Skip to content

Add example: cryptographically verifiable AgentFacts trust fields via Attestix#1

Open
ascender1729 wants to merge 3 commits into
projnanda:mainfrom
ascender1729:feat/attestix-verifiable-agentfacts
Open

Add example: cryptographically verifiable AgentFacts trust fields via Attestix#1
ascender1729 wants to merge 3 commits into
projnanda:mainfrom
ascender1729:feat/attestix-verifiable-agentfacts

Conversation

@ascender1729

@ascender1729 ascender1729 commented Jun 17, 2026

Copy link
Copy Markdown

Problem

certification and evaluations (auditTrail, auditorID) are reserved for trust, but the format ships no way to prove them. They are plain strings any publisher can write anything into. A consumer reading certification.level: "EU-AI-Act-Annex-III" cannot tell a real audit from a self-asserted claim.

Change

A self-contained, runnable example (examples/attestix_verifiable_agentfacts/) that makes those fields cryptographically verifiable using Attestix (Apache-2.0):

  1. Attestix issues an Ed25519-signed W3C Verifiable Credential about the agent.
  2. certification / evaluations.auditTrail / evaluations.auditorID are populated from that credential; the credential travels with the doc under x-attestix-credential (extra top-level properties are allowed by the schema).
  3. Anyone verifies offline, with no call back to the issuer, that the signature is valid and that the visible certification fields match exactly what was signed. A publisher cannot upgrade their own certification.level without detection.

Verified

Run against attestix 0.4.1 + jsonschema 4.26:

[PASS] AgentFacts validates against agentfacts_schema.json
  [PASS] credential signature valid
  [PASS] credential is about this agent
  [PASS] certification.level matches signed claim
  [PASS] certification.issuer matches signer
  [PASS] certification dates match the credential
  [PASS] evaluations.auditorID matches signer
  [PASS] evaluations.auditTrail points to the credential
  [PASS] forged certification.level is REJECTED offline
  [PASS] forged certification.expirationDate is REJECTED offline

The script generates agent.agentfacts.json locally (gitignored output) and ships with a README.

Field mapping

AgentFacts field Filled with
certification.level / issuer / dates the signed credential's claim, issuer DID, validity window
evaluations.auditorID the Attestix issuer DID
evaluations.auditTrail the credential id (pointer to the verifiable evidence)
x-attestix-credential the full signed credential, so verification is offline

Context

This is the AgentFacts side of the Attestix ↔ NANDA integration Prof. Raskar asked us to demo. A companion PR to projnanda/adapter adds optional attestation to the agent-registration handshake. Happy to adapt either to your preferred repo/path or sign a CLA (I don't see a LICENSE file yet).

Opened as a draft for discussion, not asking for a merge yet.

@ascender1729 ascender1729 force-pushed the feat/attestix-verifiable-agentfacts branch from bcd142d to 54f5e39 Compare June 17, 2026 10:58
… Attestix

The certification and evaluations fields are reserved for trust but the format
ships no way to prove them - they are plain strings today. This adds a runnable
example that uses Attestix (Apache-2.0) to issue a signed W3C Verifiable
Credential for an agent, populate certification / evaluations.auditTrail /
auditorID from it, carry the credential under x-attestix-credential, and verify
the whole thing offline. A forged certification.level is rejected without any
call back to the issuer.

Includes a schema-validated sample (agent.agentfacts.json) and a README.
@ascender1729 ascender1729 force-pushed the feat/attestix-verifiable-agentfacts branch from 54f5e39 to 9a35e85 Compare June 17, 2026 11:05
ascender1729 added 2 commits June 28, 2026 15:07
The example was written against the 0.4.1rc2 pre-release; attestix 0.4.1 is
now the stable PyPI release. Re-verified end-to-end against 0.4.1 stable
(schema validation + offline verify + both forgery rejections still pass).
Addresses review feedback: agent.agentfacts.json is regenerated on every run
(fresh UUID and timestamps), so it is now gitignored instead of committed, and
running the example no longer dirties the tree. Synced the README expected
output to a real run, added a Limitations note (verify-only; expiry, trust
root, and live revocation out of scope), and quoted the pip version spec.
@ascender1729 ascender1729 marked this pull request as ready for review June 28, 2026 10:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant