Skip to content

feat(#4521): AGNTCY Identity badge verify — agents-kt-identity module#219

Merged
Skobeltsyn merged 1 commit into
mainfrom
feat/4521-identity-badge-verify
Jun 16, 2026
Merged

feat(#4521): AGNTCY Identity badge verify — agents-kt-identity module#219
Skobeltsyn merged 1 commit into
mainfrom
feat/4521-identity-badge-verify

Conversation

@Skobeltsyn

Copy link
Copy Markdown
Contributor

Summary

AGNTCY Identity badge verify — the trust pillar of epic #4517, beside the OASF discovery record (#4518) and A2A invocation (§12.5). In a trust-gated agent network you accept work only from agents whose badge a known issuer signed. Verify-only; issuance (keys/signing/vaults) is deferred to the self-hosted stack (PRD §12.6).

What landed

  • IdentityVerifier.verify(compactJws, jwks) — validates a JOSE/JWS-secured W3C VC badge against an issuer JWKS (/.well-known/jwks.json), returning VerifiedBadge (issuer / subject / credentialSubject) or throwing BadgeVerificationException.
  • Fail-closed, not hand-rolled — signature verification is trust-critical, so it delegates to the vetted nimbus-jose-jwt DefaultJWTProcessor. Negative tests cover every forgery class: alg: none, HS* algorithm-confusion (sign HMAC with the public key), tamper, expiry, wrong key, unknown kid. DEFAULT_ALGORITHMS is asymmetric-only.
  • IdentityResolver — bounded (timeouts + size cap) fetch of jwks.json / vcs.json. vcs.json is returned raw (AGNTCY VC envelope still settling upstream per W3C VCDM 2.0); the cryptographic verify is the stable, standards-grounded core.
  • New feature module agents-kt-identity (package agents_engine.agntcy.identity) so the JOSE dependency stays out of core — the agents-kt-rag pattern. Lockfile + sha256 verification-metadata for nimbus-jose-jwt:10.3 (no transitives).

Gates

Full ./gradlew build green across all modules (incl. the new module, detekt, DocsConsistencyTest, internals-agent validation, dependency-verification). 8 tests.

README + CHANGELOG + PRD §12.6 + internals adjunct updated. Remaining #4517 subtasks: DIR client (#4520), OASF import/validate (#4519).

CodeQL java-kotlin expected-red on Kotlin 2.4 (codeql#21938); build is the gate.

🤖 Generated with Claude Code

The trust pillar of the AGNTCY epic (#4517), beside the OASF discovery record (#4518)
and A2A invocation. Verify-only; issuance is deferred to the self-hosted stack.

- IdentityVerifier.verify(compactJws, jwks): validates a JOSE/JWS-secured W3C VC badge
  against an issuer JWKS, returns VerifiedBadge or throws BadgeVerificationException.
  Fail-closed and NOT hand-rolled — delegates to nimbus-jose-jwt's DefaultJWTProcessor.
  Negative tests cover every forgery class: alg=none, HS* algorithm-confusion, tamper,
  expiry, wrong key, unknown kid.
- IdentityResolver.fetchJwks(url) / fetchText(url): bounded (timeouts + size cap) reads of
  /.well-known/jwks.json and vcs.json. vcs.json returned raw (AGNTCY VC envelope still
  settling upstream); the cryptographic verify is the stable core.
- New feature module agents-kt-identity (package agents_engine.agntcy.identity) so the
  nimbus dependency stays out of core — the agents-kt-rag pattern. Lockfile + sha256
  verification-metadata for nimbus-jose-jwt 10.3 (no transitives).
- 8 tests. README + CHANGELOG + PRD §12.6 + internals adjunct updated.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@Skobeltsyn Skobeltsyn merged commit 5b3101e into main Jun 16, 2026
3 of 4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant