Merged
2 changes: 1 addition & 1 deletion .github/workflows/ci.yml
Expand Up @@ -40,7 +40,7 @@ jobs:
run: mypy src/ca2a_runtime/ src/ca2a_verify/

- name: Test
run: pytest tests/unit/ -v --tb=short --cov=src --cov-report=xml
run: pytest tests/unit/ tests/conformance/ -v --tb=short --cov=src --cov-report=xml

- name: Upload coverage report
uses: codecov/codecov-action@v7
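Review bot: The changed `run:` line in the Test step folds `tests/conformance/` into the same pytest invocation and the same `--cov=src` report as `tests/unit/`, so a MUST-level conformance failure shows up as a generic "Test" failure and conformance runs are counted toward the coverage figure that previously described unit tests only. Because passing this suite is what backs a "cA2A-compatible" claim, consider a dedicated step (for example `- name: Conformance` with `run: pytest tests/conformance/ -v --tb=short`) so that a conformance regression is visible as its own CI signal and the unit coverage number keeps its meaning.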
1 change: 1 addition & 0 deletions CHANGELOG.md
Expand Up @@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- Peer-call enforcement decision core (Tier 2): `ca2a_runtime.policy.LocalPolicy` and `ca2a_runtime.peer` (`effective_scope`, `enforce_peer_call`). Effective permission is the delegated leaf scope intersected with the callee's local policy; a granted call emits a linked provenance record. New error `SCOPE_NOT_PERMITTED`. Claim C3 (scope-policy intersection) is now a validated experiment. Cedar-engine binding of the local policy and live A2A transport wiring remain open.
- Sealed peer channel (Tier 2): `ca2a_runtime.channel` (`SealedChannel`, `generate_channel_keypair`, `open_sealed`). HPKE-style X25519 -> HKDF-SHA256 -> ChaCha20-Poly1305 sealing a payload to the peer's attested key; only the peer's private key opens it, and a wrong key or tampered ciphertext fails closed. Claim C4 (sealed-payload confidentiality) is now a validated experiment at the cryptographic layer. The enclave-binding of the private key (a hardware property) and live-path wiring remain open.
- Cross-operator attestation (Claim C6) validated in software: a two-operator harness composing the SEV-SNP verifier, measurement pinning, and the sealed channel demonstrates independent keys, mutual attestation, confidential cross-operator delegation, and binary-swap detection. Synthetic report vectors (a genuine report needs SEV-SNP hardware); real hardware end to end remains open. **All six claims (C1-C6) are now validated experiments.**
- cA2A-compatible conformance suite: `tests/conformance/` with a normative README (stable MUST/SHOULD test IDs across delegation, scope-policy, attestation, sealed channel, provenance, and the inbound pipeline) and runnable checks that exercise every MUST-level requirement. Wired into CI and documented at `docs/spec/conformance.md`; ties to the CHARTER trademark language.
- Intel TDX attestation backend: `ca2a_runtime.tee.tdx` (DCAP Quote v4 parsing, `TdxProvider`) and `ca2a_verify.tdx.verify_tdx_quote` (PCK chain to a trusted Intel root, QE report signature, attestation-key binding, quote signature, and MRTD/report-data binding), all fail-closed. Chain path validated against the genuine Intel SGX Root CA; multi-level signature path validated with a synthetic self-consistent quote. Quote generation requires a real TDX guest.
- Transport-agnostic inbound peer request handler: `ca2a_runtime.peer.handle_peer_request` with `PeerRequest` / `PeerResult`. Composes the full pipeline (verify chain, intersect scope and enforce, open a sealed payload with the enclave key, emit a linked provenance record) fail-closed. A transport parses its wire format into a `PeerRequest`; cA2A does not define the transport (profile, not protocol).
- RFC 8785 (JSON Canonicalization Scheme) canonicalization: `ca2a_runtime.canonical.canonicalize`. Credential and provenance bodies are now signed over the JCS encoding (UTF-16 key ordering, JCS string escaping, literal non-ASCII, shortest-decimal integers), so cA2A signatures are cross-verifiable with agent-manifest. ASCII credentials are byte-identical to the previous encoding, so existing signatures still verify.
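Review bot: The new conformance-suite entry states that the runnable checks "exercise every MUST-level requirement" but omits the hardware caveat that the ROADMAP.md bullet and the scope note in `docs/spec/conformance.md` both carry in this same change. The neighbouring entries close with what "remains open"; add the same kind of clause here (attestation checks run against synthetic vectors, a run on confidential-computing hardware is still outstanding) so the changelog read on its own does not overstate what a passing suite proves.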
2 changes: 1 addition & 1 deletion ROADMAP.md
Expand Up @@ -39,5 +39,5 @@ Real hardware attestation verification (SEV-SNP VCEK chain, Intel TDX quote via

- Stable delegation credential and TRACE link schema with documented versioning guarantees
- Full RATS/EAT conformance for peer attestation evidence
- Conformance suite for "cA2A-compatible" claims
- Conformance suite for "cA2A-compatible" claims: **landed** (`tests/conformance/`, normative README + runnable MUST-level checks, in CI). A production run on confidential-computing hardware is the remaining step for a hardware-attested claim.
- OWASP liaison on the multi-agent threat mapping; ITI conversation on conformance
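Review bot: The edited conformance bullet now holds two items, one marked **landed** and one still open ("A production run on confidential-computing hardware is the remaining step for a hardware-attested claim"), so the open work is hidden inside a line that reads as done. Split the hardware run into its own roadmap bullet so it stays trackable once landed items are pruned.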
2 changes: 1 addition & 1 deletion docs/SPEC.md
Expand Up @@ -27,7 +27,7 @@ cA2A is a profile, not a transport. It does not define how tasks are moved betwe

## Conformance

An implementation may claim "cA2A-compatible" for a given version when it enforces, on an inbound peer call: delegation chain verification (signature, continuity, attenuation, anti-replay), peer attestation against an expected measurement, payload sealing to that measurement, and emission of a linked TRACE record. Conformance tests are on the roadmap for v1.0.
An implementation may claim "cA2A-compatible" for a given version when it enforces, on an inbound peer call: delegation chain verification (signature, continuity, attenuation, anti-replay), peer attestation against an expected measurement, payload sealing to that measurement, and emission of a linked TRACE record. These requirements are defined as a numbered, runnable conformance suite; see [conformance](spec/conformance.md).

## Relationship to sibling specs

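Review bot: The Conformance paragraph in docs/SPEC.md now defines "cA2A-compatible" twice with different scope. The retained first sentence lists four enforcement requirements (delegation chain verification, peer attestation, payload sealing, a linked TRACE record), while the new closing sentence says "These requirements are defined as a numbered, runnable conformance suite", and `docs/spec/conformance.md` defines the claim as passing all MUST-level tests across six groups, including scope-policy (`POLICY-*`) and the inbound pipeline (`PIPE-*`), which the first sentence does not mention. Make one of the two normative: either have SPEC.md defer entirely to the conformance page, or bring its list in line with the six groups.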
34 changes: 34 additions & 0 deletions docs/spec/conformance.md
@@ -0,0 +1,34 @@
# Conformance

An implementation may claim **cA2A-compatible** for a given version when it passes all MUST-level tests in the cA2A conformance suite for that version. This ties directly to the trademark language in [CHARTER.md](../../CHARTER.md): the mark asserts that a deployment satisfies the attestation, attenuation, sealing, and provenance requirements defined here.

## The normative suite

The suite is defined in [`tests/conformance/README.md`](https://github.com/agentrust-io/ca2a/blob/main/tests/conformance/README.md). It is a spec document expressed as stable, numbered test IDs grouped by area, each referencing the section it validates. The runnable checks in `tests/conformance/test_profile_conformance.py` exercise every MUST-level requirement against the reference implementation; a third-party implementation is expected to satisfy the same behaviors.

```bash
pip install -e ".[dev]"
pytest tests/conformance/ -v
```

## Requirement groups

| Group | Covers | Spec |
|---|---|---|
| Delegation (`DELEG-*`) | Signature, attenuation, continuity, depth, anti-replay | [delegation-chain.md](delegation-chain.md) |
| Scope-policy (`POLICY-*`) | Effective scope = delegated ∩ local policy | [cedar-policy.md](cedar-policy.md) |
| Attestation (`ATTEST-*`) | Fail-closed providers, measurement, chain, tamper, MRTD | [attestation.md](attestation.md) |
| Sealed channel (`SEAL-*`) | Seal to attested key, no plaintext, tamper fails closed | [sealed-channel.md](sealed-channel.md) |
| Provenance (`PROV-*`) | DAG integrity, tamper detection, bound to authority | [provenance-dag.md](provenance-dag.md) |
| Inbound pipeline (`PIPE-*`) | The handler grants, records, and fails closed correctly | [call-graph.md](call-graph.md) |

## Levels

- **MUST**: required for a cA2A-compatible claim. Partial conformance (MUST only) is sufficient.
- **SHOULD**: recommended; indicates a higher-quality implementation.

Test IDs are stable: once assigned, an ID is never reused even if the test is removed. This lets a conformance report for one version be compared against another.

## Scope note

The attestation requirements are validated against synthetic report and quote vectors plus the genuine AMD and Intel roots, since producing a real report requires confidential-computing hardware. A production conformance run on hardware, and end-to-end validation against a real quote, are the remaining step before a hardware-attested cA2A-compatible claim; see [LIMITATIONS.md](../../LIMITATIONS.md).
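Review bot: The `[CHARTER.md](../../CHARTER.md)` link in the opening paragraph of docs/spec/conformance.md points at a file that `mkdocs.yml` lists under `exclude_docs`, so it will not resolve in the built site; `LIMITATIONS.md` is in the nav and is fine. Use an absolute repository URL for CHARTER.md, as is already done for `tests/conformance/README.md`. Separately, that README link targets `blob/main`, while the page defines the claim "for a given version" and promises stable IDs across versions; pointing at a tagged revision (or stating which ref is normative for a release) would keep a version-specific claim tied to the suite it was tested against.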
297 changes: 149 additions & 148 deletions mkdocs.yml
@@ -1,148 +1,149 @@
site_name: cA2A
site_description: Confidential agent-to-agent delegation, attested and attenuated, as a profile on A2A
site_url: https://ca2a.agentrust-io.com
repo_url: https://github.com/agentrust-io/ca2a
repo_name: agentrust-io/ca2a
edit_uri: edit/main/
docs_dir: .
exclude_docs: |
.github/
node_modules/
benchmarks/
src/
tests/
schemas/
examples/
LICENSE
NOTICE
ADOPTERS.md
MAINTAINERS.md
SECURITY.md
CHARTER.md
CODE_OF_CONDUCT.md
pyproject.toml
.gitignore

theme:
name: material
logo: docs/assets/icon.svg
favicon: docs/assets/icon.svg
palette:
- scheme: slate
primary: custom
accent: custom
toggle:
icon: material/brightness-7
name: Switch to light mode
- scheme: default
primary: custom
accent: custom
toggle:
icon: material/brightness-4
name: Switch to dark mode
features:
- navigation.instant
- navigation.tracking
- navigation.tabs
- navigation.tabs.sticky
- navigation.sections
- navigation.top
- navigation.path
- search.suggest
- search.highlight
- content.code.copy
- content.tabs.link
- toc.follow
- header.autohide
icon:
repo: fontawesome/brands/github
font:
text: Inter, system-ui, -apple-system, sans-serif
code: JetBrains Mono, Cascadia Code, monospace

plugins:
- search
- minify:
minify_html: true
- mkdocstrings:
default_handler: python
handlers:
python:
paths: [src]
options:
docstring_style: google
show_source: false
show_root_heading: true
show_root_full_path: false
show_symbol_type_heading: true
show_symbol_type_toc: true
members_order: source
separate_signature: true
show_signature_annotations: true
unwrap_annotated: true

markdown_extensions:
- admonition
- pymdownx.details
- pymdownx.superfences:
custom_fences:
- name: mermaid
class: mermaid
format: !!python/name:pymdownx.superfences.fence_code_format
- pymdownx.tabbed:
alternate_style: true
- pymdownx.highlight:
anchor_linenums: true
- pymdownx.inlinehilite
- pymdownx.snippets
- pymdownx.emoji:
emoji_index: !!python/name:material.extensions.emoji.twemoji
emoji_generator: !!python/name:material.extensions.emoji.to_svg
- attr_list
- md_in_html
- tables
- toc:
permalink: true

extra:
social:
- icon: fontawesome/brands/github
link: https://github.com/agentrust-io/ca2a
generator: false

extra_css:
- docs/stylesheets/extra.css

nav:
- Home: README.md
- Quick Start: docs/quickstart.md
- How It Works: docs/concepts.md
- Configuration: docs/configuration.md
- Tutorials:
- Verify a delegation chain: docs/tutorials/verify-a-delegation-chain.md
- Authoring a delegation credential: docs/tutorials/authoring-a-delegation-credential.md
- Emit and verify provenance: docs/tutorials/emit-and-verify-provenance.md
- Reproducing the claims: docs/tutorials/reproducing-the-claims.md
- Integrating with A2A: docs/tutorials/integrating-with-a2a.md
- Specification:
- Overview: docs/SPEC.md
- A2A Profile: docs/spec/profile.md
- Transport Binding: docs/spec/transport.md
- Component Model: docs/spec/component-model.md
- Inbound Peer-Call Decision: docs/spec/call-graph.md
- Delegation Chain: docs/spec/delegation-chain.md
- Provenance DAG: docs/spec/provenance-dag.md
- Sealed Peer Channel: docs/spec/sealed-channel.md
- Attestation: docs/spec/attestation.md
- Scope-Policy Intersection: docs/spec/cedar-policy.md
- TRACE A2A Profile: docs/spec/trace-a2a-profile.md
- Verification Library: docs/spec/verification-library.md
- Error Codes: docs/spec/error-codes.md
- Failure Modes: docs/spec/failure-modes.md
- Threat Model: docs/spec/threat-model.md
- Project:
- Limitations: LIMITATIONS.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Governance: GOVERNANCE.md
- Roadmap: ROADMAP.md
site_name: cA2A
site_description: Confidential agent-to-agent delegation, attested and attenuated, as a profile on A2A
site_url: https://ca2a.agentrust-io.com
repo_url: https://github.com/agentrust-io/ca2a
repo_name: agentrust-io/ca2a
edit_uri: edit/main/
docs_dir: .
exclude_docs: |
.github/
node_modules/
benchmarks/
src/
tests/
schemas/
examples/
LICENSE
NOTICE
ADOPTERS.md
MAINTAINERS.md
SECURITY.md
CHARTER.md
CODE_OF_CONDUCT.md
pyproject.toml
.gitignore

theme:
name: material
logo: docs/assets/icon.svg
favicon: docs/assets/icon.svg
palette:
- scheme: slate
primary: custom
accent: custom
toggle:
icon: material/brightness-7
name: Switch to light mode
- scheme: default
primary: custom
accent: custom
toggle:
icon: material/brightness-4
name: Switch to dark mode
features:
- navigation.instant
- navigation.tracking
- navigation.tabs
- navigation.tabs.sticky
- navigation.sections
- navigation.top
- navigation.path
- search.suggest
- search.highlight
- content.code.copy
- content.tabs.link
- toc.follow
- header.autohide
icon:
repo: fontawesome/brands/github
font:
text: Inter, system-ui, -apple-system, sans-serif
code: JetBrains Mono, Cascadia Code, monospace

plugins:
- search
- minify:
minify_html: true
- mkdocstrings:
default_handler: python
handlers:
python:
paths: [src]
options:
docstring_style: google
show_source: false
show_root_heading: true
show_root_full_path: false
show_symbol_type_heading: true
show_symbol_type_toc: true
members_order: source
separate_signature: true
show_signature_annotations: true
unwrap_annotated: true

markdown_extensions:
- admonition
- pymdownx.details
- pymdownx.superfences:
custom_fences:
- name: mermaid
class: mermaid
format: !!python/name:pymdownx.superfences.fence_code_format
- pymdownx.tabbed:
alternate_style: true
- pymdownx.highlight:
anchor_linenums: true
- pymdownx.inlinehilite
- pymdownx.snippets
- pymdownx.emoji:
emoji_index: !!python/name:material.extensions.emoji.twemoji
emoji_generator: !!python/name:material.extensions.emoji.to_svg
- attr_list
- md_in_html
- tables
- toc:
permalink: true

extra:
social:
- icon: fontawesome/brands/github
link: https://github.com/agentrust-io/ca2a
generator: false

extra_css:
- docs/stylesheets/extra.css

nav:
- Home: README.md
- Quick Start: docs/quickstart.md
- How It Works: docs/concepts.md
- Configuration: docs/configuration.md
- Tutorials:
- Verify a delegation chain: docs/tutorials/verify-a-delegation-chain.md
- Authoring a delegation credential: docs/tutorials/authoring-a-delegation-credential.md
- Emit and verify provenance: docs/tutorials/emit-and-verify-provenance.md
- Reproducing the claims: docs/tutorials/reproducing-the-claims.md
- Integrating with A2A: docs/tutorials/integrating-with-a2a.md
- Specification:
- Overview: docs/SPEC.md
- A2A Profile: docs/spec/profile.md
- Transport Binding: docs/spec/transport.md
- Component Model: docs/spec/component-model.md
- Inbound Peer-Call Decision: docs/spec/call-graph.md
- Delegation Chain: docs/spec/delegation-chain.md
- Provenance DAG: docs/spec/provenance-dag.md
- Sealed Peer Channel: docs/spec/sealed-channel.md
- Attestation: docs/spec/attestation.md
- Scope-Policy Intersection: docs/spec/cedar-policy.md
- TRACE A2A Profile: docs/spec/trace-a2a-profile.md
- Verification Library: docs/spec/verification-library.md
- Conformance: docs/spec/conformance.md
- Error Codes: docs/spec/error-codes.md
- Failure Modes: docs/spec/failure-modes.md
- Threat Model: docs/spec/threat-model.md
- Project:
- Limitations: LIMITATIONS.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- Governance: GOVERNANCE.md
- Roadmap: ROADMAP.md
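Review bot: The mkdocs.yml hunk rewrites the whole file (`@@ -1,148 +1,149 @@`, 149 additions and 148 deletions) although the only visible content difference is the new nav entry `- Conformance: docs/spec/conformance.md`. That pattern usually means a line-ending or whitespace normalisation was committed along with the real change, which hides the one-line edit from review and from `git blame`. Restore the original line endings so the diff is the single added line, or land the normalisation as a separate commit with a `.gitattributes` rule.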