Skip to content

chore(release): prepare 0.1.0a1 alpha#46

Merged
imran-siddique merged 1 commit into
mainfrom
release/prep-0.1.0a1
Jul 12, 2026
Merged

chore(release): prepare 0.1.0a1 alpha#46
imran-siddique merged 1 commit into
mainfrom
release/prep-0.1.0a1

Conversation

@imran-siddique

Copy link
Copy Markdown
Contributor

Prep for the first public alpha. Does not cut a tag — this only makes the repo ready so you can publish a 0.1.0a1 GitHub release when you choose.

Changes

  • Brand fix: package author AgentTrust Contributors -> AgenTrust Contributors (correct wordmark; this would otherwise ship into PyPI metadata).
  • Version: 0.1.0 -> 0.1.0a1 so the build produces the alpha.
  • CHANGELOG: converted the Unreleased section into a 0.1.0a1 entry that states what the release provides and, explicitly, what it does not yet claim. Dropped a stale "not yet implemented" bullet (Cedar binding, which has landed).

Draft GitHub release body (for when you cut the tag)

cA2A 0.1.0a1 (alpha). Everything in this release is verifiable offline or in software today. cA2A is a profile in active design.

Provides: the cA2A profile spec as an A2A binding; attenuated delegation with offline chain + provenance-DAG verification (ca2a-verify); an in-process peer-enforcement decision core (enforce_peer_call, LocalPolicy or real Cedar); a sealed peer channel (X25519 -> HKDF-SHA256 -> ChaCha20-Poly1305); SEV-SNP / TDX / TPM verifiers (fail-closed, chain paths against real vendor roots, signature paths synthetic-vector validated); a conformance suite in CI.

Does not yet claim: attestation across trust domains on real hardware (all validation is software / synthetic-vector); a live A2A transport (decision core and sealing run in-process); a seal bound to a verified measurement on a live call; stable/versioned schemas or RATS/EAT conformance. See LIMITATIONS.md.

Before publishing (your action, not code)

  • release.yml already publishes to PyPI via Trusted Publishing (pypa/gh-action-pypi-publish, OIDC, environment: pypi). The only prerequisite is registering the trusted publisher for ca2a-runtime on PyPI (owner agentrust-io, repo ca2a, workflow release.yml, environment pypi).
  • Then publishing a v0.1.0a1 GitHub release triggers build -> PyPI publish -> AGT governance-release evidence.

- Fix package author metadata: AgentTrust -> AgenTrust (correct wordmark).
- Bump version 0.1.0 -> 0.1.0a1 so the build produces the alpha.
- Rework the CHANGELOG Unreleased section into a 0.1.0a1 entry that states
  plainly what the release provides and, explicitly, what it does NOT yet
  claim (no real-hardware attestation, no live A2A transport, alpha schemas).
  Drops a stale "not yet implemented" bullet for Cedar binding, which landed.

Does not cut a tag. release.yml already publishes to PyPI via Trusted
Publishing; the only remaining prerequisite is configuring the trusted
publisher for ca2a-runtime on PyPI.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Imran Siddique <imran.siddique@opaque.co>

@carloshvp carloshvp left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Requesting changes on the release metadata claim surface.

The changelog does the right thing by saying 0.1.0a1 is not yet attested or confidential across trust domains on real hardware, but the package metadata that this PR prepares for PyPI still publishes:

description = "Confidential agent-to-agent runtime: attested, attenuated delegation and sealed peer channels for A2A"

That description is the public package tagline and will be read outside the README/LIMITATIONS context. For this alpha, it still overclaims the real-hardware attestation boundary that the changelog explicitly tries to preserve. Please make the pyproject.toml description match the alpha claim, for example by calling it an experimental/software-validated cA2A runtime or otherwise removing the standalone "attested/confidential" claim until the live transport + hardware-backed attestation tracker is done.

Validation performed: inspected the PR metadata and patch only; no runtime tests run because this is a release-metadata/changelog change.

@imran-siddique imran-siddique merged commit 65df59b into main Jul 12, 2026
13 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants