Schema exchange MUST NOT require request-response negotiation. The sender proactively includes schemas before data when the receiver has not seen them. No round trips, no handshake, no "do you have this schema?" queries.

Each peer tracks which schemas it has sent to the other side. When a peer is about to send data of a type the other side has not seen, it sends the schema first. The receiver never requests schemas — the sender pushes them.

Schemas MUST be encoded using CBOR (RFC 8949). CBOR is self-describing and does not require a schema to parse — avoiding the chicken-and-egg problem of needing a schema to read a schema. Postcard is used for data; CBOR is used for metadata about data.

A schema for a given type ID MUST be sent at most once per connection. Once a peer has sent a schema, it records the type ID as "sent" and does not send it again for the lifetime of the connection.

A type ID is a u64 content hash — a deterministic structural hash of a type declaration's postcard-level definition. For generic types, the hash is of the declaration (with type variable slots), not of any specific instantiation. The same declaration always produces the same hash, regardless of which connection, session, process, or language produced it. On the wire (CBOR), a type ID is encoded as a CBOR unsigned integer.

The content hash of a type declaration is computed by feeding a canonical byte sequence into blake3, then taking the first 8 bytes of the output as a little-endian u64. The canonical byte sequence is constructed by updating the hasher with the components described below.

• Strings (field names, variant names, tag strings, type parameter names) are fed as their byte length as a u32 in little-endian order, followed by the raw UTF-8 bytes. The length prefix ensures the encoding is injective — no two different type structures produce the same byte sequence.
• u64 values (array lengths) are fed as 8 bytes in little-endian order.
• u32 values (variant indices) are fed as 4 bytes in little-endian order.
• TypeRef values are fed according to r[schema.type-id.hash.typeref].

Implementations MUST produce identical hashes for structurally identical type declarations regardless of the source language.

For recursive types, see r[schema.hash.recursive].

A TypeRef is fed into the hasher as follows:

• Concrete without args: the tag "concrete" then the type's content hash (8 bytes, little-endian)
• Concrete with args: the tag "concrete" then the type's content hash (8 bytes, little-endian), then the tag "args", then each argument's TypeRef encoding in order (recursive)
• Var: the tag "var" then the parameter name (length-prefixed UTF-8 string)

The hash of a primitive type is blake3(len(tag) || tag)[0..8] where len(tag) is the tag's byte length as a u32 LE, and tag is one of the following UTF-8 strings:

These 18 hashes are constants. Implementations MAY precompute them.

To hash a struct, update the hasher with:

1. The tag "struct"
2. The type name (length-prefixed UTF-8 string)
3. The number of type parameters as a u32 (4 bytes, LE)
4. Each type parameter name (length-prefixed UTF-8 string), in order
5. For each field, in declaration order: a. The field name (length-prefixed UTF-8 string) b. The field's TypeRef (see r[schema.type-id.hash.typeref])

To hash an enum, update the hasher with:

1. The tag "enum"
2. The type name (length-prefixed UTF-8 string)
3. The number of type parameters as a u32 (4 bytes, LE)
4. Each type parameter name (length-prefixed UTF-8 string), in order
5. For each variant, in declaration order: a. The variant name (length-prefixed UTF-8 string) b. The variant index as a u32 (4 bytes, little-endian) c. The payload tag: "unit", "newtype", "tuple", or "struct" d. For newtype payloads: the inner TypeRef e. For tuple payloads: each element's TypeRef, in order f. For struct payloads: each field as in r[schema.type-id.hash.struct] step 5 (name then TypeRef, in order)

To hash a container type, update the hasher with:

• List: "list" then the element TypeRef
• Option: "option" then the element TypeRef
• Array: "array" then the element TypeRef, then the length as a u64 (8 bytes, little-endian)
• Map: "map" then the key TypeRef, then the value TypeRef

To hash a tuple, update the hasher with:

1. The tag "tuple"
2. Each element's TypeRef, in order

To hash a channel type, update the hasher with:

1. The tag "channel"
2. The direction: "send" or "recv"
3. The element TypeRef
4. The initial credit as a u32 (4 bytes, little-endian)

Every connection starts with zero schema knowledge. A peer MUST NOT assume that schemas sent on one connection are available on another, even within the same session. Each connection half has its own sent/received tracking. However, because type IDs are content hashes, a peer MAY use a previously received schema (from another connection or a persistent cache) to build a translation plan without waiting for the schema to be resent — as long as it does not send data until the remote peer has confirmed (by sending its own schemas) that it can read it.

To compute content hashes for a mutually recursive group of types:

1. Preliminary hashes. Hash each type in the group using the normal rules (see r[schema.type-id.hash]), except that any reference to another type in the same recursive group is replaced with 8 zero bytes (the sentinel). References to types outside the group use their real content hashes as normal. The result is one preliminary hash per type.

