AEOESS

Govern internal agent fleets at scale.

One governance layer across hundreds of agents and five identity formats, no migration. Charter authority, scoped delegation, signed audit by default.

Live primitives · Apache-2.0

Trust Mesh

Many orgs, one substrate.

Cross-organization issuer keys, shared vocab crosswalks, common gateway boundaries. The mesh is the network effect.

The gateway, animated

Fourteen gates. Fail-closed.

Every action evaluated against fourteen constraint dimensions: identity, signature, scope, budget, rate, values, reputation, freshness, and six more. 37 + 10 conformance vectors. Missing a check is a deny.

Who this is for

Platform teams, internal agent fleets.

You run hundreds or thousands of agents across teams. Each team has its own identity provider: Okta, Auth0, SPIFFE, Active Directory. You need a single governance layer that does not force a migration, that scales scoped delegation across the fleet, and that produces a unified audit surface without re-instrumenting every team's stack.

What ships

Three primitives for fleet-scale governance.

Identity adapters and governance modules are public. Module paths shown.

Bring your own identity. did:key, did:web, did:aps, SPIFFE SVID, OAuth. Five adapters shipped, signature round-trips verified across TS and Python. No identity migration required.

src/identity/adapters/*
src/auth/mutual-handshake.ts + TrustBundle

Charter and office governance. Multi-party approval for high-risk actions. Separation of powers across offices. Amendment rules, dissolution policy. The governance is constitutional, not procedural.

src/charter/*
src/v2/* (32 constitutional modules)

Hosted gateway with managed deployment. Mutual authentication handshake. Cascade revocation at fleet scale. Self-host or managed.

gateway.aeoess.com
reputation-gated authority resolver

Architecture

Five adapters, one governance surface.

Cross-language byte-parity verified across the Wave 1 surface in 27 fixtures.

Method  | Surface                | Auth                     | Typical use
did:key | Self-issued Ed25519    | Local keypair            | Prototypes, single-team agents
did:web | Domain-rooted DID      | TLS + .well-known        | Org-hosted agents, public surface
did:aps | APS-native DID         | Charter-bound, rotatable | Fleets under aeoess governance
SPIFFE  | SVID workload identity | mTLS, short-lived        | Service-mesh internal agents
OAuth   | Bearer-token bridge    | IdP redirect flow        | Existing Okta, Auth0, AD setups

Proof

Verifiable on the public record.

  • Microsoft AGT PR #274 merged.
    Reputation-gated authority resolver into agent-governance-toolkit upstream.
  • Microsoft AGT PR #598 merged.
    Fail-closed signature verification, same upstream.
  • Five identity methods implemented and tested.
    did:key, did:web, did:aps, SPIFFE SVID, OAuth bridge.
  • Cross-language byte-parity verified.
    27 test scenarios across TS and Python on Wave 1 governance surface.

Self-serve

Wire your fleet.

Pick an identity adapter, write a charter, point your gateway at the policy module. Self-host or hosted.

npm install agent-passport-system

Managed

Managed gateway deployment.

Hosted enforcement edge, multi-region, fleet-scale revocation. Pricing on request.
