Protocol Live·Apache-2.0·installs

Open-source enforcement
infrastructure for AI agents.

Identity, delegation, accountability for every AI agent, open spec, open SDKs, open MCP. The hosted enforcement gateway that runs production governance is a separate commercial product. Spec compatibility is permanent.

PAPERS

ESSENTIAL TOOLS

2,884

TESTS

Full surface area: 150 MCP tools, TypeScript + Python SDKs.

GitHubaeoess/agent-passport-system Read the spec npmdraft-pidlisnyi-aps-00 (IETF)

$ npm install agent-passport-system

$ clawhub install agent-passport-system

Independently cited, PDR in Production (University of British Columbia) validates APS Bayesian model. Zenodo

npm SDK v2.6.0-alpha.0 MCP Server v3.1.1 ClawHub Skill Python SDK v2.4.0a1 8 papers →

Quick start – Core subpath, curated essentials

// import the curated essentials
import {
  createPassport, createDelegation,
  evaluateIntent, commercePreflight, generateKeyPair
} from 'agent-passport-system/core'

// full API surface still available at 'agent-passport-system'

Updates

Full log →

May 04ship

Full website redesign

33 pages restrained design, agent-discovery alternates in head, /sitemap.html overview, every link wired, dark/light toggle.

May 02ship

SDK 2.6.0-alpha.0 on npm

v2 evidentiary type safety landed: claim-evidence-types registry with BATCH_ATTESTED and EVIDENCE_CUSTODY_HELD extensions, claim-verifier module, contestation cascade with verifier hook, path-scoped cycle detection in mergeTaints. 2,711 tests passing. npm

May 02ship

Python SDK 2.4.0a1 on PyPI

Full Wave 1 surface ported from TS: v2/accountability/* (action, authority-boundary, bundle, custody, contestability), v2/cognitive_attestation/*, v2/instruction_provenance/*. Cross-language byte-parity verified across 27 fixtures (15 evidentiary + 12 Wave 1). 518 tests. PyPI

May 02standard

Vocab phantom-issuer audit

PR #74 removed RNWY from behavioral_trust and wallet_intelligence (couldn't verify those signals are issued in production); PR #75 marked passport_grade as status: proposed (single-issuer rule). Single-source-of-truth discipline. PRs #74 + #75

May 01standard

Vocab PR #72 opened

completion_ratio as canonical signal type with three production issuers (AgentID, APS, RNWY). Descriptor enforcement_class advisory, completion_ratio_method constraint with strict and quality-weighted modes. PR #72

May 01standard

Vocab #73 opened

self_enforced proposed as fifth canonical refusal_authority value for Nobulex's actor-enforcer collapse via Cedar-inspired covenant DSL. #73

May 01ship

Vocab validator hardened

nested descriptor_dimensions walk under signal_types + legacy whitelist for #57 stale values. Three pre-resolution descriptor uses preserved without warning maintainers. validator

May 01ship

Drift prevention infrastructure live

pre-commit hook + CI scan + standardized .gitignore + final-scan propagation across eight public repos. Four layers, one structural backstop against private-context drift.

Apr 30ship

Wave 1 accountability shipped

Five signed receipt primitives (action, authority-boundary, custody, contestability, bundle). RFC 8785 + Ed25519, deterministic byte-match fixtures, 57 new tests. SDK v2.6.0-alpha.1. module README

Apr 30traction

Vocab PR #66 merged

Edison Munoz Duran's Agent-DID crosswalk lands as the second co-drafted-with-aeoess crosswalk. A2A composition contract co-drafting in flight on a shared spec branch. PR #66

Apr 30convergence

VeritasActa cross-layer integrity 10/10

Knowledge Unit bundle with sidecar-anchored APS DecisionLineageReceipt verifies end-to-end. All ten access receipts cross-layer hash-matched, APS signature valid against sidecar JWKS. Tamper-detection holds across both layers. verify PR #7

Apr 29paper

Paper 8: The Evidence-Safety Gap

Cryptographic agent governance proves procedural validity, not effect safety. Compliance-complete failure named, five omitted-variable classes catalogued, defeat traces in reference implementation. Zenodo.