2. Deduplication. If two types in the group have identical canonical byte sequences (the full input to blake3 from step 1), they are structurally identical at the postcard level and MUST be deduplicated — collapsed to a single entry before proceeding. (Type identity is structural; two nominal types with the same postcard-level structure are the same type.)

3. Canonical ordering. Sort the (now-unique) types by their preliminary hash (ascending, unsigned integer comparison). In the unlikely event that two types have the same preliminary hash but different canonical byte sequences (a 64-bit collision), break the tie by lexicographic comparison of their canonical byte sequences.

4. Final hashes. Compute the group hash as blake3(preliminary_hash_0 || preliminary_hash_1 || ...)[0..8] where the preliminary hashes are concatenated in canonical order. Then each type's final content hash is blake3(group_hash || index)[0..8] where index is the type's position in the canonical order, encoded as a u64 in little-endian order.

These final hashes are the types' TypeSchemaIds — plain u64 values, indistinguishable from non-recursive type hashes. No special representation is needed on the wire or in data structures.

A non-recursive type does not participate in this algorithm. Its content hash is computed directly from its structure as described in r[schema.type-id.hash].

A schema MUST be a CBOR map containing:

• id — a CBOR unsigned integer (the type declaration's content hash)
• type_params — a CBOR array of type parameter names (UTF-8 strings). Empty array for non-generic types. MAY be omitted if empty.
• kind — one of: "struct", "enum", "tuple", "list", "map", "array", "option", "channel", "primitive"
• Kind-specific fields as defined below

A TypeSchemaId MUST be encoded as a CBOR unsigned integer.

A TypeRef MUST be encoded as one of:

• A CBOR map {"concrete": type_id} — a non-generic concrete type
• A CBOR map {"concrete": type_id, "args": [type_ref, ...]} — a generic type with type arguments (each argument is itself a TypeRef)
• A CBOR map {"var": name} — a reference to a type parameter of the enclosing schema's type_params list, by name (UTF-8 string)

A primitive schema MUST contain:

• kind: "primitive"
• primitive_type: one of "bool", "u8", "u16", "u32", "u64", "u128", "i8", "i16", "i32", "i64", "i128", "f32", "f64", "char", "string", "unit", "bytes", "payload"

A struct schema MUST contain:

• kind: "struct"
• name: the type name (UTF-8 string, MUST NOT be empty)
• fields: a CBOR array of field descriptors, each a map with:
  • name: field name (UTF-8 string)
  • type_ref: a TypeRef (see r[schema.format.type-ref])
  • required: a CBOR boolean — true if the field has no default value, false if it does

Fields MUST be listed in declaration order (which is also postcard serialization order).

An enum schema MUST contain:

• kind: "enum"
• name: the type name (UTF-8 string, MUST NOT be empty)
• variants: a CBOR array of variant descriptors, each a map with:
  • name: variant name (UTF-8 string)
  • index: the postcard variant index (u32)
  • payload: one of:
    • "unit" — no payload
    • {"newtype": type_ref} — single value
    • {"tuple": [type_ref, ...]} — tuple of unnamed values
    • {"struct": [field_descriptors...]} — struct variant (field descriptors follow r[schema.format.struct])

Container schemas MUST contain:

• kind: "list", "map", "array", or "option"
• element: a TypeRef (for list, array, option)
• key and value: TypeRefs (for map)
• length: a u64 (for array only)

Sets (HashSet<T>, BTreeSet<T>, etc.) have the same postcard encoding as lists and MUST use kind: "list". The schema does not distinguish between ordered and unordered sequences.

A tuple schema MUST contain:

• kind: "tuple"
• elements: a CBOR array of TypeRefs, one per element, in order

The elements array MUST contain at least one element. A zero-element tuple is not valid — use PrimitiveType::Unit instead.

A channel schema MUST contain:

• kind: "channel"
• direction: "send" or "recv"
• element: a TypeRef for the channel's element type
• initial_credit: a u32 — the initial flow-control credit (buffer size) for this channel

Channels are serialized as () (unit) on the wire. The actual channel ID is passed out-of-band in the message's channels field. The schema records the direction, element type, and credit so that translation plans can correctly map channel positions across schema versions.

When sending schemas for a recursive group, the sender MUST include all schemas in the group that have not already been sent on this connection. The receiver MUST be able to resolve every TypeSchemaId referenced in the schemas using either the schemas included in the current SchemaPayload or schemas previously received on this connection.

When a SchemaMessage includes schemas, the set of schemas MUST be self-contained. Every TypeSchemaId referenced by any schema in the set MUST either be defined in the same set or have been previously sent on this connection. The receiver MUST be able to build translation plans for all included types before deserializing the payload.

