agentrust-trace 0.1.0__py3-none-any.whl

agentrust_trace/__init__.py

@@ -0,0 +1,36 @@
+"""agentrust-trace — TRACE v0.1 Trust Record models and validation."""
+
+from agentrust_trace.models import (
+    Appraisal,
+    BuildProvenance,
+    ConfirmationKey,
+    JWK,
+    ModelInfo,
+    PolicyInfo,
+    RuntimeInfo,
+    ToolTranscript,
+    TrustRecord,
+)
+from agentrust_trace.validate import (
+    iter_errors,
+    SCHEMA,
+    validate_json,
+)
+
+__version__ = "0.1.0"
+
+__all__ = [
+    "__version__",
+    "Appraisal",
+    "BuildProvenance",
+    "ConfirmationKey",
+    "JWK",
+    "ModelInfo",
+    "PolicyInfo",
+    "RuntimeInfo",
+    "ToolTranscript",
+    "TrustRecord",
+    "SCHEMA",
+    "iter_errors",
+    "validate_json",
+]

agentrust_trace/models.py

@@ -0,0 +1,109 @@
+from __future__ import annotations
+
+from typing import Annotated, Literal
+
+from pydantic import BaseModel, ConfigDict, Field
+
+_DIGEST_RE = r"^sha(256|384):[0-9a-f]+"
+
+DigestStr = Annotated[str, Field(pattern=_DIGEST_RE)]
+
+
+class ModelInfo(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    provider: str
+    model_id: str
+    version: str | None = None
+    weights_digest: DigestStr | None = None
+    aibom_uri: str | None = None
+
+
+class RuntimeInfo(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    platform: Literal[
+        "intel-tdx",
+        "amd-sev-snp",
+        "nvidia-h100",
+        "nvidia-blackwell",
+        "aws-nitro",
+        "arm-cca",
+        "google-confidential-space",
+        "tpm2",
+    ]
+    measurement: DigestStr
+    rim_uri: str | None = None
+    nonce: str | None = None
+    firmware_version: str | None = None
+
+
+class PolicyInfo(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    bundle_hash: DigestStr
+    enforcement_mode: Literal["enforce", "advisory", "silent"]
+    version: str | None = None
+    policy_uri: str | None = None
+
+
+class ToolTranscript(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    hash: DigestStr
+    call_count: Annotated[int, Field(ge=0)] | None = None
+    transcript_uri: str | None = None
+
+
+class BuildProvenance(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    slsa_level: Annotated[int, Field(ge=1, le=3)]
+    builder: str | None = None
+    digest: DigestStr
+    provenance_uri: str | None = None
+
+
+class Appraisal(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    status: Literal["affirming", "warning", "contraindicated", "none"]
+    verifier: str
+    policy_ref: str | None = None
+    timestamp: int | None = None
+
+
+class JWK(BaseModel):
+    # JWK params vary by key type (EC, OKP, RSA) — allow unknown members per RFC 7517
+    model_config = ConfigDict(extra="allow")
+
+    kty: str
+    crv: str | None = None
+    x: str | None = None
+    y: str | None = None
+    kid: str | None = None
+
+
+class ConfirmationKey(BaseModel):
+    model_config = ConfigDict(extra="forbid")
+
+    jwk: JWK
+
+
+class TrustRecord(BaseModel):
+    """TRACE v0.1 Trust Record — hardware-attested governance evidence for an AI agent execution."""
+
+    model_config = ConfigDict(extra="forbid")
+
+    eat_profile: Literal["tag:agentrust.io,2026:trace-v0.1"]
+    iat: Annotated[int, Field(ge=1700000000)]
+    subject: Annotated[str, Field(pattern=r"^spiffe://")]
+    model: ModelInfo
+    runtime: RuntimeInfo
+    policy: PolicyInfo
+    data_class: str
+    tool_transcript: ToolTranscript | None = None
+    build_provenance: BuildProvenance
+    appraisal: Appraisal
+    transparency: str
+    cnf: ConfirmationKey

