trailprotocol
diff --git a/‎CODE_OF_CONDUCT.md‎
Lines changed: 85 additions & 0 deletions b/‎CODE_OF_CONDUCT.md‎
Lines changed: 85 additions & 0 deletions
diff --git a/‎CONTRIBUTING.md‎
Lines changed: 13 additions & 2 deletions b/‎CONTRIBUTING.md‎
Lines changed: 13 additions & 2 deletions
diff --git a/‎ETHICS.md‎
Lines changed: 116 additions & 0 deletions b/‎ETHICS.md‎
Lines changed: 116 additions & 0 deletions
@@ -0,0 +1,85 @@
+# Code of Conduct
+
+## Our Pledge
+
+We as members, contributors, and maintainers of the TRAIL Protocol pledge to make participation in our project and community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, caste, color, religion, or sexual identity and orientation.
+
+We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+
+## Our Standards
+
+Examples of behavior that contributes to a positive environment:
+
+- Using welcoming and inclusive language
+- Being respectful of differing viewpoints and experiences
+- Giving and gracefully accepting constructive feedback
+- Focusing on what is best for the community and the protocol
+- Showing empathy toward other community members
+- Prioritizing technical merit and evidence-based reasoning in protocol discussions
+
+Examples of unacceptable behavior:
+
+- The use of sexualized language or imagery, and sexual attention or advances of any kind
+- Trolling, insulting or derogatory comments, and personal or political attacks
+- Public or private harassment
+- Publishing others' private information without explicit permission
+- Misrepresenting your contributions, credentials, or affiliations
+- Using the project's reputation or community channels for commercial promotion unrelated to TRAIL
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## AI-Specific Standards
+
+Because TRAIL Protocol exists at the intersection of AI and identity, we hold ourselves to additional standards:
+
+- **Transparency over obscurity.** We build infrastructure that makes AI systems more accountable, not less. This principle extends to how we work together.
+- **No surveillance by design.** We reject contributions that would enable mass surveillance, social scoring, or discriminatory profiling through AI identity infrastructure.
+- **Human agency first.** AI identity systems must enhance human oversight, not replace it. Contributions that undermine human control over AI systems will not be accepted.
+- **Honest about limitations.** We document what TRAIL can and cannot do. Overstating the protocol's capabilities - especially regarding regulatory compliance - is unacceptable.
+
+## Scope
+
+This Code of Conduct applies within all project spaces, including GitHub repositories, issue discussions, pull requests, W3C CCG mailing lists, DIF Discord channels, and any other space where the TRAIL Protocol community interacts.
+
+It also applies when an individual is officially representing the project in public spaces, such as using an official project email address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+
+## Enforcement
+
+### Reporting
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to:
+
+- **Christian Hommrich** - conduct@trailprotocol.org
+
+All complaints will be reviewed and investigated promptly and fairly. The project team is obligated to maintain confidentiality with regard to the reporter of an incident.
+
+### Enforcement Guidelines
+
+Project maintainers will follow these guidelines in determining consequences for any action they deem in violation of this Code of Conduct:
+
+**1. Correction**
+- **Impact:** Minor, unintentional violation.
+- **Consequence:** A private written warning, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+
+**2. Warning**
+- **Impact:** A violation through a single incident or series of actions.
+- **Consequence:** A warning with consequences for continued behavior. No interaction with the people involved for a specified period. This includes avoiding interactions in community spaces as well as external channels. Violating these terms may lead to a temporary or permanent ban.
+
+**3. Temporary Ban**
+- **Impact:** A serious violation of community standards, including sustained inappropriate behavior.
+- **Consequence:** A temporary ban from any sort of interaction or public communication with the community for a specified period. No public or private interaction with the people involved is allowed during this period. Violating these terms may lead to a permanent ban.
+
+**4. Permanent Ban**
+- **Impact:** Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior, harassment of an individual, or aggression toward or disparagement of classes of individuals.
+- **Consequence:** A permanent ban from any sort of public interaction within the community.
+
+## Relationship to Other Codes
+
+This project participates in the [Decentralized Identity Foundation (DIF)](https://identity.foundation) and the [W3C Credentials Community Group (CCG)](https://www.w3.org/community/credentials/). When participating in those communities on behalf of TRAIL, their respective codes of conduct also apply.
+
+## Attribution
+
+This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/), version 2.1, with AI-specific extensions reflecting TRAIL Protocol's mission.
+
+---
+
+*Version 1.0 - April 2026*
@@ -65,9 +65,20 @@ For minor fixes (typos, formatting), direct PRs are welcome.
 
