Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@ TRACE only works as a standard if it is genuinely neutral. Integrations are list

| Integration | Vendor | Integrates with | Tier |
|---|---|---|---|
| _none yet - be the first_ | | | |
| [claude-code](claude-code/) | agentrust-io | agent-manifest, trace | community |

## Community

Expand Down
11 changes: 11 additions & 0 deletions claude-code/.claude-plugin/plugin.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"name": "agentrust-claude-code",
"description": "Agent-integrity for Claude Code: capture what your agent IS (Agent Manifest) and what it DID (TRACE), and check nothing was added or subtracted since your approved baseline.",
"version": "0.1.0",
"author": {
"name": "agentrust-io"
},
"homepage": "https://github.com/agentrust-io/integrations/tree/main/claude-code",
"repository": "https://github.com/agentrust-io/integrations",
"license": "Apache-2.0"
}
7 changes: 7 additions & 0 deletions claude-code/.gitignore
Original file line number Diff line number Diff line change
@@ -0,0 +1,7 @@
__pycache__/
*.pyc
.pytest_cache/
# local capture artifacts
manifest.json
trace.json
live.json
91 changes: 91 additions & 0 deletions claude-code/README.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,91 @@
# AgenTrust for Claude Code

Agent-integrity for the coding agent you already use. This plugin captures, every
session:

- an **Agent Manifest** — what your Claude agent *is*: skills, tools, MCP servers,
model, permission policy, and instruction layer, each fingerprinted and signed
([agent-manifest](https://github.com/agentrust-io/agent-manifest)).
- a **TRACE Trust Record** — what your agent *did* this run, signed and
conformance-checkable ([trace](https://github.com/agentrust-io/trace-spec)).

and answers the one question that matters on a developer box:

> **Is the agent I'm running the one I approved — nothing added, nothing subtracted?**

A rogue skill dropped into `~/.claude/skills`, a widened permission, an edited
`CLAUDE.md`, or an unexpected MCP server all change a fingerprint, and the next
SessionStart tells you.

## What it does

| Surface | What runs | Needs crypto packages? |
|---|---|---|
| **SessionStart hook** | snapshot the agent from disk, diff against your approved baseline, warn in-session on drift | No (stdlib only) |
| `/manifest verify` | full diff including the live tool/MCP roster the agent reports | No |
| `/manifest approve` | make the current composition the approved baseline | No (add `--sign` for records) |
| `/trace` | build + sign the Agent Manifest and TRACE record, explain them in plain English | Yes |

The hook is deliberately dependency-free so it never blocks session start. Signing
runs only when you ask for records.

## Install

```bash
# 1. plugin (hooks + commands)
/plugin marketplace add agentrust-io/integrations
/plugin install agentrust-claude-code

# 2. only for signed records (/trace, /manifest approve --sign)
pip install -r claude-code/requirements.txt
```

First SessionStart establishes your baseline at `~/.claude/agentrust/baseline.json`.
Every later session is checked against it. Run `/manifest approve` whenever you
intentionally change your setup.

## What it captures (and what it does not)

Captured, by fingerprint — never raw content, never secrets:

- **skills** — each `~/.claude/skills/*/SKILL.md`
- **permissions** — `~/.claude/settings.json` (the allow/deny policy)
- **instruction layer** — your `CLAUDE.md` / memory tree
- **tools + MCP servers** — the roster the agent reports at report time
- **model** — provider, id, version

It never reads `~/.claude/.credentials.json`, and records skill / tool / MCP
**names** only, never tokens or environment values.