agentrust_trace/schema/trace-v0.1.json

@@ -0,0 +1,243 @@
+{
+  "$schema": "https://json-schema.org/draft/2020-12/schema",
+  "$id": "https://agentrust.io/schema/trace-v0.1.json",
+  "title": "TRACE Trust Record",
+  "description": "A TRACE v0.1 Trust Record — hardware-attested governance evidence for an AI agent execution.",
+  "type": "object",
+  "required": [
+    "eat_profile",
+    "iat",
+    "subject",
+    "model",
+    "runtime",
+    "policy",
+    "data_class",
+    "build_provenance",
+    "appraisal",
+    "transparency",
+    "cnf"
+  ],
+  "properties": {
+    "eat_profile": {
+      "type": "string",
+      "const": "tag:agentrust.io,2026:trace-v0.1",
+      "description": "EAT profile URI identifying this as a TRACE v0.1 Trust Record."
+    },
+    "iat": {
+      "type": "integer",
+      "description": "Issued-at time as Unix epoch seconds.",
+      "minimum": 1700000000
+    },
+    "subject": {
+      "type": "string",
+      "description": "Workload identity as a SPIFFE SVID URI.",
+      "pattern": "^spiffe://"
+    },
+    "model": {
+      "type": "object",
+      "description": "Model identity and provenance.",
+      "required": ["provider", "model_id"],
+      "properties": {
+        "provider": {
+          "type": "string",
+          "description": "Model provider (e.g. 'anthropic', 'openai', 'meta')."
+        },
+        "model_id": {
+          "type": "string",
+          "description": "Model identifier as used by the provider."
+        },
+        "version": {
+          "type": "string",
+          "description": "Model version or snapshot identifier."
+        },
+        "weights_digest": {
+          "type": "string",
+          "description": "SHA-256 or SHA-384 digest of the model weights. Required for local/confidential-inference deployments.",
+          "pattern": "^sha(256|384):[0-9a-f]+"
+        },
+        "aibom_uri": {
+          "type": "string",
+          "format": "uri",
+          "description": "URI to SPDX 3.0 AI Profile or CycloneDX 1.7 ML-BOM for this model."
+        }
+      },
+      "additionalProperties": false
+    },
+    "runtime": {
+      "type": "object",
+      "description": "TEE measurement chain binding the workload to hardware.",
+      "required": ["platform", "measurement"],
+      "properties": {
+        "platform": {
+          "type": "string",
+          "enum": [
+            "intel-tdx",
+            "amd-sev-snp",
+            "nvidia-h100",
+            "nvidia-blackwell",
+            "aws-nitro",
+            "arm-cca",
+            "google-confidential-space",
+            "tpm2"
+          ],
+          "description": "Hardware platform providing the root of trust."
+        },
+        "measurement": {
+          "type": "string",
+          "description": "Hardware measurement of the workload (e.g. TDX MRTD, SEV measurement, TPM PCR composite).",
+          "pattern": "^sha(256|384):[0-9a-f]+"
+        },
+        "rim_uri": {
+          "type": "string",
+          "format": "uri",
+          "description": "URI to the vendor-published Reference Integrity Manifest for this measurement."
+        },
+        "nonce": {
+          "type": "string",
+          "description": "Freshness nonce binding the attestation report to this record (base64url, no padding)."
+        },
+        "firmware_version": {
+          "type": "string",
+          "description": "Firmware or microcode version included in the measurement."
+        }
+      },
+      "additionalProperties": false
+    },
+    "policy": {
+      "type": "object",
+      "description": "Policy bundle sealed to the TEE measurement.",
+      "required": ["bundle_hash", "enforcement_mode"],
+      "properties": {
+        "bundle_hash": {
+          "type": "string",
+          "description": "SHA-256 or SHA-384 digest of the policy bundle in force at execution time.",
+          "pattern": "^sha(256|384):[0-9a-f]+"
+        },
+        "enforcement_mode": {
+          "type": "string",
+          "enum": ["enforce", "advisory", "silent"],
+          "description": "How policy decisions were applied: enforce (block on deny), advisory (log only), silent (no logging)."
+        },
+        "version": {
+          "type": "string",
