order_sec_001",
"task": "scan_secrets",
"result_hash": subResult.proof.hash,
"status": "cleared",
"started_at": "...",
"completed_at": "..."
}
Each sub-agent result hash is included in the CAPScore manifest, creating a chain of provenance from buyer order to final proof pack.