tinfoilsh · lsd-cat · May 19, 2026 · May 20, 2026 · May 22, 2026 · May 22, 2026
diff --git a/.github/workflows/tinfoil-conformance.yml b/.github/workflows/tinfoil-conformance.yml
@@ -0,0 +1,78 @@
+name: Tinfoil Conformance
+
+# Runs the cross-SDK Tinfoil conformance suite
+# (https://github.com/tinfoilsh/tinfoil-conformance) against this SDK's
+# `tinfoil-conformance` binary. Speaks the Tinfoil policy-layer CLI
+# contract (JSON-in / JSON-out); distinct from the test/audit workflows
+# which exercise the consumer-facing verifier API.
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+
+permissions: {}
+
+jobs:
+  conformance:
+    name: Tinfoil Conformance
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+    steps:
+      - name: Checkout SDK
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Set up uv
+        uses: astral-sh/setup-uv@08807647e7069bb48b6ef5acd8ec9567f424441b # v8.1.0
+        with:
+          python-version: "3.11"
+
+      - name: Install tinfoil (provides the tinfoil-conformance binary)
+        run: uv sync --locked
+
+      - name: Checkout tinfoil-conformance suite
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          repository: tinfoilsh/tinfoil-conformance
+          ref: main
+          path: tinfoil-conformance
+          persist-credentials: false
+
+      - name: Set up Python for the harness
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0
+        with:
+          python-version: "3.12"
+          cache: "pip"
+          cache-dependency-path: tinfoil-conformance/harness/pyproject.toml
+
+      - name: Install harness
+        run: pip install ./tinfoil-conformance/harness
+
+      - name: Show SDK capabilities
+        run: |
+          tinfoil-conformance capabilities \
+            --sdk "tinfoil-py=uv run --no-sync tinfoil-conformance"
+
+      - name: Run conformance vectors
+        run: |
+          tinfoil-conformance run \
+            --sdk "tinfoil-py=uv run --no-sync tinfoil-conformance" \
+            --vectors tinfoil-conformance/vectors/sigstore
+
+      - name: Upload results
+        if: always()
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: tinfoil-conformance-results
+          path: results/
+
+      - name: Append summary
+        if: always()
+        run: |
+          if [ -f results/latest/results.md ]; then
+            cat results/latest/results.md >> "$GITHUB_STEP_SUMMARY"
+          fi
diff --git a/pyproject.toml b/pyproject.toml
@@ -25,6 +25,12 @@ dependencies = [
     "urllib3>=2.7.0",
 ]
 
+[project.scripts]
+# Cross-SDK conformance binary (separate from the consumer-facing SDK API).
+# Speaks the JSON-in / JSON-out CLI contract defined in
+# https://github.com/tinfoilsh/tinfoil-conformance .
+tinfoil-conformance = "tinfoil.conformance.cli:main"
+
 [dependency-groups]
 dev = [
     "pytest",

diff --git a/src/tinfoil/conformance/__init__.py b/src/tinfoil/conformance/__init__.py
@@ -0,0 +1,7 @@
+"""tinfoil-conformance binary for tinfoil-python.
+
+Implements the cross-SDK conformance CLI contract defined in
+https://github.com/tinfoilsh/tinfoil-conformance. Separate from the
+consumer-facing SDK; this is a thin wrapper that exposes the verifier
+through the JSON-in / JSON-out protocol the harness speaks.
+"""