Add standards alignment track

Author: dinpd

README.md

@@ -81,6 +81,7 @@ For MCP gateway integration, see [`docs/mcp-gateway-integration.md`](docs/mcp-ga
 For provider-side MCP authorization, see [`docs/provider-mcp-authorization.md`](docs/provider-mcp-authorization.md).
 For provider MCP contract CI checks, see [`docs/provider-mcp-ci.md`](docs/provider-mcp-ci.md).
 For provider MCP positioning and adoption ideas, see [`docs/provider-mcp-positioning.md`](docs/provider-mcp-positioning.md).
+For DID, Verifiable Credential, OAuth/OIDC, MCP, A2A, AGNTCY, and NIST alignment, see [`docs/standards-alignment.md`](docs/standards-alignment.md).
 For the API-to-MCP article, see [`docs/turn-your-api-into-mcp-safely.md`](docs/turn-your-api-into-mcp-safely.md).
 For the provider MCP authorization demo, see [`docs/provider-mcp-demo.md`](docs/provider-mcp-demo.md).
 For job-to-be-done boundaries, see [`docs/job-boundaries.md`](docs/job-boundaries.md).
@@ -116,6 +117,13 @@ section maps customer identity-provider claims to AgentID concepts such as
 tenant, user, and agent, then declares the scopes required to authorize tool
 calls, read policies, or issue JIT grants.
 
+AgentID can also carry optional distributed identity metadata. A manifest may
+bind an agent to a DID, declare trusted issuers, and include VC-style
+attestations for security review, provider approval, compliance status, or
+operational readiness. These fields are evidence inputs for runtime policy; they
+do not replace AgentID's action-level authorization decision. See
+[`docs/standards-alignment.md`](docs/standards-alignment.md).
+
 ## Positioning in one minute
 
 AgentID sits between agent identity and tool execution.
@@ -350,6 +358,9 @@ For MCP server calls, including internal and provider-hosted servers, see
 For the provider side of that boundary, including authorization receipts and
 provider execution receipts, see
 [`docs/provider-mcp-authorization.md`](docs/provider-mcp-authorization.md).
+For standards alignment and contribution targets around DID, Verifiable
+Credentials, OAuth/OIDC, MCP, A2A, AGNTCY, and NIST, see
+[`docs/standards-alignment.md`](docs/standards-alignment.md).
 For a reference adapter, see [`mcp-gateway-adapter/`](mcp-gateway-adapter/).
 For provider-side Express receipt verification middleware, see
 [`packages/provider-express/`](packages/provider-express/).

agentid/explain.py

@@ -15,13 +15,17 @@ def explain_manifest(manifest: dict[str, Any]) -> str:
     audit = manifest.get("audit", {})
     kill_switch = manifest.get("kill_switch", {})
     oidc = manifest.get("oidc", {})
+    trusted_issuers = manifest.get("trusted_issuers", [])
+    attestations = manifest.get("attestations", [])
 
     lines: list[str] = []
 
     lines.append(f"Agent: {agent.get('name', 'Unnamed agent')} ({agent.get('id', 'missing-id')})")
     lines.append(f"Owner: {agent.get('owner', 'missing-owner')}")
     lines.append(f"Environment: {agent.get('environment', 'unspecified')}")
     lines.append(f"Purpose: {agent.get('purpose', 'unspecified')}")
+    if agent.get("did"):
+        lines.append(f"DID: {agent['did']}")
     if agent.get("expires_at"):
         lines.append(f"Authority expires: {agent['expires_at']}")
 
@@ -54,6 +58,27 @@ def explain_manifest(manifest: dict[str, Any]) -> str:
             + ", ".join(f"{name}={scope}" for name, scope in scopes.items())
         )
 
+    lines.append("")
+    lines.append("Trust and attestations:")
+    if trusted_issuers:
+        lines.append("- Trusted issuers: " + ", ".join(trusted_issuers))
+    else:
+        lines.append("- Trusted issuers: none declared")
+    if not attestations:
+        lines.append("- No attestations declared.")
+    else:
+        for attestation in attestations:
+            summary = (
+                f"- {attestation.get('type', 'unnamed-attestation')}: "
+                f"issuer={attestation.get('issuer', 'missing-issuer')}, "
+                f"result={attestation.get('result', 'unknown')}"
+            )
+            if attestation.get("standard"):
+                summary += f", standard={attestation['standard']}"
+            if attestation.get("expires_at"):
+                summary += f", expires={attestation['expires_at']}"
+            lines.append(summary)
+
     lines.append("")
     lines.append("Just-in-time authorization:")
     lines.append(f"- Enabled: {bool(jit.get('enabled'))}")
@@ -94,6 +119,9 @@ def explain_manifest(manifest: dict[str, Any]) -> str:
     lines.append(f"- Enforce manifest: {bool(runtime.get('enforce_manifest'))}")
     lines.append(f"- Detect tool drift: {bool(runtime.get('detect_tool_drift'))}")
     lines.append(f"- Detect new destinations: {bool(runtime.get('detect_new_destinations'))}")
+    lines.append(f"- Require valid attestations: {bool(runtime.get('require_valid_attestations'))}")
+    lines.append(f"- Deny if attestation expired: {bool(runtime.get('deny_if_attestation_expired'))}")
+    lines.append(f"- Deny if credential revoked: {bool(runtime.get('deny_if_credential_revoked'))}")
 
     lines.append("")
     lines.append("Audit:")

agentid/manifest.py

@@ -24,6 +24,7 @@ class ValidationResult:
 VALID_APPROVAL = {"none", "notify", "required", "human_confirm", "step_up", "manager", "block"}
 VALID_AUTH_MODE = {"delegated", "service", "just_in_time"}
 VALID_OIDC_TOKEN_MODES = {"jwks", "demo_hs256"}
+VALID_ATTESTATION_RESULTS = {"pass", "fail", "partial", "unknown"}
 
 
 def load_manifest(path: str | Path) -> dict[str, Any]:
@@ -56,6 +57,9 @@ def validate_manifest(manifest: dict[str, Any]) -> ValidationResult:
         if not agent.get(field):
             errors.append(f"Missing required field: agent.{field}")
 
+    _validate_agent_identity(manifest, errors, warnings)
+    _validate_trusted_issuers(manifest, errors, warnings)
+    _validate_attestations(manifest, errors, warnings)
     _validate_jit_authorization(manifest, errors, warnings)
     _validate_oidc(manifest, errors, warnings)
     _validate_tools(manifest, errors, warnings)
@@ -76,6 +80,87 @@ def validate_manifest(manifest: dict[str, Any]) -> ValidationResult:
     return ValidationResult(ok=not errors, errors=errors, warnings=warnings)
 
