Conformance
agentrc conformance is profile-based.
A tool, package builder, registry, runner, or workflow engine should state exactly which profiles it supports.
Profile names
agentrc/core-agentfile/v0.1agentrc/security-cedar/v0.1agentrc/oci-package/v0.1agentrc/tool-projection/v0.1agentrc/runner/v0.1agentrc/workflow/v0.1draft
Why profiles?
A local validator should not need to implement microVM isolation. A registry should not need to evaluate every runtime boundary. A runner should not need to become a workflow engine.
Profiles keep the spec implementable.
Conformance suite (v0.1 outline)
A specification without an executable test suite is prose. The conformance suite is what makes a profile claim verifiable: an implementation either passes the suite for a profile or it does not. The suite is intentionally as important as the spec text, and it must include adversarial cases — the suite proves a runner does the safe thing under bad input, not just the happy path.
Positive cases
| ID | Profile | Given | Expect |
|---|---|---|---|
core-parse-minimal |
Core | The minimal valid Agentfile | Parses; directive order preserved; structured tree emitted |
core-policy-block |
Core | A POLICY ... END block |
Inner lines captured verbatim, not parsed as directives |
oci-roundtrip |
OCI Package | A built package | Push, pull by digest, and inspect reproduce identical content |
cedar-permit |
Cedar | A request matching a permit |
Allowed and (if AUDIT requires) recorded |
Adversarial / fail-closed cases
These are the cases that catch real implementation gaps. Each one has a single correct outcome.
| ID | Profile | Given | MUST |
|---|---|---|---|
policy-unparseable-denies |
Cedar | Policy source that does not parse | Deny every request (fail closed), never allow |
policy-eval-error-denies |
Cedar | Policy that errors during evaluation | Deny the request |
forbid-overrides-permit |
Cedar | A request matched by both a permit and a forbid |
Deny (deny wins) |
unknown-required-directive |
Core / Runner | An unknown directive marked required | Reject the package, do not silently ignore |
cred-value-redacted |
Security | A CRED resolves to a secret value |
Value redacted from logs, audit, lockfile, and package metadata |
cred-plaintext-rejected |
Security | A package containing a plaintext secret | Reject / fail validation |
child-widens-forbid-fails |
Inheritance | A child package that removes or widens an inherited forbid/ceiling |
Fail the build |
audit-required-unsupported-fails |
Runner | AUDIT required but the runner cannot emit audit events |
Fail closed, do not run |
boundary-unsupported-fails |
Runner | A required boundary the runner cannot enforce | Fail closed, do not silently weaken |
A runner that claims a profile but fails any of that profile’s adversarial cases is not conformant to that profile, regardless of how many positive cases it passes.
Honest conformance status of the reference implementation
agentrc is the specification; the reference implementation (the aio-* packages in this repository) is an implementation and test harness, not the definition. Spec-first work means the spec leads the implementation, so the implementation is expected to lag — and that gap must be labeled honestly rather than implied away.
As of this draft, the reference implementation should be described as passing only the profiles it actually passes today (Agentfile parsing and OCI packaging), and not yet claiming the Cedar profile or full fail-closed Security/Runner conformance until a real Cedar evaluator and the adversarial cases above are in place. Implementations MUST NOT advertise a profile they do not pass.