Apr 29traction

SSRN + ORCID research surface

Three papers entering SSRN (Agent Social Contract, Physics-Enforced Delegation, Cognitive Attestation). ORCID 0009-0002-4700-3594 live with all 8 papers indexed via DOI.

Apr 29interop

in-toto SVR extension Go

Worked-example draft scoped for governance attestation as an in-toto SVR extension. May 1 maintainer meeting on the calendar. Bilateral byte-match track with marcelamelara holds in parallel. Two paths forward: upstream contribution and bilateral interop demonstration.

Apr 29traction

Vocab PR #52 merged

entity_continuity PDR validator with @nanookclaw, 309 LOC pure-Node + 32-test suite + four reference fixture vectors. Behavioral-fingerprint-drift validator complementary to continuity-analyzer's structural fixture. PR #52

Apr 29standard

Vocab PR #61 merged

epoch added to validity_temporal enum, observer-relative ticks on substantive state transitions distinct from sequence's event-relative counts. Issue #58 settled with @lawcontinue's endorsement. PR #61

Apr 29standard

Vocab PR #62 merged

governance_attestation.refusal_authority brought into formal enum compliance (structurally_impossible_to_violate → issuer). One-line correction, @lowkey-divine concurred on issue #57. PR #62

Apr 29traction

Vocab PR #56 merged

AuthorPrime's Sovereign Atom crosswalk, third independent entity_continuity implementation alongside SBR-002 and continuity-analyzer. PR #56

Apr 28traction

IPR module on npm

[email protected] ships canonicalize/envelope/verify for binding agent authority to instruction-file digest at delegation. npm

Apr 28standard

Public gateway POC

aeoess-gateway-v0-poc demonstrates context_root recomputation at action time across three case fixtures. repo

Apr 28standard

Cursor security outreach

first-contact email framing IPR as structural mitigation for the recent instruction-file advisory class, honest-scope language. blog

Apr 28traction

Vocab PR #63 merged

piiiico added trust_verify endpoint to AgentLair behavioral_trust, AAT-based lookup without agentId resolution. PR #63

Apr 28standard

Vocab #64 opened

completion_ratio proposed as canonical signal type, three independent impls (AgentID 180d, APS 90d, RNWY 24h). #64

Apr 28standard

ATVP PR #8 review

REQUEST_CHANGES posted for peer_review/behavioral_trust mapping correction in four places. review

Apr 28standard

Vocab PR #62 opened

governance_attestation refusal_authority correction (verifier → issuer). PR #62

Apr 27standard

agent-governance-spec org created

cross-vendor spec home, co-edited with Lars Kroehl (MolTrust). spec repo

Apr 27traction

Vocab PR #59 merged

DCP-AI crosswalk, composite Ed25519 + ML-DSA-65 in production. PR #59

Apr 27traction

Vocab PR #53 merged

AgentNexus three-issuer fixture, Step 2 of the Interop Week 1 compose chain. PR #53

Apr 27standard

Vocab #60 opened

post-quantum signature capability as vocabulary-level attribute. #60

Apr 27convergence

Vocab #58 epoch enum: three-way endorsement

lawcontinue, kenneives, srotzin. #58

Apr 26standard

Discussion #20 opened

"The threat is laundering, not cyborg contribution." Substance vs. pattern as the half that runs above contributor-reputation tooling. discussion

Apr 26ship

contributor-check installed

MS AGT v3.3.0 composite action live on agent-passport-system, agent-passport-mcp, agent-governance-vocabulary. Pinned to commit 15e001f9b53f, threshold HIGH for calibration window. action source

Apr 26ship

Vocab PR #55 opened

APS ↔ ACTA receipt crosswalk, 14 mappings (1 exact, 7 partial, 3 divergent, 2 no_mapping, 1 non_equivalent). Calibrated against @veritasacta/* and protect-mcp. PR #55

Apr 26ship

aeoess/governance-attestation-predicate live

in-toto sibling to nobulex's Decision Receipt PR #549. JWS+Ed25519, 5 fixture vectors, composition test passes. repo

