Mutual compliance verification between AI agents. 4 lines to start. Zero infrastructure sharing required.
Audience: Platform engineers, AI developers, and DevOps teams integrating multi-agent systems. Assumes familiarity with the SWT3 AI Witness SDK. No specific framework required.
Modern AI systems are not single models. They are networks of agents: a classifier passes output to a summarizer, which invokes a tool, which queries a retrieval system. Each handoff is an opportunity for contamination, policy drift, or unauthorized access.
Today, most multi-agent systems operate on implicit trust. Agent A calls Agent B because someone configured a URL. There is no verification that Agent B has active guardrails, fresh compliance attestations, or valid signing credentials. If Agent B is compromised, stale, or misconfigured, Agent A has no way to know.
The SWT3 Trust Mesh solves this by adding mutual verification at every handoff. Before two agents exchange data, invoke tools, or share context, each presents a cryptographic credential proving its compliance posture. The receiving agent verifies the credential locally, with zero network calls and zero shared infrastructure. Trust is earned, not assumed.
The simplest Trust Mesh integration requires four lines. One agent presents a credential; the other verifies it.
TypeScript
import { TrustRegistry, verifyCredential, signCredential } from "@tenova/swt3-ai"; // Agent B creates a registry and trusts Agent A's tenant const registry = new TrustRegistry(); registry.trustTenant("acme-prod"); // Agent A presents its credential const credential = { agentId: "agent-classifier", tenantId: "acme-prod", anchorFingerprint: "a1b2c3d4e5f6", anchorTimestampMs: Date.now(), procedures: ["AI-INF.1", "AI-GRD.1"], }; // Agent B verifies const result = verifyCredential(registry, credential); console.log(result.granted); // true console.log(result.trustLevel); // 1 (BASIC)
Python
from swt3_ai import TrustRegistry, TrustCredential import time # Agent B creates a registry and trusts Agent A's tenant registry = TrustRegistry() registry.trust_tenant("acme-prod") # Agent A presents its credential credential = TrustCredential( agent_id="agent-classifier", tenant_id="acme-prod", anchor_fingerprint="a1b2c3d4e5f6", anchor_timestamp_ms=int(time.time() * 1000), procedures=["AI-INF.1", "AI-GRD.1"], ) # Agent B verifies result = registry.verify(credential) print(result.granted) # True print(result.trust_level) # 1 (BASIC)
That is a working trust verification. Agent B now knows that Agent A claims membership in the acme-prod tenant with active attestations for inference provenance and guardrail enforcement. The credential was verified locally with no network calls.
Trust Mesh assigns a numeric trust level (0-4) based on the evidence an agent provides. Higher levels require progressively stronger proof.
| Level | Name | What It Means | How to Earn It |
|---|---|---|---|
| 0 | DENIED | Verification failed. Do not proceed. | Automatic when any check fails (expired anchor, wrong tenant, deny-listed agent). |
| 1 | BASIC | Identity claimed but not proven. | Present a valid credential from a trusted tenant. No signature required. |
| 2 | VERIFIED | Identity proven via cryptographic signature. | Sign the credential with a registered HMAC-SHA256 key. |
| 3 | ATTESTED | Identity proven with hardware or key attestation backing. | VERIFIED + hardware attestation flag or bound key attestation. |
| 4 | SOVEREIGN | Maximum assurance. Identity, signing, hardware, and guardrails all verified. | ATTESTED + active guardrails confirmed. |
The progression is additive. Each level includes all the checks from the level below it. You choose the minimum trust level for your use case. A data analytics pipeline might accept BASIC. A financial decisioning agent should require VERIFIED or higher.
Unsigned credentials cap at BASIC because anyone can claim to be any agent. Signing proves the credential was created by someone who possesses the shared secret.
