chore(deps): update agentrust-trace requirement from >=0.2.0 to >=0.3.0 #43

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/pip/agentrust-trace-gte-0.3.0

dependabot[bot] commented on behalf of github on Jul 4, 2026

Updates the requirements on agentrust-trace to permit the latest version.

Changelog

Sourced from agentrust-trace's changelog.

[0.3.0] — 2026-06-30

Security

  • verify_record now requires an explicit trusted key. Self-verification from the embedded cnf.jwk is no longer the default; use allow_embedded_key=True to opt in.
  • Verification enforces freshness (iat / max_age_seconds, default 24h) and an optional expected_nonce. JWK kty / crv are validated.

Breaking

  • BREAKING: Canonicalization is now RFC 8785 (JCS). Trust records are NOT cross-verifiable with 0.2.0 (the prior json.dumps canonicalization was non-conformant).

[0.1.0] — 2026-06-23

Initial public draft. Announced at Confidential Computing Summit, San Francisco.

Specification

  • Trust Record logical schema (§3.1): subject, model, runtime, policy, data_class, tool_transcript, build_provenance, appraisal, transparency, cnf
  • Wire format (§3.2): EAT/JWT and CBOR-COSE envelopes; profile URI tag:agentrust.io,2026:trace-v0.1
  • Signing and key management (§3.2.1): ES256/ES384/EdDSA; four-layer key hierarchy; hash agility; revocation
  • Verification protocol (§3.3): five-step offline verification, no issuer callback
  • Standards composition (§4): RATS/EAT, SLSA, SPIFFE, SCITT, EAR, MCP, A2A, AIBOM, C2PA
  • Hardware roots (§4.2): NVIDIA H100/Blackwell, Intel TDX, AMD SEV-SNP, Azure MAA, GCP Confidential Space, AWS Nitro
  • Reference implementation (§5): cMCP Phase 1–3 roadmap

Schema

  • schema/trace-claim.json: JSON Schema (draft/2020-12) for Trust Record validation

Examples

  • examples/amd-sev-snp.json: AMD SEV-SNP Trust Record
  • examples/intel-tdx.json: Intel TDX Trust Record
  • examples/nvidia-h100.json: NVIDIA H100 Confidential Computing Trust Record

Open questions

Seven open questions requiring community input before v0.2 are documented in §7 of the spec.


[0.2.0] — TBD

Specification

  • Extend subject field to accept DID URIs (any did: method) in addition to SPIFFE SVIDs. Previously ^spiffe:// only; now ^(spiffe://|did:). Additive, backward-compatible. DID-native runtimes (e.g. AGT did:mesh: identities) no longer require a parallel SPIFFE identity.

... (truncated)

Commits
  • 5082c88 chore(release): agentrust-trace 0.3.0 (#75)
  • 1a3a711 feat(canonicalization): use RFC 8785 (JCS) for sign/verify (#74)
  • 177b57a fix(verify): require a trusted key, enforce freshness, validate JWK type (#73)
  • 9d7dda9 fix(models): reject private key material in cnf.jwk (#72)
  • 6b16f20 docs: correct brand name to AgenTrust (#71)
  • 9a82331 docs: standardize OPAQUE brand capitalization in prose (#69)
  • e82ca69 feat(adapters): TraceAGTAdapter — one-line AGT → TRACE upgrade path (#65)
  • 3f64ee8 docs: add registry anchoring and audit chain verification tutorials (#63)
  • 30aa65a docs: add registry anchoring and audit chain verification tutorials (#62)
  • 5b7bd7a fix(docs): correct hallucinations and wrong values in tutorials
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Updates the requirements on [agentrust-trace](https://github.com/agentrust-io/trace-spec) to permit the latest version.
- [Release notes](https://github.com/agentrust-io/trace-spec/releases)
- [Changelog](https://github.com/agentrust-io/trace-spec/blob/main/CHANGELOG.md)
- [Commits](agentrust-io/trace-spec@v0.2.0...v0.3.0)

---
updated-dependencies:
- dependency-name: agentrust-trace
  dependency-version: 0.3.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
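
The checks named in the 0.3.0 Security notes, sketched as an added example that is not agentrust-trace's code: key selection that refuses the embedded cnf.jwk unless opted in, kty/crv validation, and the freshness and nonce checks that accompany signature verification. The names select_key, check_freshness and skew_seconds, the "nonce" claim name and the kty/crv allow-list are assumptions; signature verification itself is left out.

```python
import time

# Assumed allow-list matching ES256 / ES384 / EdDSA keys.
ALLOWED_KEY_TYPES = {("EC", "P-256"), ("EC", "P-384"), ("OKP", "Ed25519")}


class PolicyError(ValueError):
    """A record failed a check that must pass before it is trusted."""


def validate_public_jwk(jwk):
    """Accept only a public key of an expected type and curve."""
    if (jwk.get("kty"), jwk.get("crv")) not in ALLOWED_KEY_TYPES:
        raise PolicyError("unexpected kty/crv")
    if "d" in jwk:  # "d" is the private member of EC and OKP keys
        raise PolicyError("private key material in JWK")
    return jwk


def select_key(record, trusted_jwk=None, allow_embedded_key=False):
    """Choose the key the signature is checked against."""
    if trusted_jwk is not None:
        return validate_public_jwk(trusted_jwk)
    if allow_embedded_key:
        # Proves integrity only: the record's creator chose this key.
        return validate_public_jwk(record.get("cnf", {}).get("jwk", {}))
    raise PolicyError("no trusted key supplied")


def check_freshness(record, now=None, max_age_seconds=86400,
                    expected_nonce=None, skew_seconds=60):
    """Reject stale, future-dated or replayed records."""
    now = time.time() if now is None else now
    iat = record.get("iat")
    if isinstance(iat, bool) or not isinstance(iat, (int, float)):
        raise PolicyError("missing or non-numeric iat")
    if iat > now + skew_seconds:
        raise PolicyError("iat is in the future")
    if now - iat > max_age_seconds:
        raise PolicyError("record older than max_age_seconds")
    if expected_nonce is not None and record.get("nonce") != expected_nonce:
        raise PolicyError("nonce mismatch")
    return True


# Constructed sample: a record carrying a key chosen by its own creator.
SAMPLE_NOW = 1782000000
SAMPLE_RECORD = {"iat": SAMPLE_NOW - 3600, "nonce": "n-123",
                 "cnf": {"jwk": {"kty": "OKP", "crv": "Ed25519", "x": "constructed"}}}
```
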
dependabot[bot] added the dependencies (Pull requests that update a dependency file) and python (Pull requests that update python code) labels on Jul 4, 2026
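
Why the 0.3.0 canonicalization change breaks cross-verification with 0.2.0, as an added example that is not agentrust-trace's code: a subset RFC 8785 serializer next to a json.dumps form, hashed to compare signing inputs. The exact json.dumps arguments 0.2.0 used are not on this page, so legacy_canonical (sorted keys, default settings) is an assumption, as are the function names and the sample record; floats with a fractional part are rejected instead of implementing full ECMAScript number formatting.

```python
import hashlib
import json


def legacy_canonical(obj):
    """Assumed 0.2.0-style form: json.dumps with sorted keys, defaults."""
    return json.dumps(obj, sort_keys=True).encode("utf-8")


def _jcs(v):
    if v is None:
        return "null"
    if isinstance(v, bool):
        return "true" if v else "false"
    if isinstance(v, float):
        if not v.is_integer():  # also rejects NaN and infinities
            raise ValueError("non-integral floats are outside this subset")
        v = int(v)  # ECMAScript prints 1.0 as 1
    if isinstance(v, int):
        if abs(v) > 2 ** 53:
            raise ValueError("integer not exactly representable as a double")
        return str(v)
    if isinstance(v, str):
        # Escapes only quote, backslash and control characters; rest stays UTF-8.
        return json.dumps(v, ensure_ascii=False)
    if isinstance(v, (list, tuple)):
        return "[" + ",".join(_jcs(x) for x in v) + "]"
    if isinstance(v, dict):
        # RFC 8785 orders member names by UTF-16 code units, not code points.
        keys = sorted(v, key=lambda k: k.encode("utf-16-be"))
        return "{" + ",".join(_jcs(k) + ":" + _jcs(v[k]) for k in keys) + "}"
    raise TypeError(f"unsupported type: {type(v).__name__}")


def jcs_canonical(obj):
    """RFC 8785 bytes for a subset of JSON (see ValueError cases above)."""
    return _jcs(obj).encode("utf-8")


def same_signing_input(obj):
    """True if both forms hash to the same digest, so a signature carries over."""
    return (hashlib.sha256(legacy_canonical(obj)).digest()
            == hashlib.sha256(jcs_canonical(obj)).digest())


# Constructed sample record; field values are illustrative only.
SAMPLE = {"subject": "spiffe://example.org/agent/zoë", "score": 1.0,
          "iat": 1782000000, "runtime": {"tee": "intel-tdx"}}
```

Whitespace, `1.0` versus `1`, and `\u00eb` versus raw UTF-8 each change the bytes that get signed, so a signature made over one form fails against the other even though the JSON values are equal.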