docs: OVERT 1.0 status and public-doc cleanup

CONTRIBUTING.md

@@ -36,7 +36,7 @@ pip install -e '.[dev]'   # one-time setup
 scripts/lint_full.sh
 ```
 
-The script chains four checks: `ruff` (style + correctness), `bandit` (security), `mypy` (types — strict on `vaara.policy`, lenient elsewhere while legacy modules are migrated), and `pytest`. Total runtime ~10s. CI runs the same gates, so a green local sweep should mean a green PR.
+The script chains four checks: `ruff` (style + correctness), `bandit` (security), `mypy` (types - strict on `vaara.policy`, lenient elsewhere while legacy modules are migrated), and `pytest`. Total runtime ~10s. CI runs the same gates, so a green local sweep should mean a green PR.
 
 New modules under `src/vaara/` are expected to type-check cleanly. As legacy modules get cleaned up, add them to the strict mypy block in `pyproject.toml` so the typing floor only ratchets upward.
 

README.md

@@ -71,11 +71,11 @@ curl -sX POST http://localhost:8000/v1/score \
   -d '{"tool_name":"tx.transfer","agent_id":"agent-007","base_risk_score":0.5}'
 ```
 
-The contract is in [docs/openapi.yaml](docs/openapi.yaml). Vaara defines the interface; control-plane and orchestration vendors call it. Integration recipes for adopters live under `examples/recipes/`.
+The contract is in [docs/openapi.yaml](docs/openapi.yaml). Vaara defines the interface. Control-plane and orchestration vendors call it. Integration recipes for adopters live under `examples/recipes/`.
 
