1. Purpose

The SWT3 Trust Mesh Protocol defines how autonomous AI agents establish, verify, and enforce mutual trust before exchanging data, invoking tools, or delegating tasks. It is the authentication and authorization layer for agent-to-agent communication in regulated and unregulated environments.

The protocol operates independently of the SWT3 compliance witnessing pipeline. Compliance witnessing generates the evidence. The Trust Mesh consumes that evidence to make real-time trust decisions.

The Trust Mesh answers three questions:

  1. Who is this agent?
  2. Has this agent been attested?
  3. Should I allow this agent to act?

2. Trust Levels

The Trust Mesh defines five trust levels. Each level is a strict superset of the level below it.

Level 0 -- DENIED
Agent is explicitly blocked. All interactions refused. Causes: deny list match, revocation (AI-REV.1), policy violation.
Level 1 -- BASIC
Agent exists and presents a credential. No verification beyond format validity. This is the maximum level for unsigned credentials. Minimum requirement: valid agent_id and tenant_id.
Level 2 -- VERIFIED
Agent has recent anchors in a trusted ledger. Credential is HMAC-signed and signature has been verified against a registered key. Minimum requirement: HMAC signature + fresh anchor (within window).
Level 3 -- ATTESTED
Agent has HMAC-signed anchors, active guardrails, and hardware attestation (AI-HW.1). The physical execution environment is known. Minimum requirement: VERIFIED + guardrails + hardware attestation.
Level 4 -- SOVEREIGN
Agent has full procedure coverage, clearing level 2 or higher, and all ATTESTED requirements. Reserved for agents in classified or high-assurance environments. Minimum requirement: ATTESTED + clearing level >= 2.

Trust levels are evaluated locally by the verifying agent. The protocol does not require a central authority for level assignment. However, the evidence backing each level (anchors, signatures, hardware attestation) is verified against a trusted ledger.

3. Credential Format

A Trust Credential is the unit of identity exchange between agents. It contains evidence sufficient for the receiving agent to evaluate trust level.

FieldTypeRequiredDescription
agentIdstringyesUnique agent identifier
tenantIdstringyesTenant/organization scope
anchorFingerprintstringyesMost recent SWT3 anchor fingerprint
anchorTimestampMsintegeryesEpoch milliseconds of anchor mint
isSignedbooleannoWhether payload signing is enabled
proceduresstring[]noWitnessed procedure IDs
clearingLevelintegernoData clearing level (0-3)
hasHardwareAttestationbooleannoAI-HW.1 attestation present
hasGuardrailsbooleannoActive guardrail count > 0
credentialSignaturestringnoHMAC-SHA256 hex of credential

All fields except credentialSignature are included in the signature computation. Boolean fields default to false if absent.

4. Credential Signing

Credentials are signed using HMAC-SHA256 to prevent forgery, field tampering, and trust level escalation. The signing formula is locked for cross-language parity.

4.1 Signature Message Construction

Procedures are sorted alphabetically and joined by comma. The message is a colon-delimited string:

{agentId}:{tenantId}:{anchorFingerprint}:{anchorTimestampMs}:{isSigned?1:0}:{hasHardwareAttestation?1:0}:{hasGuardrails?1:0}:{clearingLevel}:{sortedProcedures}

4.2 Signature Computation

HMAC-SHA256(message, signingKey) -> hex string

4.3 Verification

The receiving agent reconstructs the message from the credential fields and computes the HMAC using the counterpart's registered signing key. Comparison is constant-time to prevent timing attacks.

4.4 Post-Quantum Signing

ML-DSA-65 (FIPS 204) post-quantum signing is available as an alternative to HMAC-SHA256 via the signing_algorithm: ml-dsa-65 configuration option in .swt3.yaml. This provides quantum-resistant credential signatures for deployments requiring long-term cryptographic assurance. The digest_algorithm field is a separate option that controls hash function selection (SHA-256 only in this version).

4.5 Trust Level Capping

ConditionMaximum Level
Unsigned credentialBASIC (level 1)
Signed, no registered keyDENIED
Signed, invalid signatureDENIED

This prevents self-elevation. An agent cannot claim ATTESTED status without a verifiable signature.

5. Verification Flow

When Agent A wants to interact with Agent B:

1
PRESENT
Agent A constructs a TrustCredential from its most recent anchor and sends it to Agent B.
2
EVALUATE
Agent B runs the credential through its TrustRegistry: deny list check, tenant trust, anchor freshness, signature presence, signature validity, and procedure coverage.
3
LEVEL ASSIGNMENT
If all checks pass, Agent B evaluates the trust level based on signing status, hardware attestation, guardrails, and clearing level.
4
DECIDE
Agent B compares the assigned trust level against its minimum requirement. If the level meets the threshold, the interaction proceeds. If not, the request is denied.
5
RECIPROCATE (optional)
Agent B presents its own credential to Agent A for mutual verification. Mutual trust is recommended for sensitive operations.

