spendguard: Agentic SpendGuard × TRACE integration (fills scaffold-spendguard)#30
spendguard: Agentic SpendGuard × TRACE integration (fills scaffold-spendguard)#30m24927605 wants to merge 7 commits into
Conversation
Fill the scaffold TODOs: - spendguard_trace.build_trace_record maps a SpendGuard evidence bundle (committed signed allow-decision fixture) onto TRACE record fields, matching the golden outputs of SpendGuard's own fixture verifier - examples/emit_record.py signs the record with an ephemeral Ed25519 key (agentrust_trace.sign_record), verifies the round-trip, and writes both the trace-tests-gradable unsigned payload and the signed form - tests: field mapping, envelope-marker guard, sign/verify round-trip, and a tamper probe that must fail verification - integration.yaml: trace_conformance_level 0 (passes with the explicit TR-SIG-005 UNVERIFIED finding; trace-tests 0.1.0 does not grade plain trace record signatures), integrates_with narrowed to trace until the cMCP Cedar policy patterns land - README: exact repro steps and explicit non-claims (rules 2 and 4) Verified locally against released packages: pytest 4 passed; trace-tests verify --level 0 PASS (8 checks, 1 UNVERIFIED). Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ppn8E9B6rYAx2jVmaLWTNm
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 63c75dfff9
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| @@ -0,0 +1,45 @@ | |||
| # agentrust-io conformance workflow for the Agentic SpendGuard integration. | |||
There was a problem hiding this comment.
Move conformance workflow to the repository root
Because this workflow is added under integrations/spendguard/.github/workflows, GitHub Actions will not discover it for this repository; GitHub's workflow syntax docs state that workflow files must be stored in the repository's root .github/workflows directory. In the current location, the push/PR/scheduled conformance job described by this file and the README never runs, so the integration's TRACE conformance is not continuously exercised.
Useful? React with 👍 / 👎.
There was a problem hiding this comment.
Good catch — fixed in 15d0dc6. Moved to the repository root as .github/workflows/spendguard-conformance.yml (named per-integration to avoid collisions), kept the integrations/spendguard/** path scoping, and added the workflow file itself to the path filters. README link updated.
Heads-up for maintainers: integrations/_template/ ships the workflow in the same undiscoverable location, so every future integration copying the template will hit this. Happy to send a small follow-up PR against the template if useful.
GitHub Actions only discovers workflows in the root .github/workflows directory, so the job never ran from integrations/spendguard/.github/. Renamed to spendguard-conformance.yml (unique per integration), kept the paths scoping, and added the workflow file itself to the path filters so changes to it also trigger a run. README link updated. Note: integrations/_template/ ships the workflow in the same undiscoverable location — same fix applies there if wanted. Co-Authored-By: Claude Fable 5 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01Ppn8E9B6rYAx2jVmaLWTNm
imran-siddique
left a comment
There was a problem hiding this comment.
Approving for community tier. Schema-valid manifest, runs against released packages (rule 1), and rules 2 and 4 are handled correctly: integrates_with narrowed to [trace] to avoid an unverifiable cMCP claim, and the README discloses the TR-SIG-005 UNVERIFIED / unsigned-payload limitation rather than overstating it. Conformance CI is green on 3.11-3.13.
Two non-blocking notes:
- Verified tier is a separate, deliberate step. The level-0 pass grades the unsigned payload (a limitation of released trace-tests, not this PR), so the badge flip is a conscious call rather than automatic.
build_provenance.slsa_levelis fixture data and level 0 does not grade it; it needs real provenance behind it before any level-1+ claim.
|
Thanks for the fast review. Agreed on both notes — starting at community tier is the right call. We'll come back for the Verified conversation once (a) there's a graded path for the signed record (either trace-tests growing plain-record signature grading, or us emitting a form it grades), and (b) real build provenance replaces the fixture |
Agentic SpendGuard × TRACE integration
Fills the TODOs in the
scaffold-spendguardbranch (thanks for setting that up — this PR builds directly on those commits).What's implemented
spendguard_trace.build_trace_record— maps a SpendGuard evidence bundle (the signed audit output of one spend/gate decision) onto a TRACE Trust Record. The committed example bundle inexamples/fixtures/allow/is SpendGuard's public allow-decision fixture; the field mapping matches the golden outputs of SpendGuard's own fixture verifier, so both repos derive the identical record shape from the same evidence.examples/emit_record.py— builds the record, signs it with an ephemeral Ed25519 key viaagentrust_trace.sign_record, verifies the round-trip withagentrust_trace.verify_record(..., allow_embedded_key=True), and writes both the trace-tests-gradable unsigned payload (--out) and the signed form (<out>.signed.json).tests/test_mapping.py— field mapping against the fixture, an envelope-marker guard, the sign/verify round-trip, and a tamper probe that must fail verification.Reproduction (what CI runs)
Verified locally against released packages (
agentrust-trace0.3.0,agentrust-trace-tests0.1.0) on Python 3.14; the conformance workflow covers 3.11–3.13.Honest boundaries (rules 2 & 4)
trace_conformance_level: 0— and level 0 passes with the explicitTR-SIG-005 UNVERIFIEDfinding. The released trace-tests 0.1.0 loader rejects any plain trace record carrying a top-levelsignaturefield (anti-downgrade), and TR-SIG grades signatures only on cMCP RuntimeClaim envelopes. The signed form is emitted alongside and verifies withagentrust_trace.verify_record; it is not graded by trace-tests. The README states this precisely.integrates_withis narrowed from the scaffold's[trace, cmcp]to[trace]: there is no cMCP content in this directory yet, and I didn't want an unverifiable claim in the manifest. Cedar spend-policy patterns for the cMCP tool boundary (amount thresholds, HITL-above-X, per-workflow limits) are the planned follow-up, andcmcpgoes back in when they land. Happy to revert if you'd rather keep the scaffold's declaration.Verified tier
Requesting a Verified-tier review at the level documented above (level 0, with the UNVERIFIED caveat stated in the README). The reproduction steps are exactly what the bundled conformance workflow runs.
🤖 Generated with Claude Code
https://claude.ai/code/session_01Ppn8E9B6rYAx2jVmaLWTNm