feat: add comply54 → TRACE v0.1 integration (Level 0, African regulatory compliance)

[kingztech2019]

What this does

This integration is built on top of agt-policies-nigeria — the policy pack repo cited in Microsoft AGT. comply54 is the Python/TypeScript enforcement layer built on top of those same Rego policies, packaged as an importable library (pip install comply54). This adapter bridges comply54's ComplianceResult into a signed TRACE v0.1 JWT (Ed25519, Level 0 software-only).

comply54 evaluates AI agent actions against 13 African data protection and financial regulations: NDPA 2023 (Nigeria), CBN Transaction Controls, NFIU AML/MLPPA 2022, KDPA 2019 (Kenya), POPIA (South Africa), Ghana DPA, Rwanda DPA 2021, Egypt PDPL 2020, Ethiopia PDP 2024, Mauritius DPA 2017, Tanzania PDPA 2022, Uganda DPPA 2019, and 5 OWASP Agentic AI universal controls.

The adapter maps the compliance decision into a verifiable TRACE claim so the policy outcome becomes a cryptographic receipt — auditable evidence that the African regulatory policy ran and what it decided.

---

Files

integrations/comply54/
  integration.yaml                   — schema-validated manifest
  README.md                          — usage, conformance table, limitations
  requirements.txt                   — PyJWT>=2.8.0, cryptography>=42.0.0
  src/comply54_to_trace.py           — adapter: ComplianceResult JSON → TRACE JWT
  tests/test_comply54_to_trace.py    — 20 tests (appraisal mapping, envelope, extension claims, JWT signing)

---

Decision → Appraisal mapping

comply54 overall	TRACE appraisal.status
allow	affirming
audit	advisory
escalate	warning
deny	contraindicated

---

Reproduce in 2 minutes

pip install comply54 PyJWT cryptography pytest

# 1. Generate a ComplianceResult from the published PyPI package
python3 -c "
from comply54 import NigeriaFintechCompliance
import json
result = NigeriaFintechCompliance().check(
    'transfer_funds',
    {'amount': 15_000_000, 'currency': 'NGN'},
    context={'kyc_tier': 3},
)
json.dump(result.model_dump(mode='json'), open('result.json', 'w'), default=str)
print('overall:', result.overall)
"
# output: overall: deny

# 2. Convert to TRACE JWT
python integrations/comply54/src/comply54_to_trace.py result.json \
  --agent-id payments-agent \
  --model anthropic/claude-sonnet-4-6

# 3. Inspect
python3 -c "
import jwt
p = jwt.decode(open('claim.jwt').read(), options={'verify_signature': False})
print('eat_profile:     ', p['eat_profile'])
print('appraisal.status:', p['appraisal']['status'])
print('violations:      ', [v['pack'] for v in p['comply54']['violations']])
"
# eat_profile:      tag:agentrust.io,2026:trace-v0.1
# appraisal.status: contraindicated
# violations:       ['nigeria/cbn', 'nigeria/nfiu-aml', 'universal/human-approval']

# 4. Run tests
python -m pytest integrations/comply54/tests/ -v
# 20 passed

---

Verified output (4 scenarios, tested against comply54==0.1.0 from PyPI)

Scenario	comply54	TRACE appraisal	Violations
get_balance	allow	affirming	—
₦15M transfer (exceeds CBN NIP cap)	deny	contraindicated	nigeria/cbn, nigeria/nfiu-aml, universal/human-approval
₦6M transfer (NFIU CTR threshold)	escalate	warning	nigeria/cbn, nigeria/nfiu-aml, universal/human-approval
Biometric export → China (11 jurisdictions)	deny	contraindicated	NDPA, KDPA, POPIA, Ghana DPA, Rwanda DPA, Egypt PDPL, Ethiopia PDP, Mauritius DPA, Tanzania PDPA, Uganda DPPA, universal/pii-leakage

---

Conformance level

Level 0 (software-only). Hardware TEE fields (runtime.measurement, model.weights_digest, build_provenance.digest) are explicitly marked not-attested or software-simulated. No claims are made beyond Level 0.

---

Limitations (stated explicitly)

• Hardware attestation fields are software-simulated placeholders. Level 1/2 requires running comply54 inside a TEE (AMD SEV-SNP, Intel TDX, or equivalent).
• transparency is empty — no SCITT log anchor at Level 0.
• model.* fields reflect what the caller passes via --model. comply54 evaluates policy against the agent's action; it does not independently verify which model ran.

---

cc @imran-siddique — you know the underlying policy work from my AGT Nigeria contribution. comply54 is the enforcement library built on top of those same packs — this adapter makes the compliance decisions TRACE-verifiable. Happy to address any feedback before merge.

[github-actions]

🟡 Contributor Check: MEDIUM

Check	Result
Profile	MEDIUM
Credential	NONE
Overall	MEDIUM

Automated check by AGT Contributor Check.