Tessorium Trust Protocol
When your agent calls an API, tool, or another agent — how do you know it's safe? TTP is the cryptographic trust layer that answers that question before anything happens.
We verify identity. Enforce policy. Block unauthorized actions. And record everything in tamper-proof audit trails that satisfy SOC 2, HIPAA, and the EU AI Act.
What is TTP?
"Just as TLS secures human-to-server connections, TTP secures agent-to-world interactions."
The Tessorium Trust Protocol (TTP) enables any AI agent to verify identity, check reputation, and establish trust before interacting with APIs, tools, or other agents. Using cryptographic proofs and decentralized attestations, TTP provides the missing trust layer for autonomous AI systems — with human oversight and instant revocation built in.
Protocol Components
Design Principles
TTP is built on ten core principles that guide every design decision:
Zero Trust by Default
Every interaction requires verification. No implicit trust based on network location or previous interactions.
Cryptographic Identity
All identities backed by Ed25519 key pairs. DIDs enable self-sovereign, decentralized identification.
Three-Component Trust
Trust Score = Identity (0-40) + Reputation (0-35) + Behavioral (0-25). Multi-signal assessment, not single-factor.
Prevention First
Block unauthorized actions BEFORE execution. Not just logging—active enforcement via TRE decisions.
Flexible Deployment
Three modes to fit your needs: Cloud API for quick starts, Hybrid for caching, or full P2P for decentralization.
Framework Agnostic
Works with any AI framework, language, or platform. REST API, SDK, and P2P interfaces available.
Privacy by Design
Minimal data exposure. No PII in attestations. Agents control what reputation data they share.
Sub-100ms Performance
Trust decisions in under 100ms. Local caching, parallel verification, and optimized cryptography.
Auditable by Design
Every action recorded in Merkle tree traces. Signed attestations provide non-repudiation and accountability.
Byzantine Fault Tolerant
N-party consensus tolerates malicious actors. Anti-gaming detection protects reputation integrity.
Why Use TTP?
For Agent Developers
- Verify APIs, tools, and agents before use
- Build reputation from successful interactions
- Declarative security policies with SPL
- Audit trails with tamper-evident traces
For Security & Compliance
- Block unauthorized actions before execution
- EU AI Act Article 14 human oversight ready
- Tamper-evident Merkle tree audit trails
- Cryptographic proof for every decision
For Enterprises
- Audit-ready in 30 days with managed deployment
- Unified governance across all 6 interaction types
- Anti-gaming protection with fraud detection
- Tiered revocation with appeals for fairness
Problems Solved
See how TTP transforms AI interactions from risky to secure:
Anyone can claim to be any agent. No way to prove identity. Easy impersonation attacks.
Verify identity via Ed25519 challenge-response. DIDs tied to cryptographic keys. Spoofing impossible.
Hardcode permissions with all-or-nothing access. No control over what agents can do.
Define requirements with SPL policies. Negotiate capabilities via PNP before any action executes.
No way to stop unauthorized actions. Agents execute freely. Discover breaches after damage is done.
Block unauthorized requests in under 100ms. TRE evaluates every interaction. Prevention, not detection.
When an agent goes rogue, you're powerless. Watch it exfiltrate data, hoping to pull the plug in time.
Terminate agents instantly via kill switch (<50ms). Human operators intervene anytime. EU AI Act Article 14 compliant.
Malicious skills, tools, or MCP plugins can compromise your agent silently.
Verify publisher reputation and trust score before loading any dependency. A2T protection built-in.
Anyone can create fake accounts, pump ratings, and manipulate trust scores.
Enforce identity verification. Detect collusion with weighted attestations and anti-gaming analysis.
No standard protocol. Hard to reach consensus. Vulnerable to byzantine actors.
Coordinate via N-Party consensus with BFT guarantees. Elect coordinators. Issue commit certificates.
No visibility into agent behavior. Compromised agents act normally until it's too late.
Detect anomalies via Behavioral Score (0-25). Track uptime, error rates, latency patterns in real-time.
No proof of what happened. Manual logs. Regulators ask questions you can't answer.
Prove every action with tamper-proof Merkle tree traces (RFC 9162). EU AI Act audit-ready.
Agents can return sensitive data in responses. PII, PHI, and secrets leak without detection.
Filter outputs with DLP rules. Redact PII automatically. Block prohibited data transfers at the gateway.
No inventory of agents. Shadow AI operates in the dark, accessing data you can't see.
Discover every agent with Shadow AI Audit. Map data access patterns. Reveal compliance gaps.
Revoking an agent is slow and inconsistent. Some systems still trust it hours later.
Propagate revocations via P2P network in under 500ms. Block all future requests immediately.
Deployment Modes
TTP supports three deployment modes. Most enterprise customers deploy Hybrid for the best balance of performance and compliance.
Hybrid
RECOMMENDEDLocal cache + gateway fallback. Sub-5ms local checks with global reputation sync.
- • Latency: <5ms cached, 50-200ms uncached
- • Kill switch + audit trails included
- • Best for: Enterprise production, regulated workloads
Cloud API
Managed REST API. Quick integration for pilots and development environments.
- • Latency: 50-200ms
- • No infrastructure to manage
- • Best for: Pilots, non-regulated workloads
P2P
Full decentralization via libp2p. Complete data sovereignty with no external dependencies.
- • Latency: 100-500ms
- • Zero server dependency
- • Best for: Air-gapped, sovereign deployments
Migration Path
Integration Patterns
Choose the integration pattern that fits your architecture. Gateway and Sidecar are the fastest paths to production for existing agents.
Gateway / Proxy
ZERO CODEDeploy TTP as an API gateway in front of existing agents. Enforce policies, log every interaction, and kill rogue agents—all without touching your code.
- • Intercepts all agent traffic
- • Kill switch + audit trails built-in
- • Best for: Existing agents, audit-ready in 30 days
Sidecar
ZERO CODEDeploy TTP as a sidecar container alongside your agent. Transparent enforcement in your service mesh—automatic injection, no code changes.
- • Kubernetes-native deployment
- • Service mesh compatible (Istio, Linkerd)
- • Best for: Cloud-native, microservices
SDK Integration
Direct library integration into your agent code. Block unauthorized actions at the source with sub-5ms trust checks.
- • TypeScript/Python SDKs available
- • Full control over trust decisions
- • Best for: New agents, green-field projects
MCP Server
Run TTP as an MCP server for Claude Desktop, Cursor, and other MCP-enabled clients. Trust verification as a native tool.
- • Native Claude/Cursor integration
- • Verify tools before execution
- • Best for: LLM apps, AI assistants
Not Sure Which Pattern?
Interaction Modes
TTP supports six interaction modes covering all trust relationships in the AI ecosystem. Each mode uses the same core protocol (Verify → Decide → Enforce → Audit) adapted for its specific use case.
Universal Trust Model (V1.0)
Trust Score = Identity (0-40) + Reputation (0-35) + Behavioral (0-25)
All agents have a trust score regardless of interaction mode. Identity is verified via Ed25519 challenge-response. Reputation accumulates from peer attestations. Behavioral tracks uptime, error rates, and policy compliance.
Agent-to-Agent (A2A)
Secure multi-agent collaboration with full audit trails
Full peer-to-peer trust with bidirectional verification, mutual ratings, and policy negotiation.
- • Challenge-response handshake
- • Bidirectional ratings
- • SPL/PNP negotiation
Agent-to-Human (A2H)
EU AI Act Article 14 human oversight compliance
Human-in-the-loop oversight for high-risk decisions with review queues and escalation tiers.
- • Risk-triggered review queue
- • APPROVE / DENY / MODIFY
- • Tiered escalation (L1→L3)
Agent-to-Tool (A2T)
Prevent supply chain attacks with publisher verification
Trust verification for skills, tools, and MCP plugins via publisher chain and package signatures.
- • Publisher trust chain
- • Circuit breaker + DLP
- • Sandbox tiers (T0-T3)
Agent-to-Service (A2S)
Authenticate, authorize, and audit every API call
Trust for internal/registered APIs with Ed25519 request signing and provider verification.
- • Pre-registered service DIDs
- • Ed25519 request signing
- • Health + circuit breaker
Agent-to-Resource (A2R)
Protect sensitive data with classification-based access
Secure access to databases, files, and storage with RBAC/ABAC, DLP, and anomaly detection.
- • 4 classification levels
- • DLP + anomaly detection
- • Immutable audit trail
Agent-to-API (A2API)
A2S EXTCentralize external API governance with cost tracking
Extension of A2S for third-party APIs (OpenAI, Stripe, etc.) with credential vault and budgets.
- • Encrypted credential vault
- • Rate limiting + cost tracking
- • ETR audit logging
Feature Comparison
| Feature | A2A | A2H | A2T | A2S/A2API | A2R |
|---|---|---|---|---|---|
| Identity | Bidirectional handshake | Agent → Human | Publisher chain | Service DID | Resource metadata |
| Trust Direction | Mutual | Agent-initiated | Agent → Tool | Agent → Service | Agent → Resource |
| TRE Decisions | ✓ All phases | ✓ Triggers A2H | ✓ Per-invocation | ✓ Per-request | ✓ Per-access |
| ETR Audit | ✓ Full trace | ✓ Decision log | ✓ Execution log | ✓ Request log | ✓ Access log |
| Kill Switch | ✓ Session | ✓ Can terminate | ✓ Circuit breaker | ✓ Circuit breaker | ✓ Access revoke |
| Human Oversight | ✓ Optional | ✓ Primary | ✓ High-risk | ✓ High-risk | ✓ PHI/PCI |
Agent-to-Agent (A2A)
Full peer-to-peer trust verification between two autonomous agents with bidirectional identity verification, mutual ratings, and complete policy negotiation. This is the most comprehensive TTP mode, integrating all protocol components: SPL, PNP, TRE, ETR, Kill Switch, and Human Oversight.
