Add OATR + AgentID security integration

[FransDevelopment]

Summary

Three-layer security gate for CrewAI using open trust standards, built as a collaboration between the Open Agent Trust Registry and AgentID.

Layer 1 (OATR): Verifies the runtime is registered and non-revoked in the Open Agent Trust Registry.
Layer 2 (AgentID): Verifies the specific agent's identity via AgentID certificates.
Layer 3 (Combined): Pre-kickoff callback that gates crew execution on both checks.

Includes auto-registration flow, append-only JSONL audit trail, and 8 tests.

Discussed in crewAIInc/crewAI#5019. Both authors are members of the Agent Identity Working Group (3 ratified specs, 6 independent implementations).

Files

• security_gate.py - three-layer verification module
• agentid_registration.py - auto-register agents on first run with local cache
• audit_trail.py - append-only JSONL audit log per tool call
• main.py - working CrewAI example
• test_security_gate.py - 8 tests
• pyproject.toml - UV-compatible dependencies (crewai>=0.152.0)
• .env.example - environment variable template

How it works

Uses CrewAI's built-in before_kickoff_callbacks hook. The security gate runs before any task executes:

1. Checks runtime attestation against the OATR signed manifest (Ed25519 JWT verification)
2. Checks agent identity via AgentID (ECDSA P-256 certificate verification)
3. If either check fails, the crew does not start

Both checks are optional and composable. A crew can use OATR only, AgentID only, or both.