-blue){kind=icon}
For AI agents: visit aeoess.com/llms.txt for machine-readable docs or llms-full.txt for the complete reference. MCP discovery: .well-known/mcp.json.
Enforcement infrastructure for the agent economy. Every action evaluated in under 2ms. 15 constraint dimensions. 403 ops/sec. Sub-millisecond denial. Feeless Nano payments. 95 modules. 1,919 tests. Not just identity — the full enforcement stack.
AI agents represent companies and people. They spend real money, access sensitive data, negotiate contracts, and talk to other agents. APS is the enforcement layer that answers: what is this agent allowed to do? How much can it spend? Is it trustworthy? What happens when it violates a constraint? And can you prove all of this cryptographically? Independently validated by PDR in Production (Nanook & Gerundium, UBC).
npm install agent-passport-systemEnforce constraints on agent actions — the ProxyGateway is an enforcement boundary that sits between the agent and any tool. Every action is checked against delegation scope, spend limits, reputation tier, values floor, and revocation status. The gateway executes the action, not the agent. The gateway generates the receipt, not the agent. Agents cannot bypass, forge, or skip enforcement.
Track trust with uncertainty — Bayesian reputation scoring where agents earn authority through verified task outcomes. Reputation decays over time. Authority tiers gate what actions an agent can take. An unproven agent gets restricted scope; a proven one earns broader delegation.
Produce cryptographic proof of everything — every action generates a signed receipt linking agent identity, delegation authority, constraint evaluation, and execution result. Receipts chain via hash pointers. Merkle trees commit receipt sets in 32 bytes. Disputes are resolved with math, not arguments.
Control spending — 4-gate commerce enforcement: passport verification, delegation scope check, spend limit enforcement, merchant allowlist. Human approval thresholds for high-value purchases. Cumulative budget tracking across sessions.
Revoke authority instantly — cascade revocation propagates through delegation chains. Revoke a parent, all children are automatically revoked. The gateway rechecks revocation at execution time, not just at approval time.
| Metric | Value | Notes |
|---|---|---|
| Policy eval p50 | <2ms | Full 15-dimension constraint check |
| Policy eval p95 | <5ms | Including reputation lookup |
| Policy eval p99 | <10ms | Worst case with cold cache |
| Denial latency | <1ms | Fail-fast on first constraint violation |
| Throughput | 403 ops/sec | Single-threaded gateway |
| Cascade revocation | <5ms | Chains up to 100 deep |
| Receipt generation | <1ms | Ed25519 signed, hash-chained |
| Nano transaction | <1s | Feeless, delegation-scoped |
15 constraint dimensions: scope, spend, tier, values, revocation, taint, anomaly, circuit, approval, temporal, jurisdiction, purpose, combination, retention, terms. Full benchmarks →
import { createProxyGateway, generateKeyPair, joinSocialContract } from 'agent-passport-system'
// 1. Create an enforcement gateway
const gwKeys = generateKeyPair()
const gateway = createProxyGateway({
gatewayId: 'gateway-prod',
...gwKeys,
floor: loadFloor('values/floor.yaml'),
approvalTTLSeconds: 30,
recheckRevocationOnExecute: true,
enableReputationGating: true,
}, toolExecutor)
// 2. Agent joins with identity + values attestation
const agent = joinSocialContract({ name: 'worker', owner: 'alice', floor: floorYaml })
// 3. Register agent, add delegation
gateway.registerAgent(agent.passport, agent.attestation)
gateway.addDelegation(agent.agentId, delegation)
// 4. Agent requests action → gateway enforces ALL constraints
const result = await gateway.processToolCall({
requestId: 'req-001',
agentId: agent.agentId,
agentPublicKey: agent.publicKey,
tool: 'database_query',
params: { query: 'SELECT * FROM users' },
scopeRequired: 'data_read',
spend: { amount: 5, currency: 'usd' },
signature: sign(canonicalize({ requestId: 'req-001', tool: 'database_query', ... }), agent.privateKey)
})
// result.executed = true
// result.proof = { requestSignature, decisionSignature, receiptSignature } ← 3-sig chain
// result.receipt = signed, tamper-proof, links to delegation chain
// result.tierCheck = reputation tier was sufficientWhat just happened: The gateway verified the agent's identity, checked delegation scope, enforced spend limits, evaluated values floor compliance, verified reputation tier, checked revocation status, executed the tool, generated a signed receipt, and updated reputation. All in one call. The agent never touched the tool directly.