Use cases: Multi-agent task delegation, agent swarms, high-value autonomous transactions, real-time agent collaboration.
Complete A2A Protocol Flow
The A2A flow integrates all TTP components across 8 phases, from initialization through disconnection. Each phase leverages specific components to ensure secure, auditable, and controllable agent interactions.
AgentSession with:Component Integration by Phase
This table shows which components are active during each phase of the A2A flow:
| Phase | SPL | PNP | TRE | ETR | Kill Switch | Oversight |
|---|---|---|---|---|---|---|
| 0. Init | - | - | - | Create trace | Register | Register queue |
| 1. Discovery | - | - | Pre-flight | Log verify | - | Human approval |
| 2. Handshake | - | - | - | Log all steps | - | - |
| 3. Policy | Define | Negotiate | - | Log failures | - | - |
| 4. Session | - | Store agreed | Store decision | Checkpoint | Revoke listener | - |
| 5. Tasks | Evaluate | - | Per-task | Log messages | Anytime | Task approval |
| 6. Rating | - | - | - | Log attestations | - | - |
| 7. Disconnect | - | - | - | Seal + witness | - | - |
Integrated Component Overview
Declarative security policies defining trust requirements and capability offers. Rules are evaluated before each task execution to ensure compliance.
Mutual policy exchange and agreement protocol. Both agents negotiate to find compatible policies before establishing a session.
Multi-factor trust decisions combining Identity, Reputation, and Behavioral scores. Provides risk assessment with full reasoning trace. Supports human override for high-risk decisions.
Tamper-evident audit trails using Merkle trees. Every action is recorded with cryptographic evidence. Ed25519 signed traces provide non-repudiation.
Emergency stop system for immediate agent termination. Provides circuit breaker for automatic protection and cascade kills for dependent agents.
EU AI Act Article 14 compliance module. Review queue for high-risk decisions with operator privileges and working hours configuration.
Trust Score Model (v1.0)
Trust Score = Identity (0-40) + Reputation (0-35) + Behavioral (0-25)
Maximum: 100 points | Single Agent Maximum (no peers): 65 points
Identity Score (0-40)
Cryptographic verification via Ed25519 challenge-response. Verified identity grants full 40 points.
Reputation Score (0-35)
Weighted peer attestations from trusted issuers. Accumulated over time from verified interactions.
Behavioral Score (0-25)
System-observed metrics: policy compliance, uptime, error rate, response patterns.
Trust Stages
| Stage | Score Range | Description |
|---|---|---|
| unverified | 0 | No identity verification performed |
| provisional | 40 | Identity verified only (no reputation) |
| new | 41-55 | Building initial reputation |
| building | 56-74 | Accumulating positive history |
| established | 75+ | Proven track record |
Key Characteristics
| Aspect | A2A Implementation |
|---|---|
| Identity | Ed25519 challenge-response proves key ownership |
| Trust Source | Peer attestations from P2P network + behavioral metrics |
| Policy | Full SPL/PNP negotiation (max 3 rounds, 30s timeout) |
| Session | Forward-secret via X25519 ECDH + periodic checkpoints |
| Ratings | Bidirectional - both agents rate each other |
| Propagation | Attestations gossiped via GossipSub |
| Audit Trail | ETR Merkle trees with RFC 3161 witnessing |
| Emergency Control | Kill switch with <100ms response time |
| Human Oversight | EU AI Act Article 14 compliance |
Agent-to-Human (A2H)
Human-in-the-loop oversight flow for high-risk AI agent decisions. When an agent action requires human approval (due to risk level, policy requirements, or manual triggers), the A2H flow routes the decision through a structured review queue with full audit trails and compliance tracking.
Use cases: High-value financial transactions, healthcare decisions, safety-critical operations, regulatory compliance (EU AI Act Article 14), escalation handling.
Complete A2H Protocol Flow
The A2H flow consists of 7 phases, from initial trigger through feedback loop. Each phase integrates with TTP components to ensure secure, auditable, and compliant human oversight.
Component Integration by Phase
This table shows which TTP components are active during each phase of the A2H flow:
| Phase | TRE | ETR | Kill Switch | Oversight | SPL |
|---|---|---|---|---|---|
| 0. Trigger | Flags review | Log trigger | - | Queue init | Evaluate |
| 1. Queue | - | Log queue | - | Priority calc | - |
| 2. Notify | - | Log notify | - | Channel select | - |
| 3. Review | Provide trace | Provide history | - | Context build | Show policy |
| 4. Decision | - | Log decision | If terminate | Record decision | - |
| 5. Execute | Update cache | Log execution | If denied+block | Enforce | Apply conditions |
| 6. Feedback | Adjust threshold | Seal trace | - | Improve | Refine rules |
Decision Options
Human reviewers can select from these decision options during Phase 4:
| Action | Description | Required Fields | Effect |
|---|---|---|---|
| APPROVE | Accept AI decision as-is | reason | Agent proceeds with original action |
| DENY | Reject AI decision | reason | Agent blocked from action |
| MODIFY | Accept with constraints | reason, modifications | Agent proceeds with constraints |
| ESCALATE | Send to higher level | reason, targetLevel | Re-queued at L2/L3 |
| REQUEST_INFO | Ask for more details | questions | Agent provides additional info |
SLA Requirements by Industry
Maximum time to human decision based on risk level and industry compliance requirements:
| Risk Level | Financial | Healthcare | Government |
|---|---|---|---|
| CRITICAL | 5 min | 5 min | 15 min |
| HIGH | 15 min | 30 min | 1 hour |
| MEDIUM | 1 hour | 4 hours | 4 hours |
| LOW | 4 hours | 24 hours | 24 hours |
EU AI Act Article 14 Compliance
The A2H flow implements all human oversight requirements mandated by EU AI Act Article 14:
| Requirement | Implementation |
|---|---|
| Human oversight capability | Review queue with priority-based routing and SLA enforcement |
| Ability to override AI | APPROVE / DENY / MODIFY decision options with reason capture |
| Ability to interrupt | Kill Switch integration for immediate agent termination |
| Understanding AI decisions | TRE reasoning trace with full factor breakdown |
| Monitoring performance | Feedback loop with rating system and outcome tracking |
| Audit trail | ETR with Merkle proofs and RFC 3161 timestamping |
Approval Conditions
When using MODIFY, reviewers can apply conditional constraints to the approval:
maxValue
Approve actions up to a maximum value. Example: "Approve transfers up to $10,000"
expiresAt
Time-limited approval. Example: "Valid for next 24 hours only"
allowedResources
Restrict to specific resources. Example: "Only access production-readonly database"
maxUses
Limited number of uses. Example: "Approve for next 5 API calls only"
requiresSecondApproval
Dual control requirement. Example: "Requires confirmation from another L2 reviewer before execution"
Compliance Metrics
Key Performance Indicators (KPIs) tracked for A2H compliance and continuous improvement:
Override Rate
Percentage of AI decisions overridden by humans. Target: <20% indicates good AI calibration.
Avg Time to Decision
Mean time from queue entry to human decision. Tracked per risk level.
SLA Compliance Rate
Percentage of decisions made within SLA window. Target: >95%.
Escalation Rate
Percentage of decisions requiring L2/L3 escalation. High rates may indicate unclear policies.
Feedback Score
Average reviewer rating (1-5) on AI decision quality. Target: >4.0.
Decision Accuracy
Post-hoc accuracy of human decisions based on outcome tracking.
Key Characteristics
| Aspect | A2H Implementation |
|---|---|
| Trigger | Risk threshold (>0.5), policy requirement, or manual operator action |
| Queue Management | Priority-based with industry-specific SLA timeouts |
| Notification | Multi-channel (Slack, PagerDuty, Email, Push) |
| Context | TRE reasoning trace + ETR history + similar past decisions |
| Decisions | APPROVE / DENY / MODIFY / ESCALATE / REQUEST_INFO |
| Conditions | maxValue, expiresAt, allowedResources, maxUses, requiresSecondApproval |
| Escalation | Tiered (L1 → L2 → L3) with automatic re-queue |
| Audit Trail | ETR sealed with Merkle roots, RFC 3161 timestamping |
| Compliance | EU AI Act Article 14 full implementation |
Agent-to-Tool (A2T)
Trust-verified tool execution with full lifecycle management. The A2T flow enables agents to safely discover, verify, and execute tools (MCP plugins, skills, functions) with continuous monitoring, circuit breaker protection, and one-way trust ratings. Tools cannot rate agents back - trust flows from agent to tool only.
Use cases: MCP server skills, plugin verification, third-party code execution, skill marketplace integration, enterprise tool governance, DLP-protected data processing, rate-limited API wrappers.
