Open
Conversation
jhateley-godaddy
force-pushed
the
feat/implement-scitt-verification
branch
from
9605836 to
b57dd93
Compare
jhateley-godaddy
force-pushed
the
feat/implement-scitt-verification
branch
from
c2bec8a to
c4ecd0d
Compare
There was a problem hiding this comment.
Pull request overview
Adds SCITT-based verification to the ANS Agent Client SDK and transparency module, updating policies and examples to make SCITT the recommended verification flow while retaining DANE/Badge support.
Changes:
- Introduces SCITT domain model + helpers (headers, parsing/expectations, caching decisions) and expands
TransparencyClientwith SCITT-oriented APIs and trusted-domain validation. - Extends agent-client verification pipeline to support SCITT (new policy presets, pre/post verification integration, server-side request verification types).
- Updates examples/docs/dependencies and CI workflow to reflect SCITT flows and newer tooling.
Reviewed changes
Copilot reviewed 97 out of 106 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResultTest.java | Adds tests for SCITT pre-verify result factories/accessors |
| ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchExceptionTest.java | Adds tests for SCITT fetch exception behavior |
| ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectationTest.java | Adds tests covering expectation statuses, helpers, defensive copies |
| ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecisionTest.java | Adds tests for refresh decision factories |
| ans-sdk-transparency/src/test/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifierTest.java | Adds tests for hash validation, computation, and verification |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/package-info.java | Documents SCITT verification package and flow |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/TrustedDomainRegistry.java | Adds trusted-domain allowlist for TL key fetching |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittVerifier.java | Introduces SCITT verifier interface + post-verification result record |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittPreVerifyResult.java | Adds SCITT pre-verification result record + factories |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittParseException.java | Adds checked exception for SCITT artifact parsing failures |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaders.java | Defines SCITT-related HTTP header constants |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittHeaderProvider.java | Adds abstraction for outgoing/incoming SCITT headers + parsed artifacts |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittFetchException.java | Adds runtime exception for SCITT fetch failures |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/ScittExpectation.java | Introduces expectation/status model for SCITT verification outcomes |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/RefreshDecision.java | Introduces result type for root-key refresh decisioning |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/MetadataHashVerifier.java | Implements metadata integrity verification from token-provided hashes |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/DefaultScittHeaderProvider.java | Implements Base64 header encode/decode and artifact parsing |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CwtClaims.java | Adds CWT claim record + Instant helpers |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/scitt/CoseProtectedHeader.java | Adds COSE protected header record + hex keyId utilities |
| ans-sdk-transparency/src/main/java/com/godaddy/ans/sdk/transparency/TransparencyClient.java | Expands client for SCITT operations (receipt/token/root keys) + trusted-domain validation |
| ans-sdk-transparency/build.gradle.kts | Adds CBOR/Caffeine/BouncyCastle dependencies for SCITT |
| ans-sdk-crypto/src/main/java/com/godaddy/ans/sdk/crypto/CertificateUtils.java | Reuses CryptoCache for SHA-256 fingerprint + exposes normalization |
| ans-sdk-core/src/test/java/com/godaddy/ans/sdk/concurrent/AnsExecutorsTest.java | Adds tests for scheduled executors and queue capacity |
| ans-sdk-core/src/main/java/com/godaddy/ans/sdk/crypto/CryptoCache.java | Adds thread-local caching for digests/signature verification |
| ans-sdk-core/src/main/java/com/godaddy/ans/sdk/concurrent/AnsExecutors.java | Adds bounded IO executor + scheduled executor helpers |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/VerificationResultTest.java | Updates enum tests for new SCITT verification type |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResultTest.java | Extends tests to cover SCITT fields and behavior |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnssecValidationModeTest.java | Adds tests for DNSSEC validation mode enum behavior |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DnsResolverConfigTest.java | Adds tests for DNS resolver presets |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultResolverFactoryTest.java | Adds tests for resolver factory behavior |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultConnectionVerifierTest.java | Extends verifier tests to cover SCITT flows and policy combining |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DefaultCertificateFetcherTest.java | Adds tests for certificate fetcher singleton + behavior |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/verification/DanePolicyTest.java | Adds tests for DANE policy behavior |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifierTest.java | Updates tests after policy preset rename/removal |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/http/DefaultAgentHttpClientFactoryTest.java | Updates tests to use DANE_AND_BADGE instead of removed FULL |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationExceptionTest.java | Adds tests for SCITT verification exception mapping |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationExceptionTest.java | Adds tests for client configuration exception |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/VerificationPolicyTest.java | Updates policy preset tests for SCITT presets and removal of FULL |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/ConnectOptionsTest.java | Updates tests for preset policy changes |
| ans-sdk-agent-client/src/test/java/com/godaddy/ans/sdk/agent/AnsConnectionTest.java | Adds tests for new AnsConnection post-verification behaviors |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/VerificationResult.java | Adds SCITT verification type |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/TlsaUtils.java | Uses CryptoCache for SHA-256/SHA-512 matching types |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/PreVerificationResult.java | Adds SCITT pre-verify result storage + helper methods |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ConnectionVerifier.java | Adds scittPreVerify() with default not-present behavior; updates combine signature |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerifier.java | Adds server-side API for validating incoming client requests |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/verification/ClientRequestVerificationResult.java | Adds structured result type for client request verification |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/http/NoOpConnectionVerifier.java | Implements SCITT pre-verify no-op default |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ScittVerificationException.java | Adds typed exception for SCITT verification failures |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/exception/ClientConfigurationException.java | Adds exception for verified-client initialization/config failures |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/VerificationPolicy.java | Adds SCITT policy dimension + new presets SCITT_REQUIRED/ENHANCED |
| ans-sdk-agent-client/src/main/java/com/godaddy/ans/sdk/agent/AnsConnection.java | Adds connection handle for post-verification using captured TLS cert |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/resources/application.yml | Adds config for Spring MCP server example (SCITT, mTLS, policies) |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/health/ScittHealthIndicator.java | Adds actuator health indicator for SCITT artifacts |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ScittHeaderResponseFilter.java | Adds servlet filter that injects SCITT headers on responses |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/filter/ClientVerificationFilter.java | Adds request filter to verify clients via SCITT+mTLS |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/controller/McpController.java | Adds MCP endpoint controller wiring MCP servlet transport |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittLifecycle.java | Starts/stops background SCITT refresh lifecycle |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/ScittConfig.java | Configures TransparencyClient, ScittArtifactManager, request verifier beans |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/config/McpServerProperties.java | Adds typed config properties with policy parsing |
| ans-sdk-agent-client/examples/mcp-server-spring/src/main/java/com/godaddy/ans/examples/mcp/spring/McpServerSpringApplication.java | Adds Spring Boot app entrypoint + BouncyCastle registration |
| ans-sdk-agent-client/examples/mcp-server-spring/build.gradle.kts | Adds Gradle config for Spring MCP server example |
| ans-sdk-agent-client/examples/mcp-server-spring/README.md | Documents Spring MCP server example, flows, configuration |
| ans-sdk-agent-client/examples/mcp-client/build.gradle.kts | Updates MCP SDK dependency version |
| ans-sdk-agent-client/examples/mcp-client/README.md | Updates client example docs to use AnsVerifiedClient + SCITT policies |
| ans-sdk-agent-client/examples/http-api/src/main/java/com/godaddy/ans/examples/httpapi/HttpApiExample.java | Adds SCITT verification example via AnsVerifiedClient |
| ans-sdk-agent-client/examples/http-api/README.md | Updates docs to include SCITT example and policy guidance |
| ans-sdk-agent-client/examples/a2a-client/src/main/java/com/godaddy/ans/examples/a2a/A2aClientExample.java | Adds AnsVerifiedClient-based SCITT example alongside manual flow |
| ans-sdk-agent-client/examples/a2a-client/README.md | Documents both manual and SCITT verification patterns |
| ans-sdk-agent-client/examples/README.md | Updates examples overview to include SCITT policies |
