Core models¶
The Manifest and all nested types are Pydantic v2 models. All fields are serialisable to JSON via .model_dump(mode="json"). See ADR-0004 for the rationale.
Manifest¶
Manifest ¶
Bases: SpecModel
Root Agent Manifest document - spec Section 3.1.
json_schema ¶
Export JSON Schema for non-Python verifier implementations.
Artifact bindings¶
ArtifactBindings ¶
Bases: SpecModel
Container for the 8 artifact bindings that live under artifacts.
ModelIdentityBinding ¶
Bases: SpecModel
Artifact #4 - spec Section 3.2.4.
model_hash conditionality (spec 3.2.4):
- deployment_type=api or third-party-api -> model_hash MUST be null and model_attestation_type MUST be 'provider-asserted'
- deployment_type=local or confidential-inference -> model_hash REQUIRED and model_attestation_type MUST be 'hash-bound'
SystemPromptBinding ¶
Bases: SpecModel
Artifact #1 - spec Section 3.2.1.
PolicyBundleBinding ¶
Bases: SpecModel
Artifact #2 - spec Section 3.2.2.
ToolManifestBinding ¶
Bases: SpecModel
Artifact #3 - spec Section 3.2.3.
RagCorpusBinding ¶
Bases: SpecModel
Artifact #5 - spec Section 3.2.5.
MemoryBaselineBinding ¶
Bases: SpecModel
Artifact #6 - spec Section 3.2.6.
Conditionality (spec 3.2.6):
- memory_type=none -> snapshot_hash MUST be null; ttl_seconds omitted
- memory_type=session -> snapshot_hash REQUIRED
- memory_type=persistent -> snapshot_hash and ttl_seconds REQUIRED
- memory_type=shared -> snapshot_hash, ttl_seconds and shared_memory_owner REQUIRED
ttl_seconds: min 3600 (1 hour), max 7776000 (90 days).
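The conditional-field rules listed for ModelIdentityBinding (spec 3.2.4) and MemoryBaselineBinding (spec 3.2.6), written as a stdlib-only check over parsed JSON dicts. This is an added example, not the project's own validator code. The function names, treating an empty model_hash as missing, treating a null ttl_seconds as omitted, and applying the ttl_seconds range whenever the field is present are assumptions; values outside the listed deployment_type and memory_type groups are left to enum validation.

```python
# Added example (not project code): conditionality checks on parsed JSON bindings.
TTL_MIN, TTL_MAX = 3600, 7776000  # 1 hour .. 90 days, inclusive (spec 3.2.6)

def check_model_identity(b: dict) -> list[str]:
    """Return violations of the spec 3.2.4 model_hash conditionality."""
    errs, dt = [], b.get("deployment_type")
    if dt in ("api", "third-party-api"):
        if b.get("model_hash") is not None:
            errs.append(f"model_hash must be null for {dt}")
        if b.get("model_attestation_type") != "provider-asserted":
            errs.append("model_attestation_type must be provider-asserted")
    elif dt in ("local", "confidential-inference"):
        if not b.get("model_hash"):  # assumption: empty string counts as missing
            errs.append(f"model_hash required for {dt}")
        if b.get("model_attestation_type") != "hash-bound":
            errs.append("model_attestation_type must be hash-bound")
    return errs

# memory_type -> fields that MUST be present and non-null (spec 3.2.6)
_REQUIRED = {
    "none": (),
    "session": ("snapshot_hash",),
    "persistent": ("snapshot_hash", "ttl_seconds"),
    "shared": ("snapshot_hash", "ttl_seconds", "shared_memory_owner"),
}

def check_memory_baseline(b: dict) -> list[str]:
    """Return violations of the spec 3.2.6 memory baseline conditionality."""
    mt = b.get("memory_type")
    errs = [f"{f} required for memory_type={mt}"
            for f in _REQUIRED.get(mt, ()) if b.get(f) is None]
    if mt == "none":
        errs += [f"{f} must be null/omitted for memory_type=none"
                 for f in ("snapshot_hash", "ttl_seconds") if b.get(f) is not None]
    ttl = b.get("ttl_seconds")
    # bool is an int subclass in Python, so reject it explicitly
    if ttl is not None and (isinstance(ttl, bool) or not isinstance(ttl, int)
                            or not TTL_MIN <= ttl <= TTL_MAX):
        errs.append(f"ttl_seconds must be an integer in [{TTL_MIN}, {TTL_MAX}]")
    return errs
```

Each function returns a list of violation strings, so a caller can report every broken rule at once; an empty list means the binding satisfies the rules shown here.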
DecisionTraceBinding ¶
Bases: SpecModel
Artifact #7 - spec Section 3.2.7 (added in #24).
SupplyChainBinding ¶
Bases: SpecModel
Artifact #9 - spec Section 3.2.8 (renumbered from 3.2.7 in #24).
Delegation and approval¶
DelegationHop ¶
Bases: SpecModel
One hop in the A2A delegation chain (Artifact #8 - spec Section 3.4).
ScopeGrant ¶
Bases: SpecModel
HitlRecord ¶
Bases: SpecModel
Artifact #10 - spec Section 3.5.
required=true with an empty approvals list is structurally valid: approvals attach post-issuance (the signing pre-image normalizes approvals to [] - spec Section 3.6 / ADR-0006 as amended). Whether an approval must be present is enforced at verification time (enforce_hitl), not at schema validation time.
HitlApproval ¶
Bases: SpecModel
Signature¶
ManifestSignature ¶
Bases: SpecModel
Manifest signature block - spec Section 3.6.
Signature field conditionality
- algorithm=Ed25519 or ML-DSA-65 -> signature_value REQUIRED
- algorithm=hybrid-Ed25519-ML-DSA-65 -> classical_signature and pq_signature REQUIRED (signature_value may be empty/omitted)
Supporting types¶
ToolEntry ¶
Bases: SpecModel
One tool in the bound catalog - spec Section 3.2.3.
Field names follow the spec's protocol-agnostic forms: tool_name is the protocol-native tool name (e.g. MCP tool name) and endpoint_id is the SPIFFE URI of the tool endpoint server (e.g. MCP server).
McpServer ¶
Bases: SpecModel
PoisoningScan ¶
Bases: SpecModel
SlsaProvenance ¶
Bases: SpecModel
Spec Section 3.2.8 - DSSE/in-toto aligned provenance pointer.
Sbom ¶
Bases: SpecModel
Enumerations¶
CryptoProfile ¶
Bases: str, Enum
RiskTier ¶
Bases: str, Enum
DataClassification ¶
Bases: str, Enum
PrincipalType ¶
Bases: str, Enum
SlsaLevel ¶
Bases: int, Enum
PolicyLanguage ¶
Bases: str, Enum
EnforcementMode ¶
Bases: str, Enum
DeploymentType ¶
Bases: str, Enum
MemoryType ¶
Bases: str, Enum
TraceType ¶
Bases: str, Enum
SbomFormat ¶
Bases: str, Enum
PoisoningResult ¶
Bases: str, Enum
ApprovalMethod ¶
Bases: str, Enum
SignatureAlgorithm ¶
Bases: str, Enum
KeyType ¶
Bases: str, Enum