+          "description": "Policy bundle version (semantic versioning recommended)."
+        },
+        "policy_uri": {
+          "type": "string",
+          "format": "uri",
+          "description": "URI to the policy bundle for verification."
+        }
+      },
+      "additionalProperties": false
+    },
+    "data_class": {
+      "type": "string",
+      "description": "Highest-sensitivity data classification of inputs and outputs processed during this execution.",
+      "examples": ["public", "internal", "confidential", "restricted", "top-secret"]
+    },
+    "tool_transcript": {
+      "type": "object",
+      "description": "Bound hash of the MCP/A2A tool-call transcript. OPTIONAL for Phase 1 records; REQUIRED for Phase 2+.",
+      "required": ["hash"],
+      "properties": {
+        "hash": {
+          "type": "string",
+          "description": "SHA-256 or SHA-384 digest of the full tool-call transcript, bound into the EAT envelope.",
+          "pattern": "^sha(256|384):[0-9a-f]+"
+        },
+        "call_count": {
+          "type": "integer",
+          "minimum": 0,
+          "description": "Total number of tool calls in this session."
+        },
+        "transcript_uri": {
+          "type": "string",
+          "format": "uri",
+          "description": "URI to the full transcript on the transparency log."
+        }
+      },
+      "additionalProperties": false
+    },
+    "build_provenance": {
+      "type": "object",
+      "description": "SLSA provenance for the workload (agent code + container image).",
+      "required": ["slsa_level", "digest"],
+      "properties": {
+        "slsa_level": {
+          "type": "integer",
+          "minimum": 1,
+          "maximum": 3,
+          "description": "SLSA Build Level achieved. Level 2 minimum for TRACE conformance; Level 3 for production mark."
+        },
+        "builder": {
+          "type": "string",
+          "description": "SLSA builder URI."
+        },
+        "digest": {
+          "type": "string",
+          "description": "SHA-256 or SHA-384 digest of the container image or workload binary.",
+          "pattern": "^sha(256|384):[0-9a-f]+"
+        },
+        "provenance_uri": {
+          "type": "string",
+          "format": "uri",
+          "description": "URI to the SLSA provenance attestation on a Sigstore/Rekor or compatible log."
+        }
+      },
+      "additionalProperties": false
+    },
+    "appraisal": {
+      "type": "object",
+      "description": "Verifier's EAR appraisal of the evidence (draft-ietf-rats-ar4si).",
+      "required": ["status", "verifier"],
+      "properties": {
+        "status": {
+          "type": "string",
+          "enum": ["affirming", "warning", "contraindicated", "none"],
+          "description": "EAR appraisal status."
+        },
+        "verifier": {
+          "type": "string",
+          "format": "uri",
+          "description": "URI identifying the verifier that produced this appraisal."
+        },
+        "policy_ref": {
+          "type": "string",
+          "format": "uri",
+          "description": "URI to the appraisal policy used."
+        },
+        "timestamp": {
+          "type": "integer",
+          "description": "Unix epoch seconds when the appraisal was produced."
+        }
+      },
+      "additionalProperties": false
+    },
+    "transparency": {
+      "type": "string",
+      "format": "uri",
+      "description": "SCITT receipt URI. The Trust Record is the Signed Statement; this URI resolves to the inclusion proof (Receipt) on the transparency log."
+    },
+    "cnf": {
+      "type": "object",
+      "description": "Confirmation key (RFC 8747) — binds the Trust Record to the TEE-held signing key.",
+      "required": ["jwk"],
+      "properties": {
+        "jwk": {
+          "type": "object",
+          "description": "JWK (RFC 7517) representing the TEE-sealed public key.",
+          "required": ["kty"],
+          "properties": {
+            "kty": {"type": "string"},
+            "crv": {"type": "string"},
+            "x":   {"type": "string"},
+            "y":   {"type": "string"},
+            "kid": {"type": "string"}
+          }
+        }
+      },
+      "additionalProperties": false
+    }
+  },
+  "additionalProperties": false
+}