Application-level schemas are delivered as a standalone SchemaMessage containing a CBOR-encoded SchemaPayload. The payload MUST include:

• All schemas needed for the method's types that have not been previously sent on this connection
• The root TypeSchemaId for one (method_id, direction) binding

The root type for a response is always the full Result<T, VoxError<E>> wire type, regardless of whether the handler succeeded or failed.

A SchemaMessage binds exactly one (method_id, direction) pair. If all schemas for that method's types have already been sent on this connection, the schemas array MAY be empty — but the binding message MUST still be sent the first time this (method_id, direction) pair is introduced on the connection. The receiver needs the binding to know which previously-sent TypeSchemaId is the root for this method. Sending a schema whose TypeSchemaId has already been sent on this connection is a protocol error.

Each peer MUST track the set of type IDs for which it has sent schemas to the other peer. This set starts empty and grows monotonically over the connection lifetime.

Each peer MUST track the set of type IDs for which it has received schemas from the other peer. This set starts empty and grows monotonically over the connection lifetime.

When a schema is sent, all type IDs transitively referenced by that schema are also marked as sent. A schema payload is self-contained (see r[schema.format.self-contained]), so sending a struct schema implicitly sends the schemas of all its field types, their field types, and so on.

Each peer MUST track the set of (method_id, direction) pairs for which it has sent method bindings on this connection. A binding MUST be sent the first time a method's schemas are delivered for a given direction, even if all the schemas themselves were already sent by a previous call to a different method.

Before sending a Request, the caller MUST check whether the schemas for the method's argument types have been sent to this peer on this connection. If any have not, the caller MUST send a SchemaMessage carrying all unsent schemas and the method binding before sending the Request (see r[schema.format.delivery]).

Before sending any Response for a method, the callee MUST check whether the schemas for the method's statically-known response type have been sent to this peer on this connection. If any have not, the callee MUST send a SchemaMessage carrying all unsent schemas and the method binding before sending the Response.

The response schema is determined by the method signature — it is the full Result<T, VoxError<E>> wire type. It MUST NOT vary based on whether the handler succeeded or failed. Sending schemas for a different type (e.g. Result<(), VoxError<E>> when the method returns Result<T, VoxError<E>>) is a protocol error.

Channel element types are included in schema exchange. If a method's arguments contain Tx<T> or Rx<T>, the schema for T MUST be included in the caller's schemas. Channels MUST NOT appear in return types (see r[rpc.channel.placement]).

Application-level schema exchange is mandatory. If a peer receives a Request or Response and either (a) the schemas for any referenced type have not been received on that connection, or (b) no method binding for this (method_id, direction) pair has been received on this connection, this is a protocol error and the connection MUST be torn down. The sender is always responsible for sending both schemas and bindings before the data that needs them.

If the caller has already sent schemas for a method's argument types (from a previous call to the same or different method using the same types), no schemas need to be included. The r[schema.principles.once-per-type] rule applies — each type ID is sent at most once. However, the binding for a new (method_id, direction) pair MUST still be sent in its own SchemaMessage even when all schemas are already known (see r[schema.tracking.bindings]).

The method ID MUST be computed as:

method_id = blake3(kebab(ServiceName) + "." + kebab(methodName))[0..8]

The signature hash (sig_bytes from r[signature.hash.algorithm]) is excluded. Only the service name and method name contribute to the method ID.

Fields MUST be matched by name, not by position. For each field in the local type, the translation plan looks up the corresponding field in the remote schema by name. If found, the plan records the remote field's position so the deserializer knows which postcard field to read.

If the remote schema contains fields that do not exist in the local type, those fields MUST be skipped during deserialization. The translation plan records how many bytes to skip for each unknown remote field, based on the remote field's type schema.

If the local type contains fields that do not exist in the remote schema, those fields MUST be filled with their default values. Whether a field has a default is determined by the local type definition (e.g. a #[facet(default)] annotation in Rust, or equivalent in other languages) — this information is not part of the remote schema. Local fields without default values that are missing from the remote schema cause a translation plan error (see r[schema.errors.missing-required]).

If fields exist in both the local and remote types but in different order, the translation plan MUST handle the reordering. The deserializer reads postcard bytes in remote field order but writes values into local field positions.

For each matched field, the remote field type and local field type MUST be compatible. Two types are compatible if:

• They are the same primitive type
• They are both containers of the same kind with compatible element types
• They are both structs and a nested translation plan can be built
• They are both enums and variant matching succeeds (see r[schema.translation.enum])
• They are both tuples and tuple matching succeeds (see r[schema.translation.tuple])

Schema exchange does NOT affect serialization. A peer always serializes using its own local type definition and postcard. The translation plan applies only on the deserialization side — the receiver adapts to the sender's layout.

