For AI agents: visit aeoess.com/llms.txt for machine-readable docs or llms-full.txt for the complete reference.
The infrastructure layer for the agent economy.
Every team building AI agents hits the same wall: identity, delegation, trust, enforcement, receipts. Most rebuild these from scratch. APS is the shared foundation so you don't have to.
Seven independent projects have cross-tested against these primitives. AgentID: 7/7. MolTrust: 5/5. Kanoniv delegation chains: verified. Three languages, three codebases, identical results. The interop is proven.
Build your application on top. Don't rebuild what's underneath.
npm install agent-passport-system| Project | What they do | What APS provides |
|---|---|---|
| AgentID | CA-issued identity, trust scoring | Self-sovereign identity, delegation chains |
| MolTrust | On-chain constraint envelopes | Scope narrowing, spend limits, expiry |
| qntm | Encrypted relay transport | Identity keys, signed envelopes |
| Signet | MCP transport signing | Policy gate, execution attestation |
| ArkForge | External proof anchoring | Receipts to anchor |
| Microsoft AGT | Enterprise policy engine | Trust signals, scope verification |
See INTEGRATION.md for how to compose your project with APS.
Enforce constraints on agent actions — the ProxyGateway is an enforcement boundary that sits between the agent and any tool. Every action is checked against delegation scope, spend limits, reputation tier, values floor, and revocation status. The gateway executes the action, not the agent. The gateway generates the receipt, not the agent. Agents cannot bypass, forge, or skip enforcement.
Track trust with uncertainty — Bayesian reputation scoring where agents earn authority through verified task outcomes. Reputation decays over time. Authority tiers gate what actions an agent can take. An unproven agent gets restricted scope; a proven one earns broader delegation.
Produce cryptographic proof of everything — every action generates a signed receipt linking agent identity, delegation authority, constraint evaluation, and execution result. Receipts chain via hash pointers. Merkle trees commit receipt sets in 32 bytes. Disputes are resolved with math, not arguments.
Control spending — 4-gate commerce enforcement: passport verification, delegation scope check, spend limit enforcement, merchant allowlist. Human approval thresholds for high-value purchases. Cumulative budget tracking across sessions.
Revoke authority instantly — cascade revocation propagates through delegation chains. Revoke a parent, all children are automatically revoked. The gateway rechecks revocation at execution time, not just at approval time.
import { createProxyGateway, generateKeyPair, joinSocialContract } from 'agent-passport-system'
// 1. Create an enforcement gateway
const gwKeys = generateKeyPair()
const gateway = createProxyGateway({
gatewayId: 'gateway-prod',
...gwKeys,
floor: loadFloor('values/floor.yaml'),
approvalTTLSeconds: 30,
recheckRevocationOnExecute: true,
enableReputationGating: true,
}, toolExecutor)
// 2. Agent joins with identity + values attestation
const agent = joinSocialContract({ name: 'worker', owner: 'alice', floor: floorYaml })
// 3. Register agent, add delegation
gateway.registerAgent(agent.passport, agent.attestation)
gateway.addDelegation(agent.agentId, delegation)
// 4. Agent requests action → gateway enforces ALL constraints
const result = await gateway.processToolCall({
requestId: 'req-001',
agentId: agent.agentId,
agentPublicKey: agent.publicKey,
tool: 'database_query',
params: { query: 'SELECT * FROM users' },
scopeRequired: 'data_read',
spend: { amount: 5, currency: 'usd' },
signature: sign(canonicalize({ requestId: 'req-001', tool: 'database_query', ... }), agent.privateKey)
})
// result.executed = true
// result.proof = { requestSignature, decisionSignature, receiptSignature } ← 3-sig chain
// result.receipt = signed, tamper-proof, links to delegation chain
// result.tierCheck = reputation tier was sufficientWhat just happened: The gateway verified the agent's identity, checked delegation scope, enforced spend limits, evaluated values floor compliance, verified reputation tier, checked revocation status, executed the tool, generated a signed receipt, and updated reputation. All in one call. The agent never touched the tool directly.
Everything above is built on Ed25519 cryptographic identity. But identity is the plumbing, not the value proposition.
// Identity creation is two lines
const keys = generateKeyPair()
const agent = joinSocialContract({ name: 'my-agent', owner: 'alice', floor: floorYaml })
// The value is what you do WITH identity:
// → Scoped delegation with spend limits and time bounds
// → Cascade revocation that propagates through chains
// → Reputation scoring that gates authority
// → Values floor enforcement at execution time
// → Beneficiary attribution via Merkle proofs
// → Commerce gates that prevent unauthorized purchases67 core modules + 32 v2 constitutional modules. 2,085 tests. Zero heavy dependencies.