agentrust_trace/validate.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+import importlib.resources
+import json
+from functools import lru_cache
+from typing import Any, cast
+
+import jsonschema
+
+
+@lru_cache(maxsize=1)
+def _schema() -> dict[str, Any]:
+    ref = importlib.resources.files("agentrust_trace") / "schema" / "trace-v0.1.json"
+    return cast(dict[str, Any], json.loads(ref.read_text(encoding="utf-8")))
+
+
+@lru_cache(maxsize=1)
+def _validator() -> jsonschema.Draft202012Validator:
+    return jsonschema.Draft202012Validator(_schema())
+
+
+# Canonical schema exposed for downstream tooling that needs the raw dict.
+SCHEMA: dict[str, Any] = _schema()
+
+
+def validate_json(record: dict[str, Any]) -> None:
+    """Validate *record* against the canonical TRACE v0.1 JSON Schema.
+
+    Raises :class:`jsonschema.ValidationError` on the first violation found.
+    Use :func:`iter_errors` for all violations.
+    """
+    _validator().validate(record)
+
+
+def iter_errors(record: dict[str, Any]) -> list[jsonschema.exceptions.ValidationError]:
+    """Return all JSON Schema violations for *record* (empty list if valid)."""
+    return list(_validator().iter_errors(record))

agentrust_trace-0.1.0.dist-info/METADATA

@@ -0,0 +1,121 @@
+Metadata-Version: 2.4
+Name: agentrust-trace
+Version: 0.1.0
+Summary: TRACE v0.1 — hardware-attested governance records for AI agents
+Project-URL: Homepage, https://github.com/agentrust-io/trace-spec
+Project-URL: Repository, https://github.com/agentrust-io/trace-spec
+Project-URL: Issues, https://github.com/agentrust-io/trace-spec/issues
+Project-URL: Changelog, https://github.com/agentrust-io/trace-spec/blob/main/CHANGELOG.md
+License: Apache-2.0
+License-File: LICENSE
+Keywords: ai-governance,attestation,confidential-computing,eat,rats,tee,trace
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: Apache Software License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
+Classifier: Topic :: Security
+Classifier: Typing :: Typed
+Requires-Python: >=3.11
+Requires-Dist: jsonschema>=4.20
+Requires-Dist: pydantic>=2.0
+Provides-Extra: dev
+Requires-Dist: mypy>=1.10; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.4; extra == 'dev'
+Requires-Dist: types-jsonschema; extra == 'dev'
+Description-Content-Type: text/markdown
+
+<p align="center">
+  <img src="docs/assets/icon.svg" width="96" height="96" alt="TRACE"/>
+</p>
+
+# TRACE — Trust Runtime Attestation and Compliance Evidence
+
+An open specification for hardware-attested AI agent governance records. TRACE defines the format, anchoring protocol, and verification rules for cryptographically provable evidence that an AI agent ran under a specific policy, in a verified hardware environment, on classified data, invoking identified tools — bound into a single signed artifact rooted in silicon attestation.
+
+## What a TRACE Trust Record Is
+
+```json
+{
+  "eat_profile": "tag:agentrust.io,2026:trace-v0.1",
+  "iat": 1750676142,
+  "subject": "spiffe://trust.example.org/agent/payments-processor/prod",
+  "model": {
+    "provider": "anthropic",
+    "model_id": "claude-sonnet-4-6",
+    "version": "20251001",
+    "weights_digest": "sha256:a3f8d2c1..."
+  },
+  "runtime": {
+    "platform": "amd-sev-snp",
+    "measurement": "sha384:c9e4b1d2e3f4...",
+    "rim_uri": "https://kdsintf.amd.com/vcek/v1/..."
+  },
+  "policy": {
+    "bundle_hash": "sha256:b2c3d4e5...",
+    "enforcement_mode": "enforce",
+    "version": "1.2.0"
+  },
+  "data_class": "confidential",
+  "tool_transcript": {
+    "hash": "sha256:d4e5f6a7...",
+    "call_count": 3
+  },
+  "build_provenance": {
+    "slsa_level": 2,
+    "builder": "https://github.com/slsa-framework/slsa-github-generator",
+    "digest": "sha256:e5f6a7b8..."
+  },
+  "appraisal": {
+    "status": "affirming",
+    "verifier": "https://trust-authority.example.org",
+    "policy_ref": "https://trust-authority.example.org/policy/agent-v1"
+  },
+  "transparency": "https://registry.agentrust.io/claim/trace-2026-06-23T09:15:42Z-f2a8d1",
+  "cnf": {
+    "jwk": {"kty": "EC", "crv": "P-256", "x": "MEkwEw...", "y": "..."}
+  }
+}
+```
+
+The record is a single EAT envelope (RFC 9711). Each field is independently verifiable. No callback to the issuer is required.
+
+## Specification
+
+- [`spec/trace-v0.1.md`](spec/trace-v0.1.md) — full specification
+- [`schema/trace-claim.json`](schema/trace-claim.json) — JSON Schema
+- [`examples/`](examples/) — example Trust Records for Intel TDX, AMD SEV-SNP, and NVIDIA H100
+
+## Standards composition
+
+TRACE profiles existing standards rather than replacing them:
+
+| Primitive | Role in TRACE |
+|---|---|
+| RATS / EAT (RFC 9711) | Wire envelope and claim model |
+| SLSA Provenance v1.0 | Build-time provenance (`build_provenance`) |
+| SPIFFE SVID | Workload identity (`subject`) |
+| SCITT | Append-only transparency anchoring (`transparency`) |
+| EAR (draft-ietf-rats-ar4si) | Verifier appraisal output (`appraisal`) |
+| MCP / A2A | Agent tool-call transcript surface (`tool_transcript`) |
+| AIBOM (SPDX 3.0 / CycloneDX 1.7) | Model component inventory (`model`) |
+
+## Reference implementation
+
+[agentrust-io/cmcp](https://github.com/agentrust-io/cmcp) — Confidential MCP Gateway. Hardware-attested policy enforcement at the MCP tool-call boundary on Intel TDX, AMD SEV-SNP, and NVIDIA H100/Blackwell.
+
+## Registry
+
+A public append-only Merkle registry of TRACE Trust Record anchors: [agentrust-io/trace-registry](https://github.com/agentrust-io/trace-registry).
+
+## Status
+
+Draft v0.1 — publishing at Confidential Computing Summit, San Francisco, June 23 2026. Targeting submission to the [Agentic AI Foundation (AAIF)](https://agenticai.foundation) under the Linux Foundation.
+
+## License
+
+Creative Commons Attribution 4.0 International (CC BY 4.0)

agentrust_trace-0.1.0.dist-info/RECORD

@@ -0,0 +1,9 @@
+agentrust_trace/__init__.py,sha256=4gC8kls9mXPfas2o_5fGdcGCY1vYyrT3TjyqII04p3o,633
+agentrust_trace/models.py,sha256=aqOey_GnF75vERCHANSGDOq4fvFrXCqcwLodwGOxSVk,2721
+agentrust_trace/py.typed,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
+agentrust_trace/validate.py,sha256=e8HkiiQ0MY8rJ6k8TfJvkjLLELFNd0kFx7xmq6WyekU,1130
+agentrust_trace/schema/trace-v0.1.json,sha256=csfXAh_K-3dCjZwpxAXyiydvfxui2nT8XIgVY2msYhE,8281
+agentrust_trace-0.1.0.dist-info/METADATA,sha256=p3WWLeMVWzbDF5vLuaQxQRxUM_bnqt_uVT-L98mRqa0,4793
+agentrust_trace-0.1.0.dist-info/WHEEL,sha256=mffPy8wBnZQn2VnJUU5jE99KsxaSfiyMHV9Yt0aLVxs,87
+agentrust_trace-0.1.0.dist-info/licenses/LICENSE,sha256=PjaoS-amJGME7ximD1Llf74eQ7IlQ8a-CERUAl0IKxc,1614
+agentrust_trace-0.1.0.dist-info/RECORD,,

agentrust_trace-0.1.0.dist-info/WHEEL

@@ -0,0 +1,4 @@
+Wheel-Version: 1.0
+Generator: hatchling 1.30.1
+Root-Is-Purelib: true
+Tag: py3-none-any

agentrust_trace-0.1.0.dist-info/licenses/LICENSE

@@ -0,0 +1,37 @@
+The TRACE specification and this repository use a dual license:
+
+SPECIFICATION TEXT (spec/*.md, README.md, CHANGELOG.md)
+=========================================================
+Creative Commons Attribution 4.0 International (CC BY 4.0)
+https://creativecommons.org/licenses/by/4.0/
+
+You are free to share and adapt the specification text for any purpose,
+including commercial, provided you give appropriate credit, link to the
+license, and indicate if changes were made.
+
+SCHEMA, EXAMPLES, AND CODE (schema/, examples/, .github/)
+==========================================================
+Apache License, Version 2.0
+https://www.apache.org/licenses/LICENSE-2.0
+
+Copyright 2026 OPAQUE Systems, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use these files except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+PATENT PROMISE
+==============
+OPAQUE Systems, Inc. grants a royalty-free, worldwide, non-exclusive
+license under any patent claims it controls that are necessarily infringed
+by a conforming implementation of this specification, for the purpose of
+implementing or operating a product that conforms to this specification.
+This promise applies to v0.1 and all subsequent versions of TRACE.