Enum variants MUST be matched by name, not by variant index. The translation plan maps remote variant names to local variant indices and records how to deserialize each variant's payload.

If a remote enum has variants that the local type does not, those variants are skippable in the schema but cause an error at runtime if actually received. The translation plan records that these variants exist in the remote schema; if a message arrives with an unknown variant, the deserializer MUST return an error.

If the local enum has variants that the remote schema does not, this is fine — those variants will never appear in data from that remote peer. No error is needed. The local peer can still use those variants when sending data.

For each variant that exists in both the remote and local types, the variant payloads MUST be compatible: unit matches unit, newtype matches newtype with a compatible inner type, tuple matches tuple with compatible elements (see r[schema.translation.tuple]), struct matches struct with compatible fields (same rules as top-level struct matching).

Tuple types MUST have the same arity (number of elements) in both the remote and local types. For each position, the remote element type and local element type MUST be compatible (per r[schema.translation.type-compat]). Adding, removing, or reordering tuple elements is a breaking change.

Type incompatibilities MUST be detected at translation-plan construction time, not during deserialization of individual messages. When a peer receives a schema and attempts to build a translation plan against a local type, all structural incompatibilities MUST be reported before any data of that type is processed.

A translation plan failure is a call-level error, not a connection-level fault. The connection remains open and other method calls are unaffected. This is distinct from missing schemas entirely (a protocol error per r[schema.exchange.required]), which tears down the connection.

If the callee cannot build a translation plan for incoming request arguments, it MUST respond with an error describing the incompatibility (including a diff of the remote schema versus the local type).

If the caller cannot build a translation plan for an incoming response, the failure is local — the call's result resolves to an error. There is no further message to send; the response has already been received.

A translation plan failure is non-retryable for the life of the connection to that remote peer. The remote peer's schema for a given type does not change while the connection is open, so retrying the same call will always reproduce the same translation plan failure. Callers MUST treat a translation plan failure as non-retryable (see r[rpc.fallible.vox-error.retryable]).

If a local struct has a field without a default value that is not present in the remote schema, the translation plan MUST fail with an error identifying the missing field by name and type. Whether a field has a default is a property of the local type definition, not of the remote schema (see r[schema.translation.fill-defaults]).

If a field exists in both the remote and local types but the types are incompatible (e.g., remote has u32, local has String), the translation plan MUST fail with an error identifying the field, the remote type, and the local type.

If a message arrives containing an enum variant that exists in the remote schema but not in the local type, the deserializer MUST return an error for that specific message. This is a runtime error because the translation plan cannot predict which variant a given message will contain.

All schema-related errors MUST include:

• The remote type ID
• The local type name (for diagnostics)
• The specific incompatibility (missing field, type mismatch, etc.)
• For field-level errors: the field name and both the remote and local field types

Implementations SHOULD provide tooling to snapshot the schemas of a service's types. A snapshot captures the full schemas for every type used in the service's method signatures.

Implementations SHOULD provide tooling to compare two snapshots and report:

• Compatible changes — changes where a translation plan can be built in both directions (e.g., adding an optional field)
• One-way compatible changes — changes where old can read new but not vice versa (e.g., adding a required field with a default)
• Breaking changes — changes where no translation plan can be built (e.g., removing a required field, changing a field's type incompatibly)

Schema compatibility checks SHOULD be integrated into CI pipelines. Breaking changes should fail the build unless explicitly acknowledged.

A breaking change is one where a translation plan cannot be built between the old and new versions. Whether a breaking change is acceptable depends on the project's deployment model (rolling updates vs. coordinated releases). The tooling reports facts; policy is up to the project.

Channels are unaffected by schema exchange beyond their element types. Channel semantics (creation, flow control, close, reset) are unchanged. The element type's schema is exchanged as part of the method's argument or response schemas (see r[schema.exchange.channels]), and translation plans apply to channel items the same way they apply to request/response payloads.

Operation stores MUST store schemas alongside serialized payloads. A sealed operation contains postcard-encoded bytes that are only meaningful together with the schemas that describe them. When replaying a sealed response, the replaying peer MUST send schemas for the response types on the current connection if they have not already been sent, just as it would for a live response.

Because type IDs are content hashes, the operation store does not need a per-connection schema ID namespace. The stored schemas use the same content hashes regardless of which connection originally produced them or which connection replays them. A disk-backed operation store that survives process restarts can use content hashes as stable keys for its schema cache.

Metadata is unaffected by schema exchange. Metadata key-value pairs are not typed in the postcard sense and do not participate in schema exchange.