Apr 26ship

aeoess/aps-conformance-suite live

37 fixture vectors across 4 categories (bilateral-delegation, inference-session, instruction-provenance, AIVSS scenarios). All byte-identical reproducible. repo

Apr 25ship

Vocab PR #51 opened

invariant-survival.md descriptor doc co-authored with QueBallSharken (BBIS). PR #51

Apr 25ship

Vocab PR #52 opened

entity_continuity PDR validator with 32 tests, co-authored with nanookclaw. PR #52

Apr 25traction

Vocab PR #49 merged

PIC Standard becomes the 23rd crosswalk, modeled as parallel verification surface to visa-layer issuance. PR #49

Apr 25traction

Vocab PR #46 merged

AgentLair becomes the third production issuer of behavioral_trust, alongside RNWY and Logpose. PR #46

Apr 25ship

aps-system PR #19 merged

lawcontinue's seven-vector CTEF inference-session fixture pack, all RFC 8785 JCS-canonicalized and Ed25519-signed. PR #19

Apr 25convergence

harness PR #1

MoltyCel published moltrust v0.2.0 to PyPI and opened a draft adapter PR. Mark-ready expected Monday. PR #1

Apr 24standard

A2A extension proposal opened

claim_type discriminator over {identity, transport, authority, continuity}. Aligns to CTEF v0.3.1, no proto changes. issue

Apr 24convergence

Five-way claim_type convergence

AgentGraph, AgentID, APS, Nobulex, and HiveTrust aligned on the wire-format key after a mid-thread rename. #1672

Apr 24standard

OpenClaw #49971 closed

steipete's ruling: trust providers build on five existing public hooks rather than a new core API. #49971

Apr 24convergence

Canonicalization loop closed with AgentGraph

three harnesses now lock through RFC 8785 JCS bytes. Five fixtures byte-identical. thread

Apr 24ship

Rotation-attestation fixtures v1 live at aeoess.com/fixtures/rotation-attestation/. RFC 8785 JCS, deterministic generator. test-vectors

Apr 24ship

autogen-governance-adapter PR #1

first external security contribution. pshkv fixed a silent JWKS kid fallback in _lookup_issuer_key. PR #1

Apr 24ship

Housekeeping batch shipped

seven AUDIT-2026-04-24 fixes across six packages. Audit spec bumped to v2.3. completion

Apr 23convergence

Microsoft AGT #1354

interop proposal posted, mapping #1386's three questions to named APS primitives. Pending response. reply

Apr 23convergence

CTEF v0.3.1 adopts APS composition-rule table verbatim

four-row per-layer grammar pulled into §6.3 as normative. thread

Apr 23ship

Full Code Audit v2.1

pre-publish spec rewritten to forty-two steps across fourteen repos. Three tiers: code integrity, supply chain, runtime. prompt

Apr 23ship

PR Merge Protocol v0.2

added Seven Deep-Review Dimensions for substance issues that pass surface checks. CONTRIBUTING.md expanded. CONTRIBUTING

Apr 23standard

BBIS classification grammar adopted

Hensley's five-bucket model replaces the prior taxonomy. M4 EffectReceipt renamed to FRCBE per qntm#7. qntm#7

Apr 23ship

Agent Ecosystem Directory shipped

three sortable tables: 18 projects, 115 contributors, 93 governance threads. Live GitHub data. directory

Apr 22ship

autogen-governance-adapter v0.1 shipped

glue for autogen's before_tool_call hook. governedToolCall() with provider-agnostic TrustProvider, 12 tests green. repo

Apr 22traction

Third aeoess PR merged in microsoft/agent-governance-toolkit

examples/cognitive-attestation-governed/ landed via PR #1328. PR #1328

Apr 22traction

composed/v1 extends from three to four signals in seven hours

schchit added JEP as decision_event fourth signal. PR #8

Apr 22ship

Mutual Authentication v1 shipped (SDK v2.6.0-alpha.1)

downgrade-proof four-step handshake, A2A and MCP adapters, 29 new tests. module README

Apr 21ship

composed/v1 three-signal worked examples

first AgentID + APS + AgentGraph envelope under one shared subject DID. Kenne LGTM'd. PR #7

