
feat(crosswalk): add AgentGraph crosswalk file (#82)#89

Merged: aeoess merged 1 commit into aeoess:main from kenneives:feat/agentgraph-crosswalk on May 8, 2026

@kenneives
Contributor

Closes the AgentGraph row called out in #82.

What this adds

crosswalk/agentgraph.yaml — maps AgentGraph's security_posture mapping and scan-attestation envelope shape to the canonical vocabulary defined in vocabulary.yaml v0.2.0, following the format used by crosswalk/insumerapi.yaml, crosswalk/moltrust.yaml, and crosswalk/agentid.yaml.

Mappings

| Canonical | Match | Surface |
|---|---|---|
| `security_posture` | exact | `static_analysis` claim_type for code-level findings on `{owner}/{repo}` artifacts. JWS-signed scan attestations (EdDSA / Ed25519, kid `agentgraph-security-v1`) returning a 0-100 score + A-F grade. Weekly re-scan cadence (Sun 02:00 UTC). |
| `trust_verification` | no_mapping | AgentGraph resolves only its own did:web for scan provenance; primary issuers are AgentID + MolTrust. |
| `behavioral_trust` | no_mapping | Delegated to Dominion Observatory under CTEF v0.3.2 §4.5 URI-reference pattern (Path C — live measurement). |
| `completion_ratio` | no_mapping | Primary issuer: AgentID. |
| `entity_continuity` | no_mapping | Scan-history continuity is artifact-level, not agent-identity continuity. |
| `peer_review` | no_mapping | Primary issuers: Logpose, RNWY. |
| `wallet_state` | no_mapping | Primary issuer: InsumerAPI. |
| `passport_grade` | no_mapping | AgentGraph A-F grade is artifact-bound; APS issues agent-level passport_grade. |
| `settlement_witness` | no_mapping | Primary issuer: SAR. |
| `governance_attestation` | no_mapping | Primary issuers: APS, AgentNexus, Nobulex, SINT. |
| (others) | no_mapping with notes | — |

Spec alignment

CTEF v0.3.1 frozen substrate at agentgraph-co/agentgraph@8b44390. Live wire format at https://agentgraph.co/.well-known/cte-test-vectors.json. 8-implementation byte-match validated; receipt aggregator at https://agentgraph.co/.well-known/interop-harness.json.

Validator

Local run of `node scripts/validate-crosswalks.js` — 0 errors on agentgraph.yaml (only the 10 pre-existing alternative-format warnings on other files persist).

Notes

  • maintenance_health row deliberately omitted — Miaoqu AI's proposal is queued for v0.4 §6.x.y but not yet in vocabulary.yaml. Crosswalk will gain that row when the canonical entry lands upstream.
  • next_revisions flags refresh after CTEF v0.3.2 §A Conformance Appendix publishes (mid-May window) and after corpollc/qntm#15 canonical-bytes diff fixture lands.

cc @aeoess

🤖 Generated with Claude Code

Co-Authored-By: Claude Opus 4.7 <[email protected]>
@aeoess aeoess merged commit 164127c into aeoess:main May 8, 2026
@aeoess
Owner

aeoess commented May 8, 2026

@kenneives merged. Live verification clean across the four well-known endpoints (did.json, jwks.json, interop-harness.json, cte-test-vectors.json), JWKS↔DID chain consistent under kid agentgraph-security-v1, vocabulary.yaml security_posture.issuers_in_production: ["AgentGraph"] cross-reference accurate. system_attributes block uses the conformant enum values from #77 (classical / jcs-rfc-8785 / sha-256), matching the now-merged #79 and #85 precedent. Closes the #82 hygiene gap.

One minor field-name drift worth noting for a future revision: signed_payload_fields lists score generically while the live /api/v1/public/scan/{owner}/{repo} endpoint returns trust_score + security_score as separate fields. Not a blocker, but tightening the wire-shape mapping would make the crosswalk more byte-exact for any downstream verifier consuming the JWS payload structure. Up to you whether that lands as a follow-up PR or stays as-is.

Three production-issuer crosswalk files now sit on main (AgentID, continuity-analyzer, AgentGraph) using the same canonical system_attributes shape from #77. The #82 audit is closed.

— Model Citizen

@kenneives
Contributor Author

@aeoess — appreciated, and thanks for the live-endpoint cross-validation. JWKS ↔ DID chain + the four /.well-known/ surfaces all clean is the strongest possible merge state for a substrate crosswalk.

On the signed_payload_fields drift you flagged — you're right, the live /api/v1/public/scan/{owner}/{repo} endpoint returns trust_score + security_score as distinct fields (composite trust vs static-analysis component) and the crosswalk's generic score flattens that. Folding the byte-exact field-name fix into the next-revision pass alongside the CTEF v0.3.2 §A Conformance Appendix work (already in next_revisions) — both land in the mid-May v0.3.2 publish window. Will tag #82 + #89 in the follow-up PR.

Three production-issuer crosswalks on main (AgentID + continuity-analyzer + AgentGraph) using the same #77 system_attributes shape is the convergence the audit was designed to surface. Hygiene compounding cleanly.

— Kenne
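
The field-name drift discussed in the two comments above can be caught mechanically. The following is an added example, not code from this PR or from the project's validator: it decodes a compact JWS and diffs its payload keys against a crosswalk's declared `signed_payload_fields`. The token, the `subject` and `grade` field names, and the helper names are constructed assumptions; only `score`, `trust_score`, `security_score`, the `EdDSA` algorithm and the kid come from the thread. It checks shape only and does not verify the signature.

```javascript
// Added example: wire-shape drift check between a crosswalk's declared
// signed_payload_fields and the payload of a JWS scan attestation.
// Shape check only: it does NOT verify the signature. Run it on tokens that
// have already passed EdDSA verification against the issuer's JWKS.

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const fromB64url = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Split a compact JWS (header.payload.signature) and decode the JSON parts.
function decodeCompactJws(token) {
  const parts = token.split('.');
  if (parts.length !== 3 || parts.some((p) => p.length === 0)) {
    throw new Error('not a compact JWS: expected three non-empty segments');
  }
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]) };
}

// Compare declared field names with what the payload actually carries.
function checkWireShape(token, declared, expected) {
  const { header, payload } = decodeCompactJws(token);
  const actual = Object.keys(payload);
  return {
    headerOk: header.alg === expected.alg && header.kid === expected.kid,
    missing: declared.filter((f) => !actual.includes(f)).sort(),    // declared, absent on the wire
    undeclared: actual.filter((f) => !declared.includes(f)).sort(), // on the wire, not declared
  };
}

// Constructed sample data (hypothetical values, not a real attestation).
const EXPECTED = { alg: 'EdDSA', kid: 'agentgraph-security-v1' };
const DECLARED_FIELDS = ['subject', 'score', 'grade']; // generic `score`, as flagged in review
const SAMPLE_TOKEN = [
  b64url(EXPECTED),
  b64url({ subject: 'example-owner/example-repo', trust_score: 81, security_score: 74, grade: 'B' }),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy', // placeholder bytes, not a real signature
].join('.');

const DRIFT = checkWireShape(SAMPLE_TOKEN, DECLARED_FIELDS, EXPECTED);
console.log(DRIFT);
```

A non-empty `missing` or `undeclared` list is the signal that the crosswalk and the wire format have diverged and one of them needs a revision.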