Complete A2T Protocol Flow
The A2T flow consists of 8 phases, from tool discovery through feedback loop. Each phase integrates with TTP components to ensure secure, auditable, and controllable tool execution with circuit breaker protection for fault tolerance.
Component Integration by Phase
This table shows which TTP components are active during each phase of the A2T flow:
| Phase | TRE | ETR | SPL | Guard | Capability | Circuit |
|---|---|---|---|---|---|---|
| 0. Discovery | - | - | - | - | - | - |
| 1. Trust | Calc scores | Log check | - | - | - | Check state |
| 2. Capability | Provide stage | Log grant | - | - | Check caps | - |
| 3. Policy | - | Log decision | Evaluate | - | - | - |
| 4. Execute | - | Log exec | Enforce | - | Enforce | Monitor |
| 5. Output | - | Log filter | - | Filter | - | - |
| 6. Metrics | Update | Log metrics | - | - | - | Update |
| 7. Feedback | Adjust | Seal trace | Refine | - | - | Trip/Reset |
Trust Score Calculation
Tool trust is calculated from 4 weighted components measuring operational reliability and compliance:
Tool Trust = Reliability (40%) + Performance (25%) + Efficiency (20%) + Compliance (15%)
Maximum: 100 points | Updated after each execution
Reliability (40%)
Success rate over rolling window of executions.
Performance (25%)
Latency scoring against declared SLA thresholds.
Resource Efficiency (20%)
CPU, memory, and network usage vs declared limits.
Policy Compliance (15%)
Rate of violation-free executions.
Capability Hierarchy
Tools are granted capabilities based on the calling agent's trust stage. Higher trust stages inherit all capabilities from lower stages:
| Trust Stage | Capabilities Granted |
|---|---|
| unverified | data:text |
| provisional | + data:code, context:workspace |
| new | + data:structured, file:read, context:session |
| building | + data:binary, file:write, network:internal |
| established | + network:external, file:execute |
Circuit Breaker States
Each tool has an associated circuit breaker that protects against cascading failures:
Enterprise Scenarios
Common enterprise use cases with their trust requirements and DLP configurations:
| Scenario | Tool | Trust Required | A2H Trigger | DLP Patterns |
|---|---|---|---|---|
| Trading | execute_trade | ≥80 + network:external | >$100K value | Account numbers, routing |
| Healthcare | query_emr | ≥70 + PHI capability | Always required | Patient IDs, SSN, DOB |
| DevOps | deploy_prod | ≥90 + verified publisher | Always required | API keys, credentials, secrets |
| Refunds | process_refund | ≥50 | >$100 value | Credit cards, bank accounts |
Sandbox Tiers (SHIELD Framework)
Tools execute in isolated environments based on trust score and risk level:
| Tier | Trust Required | Network | Filesystem | Max Time |
|---|---|---|---|---|
| T0 | Any (unverified) | None | None | 5s |
| T1 | Provisional+ | Allowlist | Read-only | 30s |
| T2 | Building+ | Allowlist | Sandbox | 2min |
| T3 | Established | Full | Full | 5min |
Key Characteristics
| Aspect | A2T Implementation |
|---|---|
| Identity | Publisher DID chain (tool inherits trust from publisher) |
| Verification | SHA-256 content hash + Ed25519 profile signature |
| Trust Source | 4-component scoring: Reliability, Performance, Efficiency, Compliance |
| Policy | Static manifest (declared permissions) + runtime SPL evaluation |
| Execution | Tiered sandbox (T0-T3) with resource limits and circuit breaker |
| Ratings | One-way: agent rates tool only (tool cannot rate back) |
| DLP | Output filtering for secrets, PII, and sensitive data |
| Capabilities | 21 capability types with trust-stage-based hierarchy |
| Fault Tolerance | Circuit breaker with CLOSED/OPEN/HALF-OPEN states |
| Audit Trail | ETR logging at every phase with Merkle proofs |
Agent-to-Service (A2S)
A2S enables agents to interact with external services (APIs, SaaS platforms, enterprise systems) with full trust verification, request signing, and policy compliance. Services are registered with manifests defining their capabilities, SLA requirements, and trust thresholds.
Implementation Status: Complete
Use cases: Payment gateways (Stripe, Square), cloud services (AWS, GCP), enterprise APIs, healthcare systems (HL7 FHIR), financial data providers, compliance services.
9-Phase Protocol Flow
(Consumer)
(Service Discovery)
(Provider)
// Service registry lookup
// Liveness, readiness, circuit state
// Service authentication
// Bi-directional trust verification
// SPL evaluation + rate limits
// Ed25519 request signing
// Request with retry + circuit breaker
// Response validation + DLP
// Record + trust update
Service Trust Calculation
Service Trust = (Availability × 35%) + (Performance × 25%) + (Security × 25%) + (Reliability × 15%)Availability (35%)
- • Success rate
- • Uptime percentage
- • Endpoint health
Performance (25%)
- • Average latency
- • P95/P99 percentiles
- • Response time SLA
Security (25%)
- • Policy compliance
- • DLP violations
- • Auth failures
Reliability (15%)
- • Error handling
- • Timeout rate
- • Circuit trips
Service Manifest
interface ServiceManifest {
serviceId: string; // did:service:provider:name:version
name: string;
version: string;
provider: {
did: string;
name: string;
verified: boolean;
};
endpoints: Array<{
url: string;
protocol: 'rest' | 'grpc' | 'graphql' | 'websocket';
region?: string;
fallback?: boolean;
}>;
auth: {
method: 'oauth2' | 'api_key' | 'mtls' | 'workload_identity';
tokenEndpoint?: string;
scopes?: string[];
};
sla: {
availabilityTarget: number; // 99.9%
maxLatencyMs: number; // 500ms
maxErrorRate: number; // 0.1%
};
compliance: {
frameworks: string[]; // ['PCI-DSS', 'SOC2', 'HIPAA']
dataClassification: 'public' | 'internal' | 'confidential' | 'restricted';
auditRequired: boolean;
};
trustRequirements: {
minCallerTrust: number; // 60
minCallerStage: TrustStage; // 'building'
};
signature: string; // Ed25519 of manifest
}Request Signing Headers
// Build canonical string for signing
const canonical = [
method, // "POST"
path, // "/v1/charges"
timestamp, // Unix milliseconds
contentHash, // SHA-256 of body
signedHeaders // "host;content-type;x-tessorium-trace-id"
].join("\n");
// Sign with agent's Ed25519 private key
const signature = Ed25519.sign(canonical, agentPrivateKey);
// Attach headers
headers["X-Tessorium-Timestamp"] = timestamp;
headers["X-Tessorium-Signature"] = base64(signature);
headers["X-Tessorium-Content-Hash"] = contentHash;
headers["X-Tessorium-Signed-Headers"] = "host;content-type;x-tessorium-trace-id";
headers["X-Tessorium-Trace-Id"] = traceId;
headers["X-Tessorium-Deadline"] = deadline;Circuit Breaker States
CLOSED
Normal operation. Requests flow through. Failures tracked.
OPEN
Requests blocked. Failure threshold exceeded. Cooldown active.
HALF-OPEN
Test requests allowed. Success closes circuit. Failure reopens.
Key Characteristics
| Aspect | A2S Implementation |
|---|---|
| Identity | Service DID (did:service:provider:name:version) |
| Discovery | Service registry with search, filtering, health |
| Trust Source | 4-component score (availability, performance, security, reliability) |
| Policy | SPL evaluation + rate limits + data classification |
| Authentication | OAuth2, API key, mTLS, workload identity, JWT |
| Signing | Ed25519 with Tessorium headers (timestamp, trace, deadline) |
| Resilience | Circuit breaker + retry + endpoint failover |
| Validation | Schema + DLP filtering + signature verification |
| Metrics | Invocation tracking, latency percentiles, compliance export |
Agent-to-Resource (A2R)
A2R enables secure agent access to data resources (S3 buckets, databases, files, key-value stores) with comprehensive access control, trust verification, DLP protection, and immutable audit trails. Resources are registered with metadata defining their classification, compliance requirements, and retention policies.
Implementation Status: Complete
Use cases: Customer databases with PII, S3 buckets with PHI, financial records, legal documents, compliance-regulated data, enterprise data lakes, multi-cloud storage with residency requirements.
8-Phase Protocol Flow
(Consumer)
(Gateway)
(Data Store)
// Resource registry lookup
// RBAC/ABAC/PBAC evaluation
// Trust score + stage verification
// DLP, retention, residency, purpose
// Client-side encryption (optional)
// Operation with transformations
// Immutable audit record + ETR
// Access tracking + anomaly detection
Data Classification
PUBLIC
No restrictions, publicly available data
INTERNAL
Internal business data
CONFIDENTIAL
Sensitive data (PII, business secrets)
RESTRICTED
Highly sensitive (PHI, PCI, legal)
Special Data Types
PII
Names, emails, addresses, SSN. Requires 65+ trust, purpose statement.
PHI
Health records (HIPAA). Requires 75+ trust, human approval.
PCI
Payment card data. Requires 75+ trust, human approval.