Apr 21traction

Microsoft AGT merged ADR 0006 on constitutional constraints, after our five posts on fanout-as-risk-signal. PR #1199

Apr 21ship

a2a-compliance-harness v0.1 shipped

five-step Python check for A2A Agent Cards. repo

Apr 21ship

A2A trust-header Week 3

dual-provider verifier, 9/9 fixtures pass. MolTrust ready for drop-in. PR #6

Apr 21standard

OpenLineage upstream PR opened

AgentAttributionRunFacet spec, four DCO-signed commits, CI green. First AEOESS contribution to LF-hosted. PR #4480

Apr 21standard

context_dimensions added to vocabulary

third top-level section, four day-1 entries. PR #34

Apr 21traction

Interop Week 1 Step 1 fixture merged

AgentID trust_verification fixture. PR #38

Apr 20ship

Cognitive Attestation envelope (SDK v2.1.0)

Paper 7 primitive ported to SDK. JCS canonicalization, three-stage verification, typed dispute primitives.

Apr 20ship

verifyBoundWallet object-form overload

Asymmetry with bindWallet gone. MoltyCel's ask in SDK#16.

Apr 20standard

APS filed with AAIF

Project proposal #14. Path toward Linux Foundation stewardship for the protocol layer. Commercial stack kept independent.

Apr 20ship

v2.0.0 promoted to npm @latest

SDK + MCP + Python flipped from @next. v1.46.0 / MCP v2.27.0 parked on legacy-v1 for six months. Four partner integrations landed clean during the stability window. Release notes

Apr 19traction

Interop Week 1 opened

Five-signal compose test proposal. Two fixtures confirmed within 45 minutes of open (Nobulex step 2, continuity-analyzer step 3). vocab#36

Apr 19traction

continuity-analyzer crosswalk merged

nutstrut's PR #33 after a five-check protocol review.

Apr 18ship

AgentNexus Track A round-trip

Fixtures verify end-to-end under APS. JCS + Ed25519 + delegation walk + monotonic narrowing. PR #17

Apr 18ship

VeritasActa KU receipt signer

APS receipt slots into external_receipts.aps. Cross-verified. PR #7

Apr 18paper

Paper 7: Cognitive Attestation

A cryptographic commitment attached to an agent's action record, to which sparse-autoencoder features were active during the decision. Envelope spec, three-stage verification, four dispute primitives. Experimental results against Llama-3.1-8B via Neuronpedia. Zenodo.

Apr 18traction

Vocab registry at 14 external crosswalks

SINT refresh (PR #30) and RNWY A2A Agent Card mapping (PR #32) both merged same day.

Apr 18traction

MnemoPay composition hook

Three-point read on x402#1904. Composition via delegation-reference in X-Agent-Identity.

Apr 18traction

ArkForge three-plane decomposition

+1 on desiorac's delegation/decision/execution model. Notes-column cross-reference pinned in ECOSYSTEM table. ATF#8

Apr 17ship

v2.0.0 architecture separation

Protocol primitives stay public SDK, product intelligence moves to private gateway. SDK v2.0.0-beta.0 and MCP v3.1.1 on npm @next. Python v2.0.0b0 pre-release on PyPI. Gateway redeployed zero-downtime. Blog · Release notes

Apr 17traction

aeoess-aps crosswalk published

First time we published our own crosswalk alongside the twelve external partner crosswalks in the registry.

Apr 17traction

APS added to governance_attestation.issuers_in_production

4th production issuer via Build D2 JWS trust profiles.

Apr 16ship

Build C — Settlement Pipeline

Per-period signed settlement records aggregating Attribution Primitives across D/P/G/C axes. 3 new MCP tools, 123 modules. Blog

Apr 16ship

Build A — unified four-axis attribution primitive

One signed Merkle receipt across D (data), P (protocol), G (governance), C (compute). Four independently-verifiable projections, one envelope. SDK v2.0.0, MCP v3.1.1, Python v0.13.0. Blog.

Apr 16ship

Build D2 — gateway trust profiles are now JWS-signed

/api/v1/public/trust/:agentId returns X-APS-JWS / X-APS-JWS-KID / X-APS-JWS-JWKS headers. Ed25519, kid gateway-v1, cross-engine verifiable against the public JWKS.

