{
  "schema_version": "2026-05-18.eval.v1",
  "id": "trust-evidence-coverage",
  "name": "TokRepo Trust Evidence Coverage Eval",
  "updated_at": "2026-05-18T00:00:00Z",
  "claim": "Agent trust is only useful when assets expose content hashes, permission/risk profiles, verification metadata, evidence_bundle, SBOM-lite, signature_evidence, and a trust_score_v2 decision that agents can inspect before install.",
  "entrypoints_under_test": [
    "https://api.tokrepo.com/api/v1/tokenboard/trust/{uuid_or_slug}",
    "https://api.tokrepo.com/api/v1/tokenboard/workflows/detail?uuid={uuid}",
    "tokrepo verify <uuid> --target codex --json",
    "tokrepo audit <uuid> --target codex --json",
    "scripts/backfill_agent_metadata.py",
    "frontend-nuxt/public/.well-known/tokrepo-trust.json",
    "frontend-nuxt/public/schemas/agent-trust-score.schema.json",
    "frontend-nuxt/public/schemas/asset-verification.schema.json",
    "frontend-nuxt/public/schemas/agent-evidence-bundle.schema.json"
  ],
  "local_command": "node scripts/audit_agent_trust_evidence.mjs --offline --json",
  "production_command": "node scripts/audit_agent_trust_evidence.mjs --sample-size 20 --json",
  "expected_agent_behavior": [
    "Call tokrepo_verify or the trust endpoint before choosing an asset for activation.",
    "Treat assets missing content_hash or permission evidence as caution, not trusted.",
    "Use tokrepo_install_plan only after trust evidence has been inspected.",
    "Record content_hash, install_plan_hash, permission_envelope, policy_decision, trust_score_v2, evidence_bundle.integrity, SBOM-lite, and signature_evidence in session evidence."
  ],
  "public_success_criteria": [
    "Trust endpoint returns algorithm, decision, weighted components, blockers, warnings, and computed_at.",
    "Assets have content_hash coverage high enough for agents to avoid tamper-blind installs.",
    "Trust endpoint accepts the same content_hash evidence exposed by detail metadata and does not emit stale \"content_hash missing\" warnings.",
    "Assets have risk_profile, verification metadata, SBOM-lite, and signature/hash evidence so policy packs can make deterministic decisions.",
    "Backfill tooling exists for old rows that predate agent-native metadata."
  ],
  "status": "implemented",
  "last_verified_by": "node scripts/audit_agent_trust_evidence.mjs --offline --json"
}