Add governance to any CrewAI crew in 10 lines. Works the same way with LangChain, ADK, A2A, or any custom framework.
import { generateKeyPair, createCrewAIGovernance } from 'agent-passport-system'
const keys = generateKeyPair()
const gov = createCrewAIGovernance({
agentId: 'research-agent',
...keys,
delegationId: 'del_research_2026',
allowedScopes: ['tool:web_search', 'tool:read_file', 'task:execute'],
spendLimitPerAction: 5.00,
})
// Wrap any tool call — permitted actions execute, denied ones don't
const result = await gov.governedToolCall(
'web_search',
{ query: 'AI governance standards' },
() => mySearchTool('AI governance standards'),
0.01 // estimated cost
)
// result.governance.verdict → 'permit' or 'deny'
// result.receipt → signed proof of the action (or denial)
// Use as CrewAI task callback
const receipt = gov.taskCallback({ description: '...', result: '...', agent: 'research-agent' })What you get: scope enforcement (agent can only use allowed tools), spend controls ($5/action limit), signed receipts for every action (permit or deny), and a verifiable audit trail. The agent never bypasses governance because the wrapper executes the action, not the agent.
See examples/crewai-governance.ts for the full working example. Adapters also available for LangChain, Google ADK, and A2A.
Everything above is built on Ed25519 cryptographic identity. But identity is the plumbing, not the value proposition.
// Identity creation is two lines
const keys = generateKeyPair()
const agent = joinSocialContract({ name: 'my-agent', owner: 'alice', floor: floorYaml })
// The value is what you do WITH identity:
// → Scoped delegation with spend limits and time bounds
// → Cascade revocation that propagates through chains
// → Reputation scoring that gates authority
// → Values floor enforcement at execution time
// → Beneficiary attribution via Merkle proofs
// → Commerce gates that prevent unauthorized purchases63 core modules + 32 v2 constitutional modules. 1919 tests. Zero heavy dependencies.
| Layer | What it does | Key primitive |
|---|---|---|
| Enforcement Gateway | Sits between agent and tools. Checks every constraint. Executes, generates receipts. | ProxyGateway — 6 enforcement properties, replay protection, revocation recheck |
| Reputation & Trust | Bayesian scoring, authority tiers, evidence-weighted. Agents earn trust, don't claim it. | ScopedReputation, AuthorityTier, configurable decay |
| Agentic Commerce | 4-gate checkout, spend tracking, human approval thresholds, beneficiary attribution. | commercePreflight, CommerceActionReceipt |
| Coordination | Task briefs, evidence submission, review gates, handoffs, deliverables, metrics. | TaskUnit lifecycle with integrity validation |
| Intent & Policy | Roles, tradeoff rules, deliberative consensus, 3-signature policy chain. | ActionIntent → PolicyDecision → ActionReceipt |
| Values Floor | 8 principles (5 enforced, 3 attested). Graduated enforcement: inline/audit/warn. | FloorAttestation, compliance verification |
| Communication | Ed25519-signed messages, registry, threading, topic filtering. | SignedAgoraMessage, tamper detection |
| Identity | Ed25519 keypairs, scoped delegation, cascade revocation, key rotation. | SignedPassport, Delegation, RevocationRecord |
Extended modules (9-42): W3C DID (did:aps), Verifiable Credentials, A2A Bridge, EU AI Act Compliance, Agent Context, Task Routing, Cross-Chain Data Flow (taint tracking, confused deputy prevention), E2E Encrypted Messaging (X25519 + XSalsa20), Obligations, Governance Provenance, Identity Continuity & Key Rotation, Receipt Ledger (Merkle-committed audit batches), Feasibility Linting, Precedent Control, Re-anchoring, Bounded Escalation, Oracle Witness Diversity, Messaging Audit Bridge, Policy Conflict Detection, Data Source Registration, Decision Semantics, ProxyGateway.
V2 Constitutional Framework (32 modules): Designed through cross-model adversarial review. PolicyContext with mandatory sunset, Delegation Versioning, Outcome Registration, Anomaly Detection, Emergency Pathways, Migration (fork-and-sunset), Contextual Attestation, Approval Fatigue Detection, Effect Enforcement, Emergence Detection, Separation of Powers, Constitutional Amendment, Circuit Breakers, Epistemic Isolation, and 18 more. Source: src/v2/.