TypeScript
import { TrustRegistry, signCredential, verifyCredential } from "@tenova/swt3-ai"; // Both sides share this key (distribute via secrets manager) const SHARED_KEY = "your-256-bit-shared-secret"; // Agent A signs its credential const credential = { agentId: "agent-classifier", tenantId: "acme-prod", anchorFingerprint: "a1b2c3d4e5f6", anchorTimestampMs: Date.now(), isSigned: true, procedures: ["AI-INF.1", "AI-GRD.1"], }; credential.credentialSignature = signCredential(credential, SHARED_KEY); // Agent B registers the key and verifies const registry = new TrustRegistry(); registry.trustTenant("acme-prod"); registry.registerSigningKey("agent-classifier", SHARED_KEY); registry.setRequireSignature(true); const result = verifyCredential(registry, credential); console.log(result.trustLevel); // 2 (VERIFIED)
Python
from swt3_ai import TrustRegistry, TrustCredential from swt3_ai.trust import sign_credential import time SHARED_KEY = "your-256-bit-shared-secret" # Agent A signs its credential credential = TrustCredential( agent_id="agent-classifier", tenant_id="acme-prod", anchor_fingerprint="a1b2c3d4e5f6", anchor_timestamp_ms=int(time.time() * 1000), is_signed=True, procedures=["AI-INF.1", "AI-GRD.1"], ) credential.credential_signature = sign_credential(credential, SHARED_KEY) # Agent B registers the key and verifies registry = TrustRegistry() registry.trust_tenant("acme-prod") registry.register_signing_key("agent-classifier", SHARED_KEY) registry.set_require_signature(True) result = registry.verify(credential) print(result.trust_level) # 2 (VERIFIED)
The signature is HMAC-SHA256 over a canonical message that includes the agent ID, tenant, fingerprint, timestamp, and procedure list. Constant-time comparison prevents timing attacks. The key never leaves your secrets manager.
Every Trust Mesh setting can be declared in a .swt3.yaml file at your project root. This makes trust policy auditable, version-controlled, and consistent across environments.
# .swt3.yaml - minimal trust mesh
trust_mesh:
mode: permissive
trusted_tenants:
- acme-prod
# .swt3.yaml - production hardened trust_mesh: mode: strict min_trust_level: 2 require_signature: true freshness_window: 86400 # 24 hours require_intra_tenant_signing: true verify_boolean_claims: true rate_limit_max_failures: 10 rate_limit_window_seconds: 60 per_level_freshness: sovereign: 300 # 5 minutes for SOVEREIGN attested: 3600 # 1 hour for ATTESTED verified: 86400 # 24 hours for VERIFIED trusted_tenants: - acme-prod - partner-org trusted_agents: - tenant: acme-prod agent: agent-classifier deny_agents: - compromised-agent-id required_procedures: - AI-INF.1 - AI-GRD.1 signing_keys: - agent: agent-classifier key: ${CLASSIFIER_SIGNING_KEY}
The SDK loads this configuration automatically via loadFullConfig(). Environment variable interpolation (the ${...} syntax) is supported for signing keys so secrets stay out of version control.
| Field | Default | Purpose |
|---|---|---|
mode | permissive | strict blocks on failure, permissive logs warnings, monitor records only |
min_trust_level | 1 | Minimum acceptable trust level (0-4) |
require_signature | false | Reject unsigned credentials |
freshness_window | 86400 | Maximum anchor age in seconds |
require_intra_tenant_signing | false | Require signatures even for same-tenant agents |
verify_boolean_claims | false | Downgrade if claimed procedures are missing |
rate_limit_max_failures | 0 (off) | Max failed verifications before auto-deny |
per_level_freshness | null | Stricter freshness for higher trust levels |
Key attestation binds a signing key to a specific SWT3 anchor. This proves the key was registered while the agent had a valid compliance posture. If the anchor expires or is revoked, the key attestation becomes invalid.
TypeScript
import { generateKeyAttestation, verifyKeyAttestation } from "@tenova/swt3-ai"; // Agent generates attestation binding its key to an anchor const attestation = generateKeyAttestation({ agentId: "agent-classifier", tenantId: "acme-prod", anchorFingerprint: "a1b2c3d4e5f6", publicKeyHash: "sha256-of-public-key", keyPurpose: "signing", signingKey: SHARED_KEY, }); // Verifier checks the attestation const valid = verifyKeyAttestation(attestation, SHARED_KEY); console.log(valid); // true
Python
from swt3_ai.trust import generate_key_attestation, verify_key_attestation attestation = generate_key_attestation( agent_id="agent-classifier", tenant_id="acme-prod", anchor_fingerprint="a1b2c3d4e5f6", public_key_hash="sha256-of-public-key", key_purpose="signing", signing_key=SHARED_KEY, ) valid = verify_key_attestation(attestation, SHARED_KEY) print(valid) # True
Key purposes include signing, encryption, and delegation. The attestation includes a timestamp, and isKeyAttestationFresh() / is_key_attestation_fresh() checks whether the bound anchor is still within the freshness window.