 ## OVERT 1.0 attestation
 
-Vaara is the first OSS Python reference implementation of the OVERT 1.0 ([overt.is](https://overt.is/), Glacis Technologies, March 2026) Protocol Profile 1.0 Base Envelope at AAL-3 Phase 2 (Provisional Receipt). Closed-schema 9-field structure, canonical CBOR encoding, Ed25519 signatures, HMAC-SHA256 keyed commitments, IEEE-754 float rejection. External Independent Attestation Providers can promote AAL-3 emission to AAL-4 by attaching Phase 3 notary signatures and transparency-log inclusion proofs.
+Vaara implements the OVERT 1.0 ([overt.is](https://overt.is/)) Protocol Profile 1.0 Base Envelope. OVERT 1.0 is an open standard for runtime trust in AI systems, authored by Glacis Technologies and published in March 2026. Closed-schema 9-field structure at AAL-3 Phase 2 (Provisional Receipt), canonical CBOR (RFC 8949), Ed25519 signatures, HMAC-SHA256 keyed commitments, IEEE-754 float rejection. External Independent Attestation Providers can promote AAL-3 emission to AAL-4 by attaching Phase 3 notary signatures and transparency-log inclusion proofs.
 
 ```
 pip install 'vaara[attestation]'

SECURITY.md

@@ -7,7 +7,7 @@ Please report security vulnerabilities privately through GitHub's
 feature. **Do not open a public issue for anything that could be exploited.**
 
 For communication outside GitHub, reach the maintainers at
-`security@vaara.io`. Use PGP if you prefer end-to-end-encrypted email; the
+`security@vaara.io`. Use PGP if you prefer end-to-end-encrypted email. The
 current public key is published at
 <https://github.com/vaaraio/vaara/blob/main/docs/signing-keys.md>.
 

bench/COMPARISON.md

@@ -1,9 +1,12 @@
 # Comparison with adjacent tools
 
 This doc compares Vaara against the open-source tools most often
-named in the same breath: **NVIDIA NeMo Guardrails**, **Guardrails AI**,
-**OpenAI Guardrails** (for Agents SDK), **LangChain callback handlers**,
-and the **OWASP LLM Top 10** threat taxonomy.
+named in the same breath. Two clusters: LLM-text rails and output
+validators on one side (**NVIDIA NeMo Guardrails**, **Guardrails AI**,
+**OpenAI Guardrails** for Agents SDK, **LangChain callback handlers**,
+and the **OWASP LLM Top 10** threat taxonomy), and agent governance
+plus attestation tools on the other (**Glacis Python SDK** and
+**Microsoft Agent Governance Toolkit**).
 
 No benchmark numbers are cited for the other tools here. Each one
 solves a different problem than Vaara, so a head-to-head TPR/FPR on
@@ -18,24 +21,36 @@ prose, read the sections below it.
 
 ## Capability matrix
 
-| Concern                                          | Vaara | NeMo Guardrails | Guardrails AI | OpenAI Guardrails | LangChain callbacks | OWASP LLM Top 10 |
-| ------------------------------------------------ | :---: | :-------------: | :-----------: | :---------------: | :-----------------: | :--------------: |
-| Validates tool-call **arguments** at runtime     |   ✓   |        ✗        |       ✗       |         ✗         |    observes only    |   not software   |
-| Probabilistic / conformal risk scoring per call  |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |
-| Detects temporal **sequence** patterns           |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |
-| Hash-chained, regulator-exportable audit trail   |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |
-| EU AI Act Art. 12 / 14 / 26 evidence mapping     |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |
-| Validates LLM *output text* (PII, toxicity, etc) |   ✗   |        ✓        |       ✓       |         ✓         |          ✗          |   advisory only  |
-| Validates LLM *input prompt* (jailbreak etc)     |   ✗   |        ✓        |       ✓       |         ✓         |          ✗          |   advisory only  |
-| Structured-output validation (schema / regex)    | partial|        ✓        |       ✓       |         ✓         |          ✗          |        ✗         |
-| Self-hostable Python library (no SaaS required)  |   ✓   |        ✓        |       ✓       |         ✓         |          ✓          |     document     |
-| Apache-2.0                                       |   ✓   |     Apache-2.0  |     Apache-2.0|        MIT        |        MIT          |      CC-BY       |
-
-Reading the matrix: Vaara and the output-validation tools are
-complementary, not competitive. A real deployment uses output
-validation **and** tool-call governance. Vaara does not validate LLM
-text output, so use Guardrails AI or NeMo for that. NeMo and Guardrails
-AI do not validate tool-call arguments at runtime, so use Vaara for that.
+| Concern                                          | Vaara | NeMo Guardrails | Guardrails AI | OpenAI Guardrails | LangChain callbacks | OWASP LLM Top 10 | Glacis Python SDK | MS Agent Governance Toolkit |
+| ------------------------------------------------ | :---: | :-------------: | :-----------: | :---------------: | :-----------------: | :--------------: | :---------------: | :-------------------------: |
+| Validates tool-call **arguments** at runtime     |   ✓   |        ✗        |       ✗       |         ✗         |    observes only    |   not software   |         ✗         |              ✓              |
+| Probabilistic / conformal risk scoring per call  |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |         ✗         |              ✗              |
+| Detects temporal **sequence** patterns           |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |         ✗         |              ✗              |
+| Hash-chained, regulator-exportable audit trail   |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |  partial (Merkle) |      partial (logging)      |
+| EU AI Act Art. 12 / 14 / 26 evidence mapping     |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |         ✗         |              ✗              |
+| OVERT 1.0 Base Envelope emission (RFC 8949 CBOR) |   ✓   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |         ✗         |              ✗              |
+| RFC 6962 Merkle inclusion proof integration      |  ext. IAP  |     ✗      |       ✗       |         ✗         |          ✗          |        ✗         |    ✓ (hosted)     |              ✗              |