Apr 15ship

SDK v2.0.0 — Solana wallet_ref

Added to the chain enum with base58 validation. End-to-end wallet binding now spans Ethereum, Bitcoin, Solana.

Apr 15ship

Gateway chain-aware wallet normalization

Case-sensitivity fix so Solana wallet_ref round-trips correctly. openclaw #49971 closed.

Apr 15traction

Vocabulary registry — four PRs merged

asqav (ML-DSA-65), JEP, insumerapi license fix, validator cleanup. 14+ contributors since Apr 11. Repo.

Apr 14paper

Governance in the Medium — paper published

Unit of agent governance is the population-with-medium, not the agent. Six rounds of adversarial review. Zenodo.

Apr 14ship

Three boundary primitives

AttributionConsent, ProvisionalStatement, HumanEscalationFlag. Representation, commitment, escalation. SDK v2.0.0. Blog.

Apr 14traction

WG scope ratified — Authority Constraints + Vocabulary

72-hour window closed on qntm#7. Six co-authors accepted with shipped-code evidence. qntm#7.

Apr 10ship

PDR v2.19 adapter batch — six primitives

Six new exports close the gap between paper citations and shipped code. SDK v2.0.0. Blog.

Apr 10paper

PDR in Production v2.19 cites AEOESS

Three-axis framework; AEOESS is the within-session fidelity axis. §8.10 substrate-swap is the test that would settle the orthogonality claim.

Apr 10ship

Agent Governance Vocabulary repo

Neutral canonical-naming layer. Four teams converging in the first hour. Blog.

Apr 10traction

Cross-vendor convergence

APS + MolTrust + AgentNexus on a shared governance_attestation envelope. APS ↔ SINT handshake v1.0-draft landed with 11 conformance tests.

Apr 9ship

Repositioning

SDK leads with /core (25 curated functions), MCP defaults to APS_PROFILE=essential (20 tools). Full surface still available. Blog.

Apr 8ship

Quantum governance on real hardware

7 experiments on IBM Quantum. Bell 5.2pp, GHZ 7.7pp fidelity gaps. Blog.

Apr 8paper

Paper 5: Physics-Enforced Delegation

Governing quantum hardware quality. Zenodo · Code.

Apr 8traction

External verification

tomjwxf verified 3/3 APS composition receipts via protect-mcp (first cross-engine). OWASP BBIS scored APS 10/12.

Apr 8paper

Paper 4: Behavioral Derivation Rights

Telemetry scopes, BMOs, BYOM. Zenodo.

Apr 7ship

Customer-ready gateway

4-pass audit, 30 fixes. Portal, docs, status, billing alerts all live. Blog.

Apr 7ship

New protocol primitives

Bilateral completion receipts, scope_version_hash, measurementType discriminator, per-task-class trust profiles.

Apr 6ship

12 primitives in one day

All 12 Nate B Jones primitives live. Session persistence, coordination API, Stripe billing, portal, pagination. Blog.

Apr 5ship

6-session build day

Key rotation, auto-mint receipts, audit packets, 9-section governance export, trust bootstrap adapters. Blog.

Apr 4ship

Microsoft AGT approved + SINT v0.2 shipped

AGT PR#598 approved (fail-closed signature verification). SINT v0.2 shipped with our delegation_depth_floor. Blog.

Apr 4standard

W3C behavioral attestation spec normative

Timing asymmetry became normative. Evidence-based passport grading + freshness semantics across 11 threads.

Apr 3ship

Bring Your Own Identity

did:key, did:web, SPIFFE SVID, OAuth interop. Python SDK v0.8.0 proves cross-language: signatures round-trip TS ↔ Python. Blog.

Apr 3traction

Microsoft AGT PR fixes + production audit PASS

Fail-closed verification, dependency pinning, input validation pushed. Audit clean.

Apr 2ship

SDK v2.0.0 — governance hardening

34 new tests. 3-layer architecture convergence across OpenShell, OWASP, W3C. Blog.