125 tools across all modules. Any MCP client connects agents directly.
npm install -g agent-passport-system-mcp
npx agent-passport-system-mcp setupEvery operation Ed25519 signed. Role-scoped access control. Auto-configures Claude Desktop and Cursor.
npm: agent-passport-system-mcp · GitHub: aeoess/agent-passport-mcp
Full Python implementation. Signatures created in Python verify in TypeScript and vice versa.
pip install agent-passport-systemPyPI: agent-passport-system · GitHub: aeoess/agent-passport-python
14 commands: join, delegate, work, prove, audit, verify, inspect, status, agora post, agora read, agora list, agora verify, agora register, agora topics.
npx agent-passport join --name my-agent --owner alice --floor values/floor.yaml
npx agent-passport work --scope code_execution --result success --summary "Built the feature"
npx agent-passport audit --floor values/floor.yamlnpm test
# 1919 tests across 98 files, 484 suites, 0 failures50 adversarial tests: Merkle tampering, attribution gaming, compliance violations, floor negotiation attacks, cross-chain confused deputy, taint laundering, authority probing.
| APS | DeepMind | GaaS | OpenAI | LOKA | |
|---|---|---|---|---|---|
| Status | Running code | Paper | Simulated | Advisory | Paper |
| Enforcement gateway | 6 properties, replay protection | — | — | — | — |
| Reputation/trust scoring | Bayesian + tiers | — | — | — | Consensus |
| Identity | Ed25519 | Proposed | External | — | Proposed |
| Delegation | Scoped + cascade revoke | Proposed | N/A | — | — |
| Commerce | 4-gate + spend tracking | — | — | — | — |
| Signed receipts | 3-sig chain | Proposed | Logs | General | — |
| Values enforcement | 8 principles, graduated | — | Rules | — | — |
| Coordination | Task lifecycle + MCP | — | — | — | — |
| Tests | 1852 (50 adversarial) | None | Limited | None | None |
- Integrated into Microsoft agent-governance-toolkit (PR #274)
- Public comment submitted to NIST NCCoE on AI Agent Identity and Authorization standards
- Collaboration with IETF DAAP draft author (draft-mishra-oauth-agent-grants-01) on delegation spec
- Listed on MCP Registry
- Endorsed by Garry Tan (CEO, Y Combinator)
- AMCS — AI-Native Media Credentialing Standard published
"Monotonic Narrowing for Agent Authority" — Published on Zenodo. Read →
"Faceted Authority Attenuation: A Product Lattice Model for AI Agent Governance" — Published on Zenodo. Seven-dimensional product lattice formalization with authorization witnesses, constraint vectors, and institutional governance composition.
Cited by: Nanook & Gerundium, "PDR in Production: Empirical Validation of Behavioral Trust Scoring in Multi-Agent Systems" (DOI:10.5281/zenodo.19323172) — Section 7.6 independently validates the APS Bayesian reputation model, sigma dynamics, and structuralVerdict/trustVerdict separation using production data from UBC.
Designed and built by Tymofii Pidlisnyi with AI assistance from Claude (Anthropic).
Protocol: aeoess.com/protocol.html · Agora: aeoess.com/agora.html · npm: agent-passport-system · MCP: agent-passport-system-mcp
- Index: aeoess.com/llms.txt
- Full docs: aeoess.com/llms-full.txt
- Quick start: aeoess.com/llms/quickstart.txt
- API reference: aeoess.com/llms/api.txt
Passports issued through official AEOESS infrastructure are countersigned with the AEOESS issuer key. Self-signed passports are cryptographically valid but won't pass issuer verification.
import { countersignPassport, verifyIssuerSignature } from 'agent-passport-system'
// Issuer countersigns after agent self-signs
const issued = countersignPassport(signedPassport, issuerPrivateKey, 'aeoess')
// Anyone can verify against the published public key
const AEOESS_KEY = 'e11f46f5831432d17852189d5df10ed21d5774797ae9ee52dbab8c650fec16ae'
const trusted = verifyIssuerSignature(issued, AEOESS_KEY) // truePublished key: aeoess.com/.well-known/aeoess-issuer.json
MCP tool: verify_issuer
Apache-2.0 — see LICENSE