diff --git a/integrations/sage-agenttrust/LICENSE b/integrations/sage-agenttrust/LICENSE new file mode 100644 index 0000000..0a4cf1a --- /dev/null +++ b/integrations/sage-agenttrust/LICENSE @@ -0,0 +1,190 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to the Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by the Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding any notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + Copyright 2026 Dhillon Andrew Kannabhiran + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/integrations/sage-agenttrust/README.md b/integrations/sage-agenttrust/README.md new file mode 100644 index 0000000..f375dc9 --- /dev/null +++ b/integrations/sage-agenttrust/README.md @@ -0,0 +1,91 @@ +# SAGE integration with cMCP + TRACE (attested memory provenance) + +[SAGE](https://github.com/l33tdawg/sage) is consensus-validated agent memory: writes go +through BFT consensus, carry a confidence score, and decay over time. This integration is an +attestation-verifying reverse proxy that sits in front of a **stock, unmodified** SAGE node +and admits a `POST /v1/memory/submit` only when it carries a verifiable AgentTrust attestation, +bound to the key that authors the memory on-chain. **Only the submit endpoint is gated** — +other SAGE writes (`/forget`, `/vote`, `/corroborate`, `/challenge`, governance, access) pass +through to SAGE's own Ed25519 auth + RBAC (out of scope for this submission-provenance bridge). + +The agent signs its SAGE `POST /v1/memory/submit` with an Ed25519 key and presents an +attestation in an `X-Attestation` header. The proxy verifies it at the edge, binds it to the +SAGE author, then forwards the **byte-identical** signed request to SAGE (so the node's own +signature check still passes — no SAGE changes). On commit it stores the evidence keyed by the +returned `memory_id`, exposed as a provenance badge at `GET /v1/attestation/{memory_id}`. + +Two paths: +- **TRACE (per-agent) — the enforcing security path.** A standalone TRACE record whose `cnf` + key **is** the agent's SAGE key (signed with `agentrust_trace.sign_record`); the proxy checks + canonical `cnf.jwk.x` encoding, signature, freshness, `cnf == author` key equality, and + `tool_transcript.hash == sha256(submit body)` — a cryptographic, **write-scoped** binding. +- **cMCP — advisory session provenance, no trust root.** The proxy verifies a cMCP + `RuntimeClaim`'s signature and approved policy/catalog hashes with the published + `cmcp_verify.verify_trace_claim` and matches `gateway.agent_identity.agent_id` + (gateway-asserted). With the published stack the gateway signing key is **not anchored to any + trusted issuer**, so a valid C-1 signature authenticates only the claim's structure and that + its policy/catalog hashes match the configured approved set — **anyone can mint a + signature-valid claim naming any `agent_id`**. A RuntimeClaim is also session-scoped with + **no** per-write binding and the agent controls the gateway key, so C-1 is provenance that an + agent ran behind an attested gateway — **not** per-write authorization. + +**What it does not claim:** the bridge does **not** verify any hardware root of trust with the +published AgentTrust stack — `cmcp_verify`'s per-platform verifiers check the measurement +format/parse but **defer the silicon root** (TPM EK chains / AMD VCEK / Intel DCAP quote +signatures go to *unverified_fields*, "out of scope for Phase 1"), and a C-2 record's +`runtime.platform` is self-asserted. So it **never** reports +`hardware_backed`; `verification` is always `edge-only` and a claimed TEE platform is surfaced +only as `platform_claimed` (unverified). Attestation here authenticates the *author and policy* +of a write — **not** the truth of the content (SAGE's content hash and confidence stay +client-asserted). Verification is at the edge (the digest is not re-checked in SAGE