| ans-sdk-agent-client/build.gradle.kts | Adds caffeine + CBOR to support SCITT/caching in agent-client |
| README.md | Updates docs to replace removed FULL policy with DANE_AND_BADGE |
| .github/workflows/ci.yml | Updates GitHub Actions wrapper validation and cache actions versions |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
bchen-godaddy
previously approved these changes
Apr 6, 2026
- Update BouncyCastle to 1.79, add Caffeine and MCP SDK dependencies - Fix Jacoco coverage to only enforce 90% on publishable modules - Add mcp-server-spring example to settings - Enhance AnsExecutors with virtual thread support and named executors - Add CryptoCache for thread-safe caching of crypto operations - Minor CertificateUtils enhancement Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
Add comprehensive SCITT (Supply Chain Integrity, Transparency, and Trust) verification infrastructure: - CoseSign1Parser: Parse COSE_Sign1 structures from receipts and tokens - ScittReceipt: Merkle inclusion proof verification - StatusToken: Time-bounded agent status assertions with fingerprint validation - ScittVerifier/DefaultScittVerifier: Full verification pipeline - MerkleProofVerifier: Consistency proof validation - ScittArtifactManager: Caching and refresh management - ScittHeaderProvider: HTTP header extraction (X-SCITT-Receipt, X-ANS-Status-Token) - TrustedDomainRegistry: Domain-based trust configuration Includes CBOR/COSE dependencies and comprehensive test coverage. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- TransparencyClient: Add SCITT root key fetching, domain configuration, and artifact retrieval methods - TransparencyService: Major enhancements for SCITT artifact management, status token validation, and receipt verification - CachingBadgeVerificationService: Refactor to use new SCITT infrastructure with improved caching and refresh logic Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- VerificationPolicy: Add SCITT_REQUIRED policy for full SCITT verification - PreVerificationResult: Add SCITT result fields and builder methods - ConnectionVerifier/DefaultConnectionVerifier: Integrate SCITT verification into the connection flow - ScittVerifierAdapter: Bridge SCITT verification from transparency module to agent-client connection verification - Add ScittVerificationException and ClientConfigurationException - Comprehensive test coverage for all verification components Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- AnsVerifiedClient: High-level client supporting all verification policies (PKI_ONLY, BADGE_REQUIRED, DANE_REQUIRED, SCITT_REQUIRED) - AnsConnection: Connection wrapper with verification result access - ClientRequestVerifier/DefaultClientRequestVerifier: Per-request SCITT verification for response headers - ClientRequestVerificationResult: Structured verification results Provides a simple, fluent API for secure agent-to-agent communication with configurable trust policies. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
- Update all example READMEs with SCITT verification documentation - A2A client example: Add SCITT_REQUIRED policy demonstration - HTTP API example: Add per-request SCITT verification - MCP client example: Simplify and add SCITT support - Add new mcp-server-spring example: Spring Boot MCP server with SCITT header injection and client verification filters Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
jhateley-godaddy
force-pushed
the
feat/implement-scitt-verification
branch
from
8053347 to
e485564
Compare
jhateley-godaddy
force-pushed
the
feat/implement-scitt-verification
branch
2 times, most recently
from
be95898 to
d06dc2d
Compare
jhateley-godaddy
force-pushed
the
feat/implement-scitt-verification
branch
2 times, most recently
from
076abcc to
a009fd1
Compare
jhateley-godaddy
force-pushed
the
feat/implement-scitt-verification
branch
from
a009fd1 to
199b959
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This pull request introduces support for SCITT-based verification to the ANS Agent Client SDK and its integration examples, updating documentation, examples, and dependencies to reflect the new approach. The changes provide a high-level, recommended verification flow using SCITT, while retaining and clarifying the existing manual DANE/Badge flow. The documentation and code now clearly distinguish between the two verification patterns, and new dependencies are added to support caching and SCITT artifact handling.
SCITT Verification Support and Example Integration:
AnsVerifiedClientinA2aClientExample.java, including detailed step-by-step output and integration pattern documentation. [1] [2] [3] [4] [5]Verification Policy and Documentation Updates:
FULLin favor ofSCITT_REQUIREDandSCITT_ENHANCED, and clarified the recommended use cases for each policy. [1] [2] [3] [4]Dependency and Build Configuration:
build.gradle.ktsto support SCITT artifact handling and improve test coverage. [1] [2] [3]ans-sdk-agent-clientmodule.CI and Workflow Maintenance:
gradle/actions/wrapper-validationandactions/cachefor better reliability and security. (.github/workflows/ci.yml)These changes modernize the verification flow, making SCITT the recommended approach for production environments, and provide clear guidance and examples for developers integrating with the ANS Agent Client SDK.