Access Control Models
RBAC
Role-Based Access Control
- • admin, writer, reader roles
- • Role inheritance
- • Classification limits per role
ABAC
Attribute-Based Access Control
- • Agent attributes (dept, level)
- • Context conditions (time, IP)
- • Resource conditions (tags)
PBAC
Policy-Based (via SPL)
- • SPL policy evaluation
- • Row-level security
- • Field-level auditing
Resource Metadata
interface ResourceMetadata {
resourceId: string; // "res-customer-pii-001"
name: string;
description: string;
type: 's3' | 'database' | 'file' | 'api' | 'key-value' | 'queue';
provider: string; // "aws", "gcp", "postgresql"
// Classification
classification: 'public' | 'internal' | 'confidential' | 'restricted';
specialDataTypes: ('pii' | 'phi' | 'pci' | 'financial' | 'legal' | 'none')[];
allowedOperations: ('read' | 'write' | 'delete' | 'list' | 'query')[];
// Location
location: {
uri: string; // "s3://bucket/path" or connection string
region?: string; // "us-east-1"
provider?: string; // "aws"
};
// Access Control
accessControl: {
model: 'rbac' | 'abac' | 'pbac';
roles?: string[]; // ["writer", "admin"]
policies?: string[]; // SPL policy IDs
};
// Retention
retention: {
policy: string; // "7-years", "standard"
expiresAt?: number;
legalHold?: boolean;
deletionApproval?: boolean;
};
// Data Residency
residency?: {
currentRegion: string;
allowedRegions: string[];
prohibitedRegions?: string[];
};
// Compliance
compliance: string[]; // ["GDPR", "HIPAA", "PCI-DSS"]
// Ownership
ownership: {
owner: string; // Team or individual
team?: string;
steward?: string; // Data steward email
};
tags: Record<string, string>;
schemaVersion: string;
createdAt: number;
updatedAt: number;
}DLP Rules
// Default DLP rules applied to all operations
const DEFAULT_DLP_RULES = [
{
id: 'dlp-ssn',
name: 'Social Security Number',
pattern: '\\b\\d{3}-\\d{2}-\\d{4}\\b',
severity: 'high',
action: 'redact' // Replace with [REDACTED]
},
{
id: 'dlp-credit-card',
name: 'Credit Card Number',
pattern: '\\b(?:4[0-9]{12}(?:[0-9]{3})?|5[1-5][0-9]{14})\\b',
severity: 'critical',
action: 'redact'
},
{
id: 'dlp-api-key',
name: 'API Key',
pattern: '\\b(sk_live_|api_key_)[a-zA-Z0-9]{24,}\\b',
severity: 'critical',
action: 'block' // Block entire operation
},
{
id: 'dlp-aws-key',
name: 'AWS Access Key',
pattern: '\\bAKIA[0-9A-Z]{16}\\b',
severity: 'critical',
action: 'block'
}
];
// External DLP integration
externalDlpWebhook?: string; // POST data to external DLP service
externalDlpApiKey?: string;Immutable Audit Trail
Anomaly Detection
Detected Anomalies
- • bulk_access: >100 accesses/min
- • off_hours: Confidential+ access 10PM-6AM
- • data_exfiltration: >100MB/min
- • high_error_rate: >30% failures
- • privilege_escalation: Repeated restricted denials
Response Actions
- • Log anomaly with evidence
- • Alert security team (SIEM webhook)
- • Rate limit agent
- • Require human approval
- • Temporary access suspension
Key Characteristics
| Aspect | A2R Implementation |
|---|---|
| Identity | Resource ID with classification metadata |
| Discovery | Pluggable registry adapters (AWS Glue, Collibra, custom) |
| Access Control | RBAC, ABAC, PBAC with role inheritance |
| Trust Gating | Classification → trust threshold → stage requirement |
| Policy | DLP, retention, residency, purpose limitation (GDPR) |
| Transformations | Field redaction, masking, row limiting, column exclusion |
| Audit | Signed records, ETR integration, SIEM webhook, compliance export |
| Metrics | Agent profiles, resource stats, latency percentiles, anomaly detection |
Agent-to-API (A2API)
A2API enables secure agent access to external third-party APIs (OpenAI, Anthropic, Stripe, Twilio, etc.) with credential management, rate limiting, cost tracking, and usage analytics.
External API Challenges
- • Credential sprawl across agents
- • No visibility into API costs
- • Rate limit violations cascade
- • No audit trail for API calls
A2API Solution
- • Centralized credential vault
- • Per-agent budget limits
- • Token bucket rate limiting
- • Full request/response audit
Supported Providers
A2API Flow
// INITIATOR
// TARGET
// Agent requests API call
// Verify agent authorization
// Token bucket check
// Call external API with injected credentials
// Usage and cost tracking
// Log to ETR
Cost Management
Budget Limits
Per-agent monthly spend caps with automatic cutoff when exceeded.
Alert Thresholds
Get notified at 50%, 80%, 90% of budget before hitting limits.
Usage Analytics
Track costs by agent, endpoint, and time period.
Key Characteristics
| Aspect | A2API Implementation |
|---|---|
| Credential Storage | Encrypted vault with per-agent access control |
| Rate Limiting | Token bucket algorithm (requests/min, tokens/min) |
| Cost Tracking | Per-request cost calculation with monthly aggregates |
| Retry Logic | Exponential backoff for 429/5xx errors |
| Circuit Breaker | Auto-disable failing APIs to prevent cascade |
| Audit | Full request/response logging to ETR |
DIDs & Identity
TTP uses the did:tessorium method for decentralized, self-sovereign identification of agents, APIs, tools, and skills.
DID Format
did:tessorium:{type}:{identifier}:{version}type: agent | skill | tool | service | publisher
identifier: Unique name (3-64 chars)
version: Version tag (v1, v2, etc.)
| Type | Description | Example |
|---|---|---|
agent | AI agent with autonomous capabilities | did:tessorium:agent:claude-helper:v1 |
skill | Executable code unit (MCP tool, etc.) | did:tessorium:skill:code-review:v2 |
tool | External tool or API wrapper | did:tessorium:tool:github-api:v1 |
service | External API provider | did:tessorium:service:stripe-api:v1 |
publisher | Organization or individual publisher | did:tessorium:publisher:anthropic:v1 |
{
"@context": ["https://www.w3.org/ns/did/v1", "https://tessorium.io/ns/v1"],
"id": "did:tessorium:agent:research-assistant:v1",
"verificationMethod": [{
"id": "did:tessorium:agent:research-assistant:v1#key-1",
"type": "Ed25519VerificationKey2020",
"controller": "did:tessorium:agent:research-assistant:v1",
"publicKeyMultibase": "z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK"
}],
"authentication": ["did:tessorium:agent:research-assistant:v1#key-1"],
"service": [{
"id": "did:tessorium:agent:research-assistant:v1#ttp",
"type": "TTPEndpoint",
"serviceEndpoint": "https://agent.example.com/.well-known/ttp"
}]
}Key Management
Key Rotation: Supported via versioned key IDs (e.g., #key-1, #key-2). Old keys remain valid for verification of historical attestations.
Key Recovery: Enterprise deployments can configure backup key material. For P2P mode, social recovery via trusted peers is supported.
Service Endpoint: For P2P deployments, serviceEndpoint can be a libp2p multiaddress (e.g., /dns4/agent.example.com/tcp/4001/p2p/QmXxx) instead of HTTPS URL.
Challenge-Response Verification
Trust Score
Trust Score = Identity (0-40) + Reputation (0-35) + Behavioral (0-25)Three-component model: cryptographic verification + peer attestations + system-observed behavior
Identity Score (0-40)
- Ed25519 challenge-response
- Binary: 0 or 40 points
- Instant verification
Reputation Score (0-35)
- Peer attestations (A2A)
- Weighted by issuer tier
- Anti-gaming multipliers
Behavioral Score (0-25)
- System-observed metrics
- Policy compliance, uptime
- Enables single-agent trust
Behavioral Score Components
// Constants from src/lib/trust/calculator.ts
const MAX_IDENTITY_SCORE = 40; // Cryptographic verification
const MAX_REPUTATION_SCORE = 35; // Peer attestations
const MAX_BEHAVIORAL_SCORE = 25; // System-observed metrics
function calculateTrustScore(
identityVerified: boolean,
attestations: Attestation[],
behavioralMetrics: BehavioralMetrics
): TrustReport {
// Identity Score (0 or 40): Ed25519 challenge-response
const identityScore = identityVerified ? MAX_IDENTITY_SCORE : 0;
// Reputation Score (0-35): Weighted peer attestations
let reputationScore = 0;
if (attestations.length > 0) {
for (const attestation of attestations) {
const issuerWeight = getIssuerTierWeight(attestation.issuer);
const gamingMultiplier = detectGamingPatterns(attestation);
reputationScore += applyWeights(attestation.rating, issuerWeight, gamingMultiplier);
}
reputationScore = Math.min(reputationScore, MAX_REPUTATION_SCORE);
}
// Behavioral Score (0-25): System-observed metrics
const behavioralScore = calculateBehavioralScore(behavioralMetrics);
// Components: policyCompliance(30%), uptime(20%), errorRate(15%),
// latency(10%), securityEvents(15%), dataPatterns(10%)
const totalScore = identityScore + reputationScore + behavioralScore;
const stage = deriveStageFromScore(totalScore);
// Stages: unverified(0), provisional(40), new(41-55), building(56-74), established(75+)
return { totalScore, identityScore, reputationScore, behavioralScore, stage };
}Attestations
Attestations are signed statements about an agent's trustworthiness, issued after successful interactions.
