Add Fidacy Trust-Verdict extension sample #620
A neutral, independently verifiable trust verdict (approve/review/deny) for agent payments: the complement to x402 (settlement) and AP2 (authorization). The verdict rides the AP2 risk_data slot or A2A Task.metadata; the signed EdDSA JWS is the source of truth, verifiable against the public JWKS. Includes the v1 spec and a runnable Python sample (assess over A2A, then verify). Apache-2.0.
Code Review
This pull request introduces the Fidacy Trust-Verdict Extension (v1) for the Agent2Agent (A2A) protocol, including a specification document, documentation, and a Python reference sample demonstrating how to assess a payment mandate and verify the signed EdDSA JWS verdict against a public JWKS. The review feedback focuses on improving the robustness of the Python sample by preventing potential KeyError and StopIteration exceptions during dictionary lookups and key resolution, as well as fixing a minor typo in the README.
- Use .get() for riskPayloadJws and guard if the JWS is absent.
- next() with a default + guard when the kid is not in the JWKS.
- .get() on the verified claims in the final prints.
- Fix README spacing.
Thanks for the review! Addressed all of it: safer
- Rewrite the Python sample to pass the repo ruff config (Google style): module + function docstrings, type hints, single quotes, main() entrypoint, add __init__.py (INP001). ruff check: all checks passed.
- Markdown: remove trailing spaces (MD009) and align table pipes (MD060). Sample still runs end to end (signature valid: True).
The previous alignment pass split on escaped pipes (\|) in the decision row and mangled the claims table into extra columns. Rebuilt it as a clean two-column aligned table with the escaped pipes preserved.
Proposes a new sample extension demonstrating a trust verdict for agent payments: a signed approve/review/deny decision that any party verifies independently against a public JWKS, with no trust in the issuer required. It is the neutral complement to the existing a2a-x402 (settlement) and AP2 (authorization) work, and it fills the AP2 risk_data slot, which is reserved but implementation-defined.
It does not invent a new container. The verdict rides the existing AP2 risk_data field or A2A Task.metadata, and the signed EdDSA JWS is the source of truth.
Layout matches secure-passport (README, HOWTORUN, v1/spec.md, v1/samples/python). The Python sample runs end to end (assess over A2A, then verify the JWS against the public JWKS) and prints signature valid: True. Apache-2.0.
Live, verifiable references:
Per CONTRIBUTING, glad to discuss or adjust to your conventions. If a maintainer is interested in sponsoring it toward experimental status under the extension governance framework, I would happily follow that process.
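The guards named in the review feedback (an absent riskPayloadJws, a kid that is not in the JWKS) combined with EdDSA JWS verification, as an added example that is not the PR's sample code. It assumes the `cryptography` package and a response dict carrying `riskPayloadJws`; the key, the `demo-key-1` kid and the `decision` claim are constructed placeholders.

```python
import base64
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ed25519


def b64u_dec(s):
    return base64.urlsafe_b64decode(s + '=' * (-len(s) % 4))


def b64u_enc(b):
    return base64.urlsafe_b64encode(b).rstrip(b'=').decode()


def verify_verdict(response, jwks):
    """Return the verified claims, or None if the JWS is absent or invalid."""
    jws = response.get('riskPayloadJws')  # .get(): the field may be missing
    if not isinstance(jws, str) or jws.count('.') != 2:
        return None
    h64, p64, s64 = jws.split('.')
    try:
        header = json.loads(b64u_dec(h64))
        if header.get('alg') != 'EdDSA':  # pin the algorithm
            return None
        kid = header.get('kid')
        # next() with a default: an unknown kid yields None, not StopIteration
        jwk = next((k for k in jwks.get('keys', []) if k.get('kid') == kid), None)
        if kid is None or jwk is None or jwk.get('crv') != 'Ed25519':
            return None
        pub = ed25519.Ed25519PublicKey.from_public_bytes(b64u_dec(jwk['x']))
        pub.verify(b64u_dec(s64), f'{h64}.{p64}'.encode())  # raises if invalid
        return json.loads(b64u_dec(p64))  # claims are read only after verify
    except (ValueError, KeyError, TypeError, AttributeError, InvalidSignature):
        return None


def make_sample():
    """Build a constructed key, JWKS and signed verdict (all placeholder values)."""
    sk = ed25519.Ed25519PrivateKey.generate()
    raw = sk.public_key().public_bytes(
        serialization.Encoding.Raw, serialization.PublicFormat.Raw)
    jwks = {'keys': [{'kty': 'OKP', 'crv': 'Ed25519', 'kid': 'demo-key-1',
                      'x': b64u_enc(raw)}]}
    h64 = b64u_enc(json.dumps({'alg': 'EdDSA', 'kid': 'demo-key-1'}).encode())
    p64 = b64u_enc(json.dumps({'decision': 'approve'}).encode())
    sig = sk.sign(f'{h64}.{p64}'.encode())
    return {'riskPayloadJws': f'{h64}.{p64}.{b64u_enc(sig)}'}, jwks
```

A caller treats a `None` result as "no usable verdict" and never reads claims from the unverified payload.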