The SWT3 Trust Mesh Protocol defines how autonomous AI agents establish, verify, and enforce mutual trust before exchanging data, invoking tools, or delegating tasks. It is the authentication and authorization layer for agent-to-agent communication in regulated and unregulated environments.
The protocol operates independently of the SWT3 compliance witnessing pipeline. Compliance witnessing generates the evidence. The Trust Mesh consumes that evidence to make real-time trust decisions.
The Trust Mesh answers three questions:
The Trust Mesh defines five trust levels. Each level is a strict superset of the level below it.
Trust levels are evaluated locally by the verifying agent. The protocol does not require a central authority for level assignment. However, the evidence backing each level (anchors, signatures, hardware attestation) is verified against a trusted ledger.
A Trust Credential is the unit of identity exchange between agents. It contains evidence sufficient for the receiving agent to evaluate trust level.
| Field | Type | Required | Description |
|---|---|---|---|
agentId | string | yes | Unique agent identifier |
tenantId | string | yes | Tenant/organization scope |
anchorFingerprint | string | yes | Most recent SWT3 anchor fingerprint |
anchorTimestampMs | integer | yes | Epoch milliseconds of anchor mint |
isSigned | boolean | no | Whether payload signing is enabled |
procedures | string[] | no | Witnessed procedure IDs |
clearingLevel | integer | no | Data clearing level (0-3) |
hasHardwareAttestation | boolean | no | AI-HW.1 attestation present |
hasGuardrails | boolean | no | Active guardrail count > 0 |
credentialSignature | string | no | HMAC-SHA256 hex of credential |
All fields except credentialSignature are included in the signature computation. Boolean fields default to false if absent.
Credentials are signed using HMAC-SHA256 to prevent forgery, field tampering, and trust level escalation. The signing formula is locked for cross-language parity.
Procedures are sorted alphabetically and joined by comma. The message is a colon-delimited string:
{agentId}:{tenantId}:{anchorFingerprint}:{anchorTimestampMs}:{isSigned?1:0}:{hasHardwareAttestation?1:0}:{hasGuardrails?1:0}:{clearingLevel}:{sortedProcedures}
HMAC-SHA256(message, signingKey) -> hex string
The receiving agent reconstructs the message from the credential fields and computes the HMAC using the counterpart's registered signing key. Comparison is constant-time to prevent timing attacks.
| Condition | Maximum Level |
|---|---|
| Unsigned credential | BASIC (level 1) |
| Signed, no registered key | DENIED |
| Signed, invalid signature | DENIED |
This prevents self-elevation. An agent cannot claim ATTESTED status without a verifiable signature.
When Agent A wants to interact with Agent B:
| Code | Meaning |
|---|---|
anchor_not_found | No anchor in the ledger for this agent |
anchor_expired | Anchor is older than the freshness window |
anchor_revoked | Anchor has been revoked (AI-REV.1) |
signature_missing | Policy requires signing, none present |
signature_invalid | HMAC does not match registered key |
signature_unverifiable | No key registered for this agent |
tenant_not_trusted | Tenant is not in the trust registry |
deny_listed | Agent or tenant is explicitly blocked |
insufficient_procedures | Required procedures not covered |
Same-tenant agents trust each other by default. Cross-tenant trust requires explicit registration.
Agent B's registry adds Agent A's tenant as trusted:
registry.trustTenant("TENANT_A")
For finer control, trust a specific agent within a tenant:
registry.trustAgent("TENANT_A", "agent-007")
For signed credentials, Agent B registers Agent A's signing key:
registry.registerSigningKey("agent-007", sharedKey)
Deny lists take precedence over trust lists. A denied agent cannot be trusted regardless of tenant status.
For long-running agent sessions, a single anchor may not be sufficient. The chain verifier validates a sequence of anchors over time.