+| Validates LLM *output text* (PII, toxicity, etc) |   ✗   |        ✓        |       ✓       |         ✓         |          ✗          |   advisory only  |         ✗         |              ✗              |
+| Validates LLM *input prompt* (jailbreak etc)     |   ✗   |        ✓        |       ✓       |         ✓         |          ✗          |   advisory only  |         ✗         |              ✗              |
+| Structured-output validation (schema / regex)    | partial|        ✓        |       ✓       |         ✓         |          ✗          |        ✗         |         ✗         |          partial            |
+| Zero-trust agent identity primitives             |   ✗   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |         ✗         |              ✓              |
+| Capability-based access control                  | policy schema |  ✗        |       ✗       |         ✗         |          ✗          |        ✗         |         ✗         |              ✓              |
+| Execution sandboxing                             |   ✗   |        ✗        |       ✗       |         ✗         |          ✗          |        ✗         |         ✗         |              ✓              |
+| Multi-language SDKs                              | Python only |     N/A    |   Python      |  Python (Agents)  |   Python / JS       |      N/A         |    Python only    |              ✓              |
+| Self-hostable Python library (no SaaS required)  |   ✓   |        ✓        |       ✓       |         ✓         |          ✓          |     document     |         ✓         |              ✓              |
+| License                                          | Apache-2.0 |   Apache-2.0 |   Apache-2.0 |        MIT        |        MIT          |      CC-BY       |    Apache-2.0     |             MIT             |
+
+Reading the matrix: Vaara and the other tools are complementary, not
+competitive. Different cells of the matrix. Different parts of the
+stack. A real production agent deployment uses several of these at
+once. Vaara owns the runtime risk-scoring + Article 14 evidence +
+OVERT 1.0 attestation slice. NeMo and Guardrails AI cover the LLM
+text-rail slice. Microsoft AGT covers the agent identity, capability,
+and sandboxing slice. Glacis SDK is a client to Glacis's hosted
+attestation service. Vaara does not validate LLM text output, so use
+Guardrails AI or NeMo for that. Vaara does not provide zero-trust
+agent identity, so use Microsoft AGT for that. The text-rail tools do
+not validate tool-call arguments at runtime, so use Vaara for that.
 
 ## One paragraph each
 
@@ -79,6 +94,29 @@ vocabulary. Not software, so there is nothing to install. Vaara's
 signals and sequence patterns are informed by this taxonomy, but the
 taxonomy itself does not do runtime enforcement.
 
+**Glacis Python SDK.** Apache-2.0 client library for Glacis
+Technologies' hosted attestation service, using RFC 8785 canonical
+JSON, SHA-256 hashing, Ed25519 signatures, and RFC 6962 Merkle
+inclusion proofs delivered in-line by the hosted service. Glacis
+Technologies also authored OVERT 1.0, the open standard for
+runtime trust in AI systems, published at overt.is in March 2026.
+Either tool can be used depending on whether you need a
+Glacis-hosted-service client or an OVERT 1.0 Base Envelope emitter
+in your runtime.
+
+**Microsoft Agent Governance Toolkit.** MIT-licensed toolkit for
+agent identity, capability-based access control, execution sandboxing,
+and reliability engineering. The toolkit frames its surface around
+the OWASP Agentic Top 10 and zero-trust principles, with multi-language
+SDKs for deployers running heterogeneous agent stacks. Where Vaara
+provides runtime risk scoring and Article 14 audit evidence, AGT
+provides agent identity primitives and the sandboxing layer that
+isolates agent execution from the host environment. The two tools
+cover different layers of the same governance stack. The
+`GenAI-Gurus/awesome-eu-ai-act` curator places Vaara and AGT side
+by side in the AI Agent Governance section for exactly this reason:
+deployers running production agents typically want both wired in.
+
 ## Where Vaara fits
 
 Vaara is the gate between an AI agent's *decision* to take an action
@@ -96,15 +134,24 @@ The three things Vaara does that the tools above do not:
 3. Produce **regulator-ready** evidence: cryptographic audit chain,
    signal breakdown per decision, conformity report.
 
-The three things Vaara does not do that the tools above handle well:
+The things Vaara does not do that the tools above handle well:
 
-1. LLM output validation (PII, toxicity, schema).
-2. LLM input guardrails (jailbreak detection, topical rails).
-3. Constrained decoding and structured output generation.
+1. LLM output validation, PII redaction, toxicity filtering (NeMo,
+   Guardrails AI, OpenAI Guardrails).
+2. LLM input guardrails, jailbreak detection, topical rails (same).
+3. Constrained decoding and structured output generation (same).
+4. Zero-trust agent identity primitives and capability-based access
+   control as first-class types (Microsoft Agent Governance Toolkit).
+5. Execution sandboxing as a built-in primitive (Microsoft AGT).
+6. Hosted Merkle-inclusion-proof attestation as a managed service
+   (Glacis Python SDK).
 
 If you are building an agent that writes to user-visible text **and**
-executes tools, you want both Vaara and one of the output-validation
-tools wired in. They run in different places in the stack.
+executes tools, you want Vaara plus one of the output-validation
+tools wired in. If you are running agents in production, you want
+Vaara plus Microsoft AGT for the identity, capability, and sandboxing
+layer Vaara does not cover. They run in different places in the
+stack and the matrix above shows where each tool lives.
 
 ## Numbers we publish
 

bench/README.md

@@ -123,7 +123,7 @@ contract as **vaara-bench-v1**. See [`vaara-bench-v1.md`](vaara-bench-v1.md)
 for the frozen corpus hash, the methodology, the headline numbers
 under Vaara 0.11.0, the reproduction commands, and the license. Use
 the spec doc when citing Vaara's adversarial-detection numbers
-externally; this README is the running commentary.
+externally. This README is the running commentary.
 
 `bench/adversarial_corpus.jsonl` is a **synthetic** labelled corpus
 of 77 traces generated deterministically by `bench/build_corpus.py`.