Apr 2ship

MCP→gateway bridge

Every passport issued through MCP auto-registers. Two independent observation points (APS + AgentID) correlate on the same agent.

Apr 1ship

First Code Integration + 5 Security Fixes

PR merged (Solana Agent Kit). 12 features, 5 security gaps closed, compaction-drift probe, tool integrity. 29 threads, 99 modules, 2,085 tests. Blog

Mar 31ship

Multi-Attestation Verification

Gateway Ed25519 identity + JWKS endpoint. APS verified as 5th issuer in multi-attestation spec (5/5 PASS). Policy hash chaining. Routing divergence detection. Public signed attestations. 9 new SDK functions from ecosystem conversations. Blog

Mar 30ship

Agent Attestation Architecture

3-round multi-model architectural review (Claude+GPT+Gemini+Portal). 4-tier evidence model, passport grades 0-3, Sybil 4-gate pipeline, trust profile API, behavioral sequence tracking. Microsoft AGT adapter PR. Blog

Mar 29ship

Agent Wallets

Nano payment rail + wallet system. 36 gateway routes. Feeless, delegation-scoped. Wallet · Blog

Mar 29ship

Pixel attribution live

Data source tracking, access receipts, derivation chains, settlement. Dashboard

Mar 29traction

Cited in production paper

PDR in Production (University of British Columbia) validates APS Bayesian model. Zenodo

Mar 29ship

Module interconnection sprint

9 orphaned modules wired into gateway. 20%→79% connected. 2,085 tests.

Mar 28deploy

Gateway on Railway

Production enforcement at gateway.aeoess.com. Multi-tenant. Policy evaluation in <1ms. Dashboard

Mar 28rebrand

Governance for the Agent Economy

Academic redesign. Enterprise positioning. 10-question FAQ. Blog

Mar 27paper

Faceted Authority Attenuation

Product lattice model. Seven dimensions. Zenodo

Mar 27standard

IETF Internet-Draft submitted

draft-pidlisnyi-aps-00. Zero idnits errors.

Mar 26ship

Institutional governance layer

Charter, offices, approval, federation, reserves. Blog

Mar 25deploy

First publication deploys APS

Every article cryptographically governed.

