Metadata-Version: 2.4
Name: agent-manifest
Version: 0.1.0a1
Summary: Agent Manifest SDK — cryptographically anchor all 10 artifacts defining an AI agent at deployment
Project-URL: Homepage, https://github.com/agentrust-io/agent-manifest
Project-URL: Repository, https://github.com/agentrust-io/agent-manifest
Project-URL: Documentation, https://github.com/agentrust-io/agent-manifest/tree/main/spec
Project-URL: Bug Tracker, https://github.com/agentrust-io/agent-manifest/issues
Project-URL: Changelog, https://github.com/agentrust-io/agent-manifest/releases
Author-email: Imran Siddique <imran.siddique@opaque.co>
License: Apache-2.0
Keywords: agent-manifest,ai-agents,attestation,confidential-computing,governance,hardware-attestation,mcp,pydantic,tee,trust
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: Apache Software License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Monitoring
Classifier: Typing :: Typed
Requires-Python: >=3.11
Requires-Dist: cryptography<44,>=42
Requires-Dist: pydantic<3,>=2.7
Provides-Extra: all
Requires-Dist: click>=8.1; extra == 'all'
Requires-Dist: fastapi>=0.111; extra == 'all'
Requires-Dist: httpx>=0.27; extra == 'all'
Requires-Dist: pyoqs>=0.10; extra == 'all'
Requires-Dist: uvicorn[standard]>=0.29; extra == 'all'
Provides-Extra: cli
Requires-Dist: click>=8.1; extra == 'cli'
Provides-Extra: dev
Requires-Dist: click>=8.1; extra == 'dev'
Requires-Dist: fastapi>=0.111; extra == 'dev'
Requires-Dist: httpx>=0.27; extra == 'dev'
Requires-Dist: jcs>=0.3; extra == 'dev'
Requires-Dist: pyoqs>=0.10; extra == 'dev'
Requires-Dist: pytest-asyncio>=0.23; extra == 'dev'
Requires-Dist: pytest>=8; extra == 'dev'
Requires-Dist: uvicorn[standard]>=0.29; extra == 'dev'
Provides-Extra: pq
Requires-Dist: pyoqs>=0.10; extra == 'pq'
Provides-Extra: server
Requires-Dist: fastapi>=0.111; extra == 'server'
Requires-Dist: httpx>=0.27; extra == 'server'
Requires-Dist: uvicorn[standard]>=0.29; extra == 'server'
Description-Content-Type: text/markdown

# agent-manifest

**Cryptographically anchor all 10 artifacts defining an AI agent at deployment.**

The Agent Manifest SDK implements the Agent Manifest Specification v0.1 — a hardware-attestable document that binds every artifact defining an agent's behavior (system prompt, policy bundle, tool schemas, model identity, RAG corpus, memory state, audit chain, delegation chain, supply chain, and human approvals) into a single tamper-evident identity primitive.

```
pip install agent-manifest
```

## Why

A signed JWT proves who called an API. An Agent Manifest proves who the agent **was**, what it was **allowed to do**, how it was **built**, what it **decided**, who **approved** it, and whether any of that changed between approval and execution.

```python
from agent_manifest import (
    Manifest, ArtifactBindings,
    SystemPromptBinding, PolicyBundleBinding, ModelIdentityBinding,
    CryptoProfile, DeploymentType, EnforcementMode, PolicyLanguage,
    generate_ed25519, Ed25519Signer,
)
from agent_manifest._types import HashValue, ManifestId
from datetime import datetime, timedelta, timezone

now = datetime.now(timezone.utc)

manifest = Manifest(
    manifest_id=ManifestId("018f4a3b-2c1d-7e5f-a8b9-0d1e2f3a4b5c"),
    agent_id="spiffe://trust.example/agent/kyc/prod",
    issued_at=now,
    expires_at=now + timedelta(days=90),
    issuer="spiffe://trust.example/signing-authority",
    crypto_profile=CryptoProfile.standard,
    artifacts=ArtifactBindings(
        system_prompt=SystemPromptBinding(
            hash=HashValue("sha256:" + "a" * 64),
            bound_at=now,
        ),
        policy_bundle=PolicyBundleBinding(
            hash=HashValue("sha256:" + "b" * 64),
            policy_language=PolicyLanguage.cedar,
            version="1.0.0",
            enforcement_mode=EnforcementMode.enforce,
            bound_at=now,
        ),
        model_identity=ModelIdentityBinding(
            provider="anthropic",
            model_id="claude-sonnet-4-6",
            version="20251001",
            deployment_type=DeploymentType.api,
            bound_at=now,
        ),
    ),
)

keypair = generate_ed25519()
signer = Ed25519Signer(keypair)
sig_block = signer.sign(manifest.model_dump(mode="json", by_alias=True))
print(sig_block["algorithm"])   # Ed25519
print(sig_block["key_id"])      # sha256:<hex>
```

