Metadata-Version: 2.4
Name: agentrust-trace-tests
Version: 0.1.0
Summary: TRACE conformance test suite
Project-URL: Homepage, https://github.com/agentrust-io/trace-tests
Project-URL: Repository, https://github.com/agentrust-io/trace-tests
Project-URL: Documentation, https://github.com/agentrust-io/trace-tests#readme
Project-URL: Bug Tracker, https://github.com/agentrust-io/trace-tests/issues
Author: agentrust.io
License: Apache-2.0
License-File: LICENSE
Keywords: ai-agents,attestation,conformance,provenance,trace
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Testing
Requires-Python: >=3.11
Requires-Dist: click>=8.1
Requires-Dist: cryptography>=42
Requires-Dist: jsonschema>=4.23
Provides-Extra: dev
Requires-Dist: bandit; extra == 'dev'
Requires-Dist: mypy; extra == 'dev'
Requires-Dist: pip-audit; extra == 'dev'
Requires-Dist: pytest-cov; extra == 'dev'
Requires-Dist: pytest>=8.0; extra == 'dev'
Requires-Dist: ruff; extra == 'dev'
Provides-Extra: test
Requires-Dist: pytest-cov; extra == 'test'
Requires-Dist: pytest>=8.0; extra == 'test'
Description-Content-Type: text/markdown

[![License: Apache 2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)
[![TRACE Spec](https://img.shields.io/badge/TRACE-Spec_v0.1-0ea5e9)](https://github.com/agentrust-io/trace-spec)
[![Tests](https://img.shields.io/badge/Conformance_Tests-7_modules-green)]()

# TRACE Conformance Test Suite

Conformance tests for TRACE v0.1 - Trust, Runtime Attestation, and Compliance Evidence. An implementation producing Trust Records must pass all tests in the applicable level before using the "TRACE-conformant" mark.

If you are building a gateway, agent runtime, or orchestration layer that produces TRACE records, run this suite against your output to verify conformance before claiming TRACE compliance.

## Test modules

| Module | ID prefix | Spec section | What it tests |
|---|---|---|---|
| Envelope | `TR-ENV` | §3.2 | EAT envelope structure, `eat_profile` URI, required fields, `iat` validity |
| Signature | `TR-SIG` | §3.2.1 | Algorithm conformance (ES256/ES384/EdDSA), key binding, chain verification |
| Runtime | `TR-RTE` | §3.1 | TEE platform enum, measurement format, RIM URI resolution |
| Policy | `TR-POL` | §3.1 | Policy bundle hash format, enforcement mode values, TEE binding |
| Transcript | `TR-TXN` | §3.1 | Tool-call transcript hash binding (Phase 2+ records) |
| Transparency | `TR-ANC` | §3.2 | SCITT receipt URI format, inclusion proof structure |
| Provenance | `TR-SCA` | §3.1 | SLSA provenance level, builder URI, digest format |

## Conformance levels

| Level | Required modules | Use case |
|---|---|---|
| 0 | TR-ENV, TR-SIG, TR-POL | Software-only development and staging |
| 1 | Level 0 + TR-RTE, TR-SCA | Production TEE-attested records |
| 2 | Level 1 + TR-TXN, TR-ANC | Full records with transparency anchoring |

## Running

```bash
pip install trace-tests
trace-tests verify --record path/to/trust-record.jwt --level 1
```

## Test structure

Each test case includes:
- A normative reference to the spec section it exercises
- A **positive case** - valid input, expected result: `PASS`
- A **negative case** - invalid input, expected result: `FAIL` with a structured error code

Error codes follow the form `TR-<MODULE>-<NNN>` (e.g., `TR-ENV-001`: missing `eat_profile`).

## Status

Test suite v0.1, in development. The TRACE spec publishes at Confidential Computing Summit, June 23 2026, and the test suite will be usable at that point. The certification program is on a separate timeline, launching 2027.

## Contributing

Open an issue or PR. New tests must include the normative spec reference, a positive case, and a negative case.

## License

Apache 2.0