Govern internal agent fleets at scale.
One governance layer across hundreds of agents and five identity formats, no migration. Charter authority, scoped delegation, signed audit by default.
Many orgs, one substrate.
Trust Mesh
Cross-organization issuer keys, shared vocab crosswalks, common gateway boundaries. The mesh is the network effect.
Fourteen gates. Fail-closed.
The gateway, animated
Every action evaluated against fourteen constraint dimensions: identity, signature, scope, budget, rate, values, reputation, freshness, and six more. 37 + 10 conformance vectors. Missing a check is a deny.
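Added illustration of the fail-closed rule above; this is example code, not the aeoess gateway's own implementation. It models only the eight dimensions named here (the other six are not listed on the page), and the Action and Policy fields are assumptions.

```typescript
// Hypothetical action and policy shapes for this example.
export interface Action {
  agentId?: string; signatureValid?: boolean; scope?: string; cost?: number;
  issuedAt?: number; reputation?: number; requestsThisMinute?: number; valuesTags?: string[];
}
export interface Policy {
  knownAgents: Set<string>; allowedScopes: Set<string>; budgetRemaining: number;
  maxRequestsPerMinute: number; forbiddenTags: Set<string>; minReputation: number; maxAgeMs: number;
}
type Check = (a: Action, p: Policy, now: number) => boolean | undefined;

// Each check returns undefined when the data it needs is absent.
// The evaluator treats that as a deny, never as a pass.
export const CHECKS: Record<string, Check> = {
  identity:   (a, p) => a.agentId === undefined ? undefined : p.knownAgents.has(a.agentId),
  signature:  (a)    => a.signatureValid,
  scope:      (a, p) => a.scope === undefined ? undefined : p.allowedScopes.has(a.scope),
  budget:     (a, p) => a.cost === undefined ? undefined : a.cost <= p.budgetRemaining,
  rate:       (a, p) => a.requestsThisMinute === undefined ? undefined
                        : a.requestsThisMinute < p.maxRequestsPerMinute,
  values:     (a, p) => a.valuesTags === undefined ? undefined
                        : !a.valuesTags.some(t => p.forbiddenTags.has(t)),
  reputation: (a, p) => a.reputation === undefined ? undefined : a.reputation >= p.minReputation,
  freshness:  (a, p, now) => a.issuedAt === undefined ? undefined : now - a.issuedAt <= p.maxAgeMs,
};

// Fail-closed: every check must return an explicit true. A missing result or a
// thrown error counts as a failed gate, and all failing gates are reported.
export function evaluate(a: Action, p: Policy, now: number = Date.now()): { allow: boolean; denied: string[] } {
  const denied: string[] = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    let r: boolean | undefined;
    try { r = check(a, p, now); } catch { r = false; }
    if (r !== true) denied.push(name);
  }
  return { allow: denied.length === 0, denied };
}

// Constructed sample policy for a quick run.
export const SAMPLE_POLICY: Policy = {
  knownAgents: new Set(["agent-a"]), allowedScopes: new Set(["read:tickets"]),
  budgetRemaining: 10, maxRequestsPerMinute: 60, forbiddenTags: new Set(["exfil"]),
  minReputation: 0.5, maxAgeMs: 5 * 60 * 1000,
};
```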
Platform teams, internal agent fleets.
Who this is for
You run hundreds or thousands of agents across teams. Each team has its own identity provider: Okta, Auth0, SPIFFE, Active Directory. You need a single governance layer that does not force a migration, that scales scoped delegation across the fleet, and that produces a unified audit surface without re-instrumenting every team's stack.
Three primitives for fleet-scale governance.
What ships
Identity adapters and governance modules are public. Module paths shown.
Bring your own identity. did:key, did:web, did:aps, SPIFFE SVID, OAuth. Five adapters shipped, signature round-trips verified across TS and Python. No identity migration required.
src/identity/adapters/* · src/auth/mutual-handshake.ts + TrustBundle
Charter and office governance. Multi-party approval for high-risk actions. Separation of powers across offices. Amendment rules, dissolution policy. The governance is constitutional, not procedural.
src/charter/* · src/v2/* (26 constitutional modules)
Hosted gateway with managed deployment. Mutual authentication handshake. Cascade revocation at fleet scale. Self-host or managed.
gateway.aeoess.com · reputation-gated authority resolver
Five adapters, one governance surface.
Architecture
Cross-language byte-parity verified across the Wave 1 surface in 27 fixtures.
| Method | Surface | Auth | Typical use |
|---|---|---|---|
| did:key | Self-issued Ed25519 | Local keypair | Prototypes, single-team agents |
| did:web | Domain-rooted DID | TLS + .well-known | Org-hosted agents, public surface |
| did:aps | APS-native DID | Charter-bound, rotatable | Fleets under aeoess governance |
| SPIFFE | SVID workload identity | mTLS, short-lived | Service-mesh internal agents |
| OAuth | Bearer-token bridge | IdP redirect flow | Existing Okta, Auth0, AD setups |
Verifiable on the public record.
Proof
- Microsoft AGT PR #274 merged. Reputation-gated authority resolver into agent-governance-toolkit upstream.
- Microsoft AGT PR #598 merged. Fail-closed signature verification, same upstream.
- Five identity methods implemented and tested. did:key, did:web, did:aps, SPIFFE SVID, OAuth bridge.
- Cross-language byte-parity verified. 27 test scenarios across TS and Python on Wave 1 governance surface.
Self-serve
Wire your fleet.
Pick an identity adapter, write a charter, point your gateway at the policy module. Self-host or hosted.
npm install agent-passport-system
Managed
Managed gateway deployment.
Hosted enforcement edge, multi-region, fleet-scale revocation. Pricing on request.