diff --git a/ards/README.md b/ards/README.md
new file mode 100644
index 0000000..4f536be
--- /dev/null
+++ b/ards/README.md
@@ -0,0 +1,69 @@
+# ARDS — Governed Agent Discovery
+
+This directory shows how agentrust.io participates in the [Agentic Resource Discovery Specification](https://github.com/ards-project/ard-spec) (ARDS v0.9) as a **governed-agent federated registry** — a specialized ARD registry that only indexes agents carrying TRACE-v0.2 runtime governance attestations.
+
+## What's here
+
+| File | Description |
+|---|---|
+| `ai-catalog.json` | agentrust.io's `/.well-known/ai-catalog.json` — the static catalog that ARD crawlers ingest. Lists cMCP, Agent Manifest SDK, and TRACE Registry as governed MCP servers, plus the agentrust.io registry entry for ARD federation. |
+
+## The integration point
+
+ARDS `trustManifest.attestations` accepts any attestation type. TRACE-v0.2 is a **runtime governance attestation** — it proves an agent ran under a specific Cedar policy in a verified TEE, with a signed tool-call transcript, in one independently verifiable artifact.
+
+```json
+{
+ "trustManifest": {
+ "identity": "spiffe://trust.agentrust.io/gateway/cmcp/prod",
+ "identityType": "spiffe",
+ "attestations": [
+ { "type": "SPIFFE-X509", "uri": "https://agentrust.io/.well-known/spiffe/jwks" },
+ {
+ "type": "TRACE-v0.2",
+ "uri": "https://trace.agentrust.io/records/cmcp-prod-latest",
+ "digest": "sha256:3f4a8b2c..."
+ }
+ ]
+ }
+}
+```
+
+The `uri` resolves to a TRACE Trust Record — an EAT (RFC 9711) signed JSON artifact containing the Cedar policy hash, TEE measurement, and tool transcript hash. The `digest` is the SHA-256 of that record. Both fields allow an ARD registry or orchestrator to verify the governance claim offline, without calling agentrust.io.
+
+## Filtering for governed agents in ARD search
+
+Any ARD registry that ingests the agentrust.io catalog will make this filter work:
+
+```json
+{
+ "query": {
+ "text": "policy-governed MCP gateway with hardware attestation",
+ "filter": {
+ "trustManifest.attestations.type": ["TRACE-v0.2"]
+ }
+ }
+}
+```
+
+This returns only agents with hardware-verifiable runtime governance records — across any registry in the federation that has ingested TRACE-attested entries.
+
+## agentrust.io as a federated governed-agent registry
+
+The last entry in `ai-catalog.json` registers the agentrust.io registry itself:
+
+```json
+{
+ "identifier": "urn:ai:agentrust.io:registry:governed-agents",
+ "type": "application/ai-registry+json",
+ "url": "https://registry.agentrust.io/api/v1/"
+}
+```
+
+ARD registries discovering this entry can route queries with `trustManifest.attestations.type: TRACE-v0.2` to `registry.agentrust.io` via federation referrals, delegating governed-agent discovery without replicating the trust logic.
+
+## TRACE spec
+
+- Spec: [agentrust-io/trace-spec](https://github.com/agentrust-io/trace-spec)
+- ARDS PR: [ards-project/ard-spec#6](https://github.com/ards-project/ard-spec/pull/6)
+- AGT ADR: `docs/adr/0032-agt-emits-trace-v01-trust-records.md` in [microsoft/agent-governance-toolkit](https://github.com/microsoft/agent-governance-toolkit)
diff --git a/ards/ai-catalog.json b/ards/ai-catalog.json
new file mode 100644
index 0000000..a7911d9
--- /dev/null
+++ b/ards/ai-catalog.json
@@ -0,0 +1,105 @@
+{
+ "$comment": "Reference: agentrust.io governed-agent catalog. All entries carry TRACE-v0.2 runtime governance attestations alongside SPIFFE X.509 identity.",
+ "specVersion": "1.0",
+ "host": {
+ "displayName": "agentrust.io",
+ "identifier": "agentrust.io",
+ "documentationUrl": "https://agentrust.io/docs",
+ "logoUrl": "https://agentrust.io/assets/logo.svg",
+ "trustManifest": {
+ "identity": "spiffe://trust.agentrust.io/registry/global",
+ "identityType": "spiffe",
+ "attestations": [
+ {
+ "type": "SPIFFE-X509",
+ "uri": "https://agentrust.io/.well-known/spiffe/jwks"
+ }
+ ]
+ }
+ },
+ "entries": [
+ {
+ "identifier": "urn:ai:agentrust.io:governed:cmcp-gateway",
+ "displayName": "Confidential MCP Gateway (cMCP)",
+ "description": "Hardware-attested policy enforcement gateway for MCP tool calls. Cedar policies evaluated inside AMD SEV-SNP / Intel TDX TEE. Every session produces a TRACE Trust Record independently verifiable offline.",
+ "type": "application/mcp-server+json",
+ "url": "https://api.agentrust.io/mcp/cmcp",
+ "version": "0.2.0",
+ "tags": ["governance", "confidential-computing", "policy-enforcement", "mcp", "tee"],
+ "capabilities": ["PolicyEnforcement", "HardwareAttestation", "AuditLog", "TRACE"],
+ "trustManifest": {
+ "identity": "spiffe://trust.agentrust.io/gateway/cmcp/prod",
+ "identityType": "spiffe",
+ "attestations": [
+ {
+ "type": "SPIFFE-X509",
+ "uri": "https://agentrust.io/.well-known/spiffe/jwks"
+ },
+ {
+ "type": "TRACE-v0.2",
+ "uri": "https://trace.agentrust.io/records/cmcp-prod-latest",
+ "digest": "sha256:3f4a8b2c1d9e7f6a5b4c3d2e1f0a9b8c7d6e5f4a3b2c1d0e9f8a7b6c5d4e3f2"
+ }
+ ]
+ }
+ },
+ {
+ "identifier": "urn:ai:agentrust.io:governed:agent-manifest",
+ "displayName": "Agent Manifest SDK",
+ "description": "Hardware-anchors all 10 artifacts defining an agent at deployment. 
Attestation extended to agents — attested at registration and re-attested on any change.",
+ "type": "application/mcp-server+json",
+ "url": "https://api.agentrust.io/mcp/agent-manifest",
+ "version": "0.1.0",
+ "tags": ["governance", "identity", "attestation", "agent-manifest"],
+ "capabilities": ["AgentIdentity", "HardwareAttestation", "ManifestVerification"],
+ "trustManifest": {
+ "identity": "spiffe://trust.agentrust.io/service/agent-manifest/prod",
+ "identityType": "spiffe",
+ "attestations": [
+ {
+ "type": "SPIFFE-X509",
+ "uri": "https://agentrust.io/.well-known/spiffe/jwks"
+ },
+ {
+ "type": "TRACE-v0.2",
+ "uri": "https://trace.agentrust.io/records/agent-manifest-prod-latest",
+ "digest": "sha256:a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0a1b2"
+ }
+ ]
+ }
+ },
+ {
+ "identifier": "urn:ai:agentrust.io:governed:trace-registry",
+ "displayName": "TRACE Registry",
+ "description": "Public append-only Merkle registry for TRACE Trust Record anchors. Query attested session records for any TRACE-governed agent. Supports SCITT-anchored verification.",
+ "type": "application/mcp-server+json",
+ "url": "https://trace.agentrust.io/mcp",
+ "version": "0.2.0",
+ "tags": ["governance", "attestation", "trace", "audit", "scitt"],
+ "capabilities": ["TRACEVerification", "AuditQuery", "SCITTAnchoring"],
+ "trustManifest": {
+ "identity": "spiffe://trust.agentrust.io/service/trace-registry/prod",
+ "identityType": "spiffe",
+ "attestations": [
+ {
+ "type": "SPIFFE-X509",
+ "uri": "https://agentrust.io/.well-known/spiffe/jwks"
+ },
+ {
+ "type": "TRACE-v0.2",
+ "uri": "https://trace.agentrust.io/records/trace-registry-prod-latest",
+ "digest": "sha256:f0e9d8c7b6a5f4e3d2c1b0a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c3b2a1f0e9"
+ }
+ ]
+ }
+ },
+ {
+ "identifier": "urn:ai:agentrust.io:registry:governed-agents",
+ "displayName": "agentrust.io Governed Agent Registry",
+ "description": "Federated ARD registry for TRACE-attested, policy-governed agents. 
All indexed entries carry TRACE-v0.2 runtime governance attestations. Filter with trustManifest.attestations.type=[TRACE-v0.2] to find governed agents across the federation.",
+ "type": "application/ai-registry+json",
+ "url": "https://registry.agentrust.io/api/v1/",
+ "tags": ["registry", "governance", "federation", "trace"]
+ }
+ ]
+}
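Review bot: The cMCP entry's TRACE-v0.2 `digest` has only 63 hex characters after `sha256:`, so it is not a valid SHA-256 and a verifier that compares the fetched Trust Record against it will always fail — or, if it tolerates an unparseable digest, silently skip the check; the agent-manifest and trace-registry digests are 64 characters, so this one looks like a truncated paste. All three TRACE `uri` values point at a mutable `-prod-latest` alias while the `digest` pins exactly one record, so the pair goes stale the moment a new Trust Record is published; pin a content-addressed record URL such as `https://trace.agentrust.io/records/<RECORD-ID-PLACEHOLDER>` or document how this static catalog is regenerated on each new record. The `$comment` also states that all entries carry TRACE-v0.2 attestations, but the `urn:ai:agentrust.io:registry:governed-agents` entry has no `trustManifest` at all, so a consumer filtering on `trustManifest.attestations.type` will not see it; either add a manifest to that entry or narrow the comment to the three MCP-server entries.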