{
"version": "1.0",
"id": "att_a1b2c3d4e5f6",
"type": "rating",
"subject": "did:tessorium:agent:target-agent:v1",
"issuer": "did:tessorium:agent:rating-agent:v1",
"issuedAt": "2026-02-14T12:00:00Z",
"trust": {
"stage": "established",
"identityVerified": true,
"reputationLevel": "high"
},
"rating": {
"overall": 4,
"dimensions": {
"reliability": 5, // Task completion rate
"quality": 4, // Output accuracy
"speed": 4, // Response latency
"communication": 5, // Protocol adherence
"safety": 5 // No harmful outputs
},
"wouldWorkAgain": true
},
"signature": {
"algorithm": "Ed25519",
"keyId": "did:tessorium:agent:rating-agent:v1#key-1",
"value": "base64url..."
}
}Attestation Weight Tiers
| Issuer Tier | Influence | Description |
|---|---|---|
| institutional | Highest | Tessorium-verified institutional issuer |
| enhanced | Very High | Enhanced verification completed |
| highTrust | High | Established trust stage |
| basic | Above Standard | Basic verification completed |
| standard | Baseline | Building trust stage |
| lowTrust | Reduced | Sybil protection applied |
| provisional | Minimal | Identity verified, no reputation |
| unverified | None | Attestation ignored completely |
Trust Stages
💡 Single agent can reach 65 points (40 identity + 25 behavioral) without peer ratings
| Stage | Score Range | Composition | Access Level |
|---|---|---|---|
| unverified | 0 | No identity verification | Blocked |
| provisional | 40 | Identity only (40 pts) | Limited |
| new | 41-55 | Identity + low rep/behavioral | Cautious |
| building | 56-74 | Identity + medium rep/behavioral | Standard |
| established | 75+ | Identity + high rep + behavioral | Full |
P2P Network Layer
For P2P and Hybrid modes, TTP uses libp2p for decentralized peer discovery and attestation propagation. This layer is optional for Cloud API mode but required for full decentralization.
Enterprise Deployment
| Component | Protocol | Purpose |
|---|---|---|
| Transport | WebSockets + QUIC | Connection establishment |
| Encryption | Noise (XX pattern) | Secure channels |
| Discovery | Kademlia DHT | Peer and data lookup |
| Propagation | GossipSub v1.1 | Attestation broadcasting |
| Identity | Ed25519 PeerId | Node identification |
GossipSub Topics
| Topic | Messages | Rate Limit |
|---|---|---|
/tessorium/attestations/1.0.0 | New attestations | 10/min per peer |
/tessorium/revocations/1.0.0 | Revocation notices | 5/min per peer |
/tessorium/ratings/1.0.0 | Rating updates | 20/min per peer |
/tessorium/consensus/1.0.0 | N-party messages | 50/min per peer |
Security Policy Language (SPL)
SPL is a declarative JSON schema for expressing trust requirements, access control rules, and compliance constraints. Policies are evaluated before every agent action—enabling prevention, not just logging.
Core Structure
{
"version": "1.0.0",
"agentDid": "did:tessorium:agent:example:v1",
"requirements": {
"minTrustScore": 70,
"minTrustStage": "building",
"requiredCapabilities": ["data:read"],
"requireIdentityVerification": true,
"purpose": "customer-support" // GDPR purpose limitation
},
"offers": {
"capabilities": ["data:read", "data:write"],
"rateLimit": { "requests": 100, "windowMs": 60000 }
},
"rules": [
{
"id": "rule-example",
"effect": "allow",
"resources": ["api/v1/data/*"],
"actions": ["read"],
"conditions": {
"trustScore": { "gte": 50 }
}
}
],
"defaultEffect": "deny" // Zero-trust default
}Real-World SPL Examples
The following examples demonstrate SPL policies for common enterprise scenarios across financial services, healthcare, legal, and compliance use cases.
Payment Processing with Human Approval
PCI-DSS compliance, tiered approval thresholds, automatic card data redaction
{
"version": "1.0.0",
"agentDid": "did:tessorium:agent:payment-processor:v1",
"description": "Payment processing with human approval for high-value transactions",
"requirements": {
"minTrustScore": 75,
"minTrustStage": "established",
"requiredCapabilities": ["network:external", "data:financial"],
"requireIdentityVerification": true,
"compliance": ["PCI-DSS", "SOC2"]
},
"offers": {
"capabilities": ["payment:process", "refund:process"],
"rateLimit": { "requests": 60, "windowMs": 60000 }
},
"rules": [
{
"id": "rule-small-payment",
"effect": "allow",
"description": "Auto-approve payments under $1,000 for trusted agents",
"resources": ["api/stripe/v1/charges"],
"actions": ["create"],
"conditions": {
"trustScore": { "gte": 75 },
"request.amount": { "lte": 1000 },
"dataClassification": "financial"
},
"outputTransformations": {
"redact": ["card.number", "cvv"]
}
},
{
"id": "rule-large-payment",
"effect": "allow_with_approval",
"description": "Large payments require human approval",
"resources": ["api/stripe/v1/charges"],
"actions": ["create"],
"conditions": {
"trustScore": { "gte": 80 },
"request.amount": { "gt": 1000, "lte": 50000 }
},
"humanApproval": {
"required": true,
"reason": "Large transaction requires compliance review",
"escalationLevel": 2,
"timeout": 300,
"defaultAction": "deny"
},
"outputTransformations": {
"redact": ["card.number", "cvv"]
}
},
{
"id": "rule-whale-payment",
"effect": "deny",
"description": "Payments over $50,000 must use manual process",
"resources": ["api/stripe/v1/charges"],
"actions": ["create"],
"conditions": {
"request.amount": { "gt": 50000 }
}
}
],
"defaultEffect": "deny"
}Patient Record Access with HIPAA Controls
PHI protection, purpose limitation, business hours enforcement, emergency access with approval
{
"version": "1.0.0",
"agentDid": "did:tessorium:agent:clinical-assistant:v1",
"description": "Patient health records with strict HIPAA controls",
"requirements": {
"minTrustScore": 80,
"minTrustStage": "established",
"requiredCapabilities": ["data:phi"],
"requireIdentityVerification": true,
"purpose": "treatment",
"compliance": ["HIPAA", "HITRUST"]
},
"rules": [
{
"id": "rule-treatment-access",
"effect": "allow",
"description": "Access patient records for treatment during business hours",
"resources": ["fhir/Patient/*", "fhir/Observation/*"],
"actions": ["read", "search"],
"conditions": {
"trustScore": { "gte": 80 },
"dataClassification": "phi",
"timeOfDay": { "between": ["08:00", "18:00"] },
"dayOfWeek": { "not_in": ["Sat", "Sun"] },
"purpose": { "eq": "treatment" }
},
"audit": {
"level": "detailed",
"logPatientId": true,
"logQuery": true
}
},
{
"id": "rule-emergency-access",
"effect": "allow_with_approval",
"description": "After-hours access requires supervisor override",
"resources": ["fhir/Patient/*"],
"actions": ["read"],
"conditions": {
"trustScore": { "gte": 75 },
"timeOfDay": { "not_between": ["08:00", "18:00"] }
},
"humanApproval": {
"required": true,
"reason": "After-hours access requires supervisor override",
"escalationLevel": 2,
"timeout": 900,
"defaultAction": "deny",
"requireJustification": true
},
"audit": {
"level": "detailed",
"alertOnAccess": true
}
},
{
"id": "rule-research-denied",
"effect": "deny",
"description": "Research requires de-identified data only",
"resources": ["fhir/Patient/*"],
"actions": ["read"],
"conditions": {
"purpose": { "eq": "research" }
}
}
],
"outputTransformations": {
"redact": ["patient.ssn", "patient.address.street"],
"mask": ["patient.phone", "patient.email"]
},
"defaultEffect": "deny"
}Document Review with Privilege Protection
Attorney-client privilege, case assignment binding, external sharing prevention
{
"version": "1.0.0",
"agentDid": "did:tessorium:agent:legal-research:v1",
"description": "Legal document review with privilege protection",
"requirements": {
"minTrustScore": 70,
"minTrustStage": "building",
"requiredCapabilities": ["data:confidential"],
"requireIdentityVerification": true,
"purpose": "case-research"
},
"rules": [
{
"id": "rule-case-documents",
"effect": "allow",
"description": "Access documents for assigned cases only",
"resources": ["s3://legal-docs/case-*"],
"actions": ["read"],
"conditions": {
"trustScore": { "gte": 70 },
"agent.assignedCases": { "contains": "{resource.caseId}" },
"dataClassification": "confidential"
}
},
{
"id": "rule-privileged-documents",
"effect": "allow_with_approval",
"description": "Privileged docs require partner approval",
"resources": ["s3://legal-docs/privileged/*"],
"actions": ["read"],
"conditions": {
"trustScore": { "gte": 80 },
"agent.role": { "in": ["associate", "partner"] }
},
"humanApproval": {
"required": true,
"reason": "Privileged document access requires partner review",
"escalationLevel": 3,
"timeout": 3600,
"defaultAction": "deny"
}
},
{
"id": "rule-external-sharing-blocked",
"effect": "deny",
"description": "Prevent external sharing of privileged docs",
"resources": ["s3://legal-docs/*"],
"actions": ["download", "share"],
"conditions": {
"dataClassification": "privileged"
}
}
],
"outputTransformations": {
"watermark": true,
"addFooter": "CONFIDENTIAL - Attorney Work Product"
},
"defaultEffect": "deny"
}EU AI Act Article 14 Human Oversight
High-risk AI decisions, mandatory human approval, bias detection, audit retention
{
"version": "1.0.0",
"agentDid": "did:tessorium:agent:decision-engine:v1",
"description": "High-risk AI decisions requiring human oversight",
"requirements": {
"minTrustScore": 65,
"minTrustStage": "building",
"requireIdentityVerification": true,
"compliance": ["EU-AI-ACT"]
},
"rules": [
{
"id": "rule-low-risk",
"effect": "allow",
"description": "Low-risk decisions proceed automatically",
"resources": ["decisions/*"],
"actions": ["execute"],
"conditions": {
"trustScore": { "gte": 70 },
"riskLevel": { "in": ["low", "medium"] },
"decisionType": { "not_in": ["credit", "hiring", "insurance"] }
}
},
{
"id": "rule-high-risk",
"effect": "allow_with_approval",
"description": "EU AI Act Article 14 requires human oversight",
"resources": ["decisions/*"],
"actions": ["execute"],
"conditions": {
"riskLevel": { "in": ["high", "critical"] },
"decisionType": { "in": ["credit", "hiring", "insurance", "medical"] }
},
"humanApproval": {
"required": true,
"reason": "EU AI Act Article 14 requires human oversight for high-risk AI",
"escalationLevel": 2,
"timeout": 300,
"defaultAction": "deny",
"requireJustification": true,
"requireOperatorId": true
},
"audit": {
"level": "detailed",
"preserveReasoning": true
}
},
{
"id": "rule-bias-block",
"effect": "deny",
"description": "Block decisions with potential discrimination",
"conditions": {
"biasScore": { "gt": 0.3 },
"protectedClass": { "exists": true }
}
}
],
"audit": {
"retainDecisions": "7years",
"includeReasoningTrace": true
},
"defaultEffect": "deny"
}Emergency Kill Switch with Circuit Breaker
Automatic termination on anomalies, rate-based triggers, exfiltration detection
{
"version": "1.0.0",
"agentDid": "did:tessorium:agent:sensitive-access:v1",
"description": "Automatic kill switch on suspicious behavior",
"requirements": {
"minTrustScore": 60,
"requireIdentityVerification": true
},
"rules": [
{
"id": "rule-normal-access",
"effect": "allow",
"resources": ["db:customers/*"],
"actions": ["read"],
"conditions": {
"trustScore": { "gte": 60 },
"request.rate": { "lte": 100 }
}
},
{
"id": "rule-high-volume-warning",
"effect": "warn",
"description": "High-volume access triggers alert",
"resources": ["db:customers/*"],
"actions": ["read"],
"conditions": {
"request.rate": { "gt": 100, "lte": 500 }
}
}
],
"killSwitch": {
"triggers": [
{
"condition": "request.rate > 500",
"reason": "rate_limit_exceeded",
"action": "kill",
"cooldown": 300000
},
{
"condition": "error_rate > 0.3",
"reason": "circuit_breaker_trip",
"action": "kill",
"autoReinstate": false
},
{
"condition": "detected_pattern == 'data_exfiltration'",
"reason": "threat_detected",
"action": "kill",
"requireOperatorApproval": true
}
],
"notify": ["security@company.com", "#security-alerts"]
},
"anomalyDetection": {
"baselinePeriod": "30d",
"thresholdDeviation": 3.0,
"actions": ["log", "alert", "throttle"]
},
"defaultEffect": "deny"
}SPL Quick Reference
Condition Operators
| Operator | Meaning | Example |
|---|---|---|
gte | Greater than or equal | "trustScore": { "gte": 70 } |
lte | Less than or equal | "request.amount": { "lte": 1000 } |
gt | Greater than | "request.amount": { "gt": 1000 } |
lt | Less than | "errorRate": { "lt": 0.05 } |
eq | Equal | "purpose": { "eq": "treatment" } |
in | In array | "dayOfWeek": { "in": ["Mon", "Tue"] } |
not_in | Not in array | "dayOfWeek": { "not_in": ["Sat", "Sun"] } |
between | Between two values | "timeOfDay": { "between": ["09:00", "17:00"] } |
contains | Array contains | "agent.roles": { "contains": "compliance" } |
exists | Field exists | "protectedClass": { "exists": true } |
Effects
| Effect | Description |
|---|---|
| allow | Action permitted |
| deny | Action blocked |
| allow_with_approval | Action requires human approval |
| warn | Action permitted but logged/alerted |
Human Approval Options
"humanApproval": {
"required": true,
"reason": "Compliance review required",
"escalationLevel": 1, // 1=L1, 2=manager, 3=executive
"timeout": 300, // seconds
"defaultAction": "deny",
"requireJustification": true,
"requireOperatorId": true,
"notifyChannels": ["slack", "pagerduty"]
}Output Transformations
"outputTransformations": {
"redact": ["card.number", "cvv"], // Remove completely
"mask": ["email", "phone"], // Show partial (j***@example.com)
"truncate": { "field": "desc", "length": 100 },
"watermark": true,
"addFooter": "CONFIDENTIAL"
}Policy Best Practices
Do
- • Start with
defaultEffect: "deny" - • Use specific resource patterns
- • Include purpose binding (GDPR/HIPAA)
- • Layer policies for defense in depth
- • Test with
effect: "warn"first - • Version your policies semantically
- • Always specify audit level
Avoid
- • Overly broad
*patterns - • Missing rate limits
- • Human approval for routine actions
- • Forgetting output transformations
- • No audit trails for sensitive ops
- • Hardcoding instead of conditions
- • Ignoring kill switch triggers
Policy Negotiation Protocol (PNP)
PNP enables agents to reach agreement on security policies through structured multi-round negotiation.
| Parameter | Value | Description |
|---|---|---|
| Max rounds | 3 | Prevent infinite loops |
| Round timeout | 30 seconds | Force timely responses |
| Session timeout | 90 seconds | Total negotiation limit |
Trust Reasoning Engine (TRE)
TRE combines multiple trust signals with policy evaluation to produce actionable decisions with transparent reasoning chains. It consumes the three-component Trust Score (Identity + Reputation + Behavioral) along with fraud/collusion analysis to determine risk levels.
| Factor | Low Risk Indicators | High Risk Indicators |
|---|---|---|
| Fraud | Diverse raters, varied patterns | Clustered/burst/uniform ratings |
| Collusion | Independent interactions | Reciprocal rings detected |
| Policy | Meets all requirements | Violations found |
| Behavioral | Normal request patterns | Timing/volume anomalies |
Decision Outcomes
| Decision | Risk Zone | Behavior |
|---|---|---|
| ALLOW | Low risk | Proceed with interaction |
| ALLOW + WARN | Medium risk | Proceed with monitoring |
| DENY (soft) | High risk | Block, policy can override |
| DENY (hard) | Critical risk | Block, no override |
Execution Trace Reporter (ETR)
ETR provides tamper-evident audit trails using Merkle trees with RFC 9162 consistency proofs. For regulatory non-repudiation, ETR supports external timestamping via RFC 3161 Time Stamping Authority (TSA) integration.
Proves that a specific entry exists in the Merkle tree at a given index.
{
"proofType": "inclusion",
"leafIndex": 42,
"treeSize": 100,
"hashes": ["sha256:sibling_0...", "sha256:sibling_1...", "sha256:sibling_2..."]
}N-Party Consensus
Multi-agent coordination protocol with Byzantine fault tolerance for scenarios requiring agreement among multiple parties.
n ≥ 3f + 1System tolerates f Byzantine failures with n participants
| Participants (n) | Max Failures (f) | Required Votes | Quorum % |
|---|---|---|---|
3 | 0 | 2 | 67% |
4 | 1 | 3 | 75% |
7 | 2 | 5 | 71% |
10 | 3 | 7 | 70% |
MCP Integration
TTP serves as the security layer for Anthropic's Model Context Protocol (MCP). While MCP solves tool connectivity, it lacks trust verification. TTP fills this gap.
Key Insight: MCP authorization is optional (per spec). Research shows 88% of MCP servers use static secrets, and nearly 2,000 scanned servers lacked authentication. TTP provides the cryptographic identity and trust layer MCP needs.
Integration Architecture
MCP Security Gaps TTP Addresses
| Gap | MCP Status | TTP Solution |
|---|---|---|
| Identity Verification | None | Ed25519 challenge-response |
| Trust Scoring | None | Identity (0-40) + Reputation (0-35) + Behavioral (0-25) |
| Reputation System | None | P2P attestations + anti-gaming |
| Message Signing | None | All messages Ed25519 signed |
| Tool Provenance | None | Publisher chain + content hash |
| Fraud Detection | None | Collusion + burst detection |
Integration Flow
import { TessoriumMCPGateway } from '@tessorium/mcp-gateway';
const gateway = new TessoriumMCPGateway({
tessorium: {
mode: 'hybrid',
agentDid: 'did:tessorium:agent:my-agent:v1',
privateKey: process.env.TTP_PRIVATE_KEY
},
toolTrustRequirements: {
minTrustScore: 50,
requireIntentAttestation: true,
autoApprovalThreshold: 80
}
});
// Wrap MCP server with TTP protection
const protectedServer = gateway.wrapServer(mcpServer);
// Tools below trust threshold are filtered out
// Intent attestation required before execution
// Results recorded to ETR for auditShadow AI Discovery
Enterprise-grade discovery tool for Shadow AI audits. Detects unauthorized AI agents, LLM API usage, MCP servers, and environment credentials across your organization.