6. Denial Codes

CodeMeaningSource
deny_listedAgent or tenant is explicitly blockedLocal registry
tenant_not_trustedTenant is not in the trust registryLocal registry
anchor_expiredAnchor is older than the freshness windowLocal verification
timestamp_futureAnchor timestamp is more than 60 seconds in the futureLocal verification
signature_missingPolicy requires signing, none presentLocal verification
signature_invalidHMAC does not match registered keyLocal verification
signature_unverifiableNo key registered for this agentLocal verification
insufficient_proceduresRequired procedures not coveredLocal verification
insufficient_trust_levelEvaluated trust level is below the registry's minimum thresholdLocal verification
rate_limitedAgent exceeded failure rate limit (sliding window)Local registry
anchor_not_foundNo anchor in the ledger for this agentNetwork verification (reserved)
anchor_revokedAnchor has been revoked (AI-REV.1)Network verification (reserved)

The first 10 codes are emitted by the local verifyCredential function. The last 2 (anchor_not_found, anchor_revoked) are reserved for network-level ledger verification and are not emitted by the local SDK.

7. Cross-Tenant Trust

Same-tenant agents trust each other by default. Cross-tenant trust requires explicit registration.

7.1 Tenant Trust

Agent B's registry adds Agent A's tenant as trusted:

registry.trustTenant("TENANT_A")

7.2 Agent Trust

For finer control, trust a specific agent within a tenant:

registry.trustAgent("TENANT_A", "agent-007")

7.3 Key Exchange

For signed credentials, Agent B registers Agent A's signing key:

registry.registerSigningKey("agent-007", sharedKey)

7.4 Deny Override

Deny lists take precedence over trust lists. A denied agent cannot be trusted regardless of tenant status.

Cross-tenant trust is the foundation of multi-organization agent networks. The Trust Mesh does not require a central trust authority. Each agent maintains its own registry. Trust is bilateral, not hierarchical.

8. Anchor Chain Verification

For long-running agent sessions, a single anchor may not be sufficient. The chain verifier validates a sequence of anchors over time.

8.1 Chain Query

The verifier queries anchors by agent_id or cycle_id, sorted by epoch. The query path prioritizes speed:

PathLatencySource
Fast pathSub-millisecondRedis in-memory index
Cold pathVariablePostgreSQL ledger (authoritative)

8.2 Chain Checks

For each anchor in the chain:

8.3 Gap Detection

Consecutive anchors must be within max_chain_gap_seconds of each other. Gaps indicate periods where the agent was unwitnessed. Default maximum gap: 60 seconds.

8.4 Chain Result

The chain verification returns a structured result including: validity status, anchor count, detected temporal gaps, revoked anchor fingerprints, and density policy violations.

9. Density Policy

The density policy engine enforces minimum attestation standards for agents interacting through the Trust Mesh.

RuleDefaultDescription
min_anchors_per_1000_tokens1Minimum witness density
required_providers[]Required infrastructure providers
max_chain_gap_seconds60Maximum gap between consecutive anchors
require_signing_keyfalseHMAC required on every anchor
min_trust_level1 (BASIC)Floor for tool execution

Any policy violation results in tool execution denial. The chain verifier mints an AI-TRUST.1 FAIL anchor recording the denial.

10. Key Attestation

Key attestation binds a public key to an anchor fingerprint with an HMAC proof, allowing agents to prove possession of a signing key tied to a specific compliance state.

10.1 Attestation Structure

FieldTypeDescription
agentIdstringAgent presenting the key
publicKeystringPublic key being attested
anchorFingerprintstringAnchor binding the key to a compliance state
keyPurposestringsigning, encryption, or delegation
timestampMsintegerEpoch milliseconds of attestation
attestationSignaturestringHMAC-SHA256 proof

10.2 Verification

The verifier reconstructs the attestation message and validates the HMAC against the agent's registered signing key. Freshness is enforced: attestations older than the freshness window are rejected.

10.3 Key Purposes

signing keys are used for credential and anchor signing. encryption keys protect data in transit between agents. delegation keys authorize sub-agent spawning (AI-DEL.1).

11. Challenge-Response Liveness

Challenge-response liveness proves an agent possesses its signing key at the moment of interaction, preventing credential relay attacks where a valid credential is forwarded by a compromised intermediary.

11.1 Flow

1
CHALLENGE
Verifier generates a random nonce and sends it to the presenting agent with a deadline (default: 5 seconds).
2
RESPOND
Agent signs the nonce with its signing key and returns the HMAC.
3
VERIFY
Verifier checks the HMAC against the registered key and confirms the response arrived within the deadline.