 
+def _validate_agent_identity(manifest: dict[str, Any], errors: list[str], warnings: list[str]) -> None:
+    agent = manifest.get("agent", {})
+    if not isinstance(agent, dict):
+        return
+
+    did = agent.get("did")
+    if did is None:
+        return
+    if not isinstance(did, str) or not did:
+        errors.append("agent.did must be a non-empty string if provided.")
+    elif not did.startswith("did:"):
+        warnings.append("agent.did does not look like a decentralized identifier.")
+
+
+def _validate_trusted_issuers(manifest: dict[str, Any], errors: list[str], warnings: list[str]) -> None:
+    issuers = manifest.get("trusted_issuers")
+    attestations = manifest.get("attestations", [])
+
+    if issuers is None:
+        if attestations:
+            warnings.append("trusted_issuers is not set. Attestation signatures may lack an explicit trust policy.")
+        return
+
+    if not isinstance(issuers, list):
+        errors.append("trusted_issuers must be a list.")
+        return
+
+    for idx, issuer in enumerate(issuers):
+        if not isinstance(issuer, str) or not issuer:
+            errors.append(f"trusted_issuers[{idx}] must be a non-empty string.")
+
+
+def _validate_attestations(manifest: dict[str, Any], errors: list[str], warnings: list[str]) -> None:
+    attestations = manifest.get("attestations")
+    if attestations is None:
+        runtime = manifest.get("runtime", {})
+        if isinstance(runtime, dict) and runtime.get("require_valid_attestations"):
+            errors.append("attestations is required when runtime.require_valid_attestations is true.")
+        return
+
+    if not isinstance(attestations, list):
+        errors.append("attestations must be a list.")
+        return
+
+    agent_did = manifest.get("agent", {}).get("did") if isinstance(manifest.get("agent"), dict) else None
+    trusted_issuers = set(manifest.get("trusted_issuers", []) or [])
+
+    for idx, attestation in enumerate(attestations):
+        prefix = f"attestations[{idx}]"
+        if not isinstance(attestation, dict):
+            errors.append(f"{prefix} must be an object.")
+            continue
+
+        for field in ["type", "issuer", "result"]:
+            if not attestation.get(field):
+                errors.append(f"{prefix}.{field} is required.")
+
+        issuer = attestation.get("issuer")
+        if isinstance(issuer, str) and trusted_issuers and issuer not in trusted_issuers:
+            warnings.append(f"{prefix}.issuer is not listed in trusted_issuers: {issuer}.")
+
+        subject = attestation.get("subject")
+        if subject is not None and (not isinstance(subject, str) or not subject):
+            errors.append(f"{prefix}.subject must be a non-empty string if provided.")
+        elif agent_did and subject and subject != agent_did:
+            warnings.append(f"{prefix}.subject does not match agent.did.")
+
+        result = attestation.get("result")
+        if result and result not in VALID_ATTESTATION_RESULTS:
+            errors.append(f"{prefix}.result must be one of: {', '.join(sorted(VALID_ATTESTATION_RESULTS))}.")
+
+        expires_at = attestation.get("expires_at")
+        if expires_at:
+            _validate_date_field(f"{prefix}.expires_at", expires_at, errors, warnings)
+        else:
+            warnings.append(f"{prefix}.expires_at is not set.")
+
+        if not attestation.get("credential_status"):
+            warnings.append(f"{prefix}.credential_status is not set. Revocation checks may not be possible.")
+
+
 def _validate_oidc(manifest: dict[str, Any], errors: list[str], warnings: list[str]) -> None:
     oidc = manifest.get("oidc")
     if oidc is None:
@@ -331,6 +416,18 @@ def _validate_runtime(manifest: dict[str, Any], errors: list[str], warnings: lis
         if not runtime.get(field):
             warnings.append(f"runtime.{field} is not true.")
 
+    if runtime.get("require_valid_attestations"):
+        if not manifest.get("attestations"):
+            errors.append("runtime.require_valid_attestations is true but attestations is empty.")
+        if not manifest.get("trusted_issuers"):
+            errors.append("runtime.require_valid_attestations is true but trusted_issuers is empty.")
+
+    if runtime.get("require_valid_attestations") and not runtime.get("deny_if_attestation_expired"):
+        warnings.append("runtime.deny_if_attestation_expired is not true while valid attestations are required.")
+
+    if runtime.get("require_valid_attestations") and not runtime.get("deny_if_credential_revoked"):
+        warnings.append("runtime.deny_if_credential_revoked is not true while valid attestations are required.")
+
 
 def _validate_audit(manifest: dict[str, Any], errors: list[str], warnings: list[str]) -> None:
     audit = manifest.get("audit", {})
@@ -365,3 +462,17 @@ def _validate_expiry(value: Any, warnings: list[str], errors: list[str]) -> None
 
     if expiry < date.today():
         warnings.append("agent.expires_at is in the past.")
+
+
+def _validate_date_field(field: str, value: Any, errors: list[str], warnings: list[str]) -> None:
+    try:
+        if isinstance(value, date):
+            parsed = value
+        else:
+            parsed = datetime.strptime(str(value), "%Y-%m-%d").date()
+    except ValueError:
+        errors.append(f"{field} must be YYYY-MM-DD.")
+        return
+
+    if parsed < date.today():
+        warnings.append(f"{field} is in the past.")