From 7476b7b226d57b6b81975c8e6855c0b47a834838 Mon Sep 17 00:00:00 2001 From: "Oleg B." <120386835+oleg-bk@users.noreply.github.com> Date: Mon, 18 May 2026 12:03:41 +0200 Subject: [PATCH 1/8] ci: split fast and compatibility test gates --- .github/workflows/tests.yml | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index c391522..1d14eb9 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -4,14 +4,40 @@ on: workflow_dispatch: push: branches: [main, "codex/**"] + tags: ["v*"] pull_request: branches: [main] permissions: contents: read +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + jobs: - test: + fast: + name: fast tests (ubuntu-latest, 3.12) + if: github.event_name == 'push' && !startsWith(github.ref, 'refs/tags/') + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + + - name: Set up Python 3.12 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: "3.12" + + - name: Install dependencies + run: python -m pip install -e ".[test]" + + - name: Run tests + run: python -m pytest -v + + compatibility: + name: compatibility (${{ matrix.os }}, ${{ matrix.python-version }}) + if: github.event_name == 'pull_request' || github.event_name == 'workflow_dispatch' || startsWith(github.ref, 'refs/tags/v') runs-on: ${{ matrix.os }} strategy: fail-fast: false @@ -23,7 +49,7 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@a26af69be951a213d495a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python-version }} From 3482a26d2074ec2652c9fc86d332c5ae7b2f5d77 Mon Sep 17 00:00:00 2001 
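Review bot: The new `concurrency` group is keyed only on workflow and ref, so a `workflow_dispatch` run of `compatibility` on a branch shares its group with push-triggered `fast` runs on that same branch. With `cancel-in-progress: true`, a push to `main` can cancel a manually dispatched compatibility run that someone is relying on as release verification, and the reverse. Adding the event to the key keeps the two gates from cancelling each other: `group: ${{ github.workflow }}-${{ github.event_name }}-${{ github.ref }}`. The `compatibility` job's matrix and remaining steps continue outside this hunk.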
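Review bot: The new `actions/setup-python@...` ref in the `compatibility` job is 48 hex characters, not a 40-character commit SHA; the run `a213d495` appears twice in a row, which looks like a paste error. With this commit checked out on its own, the job would most likely fail while resolving the action, before any test runs. Patch 2/8 restores the 40-character pin, so folding that fix into this commit would keep every commit in the series resolvable. A lint step that rejects `uses:` refs that are not exactly 40 hex characters would catch this class of typo. The job's step list continues outside the hunk.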
From: "Oleg B." <120386835+oleg-bk@users.noreply.github.com> Date: Mon, 18 May 2026 12:04:10 +0200 Subject: [PATCH 2/8] ci: fix compatibility setup-python pin --- .github/workflows/tests.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 1d14eb9..1030cf6 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -49,7 +49,7 @@ jobs: - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@a26af69be951a213d495a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 with: python-version: ${{ matrix.python-version }} From 69057b95623daf6841e592ffa4abe2c69b99ba24 Mon Sep 17 00:00:00 2001 From: "Oleg B." <120386835+oleg-bk@users.noreply.github.com> Date: Mon, 18 May 2026 12:04:28 +0200 Subject: [PATCH 3/8] docs: add CI tier policy --- docs/CI_POLICY.md | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) create mode 100644 docs/CI_POLICY.md diff --git a/docs/CI_POLICY.md b/docs/CI_POLICY.md new file mode 100644 index 0000000..566a957 --- /dev/null +++ b/docs/CI_POLICY.md 
@@ -0,0 +1,17 @@ +# CI Policy + +This repository uses tiered CI so day-to-day agent work stays fast while release quality remains unchanged. + +## Gates + +- Fast gate: runs on normal branch pushes. It uses Ubuntu and the primary Python version, and must run the full regular pytest suite. +- Compatibility gate: runs on pull requests to `main`, manual dispatch, and release tags. It uses the full supported OS/Python matrix. +- Publish gate: package publication is allowed only after the compatibility gate has passed for the release candidate or tag. + +## Agent Rules + +- Run the relevant local tests before pushing code changes. +- Do not treat the fast gate as release verification. +- Do not use `[skip ci]` for code, packaging, security, or behavior changes. +- Before reporting a change as done, state which local commands and which CI gates actually ran. +- Before tagging or publishing a release, verify that the compatibility gate passed. From 129a85593dd5c3130cc6ccc0eb057928a0383a43 Mon Sep 17 00:00:00 2001 From: "Oleg B." <120386835+oleg-bk@users.noreply.github.com> Date: Mon, 18 May 2026 12:04:59 +0200 Subject: [PATCH 4/8] docs: add agent CI gate rules --- AGENTS.md | 22 ++++++++++++++++------ 1 file changed, 16 insertions(+), 6 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 3723f06..5517b8d 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -2,7 +2,7 @@ ## Project overview -AVP SDK — Python client for Agent Veil Protocol. Trust enforcement for autonomous agents: identity (W3C DID), reputation (EigenTrust), sybil resistance (NetFlow), attestations, audit trail, webhook alerts, jobs delegation. +AVP SDK - Python client for Agent Veil Protocol. Trust enforcement for autonomous agents: identity (W3C DID), reputation (EigenTrust), sybil resistance (NetFlow), attestations, audit trail, webhook alerts, jobs delegation. Production API: https://agentveil.dev PyPI: `pip install agentveil` 
@@ -15,7 +15,7 @@ pip install agentveil pip install agentveil[test] ``` -No external services needed for development — the SDK connects to the public API at agentveil.dev by default. +No external services needed for development - the SDK connects to the public API at agentveil.dev by default. ## Build and test @@ -30,6 +30,16 @@ python tests/test_live_e2e.py AVP_URL=http://localhost:8000 pytest tests/ -v ``` +## CI policy + +Follow [`docs/CI_POLICY.md`](docs/CI_POLICY.md). + +- Run relevant local tests before pushing code changes. +- The push fast gate is not release verification. +- The full OS/Python compatibility gate must pass before release tags or PyPI publication. +- Do not use `[skip ci]` for code, packaging, security, or behavior changes. +- When reporting done, state the local commands and CI gates that actually ran. + ## Code style - Python 3.10+ @@ -82,14 +92,14 @@ Agents are identified by W3C Decentralized Identifiers: did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK ``` -Format: Ed25519 public key, multicodec-encoded, base58btc. Generated locally — no registry needed for creation. Registered on AVP for reputation tracking. +Format: Ed25519 public key, multicodec-encoded, base58btc. Generated locally - no registry needed for creation. Registered on AVP for reputation tracking. ## Examples | File | Framework | Description | |---|---|---| -| `quickstart.py` | — | 5-step minimal demo | -| `two_agents.py` | — | Multi-agent attestation flow | +| `quickstart.py` | - | 5-step minimal demo | +| `two_agents.py` | - | Multi-agent attestation flow | | `aws_bedrock.py` | AWS Bedrock | Trust-gated delegation via Converse API | | `openai_example.py` | OpenAI | Function calling with AVP tools | | `claude_mcp_example.py` | Claude MCP | MCP server integration | 
@@ -101,5 +111,5 @@ Format: Ed25519 public key, multicodec-encoded, base58btc. Generated locally — - All write operations require Ed25519 signature (`AVP-Sig` header) - Proof-of-Work (24-bit) required at registration to prevent spam -- Never hardcode private keys — use `agent.save(passphrase="...")` for encrypted storage +- Never hardcode private keys - use `agent.save(passphrase="...")` for encrypted storage - API responses should always be validated before acting on them From b18d27e17e07243135ae473d43ed41d49bebd28f Mon Sep 17 00:00:00 2001 From: "Oleg B." <120386835+oleg-bk@users.noreply.github.com> Date: Mon, 18 May 2026 12:11:46 +0200 Subject: [PATCH 5/8] ci: gate PyPI publish on compatibility tests --- .github/workflows/publish.yml | 31 +++++++++++++++++++++++++++++++ 1 file changed, 31 insertions(+) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 93bf226..32a9749 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -5,8 +5,39 @@ on: tags: - "v*" +permissions: + contents: read + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: false + jobs: + compatibility: + name: compatibility (${{ matrix.os }}, ${{ matrix.python-version }}) + runs-on: ${{ matrix.os }} + strategy: + fail-fast: false + matrix: + os: [ubuntu-latest, windows-latest, macos-latest] + python-version: ["3.10", "3.11", "3.12", "3.13"] + + steps: + - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + + - name: Set up Python ${{ matrix.python-version }} + uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + with: + python-version: ${{ matrix.python-version }} + + - name: Install dependencies + run: python -m pip install -e ".[test]" + + - name: Run tests + run: python -m pytest -v + publish: + needs: compatibility runs-on: ubuntu-latest steps: From 1c9fa7db62dc2e03f5b1adf103e032320726d956 Mon Sep 17 00:00:00 2001 
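Review bot: The workflow-level `permissions: contents: read` added here also restricts the `publish` job, whose upload step is outside this hunk. If that step uses PyPI trusted publishing (OIDC), the token request will be denied unless `publish` declares its own `permissions:` block with `contents: read` and `id-token: write`. Scoping that block to `publish` alone keeps the matrix jobs read-only. Separately, the gate installs the source tree with `pip install -e ".[test]"`, so it validates the checkout rather than the distribution `publish` presumably builds. Consider running the tests against the built artifact if release verification is meant to cover packaging.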
From: "Oleg B." <120386835+oleg-bk@users.noreply.github.com> Date: Mon, 18 May 2026 12:13:15 +0200 Subject: [PATCH 6/8] docs: preserve AGENTS wording while adding CI rules --- AGENTS.md | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/AGENTS.md b/AGENTS.md index 5517b8d..f04cce6 100644 --- a/AGENTS.md +++ b/AGENTS.md @@ -2,7 +2,7 @@ ## Project overview -AVP SDK - Python client for Agent Veil Protocol. Trust enforcement for autonomous agents: identity (W3C DID), reputation (EigenTrust), sybil resistance (NetFlow), attestations, audit trail, webhook alerts, jobs delegation. +AVP SDK — Python client for Agent Veil Protocol. Trust enforcement for autonomous agents: identity (W3C DID), reputation (EigenTrust), sybil resistance (NetFlow), attestations, audit trail, webhook alerts, jobs delegation. Production API: https://agentveil.dev PyPI: `pip install agentveil` @@ -15,7 +15,7 @@ pip install agentveil pip install agentveil[test] ``` -No external services needed for development - the SDK connects to the public API at agentveil.dev by default. +No external services needed for development — the SDK connects to the public API at agentveil.dev by default. ## Build and test 
@@ -92,14 +92,14 @@ Agents are identified by W3C Decentralized Identifiers: did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK ``` -Format: Ed25519 public key, multicodec-encoded, base58btc. Generated locally - no registry needed for creation. Registered on AVP for reputation tracking. +Format: Ed25519 public key, multicodec-encoded, base58btc. Generated locally — no registry needed for creation. Registered on AVP for reputation tracking. ## Examples | File | Framework | Description | |---|---|---| -| `quickstart.py` | - | 5-step minimal demo | -| `two_agents.py` | - | Multi-agent attestation flow | +| `quickstart.py` | — | 5-step minimal demo | +| `two_agents.py` | — | Multi-agent attestation flow | | `aws_bedrock.py` | AWS Bedrock | Trust-gated delegation via Converse API | | `openai_example.py` | OpenAI | Function calling with AVP tools | | `claude_mcp_example.py` | Claude MCP | MCP server integration | @@ -111,5 +111,5 @@ Format: Ed25519 public key, multicodec-encoded, base58btc. Generated locally - n - All write operations require Ed25519 signature (`AVP-Sig` header) - Proof-of-Work (24-bit) required at registration to prevent spam -- Never hardcode private keys - use `agent.save(passphrase="...")` for encrypted storage +- Never hardcode private keys — use `agent.save(passphrase="...")` for encrypted storage - API responses should always be validated before acting on them From 84f1af97891d7af71f8d126b14bdd50cd4762b6a Mon Sep 17 00:00:00 2001 From: "Oleg B." <120386835+oleg-bk@users.noreply.github.com> Date: Mon, 18 May 2026 12:37:59 +0200 Subject: [PATCH 7/8] docs: add Claude CI policy reference --- CLAUDE.md | 14 ++++++++++++++ 1 file changed, 14 insertions(+) create mode 100644 CLAUDE.md diff --git a/CLAUDE.md b/CLAUDE.md new file mode 100644 index 0000000..80683a2 --- /dev/null +++ b/CLAUDE.md 
@@ -0,0 +1,14 @@ +# CLAUDE.md + +## Project Instructions + +Follow [`AGENTS.md`](AGENTS.md) for repository-specific project notes and security discipline. + +## CI Policy + +Follow [`docs/CI_POLICY.md`](docs/CI_POLICY.md). + +- Run relevant local tests before pushing code changes. +- Do not treat the fast push gate as release verification. +- Do not use `[skip ci]` for code, packaging, security, or behavior changes. +- Before reporting done, state which local commands and CI gates actually ran. From 306311c5b6389e4934b03c36a5a399c01be1134f Mon Sep 17 00:00:00 2001 From: Oleg Bk Date: Mon, 18 May 2026 12:48:56 +0200 Subject: [PATCH 8/8] ci: update GitHub actions runtime versions Pin checkout and setup-python to Node 24-compatible releases. Implemented with assistance from Codex. --- .github/workflows/publish.yml | 8 ++++---- .github/workflows/tests.yml | 8 ++++---- 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml index 32a9749..a234fff 100644 --- a/.github/workflows/publish.yml +++ b/.github/workflows/publish.yml @@ -23,10 +23,10 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13"] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }} @@ -41,10 +41,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@v4 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python - uses: actions/setup-python@v5 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" 
diff --git a/.github/workflows/tests.yml b/.github/workflows/tests.yml index 1030cf6..3dc5dbe 100644 --- a/.github/workflows/tests.yml +++ b/.github/workflows/tests.yml @@ -22,10 +22,10 @@ jobs: runs-on: ubuntu-latest steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python 3.12 - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: "3.12" @@ -46,10 +46,10 @@ jobs: python-version: ["3.10", "3.11", "3.12", "3.13"] steps: - - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1 + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2 - name: Set up Python ${{ matrix.python-version }} - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5.6.0 + uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6.2.0 with: python-version: ${{ matrix.python-version }}