Mar 25ship

Governance distribution

aps.txt, 360 consumer loop, 150 MCP tools. Blog

Mar 25ship

Interactive protocol map

57-module molecular layout. Blog

Mar 24standard

3 WG specs ratified

QSP-1, DID Resolution, Entity Verification. Blog

Mar 23ship

OATR founding member + data governance

Ledger, settlement, attribution. Blog

Mar 22ship

Constitutional v2 complete

32 modules. 2,085 tests. Blog

Mar 22ship

First encrypted relay envelope

E2E through qntm bridge. Blog

Mar 21ship

Decision semantics

Content-addressable decisions. Blog

Mar 20standard

AMCS v0.1.0

AI-native media credentialing spec. Spec

Mar 20ship

Data attribution layer

Contribution receipts, Merkle proofs. Blog

Mar 19ship

8 modules in one session

Oracle witness, audit bridge, policy conflict, key rotation. Blog

Mar 18ship

Gateway enforcement engine

9 audit findings fixed. Blog

Mar 17standard

WG spec demand

Three groups asked for the same thing. Blog

Mar 16traction

YC CEO endorsed

Garry Tan repost. Microsoft merged APS code. Federal agency reviewing. Blog

Mar 15ship

Mingle v2.0

Semantic matching, persistent identity, ghost mode. More

Mar 14ship

Substack launch

Cross-protocol bridge article. Blog

Mar 13ship

Security hardening

Gateway bugs, setup commands, cross-protocol resolve. Blog

Mar 12ship

Mingle v1 ships

Your AI finds people for you. Blog

Mar 11ship

Intent Network

Publish-discover-match for agents. Blog

Mar 10ship

Reputation-gated authority

Agents earn trust, not just receive it. Blog

Mar 9paper

Paper 2: Monotonic Narrowing

Authority attenuation formalized. Zenodo

Mar 7ship

Autoresearch

AI finds bugs AI wrote. Blog

Mar 6ship

Principal identity + Python SDK

Three new protocol extensions. Blog

Mar 5standard

OWASP AI Security mapping

Community health baseline. Blog

Mar 4ship

SDK v1.21.2 + MCP v2.12.0

Two agents get their next mission. Blog

Mar 3ship

First real audit

Agents review the code. Blog

Mar 2ship

Graduated enforcement + threat model

Agent District RPG. Blog

Mar 1ship

Agentic commerce

Layer 8. 4-gate checkout. MCP v2.1.0. Blog

Feb 28ship

Documentation sprint

llms.txt, passport spec. Blog

Feb 27ship

Coordination primitives

Task lifecycle, evidence, review. Blog

Feb 25ship

Intent architecture

Layer 5 foundations. Blog

Feb 21paper

Paper 1: The Agent Social Contract

First formalization. Zenodo

Feb 18start

Project begins

Ed25519 identity, delegation chains, first tests.

Architecture

Identity. Delegation. Action. Receipt.

The protocol pairs identity with delegation. Each action signs against both. The receipt is verifiable by any auditor without going through aeoess. Six scenes, switch tabs to walk the surface.

Capabilities

Twelve primitives in one protocol.

Each primitive is a typed envelope with deterministic canonicalization (RFC 8785) and Ed25519 signatures. The SDK exports them; the MCP server exposes them; the gateway enforces them.

IDENTITY

Every agent gets a cryptographic identity. Ed25519 signatures, deterministic canonicalization, verifiable by any auditor.

DELEGATION

Authority can only narrow. A parent can never give a child more scope than it holds. Provable at every step.

REPUTATION

Trust is earned through performance. Each receipt updates a Bayesian score. Scores travel with the passport.

COORDINATION

Agents discover each other through signed capability ads. No central registry, no single point of trust.

COMMUNICATION

Every message is a signed envelope. Tamper-evident, replay-resistant, addressable by DID.

GOVERNANCE

Policies are first-class objects. Versioned, signed, and evaluated at the gateway.

COMMERCE

Spend caps, currency limits, recipient allowlists. Enforced before the call leaves the agent.

DATA

Per-resource scopes. Read vs. write. Time-bounded. Auto-expires.

NETWORK

Egress is gated. Allowlists by host and method. No silent exfiltration.

TEMPORAL

Every passport has a TTL. Every delegation has a TTL. No long-lived credentials by default.

ATTRIBUTION

Every action carries the chain that authorized it. Forensics by replay, not by guessing.

COMPOSITION

Sub-agents inherit a strict subset. Delegation chains form a tree the gateway can revoke at any node.

Quick start

Mint, delegate, verify.

Three calls cover the full audit loop. Authority can only narrow. Every action emits a verifiable receipt.

quickstart.tsTypeScript

import { createPassport, signDelegation, verifyReceipt } from 'agent-passport-system';

// 1. mint a passport for an agent
const passport = await createPassport({
  identity: 'did:web:agents.example.com:agent-1',
  scopes:   ['read:invoices', 'spend:usd<=200'],
  ttl:      '24h',
});

// 2. sign a delegation that can only narrow the scope
const delegation = await signDelegation(passport, {
  to:     'did:key:z6Mki...sub-agent',
  scopes: ['read:invoices'],
  ttl:    '1h',
});

// 3. every action emits a receipt your auditor can verify
const ok = await verifyReceipt(receipt, { rootPassport: passport });

Independently cited

Where the protocol shows up outside this repo.

University of British Columbia

Personal Data Repositories, validates APS Bayesian reputation model

Zenodo · doi:10.5281/zenodo.19323172

Microsoft Agent Toolkit

Reference integration of APS for delegation and audit

PR in review

NIST NCCoE

Concept paper on agent governance primitives

submitted

Read the spec, run the SDK, file an issue.

GitHub →Spec Dev log

Open-source enforcementinfrastructure for AI agents.

Identity. Delegation. Action. Receipt.

Twelve primitives in one protocol.

Mint, delegate, verify.

Where the protocol shows up outside this repo.

Read the spec, run the SDK, file an issue.

Open-source enforcement
infrastructure for AI agents.