
Add SAGE AgentTrust Bridge integration (cMCP + TRACE)#8

Open
l33tdawg wants to merge 2 commits into
agentrust-io:mainfrom
l33tdawg:add-sage-agenttrust

Conversation

@l33tdawg


Adds integrations/sage-agenttrust/ — an attestation-verifying reverse proxy that gates POST /v1/memory/submit on a stock, unmodified SAGE consensus-memory node with a verified AgentTrust attestation, binding the attested identity to the on-chain memory author.

integrates_with: cmcp, trace · tier: community · runs against released cmcp-runtime 0.2.1 / agentrust-trace 0.2.0 (no forks, no SAGE core changes).

Two paths

  • TRACE (C-2), enforcing: a standalone TRACE record whose cnf key is the agent's SAGE Ed25519 key — verified for canonical cnf.jwk.x, signature, freshness, cnf == author key-equality, and tool_transcript.hash == sha256(body) (write-scoped binding).
  • cMCP (C-1), advisory: a RuntimeClaim verified via the published cmcp_verify.verify_trace_claim (signature + approved policy/catalog hashes + gateway-asserted identity). Session-scoped, re-mintable, no trust root in this configuration — provenance, not authorization.

Honest scope (see README): with the published stack the bridge does not verify any hardware root of trust (cmcp_verify defers TPM EK / AMD VCEK / Intel DCAP signatures as "out of scope for Phase 1"), so it never reports hardware_backed; verification is always edge-only. Only the submit endpoint is gated. Attestation authenticates author + policy, not content truth.

TRACE conformance: the cMCP-envelope path passes agentrust-trace-tests 0.1.0 Level 0; a bare C-2 record is not graded by the suite (LoadError), so no conformance level is claimed for it.

Reproduce (offline, ~2 min, no node): git clone https://github.com/l33tdawg/sage-agenttrust && cd sage-agenttrust && python -m venv .venv && . .venv/bin/activate && pip install -e ".[dev]" && ./run_tests.sh — exercises crypto core, the proxy vs a signature-verifying mock SAGE, cMCP verification, hardening/edge cases, and the Level-0 conformance assertion. demo/run_demo.py runs the full chain against a stock SAGE container (image pinned by digest in the README).

Maintainer: @l33tdawg.
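The four binding checks the enforcing TRACE path lists above (canonical cnf.jwk.x, signature, freshness, cnf == author, tool_transcript.hash == sha256(body)), as an added Go example that is not part of this PR or of the sage-agenttrust project. The record layout, the submit-body layout, the assumption that a record is signed by its own cnf key (proof of possession), the five-minute freshness window and the fixed demo seed are all assumptions of this example, not the project's formats; the point is the gate logic a proxy applies before forwarding a submit, including why each check rejects.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Hypothetical, simplified TRACE-style record (not the project's schema):
// the cnf key is the agent's Ed25519 key, tool_transcript.hash binds the
// record to exactly one request body.
type TraceRecord struct {
	Cnf struct {
		Jwk struct {
			Kty string `json:"kty"`
			Crv string `json:"crv"`
			X   string `json:"x"` // unpadded base64url raw 32-byte public key
		} `json:"jwk"`
	} `json:"cnf"`
	Iat            int64 `json:"iat"`
	ToolTranscript struct {
		Hash string `json:"hash"` // hex sha256 of the exact request body
	} `json:"tool_transcript"`
}

// SubmitBody is a hypothetical memory-submit body; "author" is the key the
// node would record as the on-chain memory author.
type SubmitBody struct {
	Author  string `json:"author"` // unpadded base64url Ed25519 public key
	Content string `json:"content"`
}

const maxAge = 5 * time.Minute   // assumed freshness window
const maxSkew = 30 * time.Second // tolerated clock skew into the future

var b64 = base64.RawURLEncoding

// decodeCanonicalKey accepts only an unpadded base64url string that decodes
// to exactly 32 bytes and re-encodes to the same text (no alternate encodings).
func decodeCanonicalKey(s string) (ed25519.PublicKey, error) {
	raw, err := b64.DecodeString(s)
	if err != nil || len(raw) != ed25519.PublicKeySize || b64.EncodeToString(raw) != s {
		return nil, errors.New("cnf.jwk.x is not a canonical Ed25519 key")
	}
	return ed25519.PublicKey(raw), nil
}

// VerifySubmit is the gate: every check must pass, and the error names the
// first one that failed. It verifies the record, then binds it to the body.
func VerifySubmit(recordJSON, sig, body []byte, now time.Time) error {
	var rec TraceRecord
	if err := json.Unmarshal(recordJSON, &rec); err != nil {
		return fmt.Errorf("record: %w", err)
	}
	if rec.Cnf.Jwk.Kty != "OKP" || rec.Cnf.Jwk.Crv != "Ed25519" {
		return errors.New("cnf.jwk is not an Ed25519 OKP key")
	}
	pub, err := decodeCanonicalKey(rec.Cnf.Jwk.X)
	if err != nil {
		return err
	}
	// Signature: the record is signed by the cnf key itself (proof of
	// possession, an assumption of this example).
	if !ed25519.Verify(pub, recordJSON, sig) {
		return errors.New("record signature invalid")
	}
	// Freshness: bounded age and bounded future skew.
	iat := time.Unix(rec.Iat, 0)
	if now.Sub(iat) > maxAge || iat.Sub(now) > maxSkew {
		return errors.New("record is stale or from the future")
	}
	// Key equality: the attested key must be the memory author, compared in
	// canonical form so an alternate encoding of the same key is rejected too.
	var sb SubmitBody
	if err := json.Unmarshal(body, &sb); err != nil {
		return fmt.Errorf("body: %w", err)
	}
	if sb.Author != rec.Cnf.Jwk.X {
		return errors.New("cnf key does not match memory author")
	}
	// Write-scoped binding: the record covers exactly these body bytes.
	sum := sha256.Sum256(body)
	if rec.ToolTranscript.Hash != hex.EncodeToString(sum[:]) {
		return errors.New("tool_transcript.hash does not match body")
	}
	return nil
}

// MintRecord is the agent side: build a record for one body and sign it.
func MintRecord(priv ed25519.PrivateKey, body []byte, iat int64) (recordJSON, sig []byte, err error) {
	var rec TraceRecord
	rec.Cnf.Jwk.Kty, rec.Cnf.Jwk.Crv = "OKP", "Ed25519"
	rec.Cnf.Jwk.X = b64.EncodeToString(priv.Public().(ed25519.PublicKey))
	rec.Iat = iat
	sum := sha256.Sum256(body)
	rec.ToolTranscript.Hash = hex.EncodeToString(sum[:])
	if recordJSON, err = json.Marshal(rec); err != nil {
		return nil, nil, err
	}
	return recordJSON, ed25519.Sign(priv, recordJSON), nil
}

func main() {
	// Constructed demo key from a fixed seed so the run is reproducible.
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	author := b64.EncodeToString(priv.Public().(ed25519.PublicKey))
	body := []byte(`{"author":"` + author + `","content":"constructed memory"}`)
	now := time.Unix(1_800_000_000, 0)
	rec, sig, _ := MintRecord(priv, body, now.Unix())
	fmt.Println("genuine:      ", VerifySubmit(rec, sig, body, now))
	tampered := bytes.Replace(body, []byte("constructed"), []byte("altered"), 1)
	fmt.Println("tampered body:", VerifySubmit(rec, sig, tampered, now))
	fmt.Println("stale record: ", VerifySubmit(rec, sig, body, now.Add(time.Hour)))
}
```

The order matters: the signature is checked before any field is trusted, and the author/body checks come last because they are meaningful only once the record is known to be genuine and fresh. The hash check is what makes the binding write-scoped, since a record minted for one body cannot authorize a different body even under the same author key.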

@l33tdawg l33tdawg requested a review from imran-siddique as a code owner June 24, 2026 11:09
@carloshvp

Member

Nice scope discipline here: the README is explicit about edge-only verification, no hardware root, and the distinction between the enforcing TRACE path and advisory cMCP path.

One small wording suggestion before merge: since tier: community is set by maintainers and Verified status is not self-declared, maybe rename “reproduction steps for the Verified tier” to “reproduction steps for maintainers when requesting verification.” The content can stay mostly the same; this just keeps the tier language aligned with the repo rules.

@l33tdawg

l33tdawg commented Jun 24, 2026

Author

Thanks @carloshvp - Agreed on keeping the tier language aligned with the repo rules. Done in the latest push: the section is now "What is verified (reproduction steps for maintainers when requesting verification)", and tier: community stays maintainer-set in the manifest.

For a quick check, ./run_tests.sh reproduces all the verification claims offline (~2 min, no node) — crypto core, the proxy vs a signature-verifying mock SAGE, cMCP verification, hardening/edge cases, and the Level-0 conformance assertion; demo/run_demo.py runs the full chain against the digest-pinned SAGE container. Happy to adjust anything else.