A signed credential proves the key was valid when the credential was created. But what if the key was compromised after that? Challenge-response liveness proves the agent possesses its key right now.
TypeScript
import { generateChallenge, respondToChallenge, verifyLivenessResponse } from "@tenova/swt3-ai"; // Verifier generates a challenge const challenge = generateChallenge("agent-classifier"); // Agent responds by signing the nonce with its key const response = respondToChallenge(challenge, SHARED_KEY); // Verifier validates the response const valid = verifyLivenessResponse(challenge, response, SHARED_KEY); console.log(valid); // true
Python
from swt3_ai.trust import generate_challenge, respond_to_challenge, verify_liveness_response # Verifier generates a challenge challenge = generate_challenge("agent-classifier") # Agent responds by signing the nonce response = respond_to_challenge(challenge, SHARED_KEY) # Verifier validates valid = verify_liveness_response(challenge, response, SHARED_KEY) print(valid) # True
The challenge contains a cryptographically random nonce and a timestamp. Responses expire after 30 seconds by default. This defeats credential replay attacks at the ATTESTED and SOVEREIGN trust levels.
Trust Mesh ships with seven opt-in hardening layers. All are disabled by default so existing integrations work unchanged.
| Layer | Config Key | What It Does |
|---|---|---|
| Intra-Tenant Signing | require_intra_tenant_signing | Requires signatures even for agents within the same tenant. Prevents lateral movement if one agent is compromised. |
| Rate Limiting | rate_limit_max_failures | Sliding-window limiter. After N failed verifications from the same source, auto-denies further attempts. |
| Per-Level Freshness | per_level_freshness | Higher trust levels require fresher anchors. SOVEREIGN agents need 5-minute anchors. BASIC can be 24 hours old. |
| Boolean Claim Verification | verify_boolean_claims | If an agent claims hardware attestation or guardrails but lacks the supporting procedures, trust level is capped at BASIC. |
| Deny Lists | deny_agents / deny_tenants | Explicit blocklist. Denied agents receive TRUST_DENIED (0) immediately. Supports programmatic propagation via onDenyEvent(). |
| Key Attestation | See Section 6 | Binds signing keys to compliance anchors. Key validity is tied to anchor freshness. |
| Challenge-Response | See Section 7 | Proves live key possession. Defeats replay attacks and detects compromised agents. |
Enable layers progressively based on your threat model. A startup with three agents does not need the same hardening as a bank running 200 agents across four cloud providers.
An orchestrator dispatches work to specialist agents. Before sending data, the orchestrator verifies each specialist.
// Orchestrator verifies each specialist before dispatch for (const agent of specialists) { const result = verifyCredential(registry, agent.credential); if (!result.granted) { console.log(`Skipping ${agent.id}: ${result.denialReason}`); continue; } dispatch(agent, task); }
An agent must prove compliance before executing a sensitive tool (database write, API call, file operation).
# Gate tool execution on trust level result = registry.verify(caller_credential) if result.trust_level < TRUST_VERIFIED: raise PermissionError("Tool execution requires VERIFIED trust level") execute_tool(tool_name, params)
Two organizations share agents. Each trusts the other's tenant but requires signed credentials.
// Organization A trusts Organization B registry.trustTenant("org-b-tenant"); registry.setRequireSignature(true); registry.setMinTrustLevel(2); // VERIFIED minimum // Organization B's agent presents a signed credential const result = verifyCredential(registry, orgBCredential); // Trust level 2+ only if signature is valid
Trust Mesh is designed for incremental adoption. You do not need to implement everything at once.
require_signature: true. Trust level jumps from BASIC to VERIFIED.For the full protocol specification including the canonical credential message format, denial code reference, and security properties, see the Trust Mesh Protocol Reference.