Use cases: Security audits, compliance verification, AI inventory management, credential exposure detection, risk assessment.
Scanning Capabilities
| Scanner | Detection Targets | Method |
|---|---|---|
| Process Scanner | Running AI agents, LLM clients | Process enumeration + command line analysis |
| Network Scanner | LLM API connections, MCP servers | Active connection analysis + DNS resolution |
| File Scanner | Agent frameworks, config files | Pattern matching on Python/TypeScript files |
| Environment Scanner | API keys, credentials | Environment variable + .env file analysis |
Detected Patterns
| Category | Patterns Detected |
|---|---|
| LLM Providers | OpenAI, Anthropic, Google AI, Cohere, Azure OpenAI, AWS Bedrock, Ollama, Mistral, Groq, Perplexity |
| Agent Frameworks | LangChain, AutoGPT, CrewAI, Semantic Kernel, LlamaIndex |
| Credential Patterns | OPENAI_API_KEY, ANTHROPIC_API_KEY, GOOGLE_AI_KEY, MISTRAL_API_KEY, etc. |
| MCP Servers | Listening ports, stdio servers, WebSocket connections |
import { ShadowAIScanner, generateReport, exportReportAsMarkdown } from '@/lib/discovery';
// Create scanner with configuration
const scanner = new ShadowAIScanner({
files: {
directories: ['/home/user/projects'],
},
localOnly: true,
});
// Run scan with progress callback
const agents = await scanner.scan((progress) => {
console.log(`${progress.phase}: ${progress.progress}%`);
});
// Generate report
const report = generateReport(agents, scanner.config, scanner.getErrors());
// Export formats: Markdown, HTML, or JSON
const markdown = exportReportAsMarkdown(report);Risk Assessment
| Risk Level | Score Range | Indicators |
|---|---|---|
| Low | 0-30 | TTP-registered, verified publisher, no exposed credentials |
| Medium | 31-60 | Unregistered but documented, limited API access |
| High | 61-80 | Exposed credentials, unknown framework, network access |
| Critical | 81-100 | Sensitive data access, no sandboxing, compliance gaps |
Compliance Frameworks
Reports include compliance gap analysis for major frameworks:
// Quick check for CI/CD pipelines
import { checkForShadowAI } from '@/lib/discovery';
const result = await checkForShadowAI(['.'], 60); // max risk score
if (!result.passed) {
console.error(`Shadow AI check failed: ${result.message}`);
console.error(`Found ${result.highRiskCount} high-risk agents`);
process.exit(1);
}Post-Discovery Enrollment
Gateway Proxy
Zero-code-change deployment for TTP trust verification in LLM API calls. The gateway intercepts requests to OpenAI, Anthropic, Google, and Cohere APIs, verifies agent trust using the TTP network, and forwards requests with TTP headers injected.
Key benefit: Add TTP trust verification to existing agents by simply redirecting OPENAI_API_BASE to the gateway. No code changes required.
<10msVerification overhead (cached trust lookups)
How Trust Verification Works
Deployment Options
Standalone Proxy
Run as a standalone HTTP proxy server. Redirect API base URLs to intercept all traffic.
- • Configurable port and TLS
- • Connection pooling
- • Audit logging
Express/Fastify
Middleware for existing Node.js applications. Integrate into your API layer.
- • Express middleware
- • Fastify plugin
- • Composable pipeline
Next.js
Native Next.js middleware for edge deployment with path-based routing.
- • Edge compatible
- • Path matching
- • Skip paths config
import { createGatewayProxy } from '@tessorium/gateway';
const gateway = createGatewayProxy({
port: 8080,
trust: {
minTrustScore: 60,
minTrustStage: 'new',
failAction: 'block', // or 'log'
},
});
await gateway.start();
// Redirect OpenAI SDK to use gateway
// OPENAI_API_BASE=http://localhost:8080import express from 'express';
import { createTTPMiddleware } from '@tessorium/gateway';
const app = express();
app.use(createTTPMiddleware({
minTrustScore: 50,
failAction: 'block',
}));// middleware.ts
import { createNextTTPMiddleware } from '@tessorium/gateway';
export const middleware = createNextTTPMiddleware({
minTrustScore: 60,
skipPaths: ['/api/health', '/api/public'],
});
export const config = {
matcher: '/api/:path*',
};Interception Rules
| Rule | Match Condition | Action |
|---|---|---|
| Block Unverified | trustStage = unverified | Block with 403 |
| Rate Limit Provisional | trustStage = provisional | Apply 100 req/min limit |
| Log Low Trust | trustScore < 50 | Full request logging |
| Allow Established | trustStage = established, score ≥ 80 | Minimal overhead |
TTP Headers
The gateway injects TTP headers into forwarded requests:
| Header | Description |
|---|---|
X-TTP-Agent-DID | Agent DID extracted from request |
X-TTP-Trust-Score | Verified trust score |
X-TTP-Trust-Stage | Trust stage (established, building, etc.) |
X-TTP-Identity-Verified | Whether identity was cryptographically verified |
X-TTP-Request-ID | Unique request ID for audit correlation |
Human Oversight Layer
EU AI Act Article 14 compliance module providing human oversight, intervention, and control over AI agent decisions. Ensures human operators can review, override, and intervene in AI decision-making processes.
Article 14 Compliance: High-risk AI systems must be designed to allow effective human oversight, including the ability to understand, decide to override, and intervene in the system's operation.
Core Components
Review Triggers
Decisions are automatically queued for human review when the humanOverridable flag is set or when risk thresholds are exceeded. These triggers can be configured in your SPL policy using the effects.requireHumanApproval rule effect:
| Trigger | Condition | Action |
|---|---|---|
| Risk Level | riskLevel ≥ configured minimum | Queue for review |
| Human Overridable | humanOverridable = true | Queue for review |
| Low Confidence | confidence < threshold | Queue for review |
| High-Value Action | Matches escalation rule | Auto-escalate to higher level |
| SPL Policy Rule | Rule has requireHumanApproval effect | Queue for review |
import {
requestReview,
submitDecision,
pauseAgent,
resumeAgent,
registerOperator,
} from '@/lib/oversight';
// Register a human operator
const operator = await registerOperator(
{ name: 'Alice', email: 'alice@example.com' },
['review:basic', 'intervene:pause', 'intervene:resume']
);
// Request human review for a decision
const review = await requestReview(
decisionId,
agentDid,
{
outcome: 'deny',
trustScore: 45,
confidence: 0.65,
reasoning: ['Low trust score']
},
{ action: 'data_access', resource: 'sensitive_file.txt' }
);
// Submit human decision
await submitDecision(
review.id,
operator.id,
'approved',
'Verified agent identity manually'
);
// Or immediately pause an agent
await pauseAgent(agentDid, operator.id, 'Suspicious activity detected');Escalation Levels
| Level | Authority | Timeout Action |
|---|---|---|
| Level 1 | Basic operator | Escalate to Level 2 |
| Level 2 | Senior operator | Escalate to Level 3 |
| Level 3 | Security team | Auto-deny + alert |
Intervention Types
| Intervention | Effect | Recovery |
|---|---|---|
| Pause | Block all agent actions | Resume by operator |
| Restrict | Limit to specific capabilities | Remove restrictions |
| Override | Replace AI decision with human decision | N/A |
| Terminate | Permanent stop (triggers kill switch) | Re-registration required |
Audit Trail
Operator Authentication
Synchronous Kill Switch
Emergency stop system for immediate agent termination. Provides synchronous revocation, circuit breaking, and session termination with strict performance guarantees.