## Known gaps (read before relying on it)

- **Software-only, Level 0.** A normal dev box has no TEE, so the TRACE record is
software-only integrity, not hardware-rooted attestation. Labelled as such.
- **Instruction layer is a proxy.** The `system_prompt` fingerprint covers your
`CLAUDE.md` and memory, not Claude Code's internal system prompt, which is not
on disk.
- **`policy_language` mismatch.** agent-manifest's `policy_language` enum
(`cedar`/`rego`/`yaml-agt`/`composite`) has no value for host-native agent
permission systems like Claude Code's `settings.json`. Modelled as `composite`;
a spec value for host-native permissions is proposed upstream.
- **Hook visibility.** A shell hook cannot enumerate the live tool roster, so the
SessionStart check compares skills, permissions, and the instruction layer.
The full tool/MCP diff runs in `/manifest verify`, where the agent supplies the
live roster.
- **agent-manifest version.** The manifest builder targets agent-manifest 0.3.x;
PyPI currently publishes 0.2.0. Install agent-manifest from source until 0.3.x
ships.

## Layout

```
claude-code/
.claude-plugin/plugin.json plugin manifest
hooks/hooks.json SessionStart -> engine/capture.py hook
commands/manifest.md /manifest capture | verify | approve
commands/trace.md /trace report
engine/capture.py capture engine (stdlib hook + signing report)
tests/test_capture.py stdlib-only tests
integration.yaml agentrust-io integration manifest
requirements.txt crypto deps for signing only
```
36 changes: 36 additions & 0 deletions claude-code/commands/manifest.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,36 @@
---
description: Capture, verify, or approve the integrity baseline of your Claude Code agent
argument-hint: "[verify | approve | show]"
---

You are running the AgenTrust agent-integrity command. The engine is at
`${CLAUDE_PLUGIN_ROOT}/engine/capture.py`. It captures the agent's composition
(skills, tools, MCP servers, model, permissions, instruction layer) and diffs it
against the user's approved baseline at `~/.claude/agentrust/baseline.json`.

The shell hook cannot see the live tool roster, so YOU enrich it. Before running,
write the current session's real facts to a temp `live.json`:

```json
{
"model_id": "<the model you are running>",
"model_provider": "anthropic",
"model_version": "<version>",
"builtin_tools": ["<your actual built-in tool names>"],
"mcp_servers": ["<the MCP servers actually connected this session>"]
}
```

Then dispatch on `$ARGUMENTS`:

- `verify` (default): run
`python "${CLAUDE_PLUGIN_ROOT}/engine/capture.py" verify --live-context live.json`
and show the "nothing added, nothing subtracted" result. Explain any change in
plain language and ask whether to approve it.
- `approve`: run `... approve --live-context live.json --sign --out .` to make the
current composition the new approved baseline and write signed records.
- `show`: run `... snapshot --live-context live.json` to display the current
composition without touching the baseline.

Report the result in plain English. Never claim hardware attestation: on a normal
dev box this is software-only (Level 0) integrity, not silicon-rooted proof.
30 changes: 30 additions & 0 deletions claude-code/commands/trace.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,30 @@
---
description: Generate a signed TRACE + Agent Manifest report for this Claude Code session
argument-hint: ""
---

You are running the AgenTrust report command. Generate a signed record of THIS
session and explain it in plain English. Engine:
`${CLAUDE_PLUGIN_ROOT}/engine/capture.py`.

Steps:

1. Ensure the packages are installed (once):
`pip install agent-manifest agentrust-trace "agentrust-trace-tests>=0.2"`.
2. Write this session's real facts to `live.json` (do NOT invent values):
`model_id`, `model_provider`, `model_version`, `builtin_tools` (your actual
built-in tools), `mcp_servers` (the MCP servers actually connected now).
3. Run
`python "${CLAUDE_PLUGIN_ROOT}/engine/capture.py" report --live-context live.json --out .`
4. Optionally confirm the TRACE record passes the suite:
`trace-tests verify --record trace.json --level 0` (or
`python -m trace_tests.cli verify ...` if the script is not on PATH).

Then explain the report the user actually cares about:
- what the agent IS (skills, tools, MCP, model, permissions), each fingerprinted,
- what it DID this run (TRACE record, software-only / Level 0 on a dev box),
- whether anything changed since their approved baseline.

Be honest about scope: no TEE on a normal laptop means Level 0, not hardware
attestation. The "instruction layer" fingerprint covers CLAUDE.md and memory,
not Claude Code's internal system prompt (which is not on disk).
Loading