## The 10 Attested Artifacts

| # | Artifact | What it proves |
|---|----------|---------------|
| 1 | System Prompt | The exact prompt that defines the agent's persona and safety constraints |
| 2 | Policy Bundle | The Cedar/Rego/YAML governance rules that were in force |
| 3 | Tool Manifest | Every tool schema and description the agent was authorized to call |
| 4 | Model Identity | Which model and version ran (binary hash for local, version for API) |
| 5 | RAG Corpus | The knowledge base the agent was grounded on (Merkle root) |
| 6 | Memory Baseline | Approved agent memory state with TTL-based re-approval |
| 7 | Decision Trace | Hardware-signed audit chain root for all agent decisions |
| 8 | A2A Delegation | Signed delegation chain from human principal to current agent |
| 9 | Supply Chain | Container digest, SLSA provenance, SBOM, MCP server supply chain |
| 10 | HITL Approvals | Hardware-signed human oversight records (EU AI Act Art. 14) |

## Hardware Attestation

```python
from agent_manifest._auto_provider import select_provider

# auto-selects: OPAQUE → SEV-SNP → TDX → TPM → Software
provider = select_provider(level=1)   # Level 1+ requires hardware
provider.extend_manifest_hash(manifest_dict)
report = provider.get_attestation_report()
# report.platform: "amd-sev-snp" | "intel-tdx" | "tpm" | "opaque"
```

| Provider | Hardware | Level | Install |
|----------|----------|-------|---------|
| `TPMProvider` | TPM 2.0 / AWS Nitro | 1 | `apt install tpm2-tools` |
| `SEVSNPProvider` | AMD SEV-SNP | 2 | Needs `/dev/sev-guest` |
| `TDXProvider` | Intel TDX | 2 | Needs `/dev/tdx-guest` |
| `OPAQUEProvider` | Opaque Runtime | 3 | Set `OPAQUE_ATTESTATION_URL` |

## Verification

```python
from agent_manifest._verify import verify_manifest, VerificationContext, RevocationStore

result = verify_manifest(
    manifest_dict,
    VerificationContext(
        system_prompt_hash="sha256:...",
        policy_bundle_hash="sha256:...",
        enforce_hitl=True,
    ),
    RevocationStore(),
)
print(result.result)   # VALID | MISMATCH | EXPIRED | REVOKED | ...
```

## CLI

```bash
pip install "agent-manifest[cli]"

manifest keygen -d ./keys/
manifest create config.json -o draft.json
manifest sign draft.json --key keys/private.hex -o signed.json
manifest attest signed.json --provider auto --level 1 -o attested.json
manifest verify attested.json
manifest revoke <manifest-id> --reason "key compromise" --revoked-by security@example.com
```

## Cryptography

- **Standard profile**: Ed25519 (RFC 8032), SHA-256, RFC 8785 canonical JSON
- **Post-quantum profile**: ML-DSA-65 (NIST FIPS 204), SHAKE-256 — `pip install "agent-manifest[pq]"`
- **Hybrid**: Both signatures required, identical pre-image
- **Transparency**: Rekor/Sigstore integration for non-repudiation

## Specification

The full Agent Manifest Specification v0.1 is at [`spec/agent-manifest-spec-v0.1.md`](https://github.com/agentrust-io/agent-manifest/blob/main/spec/agent-manifest-spec-v0.1.md).

Being submitted to the [Agentic AI Foundation (AAIF)](https://agenticai.foundation) under the Linux Foundation alongside AGT.

## License

Apache 2.0
