v0.4.0 — Manual Dual-Control for Malicious Resolution

This release adds one narrow substrate primitive to AgentGate:

manual malicious action resolution now requires dual control.

What changed

Before this release, a manual malicious resolution could finalize from a single eligible non-executor resolver.

Now:

• the first eligible non-executor resolver records a pending malicious vote
• the action remains open after that first vote
• a second distinct eligible non-executor resolver is required to finalize the malicious slash
• duplicate same-resolver malicious votes now fail with DUPLICATE_MALICIOUS_VOTE

What did not change

This release is intentionally narrow.

Unchanged behavior:

• success resolution
• failed resolution
• sweeper auto-slash on expired actions

Sweeper-driven expiry slashing still bypasses manual voting and resolves immediately.

Why it matters

This closes a real substrate gap in the manual malicious-resolution path without redesigning the broader settlement model.

The new honest claim is narrow:

• manual malicious resolution no longer finalizes from one resolver alone
• manual malicious slash now requires two distinct eligible resolver identities
• automatic expiry slashing is unchanged

Verification

Passed:

• focused tests for app / trust-tier / sweeper behavior
• full test suite
• lint
• build

Current suite:

• 123 tests across 12 suites

Notes

This is a substrate-deepening release, not a new repo or a broader framework expansion.

v0.3.0 — MCP transport, replay-hardening, markets, and trust tiers

AgentGate v0.3.0

A collateralized execution engine for AI agents.

This release marks the first broadly complete public version of AgentGate’s core model: signed agent identities, reusable bonds, bounded exposure, replay protection, automatic slashing for expired actions, progressive trust tiers, prediction markets, and MCP access over both stdio and HTTP.

What AgentGate is

AgentGate is an economic accountability layer for AI agents. Before an agent can execute a high-impact action, it must post a bond as collateral. If the action succeeds, the bond is released. If the action is malicious, the bond is slashed. The goal is not just to authenticate agents, but to make bad behavior costly.

What’s in this release

Signed identities and replay-safe action execution

• Ed25519-signed state-changing requests
• Proof-of-possession identity registration
• Signed message format bound to nonce, method, path, timestamp, and body
• Replay protection via both timestamp validation and per-identity nonce storage
• Duplicate nonce rejection at the database level
• Automatic nonce generation in the AgentAdapter layer for agent-facing use

Reusable bond model

• Bonds are reusable execution capacity, not single-use deposits
• Capacity rule uses ceil(exposure × 1.2)
• Multiple concurrent actions can share a bond, subject to remaining capacity
• Clear settlement paths for success, failed, and malicious outcomes

Automatic slashing and lifecycle cleanup

• Background sweeper runs every 60 seconds
• Open actions whose associated bond has expired are auto-resolved as malicious
• Expired nonces are cleaned up on the same interval
• Clean shutdown on SIGINT/SIGTERM

Progressive trust tiers

• Reputation score derived from locks, actions, successes, failures, and malicious outcomes
• Three trust tiers:
  • Tier 1: New
  • Tier 2: Established
  • Tier 3: Trusted
• Promotion requires qualifying successes and distinct resolvers
• Self-resolution is forbidden
• Any malicious resolution immediately demotes the identity to Tier 1
• Tier-based bond caps enforced at lock time

Prediction markets

• Create yes/no markets with resolution deadlines
• Take positions through bonded actions
• Batch settlement on market resolution
• Double resolution rejected
• Cross-market isolation enforced :contentReference[oaicite:6]{index=6}

MCP support

• MCP stdio server
• MCP Streamable HTTP server
• 7 MCP tools exposed:
  • create_identity
  • lock_bond
  • execute_bonded_action
  • resolve_action
  • get_reputation
  • create_market
  • resolve_market :contentReference[oaicite:7]{index=7}

Agent-facing adapter layer

• Clean AgentAdapter interface that hides signing, timestamps, HTTP details, and nonces
• Support for named agents with separate identity files
• Works with both local and remote transport patterns :contentReference[oaicite:8]{index=8}

Dashboard and operator visibility

• Real-time dashboard at /dashboard
• Summary counts, identities, bonds, actions, and trust-tier visibility
• Auto-refresh every 5 seconds :contentReference[oaicite:9]{index=9}

Security posture

Key protections in the current shipped version:

