From 98032103ba4fda1f8ad6bab91e2d5222e1b16a73 Mon Sep 17 00:00:00 2001 From: Imran Siddique Date: Sat, 4 Jul 2026 12:10:53 -0700 Subject: [PATCH] docs: qualify sealed-channel status in README The sealed peer channel is described in the profile and how-it-works sections as if payloads are already sealed to a verified attested measurement, but LIMITATIONS.md states the enclave-measurement binding is not yet wired on a live call ("do not assume a payload is confined to a specific attested measurement"). Add the in-progress qualifier at the point of claim and a status note on the how-it-works flow, so the README matches LIMITATIONS.md and ROADMAP.md. Docs-only. (#38) Co-Authored-By: Claude Opus 4.8 (1M context) --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index bb72502..1ca234e 100644 --- a/README.md +++ b/README.md 
@@ -54,7 +54,7 @@ cA2A is a trust profile layered on A2A, the way TRACE binds to IETF RATS, EAT, a 1. **Attenuated delegation.** Each hop carries a signed delegation credential whose scope is a provable subset of its parent. Child scope cannot exceed parent; depth is bounded; replay across chains is rejected. (Implemented in [agent-manifest](https://github.com/agentrust-io/agent-manifest).) 2. **Runtime attestation.** A peer proves it is running attested, measured code before it is trusted with a delegated task. (TEE provider abstraction shared with [cmcp](https://github.com/agentrust-io/cmcp).) -3. **Sealed peer channel.** The task payload is sealed to the peer's attested measurement, so it decrypts only inside the verified enclave. +3. **Sealed peer channel.** The task payload is sealed to the peer's attested measurement, so it decrypts only inside the verified enclave. _(Channel encryption is implemented; binding the seal to a **verified** attested measurement on a live call is on the roadmap. Until that lands, do not assume a payload is confined to a specific measurement — see [LIMITATIONS.md](LIMITATIONS.md).)_ 4. **Provenance record.** Each hop emits a TRACE record referencing the parent record hash and delegation credential id, producing an offline-verifiable delegation DAG. --- 
@@ -94,6 +94,8 @@ Agent A --(delegation cred, scope S_A)--> Agent B --(scope S_B ⊆ S_A)--> Agent 3. The task payload is sealed to B's attested measurement, so only B's verified enclave can read it. 4. Each hop emits a TRACE record linking to its parent, producing a delegation DAG any verifier can check offline without trusting an operator. +> **Status:** the delegation-chain verification and the provenance DAG (steps 1 and 4) are implemented and offline-verifiable today. The live inbound peer path (steps 2–3: verifying a peer's attestation on a real call and sealing the payload to a *verified* measurement) is under construction — see [LIMITATIONS.md](LIMITATIONS.md) and [ROADMAP.md](ROADMAP.md). + --- ## Relationship to the agentrust-io stack
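
Review bot: In the `@@ -54,7 +54,7 @@` hunk, the rewritten item 3 still opens with the unqualified present-tense claim that the payload "decrypts only inside the verified enclave", and the correction arrives only in the italic parenthetical that follows, so the line asserts a confinement guarantee and then withdraws it. Reword the lead sentence as the design goal (for example "The task payload is intended to be sealed to the peer's attested measurement") or put the status first, so that a reader who stops after the first sentence does not come away with the guarantee. Item 2 ("Runtime attestation") in the same list stays unqualified, although the Status note added in the second hunk says verifying a peer's attestation on a real call is also under construction; it needs the same qualifier, or the list and the note disagree. The parenthetical also drops the word "attested" from the quoted LIMITATIONS.md wording ("a specific attested measurement"), which is worth keeping verbatim.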
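
Review bot: In the `@@ -94,6 +94,8 @@` hunk, the Status blockquote is placed after step 4, so step 3 ("so only B's verified enclave can read it") still reads as current behaviour at the point where the claim is made, which is what the commit message says this change is meant to fix. Mark steps 2 and 3 inline as not yet live, or move the Status note above the numbered list so it is read before the flow. The note also refers to steps by number only; naming them (delegation-chain verification, attestation, sealing, provenance) would keep it correct if the list is later reordered. Since steps 2 and 3 are the ones that carry the confidentiality property, stating plainly in the note what an integrator can rely on today (channel encryption without measurement binding, per the first hunk) would make the README self-sufficient without a click through to LIMITATIONS.md.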