consensus — +proposed upstream, not shipped); the badge reflects edge-verification at submit (`proposed`) +time, not consensus commit. `agentrust-trace-tests` **rejects** a self-signed bare TRACE record +(`LoadError`: a `signature` field without `cmcp_version`) and never grades it, so we make **no** +conformance-level claim for the C-2 path; the cMCP-envelope form passes `agentrust-trace-tests` +**0.1.0** Level 0. The `ReplayCache` (byte-identical de-dup) only blocks naive third-party +replay, not the minting agent, is **process-local** (a multi-instance deployment needs a shared +store) and effective single-instance only. The `GET /v1/attestation/{memory_id}` badge endpoint +is **unauthenticated** read-only — no secrets, but it discloses the attestation digest, `cnf` +thumbprint, and SPIFFE subject for a known `memory_id`. Canonicalization follows +`agentrust_trace`'s recipe (sorted-keys JSON), which equals RFC 8785 / JCS only for ASCII string ++ integer-number content. + +## Run it + +Against released packages (`cmcp-runtime` 0.2.1, `agentrust-trace` 0.2.0): + +```bash +git clone https://github.com/l33tdawg/sage-agenttrust && cd sage-agenttrust +python -m venv .venv && . .venv/bin/activate && pip install -e ".[dev]" + +# stock SAGE node, isolated in Docker (image pinned by digest for reproducibility) +docker run -d --name sage-demo -p 127.0.0.1:18080:8080 -e SAGE_PASSPHRASE=demo-passphrase \ + ghcr.io/l33tdawg/sage@sha256:f08ebd392638d28248a06dab5791d975041e635a5c814c7e57e7632c3c10c05d serve + +# the attestation-verifying proxy +SAGE_UPSTREAM=http://127.0.0.1:18080 uvicorn bridge.app:app --port 19090 & + +# end-to-end: attested submit -> consensus commit -> provenance-badge fetch +BRIDGE_URL=http://127.0.0.1:19090 python demo/run_demo.py +``` + +## What is verified (reproduction steps for maintainers when requesting verification) + +`./run_tests.sh` (offline, no node) reproduces: + +- A standalone TRACE record minted via `agentrust_trace.sign_record` verifies, and is + **rejected** when (a) the record is tampered, (b) its `cnf` key ≠ the SAGE author key, or + (c) it is replayed onto a different submit body. +- A cMCP `RuntimeClaim` is accepted via `cmcp_verify.verify_trace_claim`, and **rejected** + when it names a different agent or its policy/catalog hash does not match the approved set. +- The cMCP `RuntimeClaim` **passes `agentrust-trace-tests` Level 0**, and `software-only` + **fails Level 1** (no hardware root) — asserted in `tests/test_conformance.py`. + +`demo/run_demo.py` reproduces the live chain against a stock SAGE container: an attested +submit reaches consensus `committed`, the badge is retrievable, and a tampered or +wrong-author attestation returns `422` and never reaches SAGE. + +## Links + +- Integration source: https://github.com/l33tdawg/sage-agenttrust +- SAGE: https://github.com/l33tdawg/sage diff --git a/integrations/sage-agenttrust/integration.yaml b/integrations/sage-agenttrust/integration.yaml new file mode 100644 index 0000000..8f37ae5 --- /dev/null +++ b/integrations/sage-agenttrust/integration.yaml @@ -0,0 +1,22 @@ +name: SAGE AgentTrust Bridge +vendor: SAGE AgentTrust Bridge +integrates_with: + - cmcp + - trace +description: >- + Reverse proxy that edge-verifies a TRACE record (key-equal) or cMCP + RuntimeClaim (gateway-asserted) before admitting a memory submit to a stock, + unmodified SAGE consensus-memory node. +maintainer: + github: l33tdawg + email: dhillon.andrew@gmail.com +repository: https://github.com/l33tdawg/sage-agenttrust +homepage: https://github.com/l33tdawg/sage +license: Apache-2.0 +tier: community +# Level the cMCP-RuntimeClaim (envelope) path passes; the bare C-2 TRACE record is not graded +# by agentrust-trace-tests (LoadError), so it carries no conformance level — see README. +trace_conformance_level: 0 +tested_against: + cmcp-runtime: "0.2.1" + agentrust-trace: "0.2.0"