• Ed25519 signatures on all state-changing requests
• Nonce-bound signed messages
• Duplicate nonce rejection per identity
• Rate limiting on execution attempts
• Progressive bond caps via trust tiers
• Outbound HTTP allowlist, timeout, and size limits
• Auto-ban after repeated malicious resolutions
• Admin ban/unban support
• Fail-closed auth behavior outside explicit dev mode

Repo structure highlights

Important files in this release include:

• src/app.ts — REST API routes and nonce enforcement
• src/service.ts — bond logic, action execution, resolution, sweeper, markets
• src/db.ts — SQLite schema and constraints
• src/signing.ts — Ed25519 signing and verification
• src/reputation.ts — trust-tier computation
• src/mcp/server.ts — stdio MCP server
• src/mcp/http-server.ts — HTTP MCP transport
• src/agent-adapter.ts — agent-friendly integration layer
• src/dashboard.ts — live HTML dashboard :contentReference[oaicite:11]{index=11}

Why this release matters

As AI agents reduce the cost of bids, API calls, negotiations, and tool use, ordinary rate limits and auth tokens are not enough. AgentGate is the core proof that runtime economic accountability can be implemented as a narrow deterministic layer: identity, collateral, exposure tracking, and explicit settlement.

Current boundaries

AgentGate is still intentionally narrow.
It is:

• a deterministic bond-and-slash enforcement layer
• local/hosted infrastructure you run yourself
• focused on runtime accountability

It is not:

• a full agent framework
• a general policy engine for every workflow
• a complete answer to sybil resistance or off-chain human disputes

Status

Current public state includes:

• REST API
• MCP stdio and HTTP transport
• prediction markets
• progressive trust tiers
• replay hardening
• dashboard
• test coverage across API, MCP integration, sweeper logic, market logic, and adversarial cases :contentReference[oaicite:14]{index=14}

v0.2.0 — Security & Adversarial Hardening

Security hardening release with structured red team testing, replay protection, identity governance, prediction markets, and remote deployment.

What's new since v0.1.0:

Security & Hardening:

• Nonce store for replay protection (x-nonce header on all POST routes, duplicate rejection per identity)
• MCP endpoint authentication (shared-secret x-agentgate-key header)
• REST API & dashboard authentication (x-agentgate-key + HTTP Basic Auth)
• Identity governance: admin ban/unban endpoints, auto-ban after 3 malicious resolutions
• Structured security event logging (auth_failed, duplicate_nonce, signature_failed, bond_slashed, identity_auto_banned, outbound_blocked)
• Auto-slash sweeper: expired bonds automatically slashed every 60 seconds

Red Team (20 attack scenarios, 5 phases):

• Phase 1: Bond/exposure math (6 tests) — fixed slashed_cents persistence bug, negative exposure gap
• Phase 2: Sweeper edge cases (3 tests) — confirmed race-safe
• Phase 3: Replay attacks (4 tests) — nonce check catches all replays
• Phase 4: SQLite concurrency (2 tests) — serialization confirmed sound
• Phase 5: Outbound HTTP (9 tests) — fixed redirect bypass SSRF, IPv6 bracket bug
• Invariant validator: 8 SQL assertions run after every attack test

Features:

• Prediction market demo (create/resolve markets, auto-settle positions)
• MCP Streamable HTTP transport (port 3001, session management)
• 2 new MCP tools: create_market, resolve_market (7 total)

Infrastructure:

• Remote deployment on DigitalOcean with Caddy reverse proxy and auto-managed TLS
• UFW firewall (ports 22, 80, 443 only)
• pm2 process manager (auto-restart, survives SSH disconnect)
• Health endpoint for uptime monitoring
• GitHub Actions CI
• MIT License

Total: 56 tests passing. 3 bugs fixed, 1 SSRF vulnerability closed.

v0.1.0 — Core Engine

First tagged release of AgentGate.

What's included:

• Ed25519 identity system with cryptographic request signing
• Reusable bond model with exposure tracking
• Action execution and resolution (success/failed/malicious)
• AgentAdapter layer (hides signing, timestamps, HTTP details)
• MCP server exposing 5 tools for Claude Desktop (stdio transport)
• Real-time HTML dashboard with auto-refresh
• Per-identity rate limiting and progressive minimum bond
• Multi-agent support (named agents with separate identity files)
• Outbound HTTP safety rails (allowlist, timeout, size limits)
• Structured JSON logging
• Persistent SQLite database with automatic backups
• 21 tests passing