openagp 0.0.2

Reference Python SDK for the Agent Governance Protocol (AGP)

openagp/sdk-python

Reference Python SDK for AGP — vendor-side and plane-side.

Install

pip install openagp

Python 3.10+. Runtime depends on cryptography, rfc8785, jsonschema, referencing.

Quick start

from openagp import generate_keypair, sign, verify, InvalidSignature

# vendor side
keys = generate_keypair()

event = {
    "agp_version": "0.1",
    "schema_version": "1.0",
    "event_id": "evt_01JFXY8B5Z9RHQXM3WTNPK4VG2",
    "occurred_at": "2026-08-12T14:23:11.412Z",
    "actor": {
        "vendor": "yourcompany.com",
        "agent_id": "agt_42",
    },
    "action": {
        "type": "tool_call",
        "tool_name": "browser.navigate",
    },
}

signed = sign(event, private_key_b64=keys.private_key_b64, key_id="yourcompany-2026-q2")

# plane side
verify(signed, public_key_b64=keys.public_key_b64)   # raises InvalidSignature on tamper

What the SDK does (and doesn't)

Implements — per ADR 0001:

• RFC 8785 JCS canonicalization
• Ed25519 sign / verify
• JSON Schema validation against bundled v0.1 schemas (Draft 2020-12)
• Tamper detection via signature
• Algorithm-substitution rejection (only Ed25519 is accepted)

Does NOT implement yet (Phase 1+):

• HTTP client / server scaffolds (FastAPI vendor + plane apps)
• Policy DSL evaluation
• Real-time decision callback (Flow C)
• Registry resolution and key rotation
• Replay-cache / event_id deduplication

Schemas

The SDK ships a bundled copy of every AGP JSON Schema under openagp/_schemas/. These are kept in lockstep with the canonical schemas in openagp/spec — CI fails if they drift. To sync after pulling the latest spec:

scripts/sync-schemas.sh

Development

Clone alongside openagp/spec (tests load fixtures and test vectors from a sibling checkout — CI clones both repos automatically):

git clone https://github.com/openagp/spec
git clone https://github.com/openagp/sdk-python
cd sdk-python
pip install -e ".[dev]"

Then:

pytest                  # run all tests, including the cross-language vectors
ruff check openagp tests  # lint
scripts/sync-schemas.sh   # pull canonical schemas from ../spec/schemas/

Bundled schemas under openagp/_schemas/ must stay in sync with ../spec/schemas/ — CI fails if they drift. Run scripts/sync-schemas.sh after pulling spec changes.

For cross-language sanity, also run the conformance suite locally:

cd ../cts && make vectors    # builds agp-cts + runs embedded test vectors

See CONTRIBUTING.md at the org level for DCO sign-off and PR conventions, and SUPPORT.md for where to ask questions or file bugs.

CLI

A small validator CLI ships with the SDK:

python -m openagp.tools.validate --kind event --instance path/to/event.json
python -m openagp.tools.validate --schema schemas/event.json --instance fixtures/events/01-tool-call-allowed.json

Status

Scaffold + Phase 0 sign/verify roundtrip. The full Phase 1 SDK is in progress (see §4.2 Phase 1 of the spec).

License

Apache-2.0.