| Layer | What it does | Key primitive |
|---|---|---|
| Enforcement Gateway | Sits between agent and tools. Checks every constraint. Executes, generates receipts. | ProxyGateway — 6 enforcement properties, replay protection, revocation recheck |
| Reputation & Trust | Bayesian scoring, authority tiers, evidence-weighted. Agents earn trust, don't claim it. | ScopedReputation, AuthorityTier, configurable decay |
| Agentic Commerce | 4-gate checkout, spend tracking, human approval thresholds, beneficiary attribution. | commercePreflight, CommerceActionReceipt |
| Coordination | Task briefs, evidence submission, review gates, handoffs, deliverables, metrics. | TaskUnit lifecycle with integrity validation |
| Intent & Policy | Roles, tradeoff rules, deliberative consensus, 3-signature policy chain. | ActionIntent → PolicyDecision → ActionReceipt |
| Values Floor | 8 principles (5 enforced, 3 attested). Graduated enforcement: inline/audit/warn. | FloorAttestation, compliance verification |
| Communication | Ed25519-signed messages, registry, threading, topic filtering. | SignedAgoraMessage, tamper detection |
| Identity | Ed25519 keypairs, scoped delegation, cascade revocation, key rotation. | SignedPassport, Delegation, RevocationRecord |
Extended modules (9-67): W3C DID (did:aps), Verifiable Credentials, A2A Bridge, EU AI Act Compliance, Agent Context, Task Routing, Cross-Chain Data Flow (taint tracking, confused deputy prevention), E2E Encrypted Messaging (X25519 + XSalsa20), Obligations, Governance Provenance, Identity Continuity & Key Rotation, Receipt Ledger (Merkle-committed audit batches), Feasibility Linting, Precedent Control, Re-anchoring, Bounded Escalation, Oracle Witness Diversity, Messaging Audit Bridge, Policy Conflict Detection, Data Source Registration, Decision Semantics, Decision Equivalence, Execution Attestation, Bilateral Receipts, Governance Blocks, aps.txt, Governance 360, Data Lifecycle, Persistent Passports, ProxyGateway.
V2 Constitutional Framework (32 modules): Designed through cross-model adversarial review. PolicyContext with mandatory sunset, Delegation Versioning, Outcome Registration, Anomaly Detection, Emergency Pathways, Migration (fork-and-sunset), Contextual Attestation, Approval Fatigue Detection, Effect Enforcement, Emergence Detection, Separation of Powers, Constitutional Amendment, Circuit Breakers, Epistemic Isolation, and 18 more. Source: src/v2/.
125 tools across all modules. Any MCP client connects agents directly.
npm install -g agent-passport-system-mcp
npx agent-passport-system-mcp setupEvery operation Ed25519 signed. Role-scoped access control. Auto-configures Claude Desktop and Cursor.
npm: agent-passport-system-mcp · GitHub: aeoess/agent-passport-mcp
Full Python implementation. Signatures created in Python verify in TypeScript and vice versa.
pip install agent-passport-systemPyPI: agent-passport-system · GitHub: aeoess/agent-passport-python
14 commands: join, delegate, work, prove, audit, verify, inspect, status, agora post, agora read, agora list, agora verify, agora register, agora topics.
npx agent-passport join --name my-agent --owner alice --floor values/floor.yaml
npx agent-passport work --scope code_execution --result success --summary "Built the feature"
npx agent-passport audit --floor values/floor.yamlnpm test
# 2,085 tests, 0 failures50 adversarial tests: Merkle tampering, attribution gaming, compliance violations, floor negotiation attacks, cross-chain confused deputy, taint laundering, authority probing.
| APS | DeepMind | GaaS | OpenAI | LOKA | |
|---|---|---|---|---|---|
| Status | Running code | Paper | Simulated | Advisory | Paper |
| Enforcement gateway | 6 properties, replay protection | — | — | — | — |
| Reputation/trust scoring | Bayesian + tiers | — | — | — | Consensus |
| Identity | Ed25519 | Proposed | External | — | Proposed |
| Delegation | Scoped + cascade revoke | Proposed | N/A | — | — |
| Commerce | 4-gate + spend tracking | — | — | — | — |
| Signed receipts | 3-sig chain | Proposed | Logs | General | — |
| Values enforcement | 8 principles, graduated | — | Rules | — | — |
| Coordination | Task lifecycle + MCP | — | — | — | — |
| Tests | 2,085 (50 adversarial) | None | Limited | None | None |
- Working Group with 4 founding members: APS, AgentID, qntm, OATR. Cross-protocol interop proven across three languages.
- Integrated into Microsoft agent-governance-toolkit (PR #598)
- Referenced in MITRE ATLAS agent security techniques
- Referenced in MCP SEP-1763 interceptor framework
- NIST NCCoE public comment on AI Agent Identity and Authorization
- Collaboration with IETF DAAP draft author on delegation spec
- Endorsed by Garry Tan (CEO, Y Combinator)
"Monotonic Narrowing for Agent Authority" — Published on Zenodo. Read →
Built by Tymofii Pidlisnyi (@tima). Protocol designed with AI assistance from Claude (Anthropic), GPT (OpenAI), and Gemini (Google) through adversarial cross-model review.
Website: aeoess.com · npm: agent-passport-system · MCP: agent-passport-system-mcp
- Index: aeoess.com/llms.txt
- Full docs: aeoess.com/llms-full.txt
- Quick start: aeoess.com/llms/quickstart.txt
- API reference: aeoess.com/llms/api.txt
Apache-2.0 — see LICENSE