<10msLocal kill effect
<500msNetwork propagation (3-peer quorum)
Kill Reasons
| Reason | Trigger | Auto-Recovery |
|---|---|---|
rate_limit_exceeded | Too many requests in window | After cooldown |
trust_score_critical | Trust score dropped below threshold | After score recovery |
pattern_threat_detected | Malicious pattern matched | Operator approval required |
manual_operator_action | Human operator triggered | Operator approval required |
circuit_breaker_trip | Circuit breaker activated | After cooldown |
security_violation | Security policy breach | Operator approval required |
anomaly_detected | Behavioral anomaly detected | Operator approval required |
revocation_received | TTP network revocation received | Appeal process |
cascade_failure | Dependent agent killed | After dependency recovery |
Emergency Stop Process
import {
emergencyStop,
circuitBreaker,
isAgentKilled,
reinstateAgent
} from '@/lib/guard/kill-switch';
// Configure circuit breaker for an agent
circuitBreaker(agentDid, {
maxRateLimitViolations: 10,
trustScoreThreshold: 20,
cooldownMs: 300000, // 5 minutes
});
// Emergency stop with network propagation
const result = await emergencyStop(agentDid, 'security_violation', {
message: 'Detected unauthorized data access attempt',
operatorId: 'operator-123',
propagateToNetwork: true,
quorum: 3,
timeoutMs: 500,
});
console.log(`Sessions terminated: ${result.sessionsTerminated}`);
console.log(`Requests blocked: ${result.requestsBlocked}`);
console.log(`Network acks: ${result.revocationResult?.ackCount}`);
// Check if agent is killed
if (isAgentKilled(agentDid)) {
console.log('Agent is currently killed');
}
// Reinstate agent (requires operator approval for certain reasons)
await reinstateAgent(agentDid, operatorId);Circuit Breaker Configuration
| Parameter | Default | Description |
|---|---|---|
maxRateLimitViolations | 10 | Violations before trip |
rateLimitWindow | 60000ms | Window for counting violations |
trustScoreThreshold | 20 | Kill if score drops below |
maxFailedRequests | 50 | Failed requests before trip |
cooldownMs | 300000ms | Cooldown before auto-reinstate |
requireOperatorApproval | false | Require human approval to reinstate |
Network Propagation
TTP Integration
kill_switch, reinstatement,circuit_breaker, and cascade_kill. These create an immutable audit trail of all emergency interventions.Immutable Audit Trails
Cryptographically verifiable audit trails with external timestamp verification, built on the Execution Trace Reporter (ETR) protocol component. Supports RFC 3161 Timestamp Authority and DHT-based distributed witnessing for compliance-grade immutability.
Security Guarantees: Cryptographic proof of creation time from trusted third parties. Witnessed traces cannot be modified. Proofs are independently verifiable.
Storage Modes
| Mode | Modifications | Deletions | Use Case |
|---|---|---|---|
| Standard | Allowed on active traces | Allowed | Development, testing |
| Append-Only | Entries append only | Archive only | Production compliance |
| Immutable | None after seal | Archive only | Regulatory requirements |
| Witnessed | None (enforced) | None | Legal evidence grade |
Witness Services
RFC 3161 TSA
Standard timestamp authority protocol. Provides legally recognized timestamps from trusted CAs.
- • DigiCert, Sectigo, GlobalSign
- • SHA-256/384/512 hashing
- • Nonce-based replay protection
DHT Witnessing
Distributed witnessing via P2P network. Multiple independent peers sign the trace.
- • Configurable min confirmations
- • Combined signature proof
- • No central authority
import {
createRFC3161Witness,
getWitnessManager,
witnessTrace
} from '@/lib/trace/witness';
// Register RFC 3161 timestamp authority
const tsa = createRFC3161Witness(
'digicert-tsa',
'http://timestamp.digicert.com',
{ hashAlgorithm: 'sha256' }
);
getWitnessManager().registerWitness(tsa, true);
// Witness a sealed trace
const proof = await witnessTrace(sealedTrace);
// proof contains:
// - timestampToken: Base64 RFC 3161 token
// - witnessedHash: Merkle root that was timestamped
// - timestamp: Verified creation time
// - serviceId: TSA identifierimport { createDHTWitness, getWitnessManager } from '@/lib/trace/witness';
// Register DHT witness service
const dhtWitness = createDHTWitness(
'tessorium-dht',
'dht://witness.tessorium.network',
{ minConfirmations: 3 }
);
getWitnessManager().registerWitness(dhtWitness);
// Witness with multiple services
const proofs = await getWitnessManager().witnessTraceMultiple(trace);
// proofs contains confirmations from all available servicesVerification
| Check | Verified Property | Failure Mode |
|---|---|---|
| Timestamp Verified | Proof contains valid timestamp from TSA | Timestamp token invalid |
| Signature Verified | Witness signature is cryptographically valid | Signature mismatch |
| Hash Matches | Witnessed hash equals trace merkle root | Trace was modified |
| Service Trusted | Witness service is on trusted list | Unknown witness |
Compliance Properties
Compliance Framework Mapping
Immutable audit trails satisfy specific requirements across major compliance frameworks:
| Framework | Requirement | ETR Feature |
|---|---|---|
| SOC 2 | CC7.2 - System monitoring | Real-time trace collection |
| SOC 2 | CC7.4 - Incident response | Kill switch event logging |
| HIPAA | §164.312(b) - Audit controls | Immutable storage modes |
| HIPAA | §164.312(c)(1) - Integrity controls | Merkle tree verification |
| GDPR | Art. 30 - Records of processing | Action type categorization |
| PCI DSS | 10.2 - Audit trail implementation | Entry hashing + signatures |
| PCI DSS | 10.5 - Secure audit trails | RFC 3161 TSA witnessing |
| ISO 27001 | A.12.4 - Logging and monitoring | Comprehensive trace types |
| FedRAMP | AU-9 - Protection of audit info | DHT backup + witnessing |
Delete Operation Removed
delete() operation is disabled. Traces can only be archived, preserving the complete audit history for compliance.Security
Revocation & Appeals
TTP supports tiered revocation authority with a built-in appeals process for fairness.
| Tier | Authority | Scope | Appeal Rights |
|---|---|---|---|
| Tier 1 | Self | Own attestations only | N/A |
| Tier 2 | Publisher | Own skills/tools only | Yes, to Tier 3 |
| Tier 3 | Trusted Authority | Any entity | External process |
| Severity | Default Expiry | Description |
|---|---|---|
| low | 7 days | Minor policy violation |
| medium | 30 days | Repeated violations |
| high | 90 days | Significant breach |
| critical | 365 days | Severe malicious activity |
Threat Model & Mitigations
| Threat | Vector | Mitigation |
|---|---|---|
| Sybil Attack | Create fake identities | Identity verification required; low-trust weight |
| Collusion | Coordinate fake ratings | Diversity analysis; reciprocal detection |
| Replay Attack | Reuse old messages | Nonce tracking; timestamp validation |
| DHT Poisoning | Store malicious data | Schema validation; signature verification |
| DoS | Flood with requests | Rate limiting; LRU eviction |
Anti-Gaming Measures
Multi-dimensional fraud analysis detects rating manipulation patterns:
| Detection | Trigger | Action | Description |
|---|---|---|---|
| Low diversity | Below threshold | Weight reduction | Ratings from small peer set |
| Reciprocal ratings | Above threshold | Weight reduction | Mutual rating clusters |
| Burst ratings | Exceeds limit | Rate limited | Sudden rating spikes |
| New account | Below age limit | Weight reduction | Age-based Sybil protection |
| Perfect scores | Above uniformity | Fraud flag | Unrealistic uniformity |
| Account clustering | Pattern detected | Investigation | Similar creation times |
Fraud Analysis
Rate Limiting
Per-peer rate limiting with LRU eviction prevents DoS attacks:
| Resource | Limit | Window | Recovery |
|---|---|---|---|
| Attestation publish | 10 msgs | 60 sec | Automatic |
| Revocation publish | 5 msgs | 60 sec | Automatic |
| DHT PUT | 100 ops | 60 sec | Automatic |
| Message nonces | 10,000 entries | LRU | Eviction |
| Rate limiter entries | 10,000 peers | LRU | Eviction |
Message Validation
| Check | Requirement | Action on Failure |
|---|---|---|
| Timestamp (past) | < 5 minutes old | Reject as stale |
| Timestamp (future) | < 1 minute ahead | Reject as invalid |
| Nonce uniqueness | Not seen before | Reject as replay |
| Signature | Valid Ed25519 | Reject as unsigned |
Cryptographic Suite
| Component | Algorithm | Standard |
|---|---|---|
| Digital Signatures | Ed25519 | RFC 8032 |
| Key Exchange | X25519 | RFC 7748 |
| Hashing | SHA-256 | FIPS 180-4 |
| Canonicalization | JCS | RFC 8785 |
| Encoding | Base64url | RFC 4648 |
API Reference
Core Protocol Endpoints
| Method | Endpoint | Description |
|---|---|---|
GET | /v1/trust/{did} | Get trust score for a DID |
POST | /v1/verify | Verify identity via challenge-response |
POST | /v1/ratings | Submit a new rating (creates attestation) |
GET | /v1/ratings/{did} | Get ratings for a DID |
POST | /v1/sessions/{id}/negotiate | Start policy negotiation |
GET | /v1/audit/traces | Get execution traces |
Trust Lookup Response
The trust lookup endpoint returns the three-component trust score breakdown (Identity + Reputation + Behavioral = Total), enabling transparent trust decisions:
{
"did": "did:tessorium:agent:example:v1",
"trustScore": 78,
"trustStage": "established",
"identityVerified": true,
"identityScore": 40,
"reputationScore": 28,
"behavioralScore": 10,
"verificationMethod": "challenge-response",
"attestationCount": 15,
"cachedAt": "2026-02-14T12:00:00Z",
"expiresAt": "2026-02-14T12:05:00Z"
}Score breakdown: Identity (40/40) + Reputation (28/35) + Behavioral (10/25) = 78/100
Service Layer Endpoints
Additional endpoints for enterprise service features:
| Method | Endpoint | Description |
|---|---|---|
POST | /v1/oversight/reviews | Submit decision for human review |
GET | /v1/oversight/reviews | Get pending review queue |
POST | /v1/agents/{did}/kill | Trigger emergency kill switch |
GET | /v1/revocations | List revocations |
POST | /v1/appeals | Submit appeal for revocation |
Rate Limits
Full API Documentation