Agent Data Pod Specification

Abstract

This specification defines conventions for storing AI agent data in Solid Pods. It specifies container structures, RDF vocabularies, encryption requirements, and access control patterns that enable portable, user-controlled agent data storage.

The specification is designed to complement the W3C AI Agent Protocol Community Group's work on agent identity, discovery, and communication protocols.

Status of This Document

This is a Draft Specification. It has not been reviewed or endorsed by any standards body. Implementation feedback is welcome via GitHub Issues.

1. Conformance

1.1 Terminology

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119.

1.2 Conformance Levels

2. Pod Structure

An Agent Data Pod extends a standard Solid Pod with agent-specific containers. The following structure MUST be used:

/profile/card                  # WebID profile with agent:AIAgent type
/private/
  └── agent/
      ├── memory/
      │   └── episodes/        # Memory episodes (encrypted)
      ├── state/               # Current agent state (encrypted)
      └── audit/               # Audit trail entries
/public/
  └── agent/
      ├── capabilities.ttl     # Capability declarations
      └── ad.json              # ANP Agent Description

2.1 [A1] Agent Profile

The Pod profile at /profile/card MUST include agent:AIAgent type and MAY include MCP endpoint and capability links.

@prefix foaf: <http://xmlns.com/foaf/0.1/> .
@prefix agent: <https://awkronos.github.io/web/vocab#> .
@prefix schema: <https://schema.org/> .

<#me>
    a foaf:Agent, agent:AIAgent ;
    foaf:name "Personal Assistant" ;
    schema:identifier <did:wba:example.com:user:agent-001> ;
    agent:mcpEndpoint <wss://api.example.com/mcp/agent-001> ;
    agent:capabilities </public/agent/capabilities.ttl#caps> .

2.2 [A2] Private Containers

The /private/agent/ container MUST have access restricted to the Pod owner and explicitly authorized agents.

2.3 [A3] Public Containers

The /public/agent/ container MAY be readable by any authenticated agent for discovery purposes.

3. Memory Episodes

3.1 [A4] Episode Format

Each memory episode MUST be stored as a separate RDF resource with the following required properties:

3.2 [A5] Episode Example

@prefix agent: <https://awkronos.github.io/web/vocab#> .
@prefix dct: <http://purl.org/dc/terms/> .
@prefix xsd: <http://www.w3.org/2001/XMLSchema#> .

<>
    a agent:MemoryEpisode ;
    agent:content "User prefers morning meetings before 10am." ;
    dct:created "2026-02-01T09:30:00Z"^^xsd:dateTime ;
    agent:importance "0.8"^^xsd:decimal ;
    agent:memoryType "semantic" ;
    agent:tag "preferences", "calendar" .

3.3 Memory Sector Taxonomy

The agent:memoryType property aligns with OpenMemory HMD v2 (Human Memory Descriptor) taxonomy:

• episodic — Autobiographical events and experiences
• semantic — Facts, concepts, and general knowledge
• procedural — How-to knowledge and learned processes
• emotional — Affective context and sentiment
• reflective — Meta-cognitive observations about own behavior

4. Capabilities

4.1 [A6] Capability Declarations

Agents SHOULD declare their capabilities publicly at /public/agent/capabilities.ttl.

@prefix agent: <https://awkronos.github.io/web/vocab#> .

<#caps>
    a agent:CapabilitySet ;
    agent:capability [
        a agent:Capability ;
        agent:name "send_email" ;
        agent:description "Send email on behalf of user" ;
        agent:requiredPermission <urn:solid:acl:Write> ;
        agent:protocol <https://modelcontextprotocol.io/>
    ] .

4.2 did:wba Integration

For Agent Network Protocol (ANP) compatibility, the profile MAY include humanAuthorization and keyAgreement verification methods. See Interoperability Guide for details.

5. Security Requirements

5.1 [S1] Encryption at Rest

Contents of /private/agent/memory/ and /private/agent/state/ MUST be encrypted using AES-256-GCM.

5.2 [S2] Key Derivation

Encryption keys MUST be derived using HKDF-SHA256 from a master secret. The Pod URL SHOULD be used as context info.

5.3 [S3] Access Control

Pods MUST implement either Web Access Control (WAC) or Access Control Policy (ACP) for authorization.

5.4 [S4] Audit Trail

All modifications to memory episodes MUST be logged in /private/agent/audit/ with PROV-O compatible provenance.

5.5 [S5] Integrity Verification

Resources SHOULD include cryptographic content hashes using RDFC-1.0 canonicalization and N-Quads serialization.

<>
    agent:contentHash "sha256-uU0nuZNNPgilLlLX2n2r+sSE7+N6U4DukIj3rOLvzek=" ;
    agent:signature "lDkEZ7f9dRvGj5kNpPiXmLqRqYT8oKvT3mLZjQ1nXw4..."^^xsd:base64Binary ;
    agent:signedBy </profile/card#me> .

5.6 [S6] Signature Algorithms

Implementations MUST support the following verification key types:

• Ed25519VerificationKey2020 — RECOMMENDED
• EcdsaSecp256k1VerificationKey2019 — MUST be supported for did:wba compatibility
• JsonWebKey2020 — MAY be supported

5.7 [S7] DPoP Token Binding

Authenticated requests SHOULD use DPoP-bound access tokens per RFC 9449.

5.8 [S8] Multi-User Considerations

When multiple users share a Pod server, agent data MUST be isolated. Cross-user access MUST require explicit WAC/ACP grants.

6. References

Normative References

[RFC2119]

Key words for use in RFCs to Indicate Requirement Levels. https://www.rfc-editor.org/rfc/rfc2119

[SOLID-PROTOCOL]

Solid Protocol, Version 0.11.0. https://solidproject.org/TR/protocol

[WAC]

Web Access Control. https://solid.github.io/web-access-control-spec/

[PROV-O]

PROV-O: The PROV Ontology. https://www.w3.org/TR/prov-o/

[RDFC-1.0]

RDF Dataset Canonicalization. https://w3c.github.io/rdf-canon/spec/

Informative References

[DID-WBA]

ANP did:wba Method. https://agentnetworkprotocol.com/en/specs/03-did-wba-method-specification/

[A2A]

Agent2Agent Protocol. https://a2a-protocol.org/latest/specification/

[MCP]

Model Context Protocol. https://modelcontextprotocol.io/