Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 17 additions & 6 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,7 +7,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0

## [Unreleased]

### Added
## [0.1.0a1] - 2026-07-09

First public alpha. Everything in this release is verifiable offline or in
software today. cA2A is a profile in active design: the delegation semantics and
the TEE verifiers are implemented and tested, but the profile is not yet attested
across trust domains on real hardware and there is no live A2A transport. That
milestone gates the first non-alpha release. See LIMITATIONS.md for the exact
built/stubbed boundary.

### What this release provides

- Initial cA2A profile draft: attested, attenuated agent-to-agent delegation on top of A2A
- `ca2a-verify`: offline delegation-chain verification skeleton (scope attenuation, signature, depth, replay checks)
Expand All @@ -27,10 +36,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
- RFC 8785 (JSON Canonicalization Scheme) canonicalization: `ca2a_runtime.canonical.canonicalize`. Credential and provenance bodies are now signed over the JCS encoding (UTF-16 key ordering, JCS string escaping, literal non-ASCII, shortest-decimal integers), so cA2A signatures are cross-verifiable with agent-manifest. ASCII credentials are byte-identical to the previous encoding, so existing signatures still verify.
- Repository scaffold: governance, CI/CD, docs framework, and packaging at parity with the agentrust-io house standard

### Not yet implemented
### What this release does NOT yet claim

- Live A2A transport wiring for the peer-enforcement decision core, including binding the seal to a verified attestation report (Tier 2)
- Cedar policy engine binding for the local policy (Tier 2)
- End-to-end SEV-SNP, TDX, and TPM validation against real hardware quotes on a confidential VM
- Not attested or confidential across trust domains on real hardware: all attestation validation is software / synthetic-vector. No real SEV-SNP, TDX, or TPM quote has been verified end to end against a golden measurement on a confidential VM.
- No live A2A transport: the peer-enforcement decision core and sealed channel run in-process. Nothing parses real A2A wire messages into a `PeerRequest` yet, and the seal is not bound to a verified attestation report on a live inbound call.
- The sealed channel does not by itself establish the enclave-held-private-key property; that is a hardware attestation guarantee that lands with real-hardware validation.
- Alpha schemas: the delegation credential and TRACE link schemas are not yet stable or versioned, and peer attestation evidence is not yet RATS/EAT conformant.

[Unreleased]: https://github.com/agentrust-io/ca2a/commits/main
[Unreleased]: https://github.com/agentrust-io/ca2a/compare/v0.1.0a1...main
[0.1.0a1]: https://github.com/agentrust-io/ca2a/releases/tag/v0.1.0a1
4 changes: 2 additions & 2 deletions pyproject.toml
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@ build-backend = "hatchling.build"

[project]
name = "ca2a-runtime"
version = "0.1.0"
version = "0.1.0a1"
description = "Confidential agent-to-agent runtime: attested, attenuated delegation and sealed peer channels for A2A"
readme = "README.md"
license = { text = "MIT" }
authors = [
{ name = "AgentTrust Contributors", email = "oss@agentrust.io" },
{ name = "AgenTrust Contributors", email = "oss@agentrust.io" },
]
keywords = ["a2a", "agent-to-agent", "delegation", "tee", "attestation", "confidential-computing", "ai-agents"]
classifiers = [
Expand Down