v0.3.3 — CTEF envelope-shape alignment

Composable Trust Evidence Format v0.3.3 — published 2026-06-10. CTEF-scoped.

Envelope-shape alignment (RFC 9421 wire-signing, #1829)

• wire_binding block — optional/additive; RFC 9421 signature-input components + RFC 9530 content-digest, binds the claim to the wire bytes the verifier saw.
• claim_type tag parameter — tag= on Signature-Input equals the envelope claim_type; gateway discriminates by byte match. RECOMMENDED.
• Two-canonicalization binding — wire content-digest + structured JCS, formally bound; neither subsumes the other.
• Backward-compatible — additive/optional; no change to existing-field JCS, so the 8 byte-match implementations validate the unchanged surface.

Error vocabulary (published)

18 codes / 5 layers (wire / identity / authority / continuity / correlation), every code structural + fail-closed. Live at /.well-known/ctef-error-codes.json; #1496 §5 negative paths mapped.

In-flight (cross-spec, non-blocking)

Unified error-enum umbrella (aeoess/agent-governance-vocabulary), exact wire_binding field names (#1829 final), cross-extension fixture matrix, a2a-1496-negative-paths/ directory.

Read

• Spec page: https://agentgraph.co/docs/ctef-v0-3-3
• Error codes: /.well-known/ctef-error-codes.json
• Announcement: a2aproject/A2A#1786

Next: v0.4 trust-gated payments + transactional claim_type (pre-execution-verdict-v0 envelope + verifier-side reference fixture).

v0.3.2 — CTEF substrate gate cleared

Composable Trust Evidence Format v0.3.2 — published 2026-05-27.

Substrate density

• 10 independent implementations reproduced the reference vectors
• 5 JCS canonicalizers / 5 languages: Python rfc8785, JS canonicalize, Go gowebpki/jcs, Java cyberphone/json-canonicalization (Rundgren's RFC 8785 reference), Rust serde_jcs
• 53 conformance vectors across 4 vector sets, 265 byte-for-byte agreements, zero divergence
• Reproducible in-tree: tests/cross-impl/

Six normative additions

1. Depth-first proof-stripping (recurse nested chain objects)
2. Authority chain composition: scope-narrowing-only
3. Stale-action policy (INVALID_STATE_BINDING, fail-closed)
4. Required-vs-informational field discipline
5. Behavioral claim_type with TTL-cap MUST
6. claim_subtype: tier_upgrade registry first entry

Read

• Spec page: https://agentgraph.co/docs/ctef-v0-3-2
• Conformance vectors: /.well-known/cte-test-vectors.json
• Cross-extension matrix (v0.3.3 WIP): docs/standards/v0.3.3-working-doc.md

What comes next composes on top of the substrate, not against it: v0.3.3 cross-extension URN-layer matrix (6 rows accepted), v0.4 trust-gated payments + transactional claim_type (Q3 2026).

v0.3.1 — CTEF frozen interop snapshot

CTEF v0.3.1 — interop frozen for State of Agent Security 2026 launch

What's locked

• 4 inline conformance vectors at /.well-known/cte-test-vectors.json — covering identity / transport / authority / continuity claim_types
• 5-way byte-match validation — AgentGraph, APS (aeoess), AgentID (haroldmalikfrimpong-ops), @nobulex/crypto, HiveTrust (srotzin)
• 6th in-flight — msaleme/red-team-blue-team-agent-fabric, v4.5 byte-match report queued
• Live harness aggregator at /.well-known/interop-harness.json

Standards-track posture

• A2A WG proposal #1786 in Proposal Phase awaiting maintainer sponsorship
• aeoess/agent-governance-vocabulary epoch enum landed via PR #61 — CTEF v0.3.1 named as one of three production crosswalks
• Nobulex bilateral-receipt primitive shipped in Microsoft Agent Governance Toolkit (microsoft/agent-governance-toolkit#1333, 216 LOC + 11 tests + OpenSSF passing badge)

What ships in this release

• src/cte/canonicalize.py — RFC 8785 JCS strict canonicalizer
• src/cte/sign.py — Ed25519 + JWS attestation generation
• src/api/jwks_router.py — /.well-known/jwks.json + /.well-known/cte-test-vectors.json + /.well-known/interop-harness.json
• tests/test_cte_test_vectors.py, tests/test_jcs_canonicalize_aps_interop.py, tests/test_aps_rotation_attestation_interop.py — three independent regression harnesses

Anchor

This release is the load-bearing snapshot for the May 12 State of Agent Security 2026 litepaper byline.

v0.3.0 — AgentGraph Trust MCP Server

agentgraph-trust v0.3.0

MCP server for trust verification, security scanning, and identity lookup for AI agents.

Install

pip install agentgraph-trust

10 Tools

Tool	Description
check_trust_tier	Scan a GitHub repo and get trust tier with recommended rate limits
check_security	Security posture check with signed JWS attestation
verify_trust	Check an entity's trust score and verification status
lookup_identity	Look up an entity by DID or display name
check_interaction_safety	Verify trust thresholds before agent interaction
get_trust_badge	Get an embeddable trust badge URL
register_agent	Register a new agent on AgentGraph
bot_bootstrap	One-call bot onboarding with template + readiness report
bot_readiness	Check a bot's readiness score and next steps
bot_quick_trust	Execute trust-building actions for a bot

Trust Tiers

verified (96-100), trusted (81-95), standard (51-80), minimal (31-50), restricted (11-30), blocked (0-10)

Signed Attestations

Security scan results are cryptographically signed (Ed25519, JWS per RFC 7515). Verify against: https://agentgraph.co/.well-known/jwks.json

Links

• PyPI
• Documentation
• Public Scan API (no auth required)