feat: declare weaver-spec v0.1.0 compatibility + add conformance CI stub

Copilot · dgenio · web-flow · commit e75e7320a241 · 2026-04-11T10:55:29.000Z
Agent-Logs-Url: https://github.com/dgenio/agent-kernel/sessions/5fb5ea48-a67d-46b5-b468-dce096bf5c0e Co-authored-by: dgenio <12731907+dgenio@users.noreply.github.com>
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -45,3 +45,30 @@ jobs:
           python examples/basic_cli.py
           python examples/billing_demo.py
           python examples/http_driver_demo.py
+
+  conformance:
+    name: "Weaver Spec Conformance (v0.1.0)"
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: read
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.12"
+
+      - name: Install dependencies
+        run: pip install -e ".[dev]"
+
+      # Placeholder: activate once dgenio/weaver-spec#4 ships the conformance suite.
+      # Replace this step with:
+      #   pip install weaver-contracts
+      #   python -m weaver_contracts.conformance --target agent_kernel
+      - name: weaver-spec conformance suite (stub)
+        run: |
+          echo "weaver-spec conformance suite not yet published (dgenio/weaver-spec#4)."
+          echo "Stub passes. Activate when weaver_contracts.conformance is available."
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- Declared weaver-spec v0.1.0 compatibility in README: invariants I-01 (firewall), I-02 (authorization + audit), and I-06 (scoped tokens) are satisfied.
+- Added placeholder `conformance` CI job that will activate once the weaver-spec conformance suite ships (dgenio/weaver-spec#4).
+
 ## [0.4.0] - 2026-03-14
 
 ### Added
diff --git a/README.md b/README.md
@@ -110,6 +110,19 @@ asyncio.run(main())
 
 `agent-kernel` sits **above** `contextweaver` (context compilation) and **above** raw tool execution. It provides the authorization, execution, and audit layer.
 
+## Weaver Spec Compatibility: v0.1.0
+
+agent-kernel is a compliant implementation of [weaver-spec v0.1.0](https://github.com/dgenio/weaver-spec).
+The following invariants are satisfied:
+
+| Invariant | Description | How agent-kernel satisfies it |
+|-----------|-------------|-------------------------------|
+| **I-01** | LLM never sees raw tool output by default | `Context Firewall` always transforms `RawResult → Frame`; raw driver output is never returned to the caller |
+| **I-02** | Every execution is authorized and auditable | `PolicyEngine` evaluates every invocation; `TraceStore` records every `ActionTrace`; `HMACTokenProvider` validates tokens before execution |
+| **I-06** | CapabilityTokens are scoped | Tokens bind `principal_id + capability_id + constraints` with an explicit TTL; `revoke_token()` / `revoke_all()` are supported |
+
+See [docs/agent-context/invariants.md](docs/agent-context/invariants.md) for the full internal invariant list and [weaver-spec INVARIANTS.md](https://github.com/dgenio/weaver-spec/blob/main/docs/INVARIANTS.md) for the specification.
+
 ## Security disclaimers
 
 > **v0.1 is not production-hardened for real authentication.**