 ## Code of Conduct
 
-This project adheres to the [DIF Code of Conduct](https://github.com/decentralized-identity/org/blob/master/code-of-conduct.md). By participating, you agree to uphold its principles of open, inclusive, and collaborative engagement.
+This project has its own [Code of Conduct](CODE_OF_CONDUCT.md) adapted from the Contributor Covenant with AI-specific extensions. By participating, you agree to uphold its principles.
 
-In short: Be constructive. Technical disagreement is welcome; personal attacks are not. Assume good intent. If conflicts arise, follow the [DIF escalation process](https://github.com/decentralized-identity/org/blob/master/code-of-conduct.md#reporting-guidelines).
+In short: Be constructive. Technical disagreement is welcome; personal attacks are not. Assume good intent. Report violations to conduct@trailprotocol.org.
+
+We also adhere to the [DIF Code of Conduct](https://github.com/decentralized-identity/org/blob/master/code-of-conduct.md) when participating in DIF community spaces.
+
+## Ethics and Governance
+
+TRAIL Protocol maintains explicit ethical principles and a governance model:
+
+- **[ETHICS.md](ETHICS.md)** - The ethical principles that guide protocol design decisions
+- **[GOVERNANCE.md](GOVERNANCE.md)** - How decisions are made, roles, and dispute resolution
+
+All contributions are evaluated against these principles. Please review them before submitting substantial proposals.
 