The verifier queries anchors by agent_id or cycle_id, sorted by epoch. The query path prioritizes speed:
| Path | Latency | Source |
|---|---|---|
| Fast path | Sub-millisecond | Redis in-memory index |
| Cold path | Variable | PostgreSQL ledger (authoritative) |
For each anchor in the chain:
Consecutive anchors must be within max_chain_gap_seconds of each other. Gaps indicate periods where the agent was unwitnessed. Default maximum gap: 60 seconds.
The chain verification returns a structured result including: validity status, anchor count, detected temporal gaps, revoked anchor fingerprints, and density policy violations.
The density policy engine enforces minimum attestation standards for agents interacting through the Trust Mesh.
| Rule | Default | Description |
|---|---|---|
min_anchors_per_1000_tokens | 1 | Minimum witness density |
required_providers | [] | Required infrastructure providers |
max_chain_gap_seconds | 60 | Maximum gap between consecutive anchors |
require_signing_key | false | HMAC required on every anchor |
min_trust_level | 1 (BASIC) | Floor for tool execution |
Any policy violation results in tool execution denial. The chain verifier mints an AI-TRUST.1 FAIL anchor recording the denial.
Agents and anchors can be revoked at any time through three mechanisms.
An AI-REV.1 anchor is minted targeting the revoked anchor's fingerprint. Seven reason codes are defined:
| Code | Reason |
|---|---|
| 0 | Unspecified |
| 1 | Model recall |
| 2 | Policy violation |
| 3 | Data contamination |
| 4 | Consent withdrawal |
| 5 | Regulatory order |
| 6 | Error correction |
Agents and entire tenants can be added to the deny list at runtime. Denial is immediate within the local registry.
Cross-tenant revocation requires the revoking party to notify affected counterparts. The protocol does not define a broadcast mechanism; this is left to the deployment topology.
| Property | Guarantee |
|---|---|
| No Self-Elevation | Unsigned credentials are capped at BASIC. An agent cannot claim a higher trust level without a verifiable HMAC signature. |
| No Cross-Tenant Spoofing | Tenant trust is verified before agent trust. An agent cannot present credentials claiming a different tenant without that tenant's signing key. |
| Tamper Detection | All credential fields (including booleans) are included in the HMAC computation. Modifying any field invalidates the signature. |
| Constant-Time Comparison | Signature verification uses constant-time string comparison to prevent timing side-channel attacks. |
| Replay Resistance | Anchor freshness checks (anchorTimestampMs within window) prevent replay of stale credentials. Default window: 24 hours. |
| Key Isolation | Signing keys are registered per-agent, not per-tenant. Compromise of one agent's key does not affect other agents in the same tenant. |
| Component | Language | Package |
|---|---|---|
| TrustRegistry | TypeScript | @tenova/swt3-ai |
| TrustRegistry | Python | swt3-ai |
| Chain Verifier | TypeScript | @tenova/swt3-mcp |
| Density Policy Engine | TypeScript | @tenova/swt3-mcp |
| Credential Signing | TypeScript | @tenova/swt3-ai |
| Credential Signing | Python | swt3-ai |
All implementations maintain cross-language parity on the credential signing formula and trust level evaluation logic.
Install:
pip install swt3-ai # Python npm install @tenova/swt3-ai # TypeScript
The Trust Mesh consumes anchors minted by the SWT3 witnessing pipeline. It does not require the full witnessing pipeline to operate; only the anchor fingerprint and metadata are needed.
The Trust Mesh integrates with MCP via the @tenova/swt3-mcp server. Tool execution is gated by chain verification and density policy. Any MCP server can adopt the Trust Mesh by verifying credentials before processing tool calls.
The Trust Mesh provides evidence for Article 9 (risk management), Article 13 (transparency), and Article 15 (accuracy and robustness). Trust levels map to the risk-based approach: BASIC for minimal-risk agents, ATTESTED for high-risk, SOVEREIGN for critical infrastructure.
Trust levels align with the Govern and Measure functions. Credential exchange supports the Map function (understanding AI system context). Chain verification supports Manage (monitoring and response).