feat: add comply54 → TRACE v0.1 integration (Level 0, African regulatory compliance) #11

Open
kingztech2019 wants to merge 3 commits into agentrust-io:main from kingztech2019:feat/comply54-integration

@kingztech2019

What this does

This integration is built on top of agt-policies-nigeria — the policy pack repo cited in Microsoft AGT. comply54 is the Python/TypeScript enforcement layer built on top of those same Rego policies, packaged as an importable library (pip install comply54). This adapter bridges comply54's ComplianceResult into a signed TRACE v0.1 JWT (Ed25519, Level 0 software-only).

comply54 evaluates AI agent actions against 13 African data protection and financial regulations: NDPA 2023 (Nigeria), CBN Transaction Controls, NFIU AML/MLPPA 2022, KDPA 2019 (Kenya), POPIA (South Africa), Ghana DPA, Rwanda DPA 2021, Egypt PDPL 2020, Ethiopia PDP 2024, Mauritius DPA 2017, Tanzania PDPA 2022, Uganda DPPA 2019, and 5 OWASP Agentic AI universal controls.

The adapter maps the compliance decision into a verifiable TRACE claim so the policy outcome becomes a cryptographic receipt — auditable evidence that the African regulatory policy ran and what it decided.


Files

```
integrations/comply54/
  integration.yaml                   — schema-validated manifest
  README.md                          — usage, conformance table, limitations
  requirements.txt                   — PyJWT>=2.8.0, cryptography>=42.0.0
  src/comply54_to_trace.py           — adapter: ComplianceResult JSON → TRACE JWT
  tests/test_comply54_to_trace.py    — 20 tests (appraisal mapping, envelope, extension claims, JWT signing)
```

Decision → Appraisal mapping

| comply54 overall | TRACE appraisal.status |
|---|---|
| allow | affirming |
| audit | advisory |
| escalate | warning |
| deny | contraindicated |

Reproduce in 2 minutes

```bash
pip install comply54 PyJWT cryptography pytest

# 1. Generate a ComplianceResult from the published PyPI package
python3 -c "
from comply54 import NigeriaFintechCompliance
import json
result = NigeriaFintechCompliance().check(
    'transfer_funds',
    {'amount': 15_000_000, 'currency': 'NGN'},
    context={'kyc_tier': 3},
)
json.dump(result.model_dump(mode='json'), open('result.json', 'w'), default=str)
print('overall:', result.overall)
"
# output: overall: deny

# 2. Convert to TRACE JWT
python integrations/comply54/src/comply54_to_trace.py result.json \
  --agent-id payments-agent \
  --model anthropic/claude-sonnet-4-6

# 3. Inspect
python3 -c "
import jwt
p = jwt.decode(open('claim.jwt').read(), options={'verify_signature': False})
print('eat_profile:     ', p['eat_profile'])
print('appraisal.status:', p['appraisal']['status'])
print('violations:      ', [v['pack'] for v in p['comply54']['violations']])
"
# eat_profile:      tag:agentrust.io,2026:trace-v0.1
# appraisal.status: contraindicated
# violations:       ['nigeria/cbn', 'nigeria/nfiu-aml', 'universal/human-approval']

# 4. Run tests
python -m pytest integrations/comply54/tests/ -v
# 20 passed
```

Verified output (4 scenarios, tested against comply54==0.1.0 from PyPI)

| Scenario | comply54 | TRACE appraisal | Violations |
|---|---|---|---|
| get_balance | allow | affirming | |
| ₦15M transfer (exceeds CBN NIP cap) | deny | contraindicated | nigeria/cbn, nigeria/nfiu-aml, universal/human-approval |
| ₦6M transfer (NFIU CTR threshold) | escalate | warning | nigeria/cbn, nigeria/nfiu-aml, universal/human-approval |
| Biometric export → China (11 jurisdictions) | deny | contraindicated | NDPA, KDPA, POPIA, Ghana DPA, Rwanda DPA, Egypt PDPL, Ethiopia PDP, Mauritius DPA, Tanzania PDPA, Uganda DPPA, universal/pii-leakage |

Conformance level

Level 0 (software-only). Hardware TEE fields (runtime.measurement, model.weights_digest, build_provenance.digest) are explicitly marked not-attested or software-simulated. No claims are made beyond Level 0.


Limitations (stated explicitly)

  • Hardware attestation fields are software-simulated placeholders. Level 1/2 requires running comply54 inside a TEE (AMD SEV-SNP, Intel TDX, or equivalent).
  • transparency is empty — no SCITT log anchor at Level 0.
  • model.* fields reflect what the caller passes via --model. comply54 evaluates policy against the agent's action; it does not independently verify which model ran.

cc @imran-siddique — you know the underlying policy work from my AGT Nigeria contribution. comply54 is the enforcement library built on top of those same packs — this adapter makes the compliance decisions TRACE-verifiable. Happy to address any feedback before merge.
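
The inspect step in the description above decodes the token with `verify_signature` disabled, which shows the payload but proves nothing about who issued it. As an added example (not code from this PR or from the comply54 adapter), this is how a relying party might verify the Ed25519 signature with PyJWT before trusting `appraisal.status`. The helper names and the sample key and claim are constructed here, and the rule that an affirming claim lists no violations is an assumption.

```python
import jwt  # PyJWT, as used in the PR's inspect step
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

TRACE_PROFILE = "tag:agentrust.io,2026:trace-v0.1"
# Decision -> appraisal.status mapping as stated in the PR description.
DECISION_TO_STATUS = {"allow": "affirming", "audit": "advisory",
                      "escalate": "warning", "deny": "contraindicated"}


class ClaimRejected(Exception):
    """The token failed the signature check or a content check."""


def verify_trace_claim(token, public_key):
    """Verify the Ed25519 signature, then the claim content; return the payload."""
    try:
        # Pin the algorithm here; never take it from the token's own header.
        payload = jwt.decode(token, public_key, algorithms=["EdDSA"])
    except jwt.InvalidTokenError as exc:
        raise ClaimRejected(f"signature or format check failed: {exc}") from exc
    if payload.get("eat_profile") != TRACE_PROFILE:
        raise ClaimRejected("unexpected eat_profile")
    appraisal = payload.get("appraisal")
    status = appraisal.get("status") if isinstance(appraisal, dict) else None
    if status not in DECISION_TO_STATUS.values():
        raise ClaimRejected(f"unknown appraisal.status: {status!r}")
    ext = payload.get("comply54")
    violations = ext.get("violations", []) if isinstance(ext, dict) else []
    # Assumed consistency rule: an affirming claim must not list violations.
    if status == "affirming" and violations:
        raise ClaimRejected("affirming claim lists violations")
    return payload


def make_sample_claim(private_key, decision, packs):
    """Sign a constructed claim holding only the fields shown in the PR output."""
    payload = {
        "eat_profile": TRACE_PROFILE,
        "appraisal": {"status": DECISION_TO_STATUS[decision]},
        "comply54": {"violations": [{"pack": p} for p in packs]},
    }
    return jwt.encode(payload, private_key, algorithm="EdDSA")


if __name__ == "__main__":
    key = Ed25519PrivateKey.generate()  # throwaway key for the demonstration
    token = make_sample_claim(key, "deny", ["nigeria/cbn", "nigeria/nfiu-aml"])
    print(verify_trace_claim(token, key.public_key())["appraisal"]["status"])
```

In real use the public key comes from the issuer through a trusted channel, not from the token or the same file it arrived in.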

Adds a comply54 integration that converts a ComplianceResult from the
comply54 African regulatory compliance library into a signed TRACE v0.1
JWT (Ed25519, Level 0 software-only conformance).

What's included:
- integration.yaml — schema-validated manifest
- src/comply54_to_trace.py — adapter: ComplianceResult JSON → TRACE JWT
- tests/test_comply54_to_trace.py — 20 passing tests covering appraisal
  mapping, envelope fields, comply54 extension claims, and JWT signing
- requirements.txt — PyJWT + cryptography
- README.md — usage, conformance table, limitations

Decision mapping:
  allow → affirming | audit → advisory | escalate → warning | deny → contraindicated

Policy bundle hash: SHA-256 of sorted comply54 pack IDs (reproducible).
Conforms to TRACE v0.1 at Level 0. Hardware fields are placeholders.

Signed-off-by: oluwajuwon omotayo <oluwajuwon.omotayo@ginuxai.com>
Signed-off-by: oluwajuwon omotayo <ginuxtechacademy@gmail.com>
Signed-off-by: oluwajuwon omotayo <oluwajuwon.omotayo@ginuxai.com>
Signed-off-by: oluwajuwon omotayo <ginuxtechacademy@gmail.com>
@github-actions

🟡 Contributor Check: MEDIUM

| Check | Result |
|---|---|
| Profile | MEDIUM |
| Credential | NONE |
| Overall | MEDIUM |

Automated check by AGT Contributor Check.

@github-actions github-actions Bot added the needs-review:MEDIUM Contributor check flagged MEDIUM risk label Jun 26, 2026
@kingztech2019 kingztech2019 force-pushed the feat/comply54-integration branch from 3dde037 to 64841cb Compare June 26, 2026 18:45

@carloshvp carloshvp left a comment

Member

Review pass on current head (64841cb). This looks much cleaner structurally than the earlier Sentinel PRs.

Checked locally:

  • Manifest validates against schema/integration.schema.json; comply54 is picked up from integrations/comply54/integration.yaml.
  • Tests pass with the integration requirements installed:
    • uv run --with-requirements integrations/comply54/requirements.txt --with pytest --env-file /dev/null python -m pytest integrations/comply54/tests -q -> 20 passed
  • CLI smoke succeeds and writes a compact signed JWT:
    • uv run --with-requirements integrations/comply54/requirements.txt python integrations/comply54/src/comply54_to_trace.py <result.json> --agent-id payments-agent --model openai/gpt-4o --out <claim.jwt>
    • output file exists and has 3 JWT parts.
  • File layout is under integrations/comply54/, and I do not see generated __pycache__ files in the PR.

No blocker from my pass. One small docs tweak worth considering: the README test step says pip install pytest, but a clean environment also needs the adapter requirements (PyJWT, cryptography). I’d suggest making that command explicit, for example pip install -r integrations/comply54/requirements.txt pytest from the repo root, or the equivalent from inside integrations/comply54/.

The remaining failing check appears to be the maintainer-approval gate, not a validation/test failure.

Per carloshvp review: `pip install pytest` alone misses PyJWT and
cryptography. Now uses `pip install -r requirements.txt pytest` so a
clean environment has all dependencies before running the 20 tests.
@kingztech2019

Author

Thanks for the thorough pass, @carloshvp — really appreciate you checking the manifest, running the tests locally, and verifying the CLI output end-to-end.

The docs fix is in: pushed 50fefc4 which changes the test setup step to:

```bash
pip install -r integrations/comply54/requirements.txt pytest
```

That now covers PyJWT and cryptography so a clean environment has everything it needs before the 20 tests run — exactly what you suggested.

And agreed on the failing check — I can see it's the maintainer gate rather than a test or validation failure. Happy to address anything else if it comes up during the final review.