 ## Community
 
 
@@ -0,0 +1,116 @@
+# TRAIL Protocol - Ethical Principles
+
+## Why This Document Exists
+
+TRAIL Protocol builds identity infrastructure for AI systems. Infrastructure shapes behavior. The choices we make in protocol design determine what is easy, what is hard, and what is impossible for everyone who builds on top of TRAIL.
+
+This document states the ethical principles that guide those choices. It is a commitment to our contributors, users, and the broader AI ecosystem.
+
+## Core Principles
+
+### 1. AI Must Serve Humans, Not the Other Way Around
+
+TRAIL exists because AI systems are becoming autonomous actors in commerce, governance, and daily life. Identity infrastructure for AI must strengthen human oversight, not erode it.
+
+**In practice, this means:**
+- Every AI identity in TRAIL is linked to a verifiable human or organizational controller
+- The protocol requires explicit disclosure of AI nature - no AI system should pass as human
+- Human override and revocation capabilities are non-negotiable protocol features
+- We design for human comprehension: trust signals must be interpretable by non-technical stakeholders
+
+### 2. Transparency Is Non-Negotiable
+
+Trust cannot be built on hidden mechanisms. TRAIL's trust model is based on verifiable, auditable, and publicly inspectable data.
+
+**In practice, this means:**
+- Trust Score computation is fully documented and reproducible by any verifier
+- The specification is open (CC BY 4.0) and the reference implementation is open source (MIT)
+- We publicly document the limitations of our trust model, not just its strengths
+- Registry operations, governance decisions, and protocol changes are published with rationale
+
+### 3. No Surveillance Infrastructure - and Dual-Use Awareness
+
+AI identity infrastructure could be weaponized for mass surveillance, social scoring, or discriminatory profiling. We refuse to build that.
+
+We also acknowledge that identity infrastructure is inherently dual-use. The same system that enables trust verification could be repurposed for state-controlled gatekeeping, systematic exclusion, or coercive compliance regimes. This is not a theoretical risk - it has happened with every major identity system in history. TRAIL is designed with active countermeasures against these failure modes.
+
+**In practice, this means:**
+- TRAIL uses minimal disclosure: only the information necessary for trust verification is exposed
+- No behavioral tracking across contexts - a DID interaction with one verifier must not leak to another
+- GDPR compliance is a design constraint, not an afterthought
+- We actively reject feature requests or contributions that enable population-scale monitoring
+- Correlation risk analysis is a required part of any protocol extension review
+- TRAIL must never become a whitelist-only system where unregistered agents are blocked from operating. Tier 0 (self-signed) exists precisely to ensure that registration is a choice, not a precondition for existence
+- Protocol design is evaluated against misuse scenarios: "How could an authoritarian actor use this feature?" is a mandatory review question for every extension proposal
+
+### 4. Honesty About What We Are and What We Are Not
+
+TRAIL is a trust infrastructure protocol. It is not a regulatory compliance certificate, not a safety guarantee, and not a substitute for responsible AI development.
+
+**In practice, this means:**
+- TRAIL registration does NOT constitute EU AI Act compliance - we say this explicitly in the spec
+- A high Trust Score indicates verifiable identity practices, not that an AI system is safe or ethical
+- We do not claim to solve AI alignment, bias, or safety - those are different problems
+- Marketing and communication about TRAIL must reflect these boundaries accurately
+- We support regulation like the EU AI Act not because it is mandated, but because we believe good regulation strengthens AI trust. Compliance-by-conviction, not compliance theater
+
+### 5. Inclusive by Design
+
+AI identity infrastructure will shape who can and who cannot deploy AI systems commercially. We design for broad access, not gatekeeping.
+
+**In practice, this means:**
+- Tier 0 (self-issued) identities work offline and cost nothing - the barrier to entry is zero
+- The protocol is vendor-neutral: no single company controls who can operate a registry
+- Federation is a core architectural feature, preventing monopolistic control
+- We actively seek contributors from diverse geographies, industries, and technical backgrounds
+- Specification language is accessible: we explain jargon and provide examples
+- No protocol feature may require a specific vendor, jurisdiction, or commercial relationship to function at its base tier
+
+### 6. Security as a Precondition for Trust
+
+Identity infrastructure that can be forged, spoofed, or compromised destroys the trust it claims to provide. Security is not a feature - it is a precondition.
+
+**In practice, this means:**
+- Cryptographic choices are conservative and well-studied (Ed25519, JCS)
+- Crypto agility is built in, with documented migration paths and deprecation windows
+- We actively invite security challenges and vulnerability reports
+- Key ceremony processes are documented and witnessed
+- We do not deploy features that have not undergone threat modeling
+
+## Applying These Principles
+
+### For Contributors
+
+These principles guide what we accept into the protocol. If a proposed feature or change conflicts with these principles, it will be rejected - regardless of its technical elegance. When in doubt, open an issue to discuss the ethical implications before investing implementation effort.
+
+### For Registry Operators
+
+Organizations operating TRAIL registries commit to these principles by adopting the protocol. Registry operators who violate these principles - for example, by enabling surveillance use cases or misrepresenting trust guarantees - may have their operator credentials revoked through the governance process defined in `GOVERNANCE.md`.
+
+### For AI Agent Deployers
+
+Registering an AI agent with TRAIL is a statement that you take identity and accountability seriously. These principles set the baseline expectation. Deployers who misuse TRAIL identity to create false trust signals undermine the ecosystem for everyone.
+
+## Evolution
+
+These principles are not immutable. As the AI landscape evolves, our ethical understanding must evolve with it. Changes to this document require:
+
+1. A public proposal (GitHub Issue with the `ethics` label)
+2. A minimum 30-day community review period
+3. Approval by the Governance Board (or Founding Maintainer in Phase 1)
+4. Publication of the rationale for any changes
+
+We will never weaken these principles to accommodate commercial pressure. We may strengthen them as new risks emerge.
+
+## Influences and Acknowledgments
+
+These principles draw on:
+- [OECD AI Principles](https://oecd.ai/en/ai-principles) (2019)
+- [EU AI Act](https://eur-lex.europa.eu/eli/reg/2024/1689) - Articles 4a (AI literacy), 13 (transparency), 14 (human oversight)
+- [W3C Ethical Web Principles](https://www.w3.org/TR/ethical-web-principles/)
+- [Montreal Declaration for Responsible AI](https://montrealdeclaration-responsibleai.com/)
+- [DIF Code of Conduct](https://github.com/decentralized-identity/org/blob/master/code-of-conduct.md)
+
+---
+
+*Version 1.0 - April 2026*