11.2 When to Use

Liveness verification is optional and adds one round-trip of latency. It is recommended for: cross-tenant interactions at ATTESTED or SOVEREIGN trust levels, delegation chain establishment (AI-DEL.1), and any interaction where credential relay is a credible threat.

12. Revocation

Agents and anchors can be revoked at any time through three mechanisms.

12.1 Anchor Revocation

An AI-REV.1 anchor is minted targeting the revoked anchor's fingerprint. Seven reason codes are defined:

CodeReason
0Unspecified
1Model recall
2Policy violation
3Data contamination
4Consent withdrawal
5Regulatory order
6Error correction

12.2 Agent and Tenant Denial

Agents and entire tenants can be added to the deny list at runtime. Denial is immediate within the local registry.

12.3 Revocation Propagation

Cross-tenant revocation propagation uses a defense-in-depth approach with three mechanisms at decreasing latency:

MechanismLatencyDescription
Direct notificationSecondsActive push to all trusted tenants (Section 12.4)
Cache refreshMinutesRevocation discovered at next verification attempt
Freshness windowHoursStale credentials rejected automatically

Any one mechanism is sufficient to prevent a revoked agent from maintaining access indefinitely. All three operate independently.

12.4 Revocation Notification (RECOMMENDED)

When an AI-REV.1 anchor is minted, the revoking agent SHOULD notify all tenants in its local trust registry that have an active trust relationship with the revoked agent or its tenant. The notification mechanism is transport-agnostic: HTTP webhooks, message queues, event streams, or any reliable delivery channel.

The notification payload contains: revocation type (anchor, agent, or tenant), the revoked identifier, reason code, the AI-REV.1 anchor fingerprint as proof, and the revoking tenant. If a signing key is registered with the receiving party, the payload SHOULD be signed using the same HMAC pattern as credential signing.

Notifications are fire-and-forget. Delivery failure does not block local revocation. The freshness window remains the ultimate backstop.

12.5 Notification Witnessing (RECOMMENDED)

When implemented, revocation notifications SHOULD produce a three-anchor evidence chain:

AnchorWho Mints ItWhat It Proves
AI-REV.1Revoking partyThe revocation occurred
AI-TRUST.1Revoking partyAffected parties were notified (Factor A: tenants notified, Factor B: delivered successfully)
AI-TRUST.2Receiving partyNotification was received and applied (Factor B: 1 if applied, 0 if deferred)

This evidence chain is independently verifiable by any auditor, Notified Body, or C3PAO without access to the notification transport or either party's internal systems. Under EU AI Act Art. 9, notification of affected parties is a risk mitigation measure; the anchor chain is the evidence.

Sections 12.4 and 12.5 describe the recommended protocol-level behavior. The SDK provides applyRevocationEvent for local revocation processing and onDenyEvent for notification callbacks. Automatic minting of the AI-TRUST.1/AI-TRUST.2 notification anchors is the responsibility of the integrating application.

13. Security Properties

PropertyGuarantee
No Self-ElevationUnsigned credentials are capped at BASIC. An agent cannot claim a higher trust level without a verifiable HMAC signature.
No Cross-Tenant SpoofingTenant trust is verified before agent trust. An agent cannot present credentials claiming a different tenant without that tenant's signing key.
Tamper DetectionAll credential fields (including booleans) are included in the HMAC computation. Modifying any field invalidates the signature.
Constant-Time ComparisonSignature verification uses constant-time string comparison to prevent timing side-channel attacks.
Replay ResistanceAnchor freshness checks (anchorTimestampMs within window) prevent replay of stale credentials. Default window: 24 hours.
Key IsolationSigning keys are registered per-agent, not per-tenant. Compromise of one agent's key does not affect other agents in the same tenant.
Post-Quantum ResistanceML-DSA-65 (FIPS 204) signing option ensures credential integrity against quantum-capable adversaries. Configurable per-deployment without protocol changes.
Liveness ProofChallenge-response liveness (Section 11) prevents credential relay attacks by proving live key possession within a 5-second window.
Revocation Non-RepudiationRevocation notifications are themselves witnessed (Section 12.5), creating cryptographic proof that affected parties were notified and acted on the revocation. Neither party can deny participation.

14. Registry Configuration

The TrustRegistry exposes configuration methods beyond the core trust/deny operations documented in Section 7. These control verification behavior at the registry level.

MethodDefaultDescription
setFreshnessWindow(ms)86400000 (24h)Maximum age for anchor timestamps before rejection
setRequireSignature(bool)falseForce signature requirement on all credentials
setMinTrustLevel(level)1 (BASIC)Minimum trust level for any interaction
setRequiredProcedures(ids[])[]Procedure IDs that must appear in credential
setRateLimit(config)disabledSliding-window failure rate limiting per agent
setPerLevelFreshness(map)global windowPer-trust-level freshness windows (stricter for higher levels)
setRequireIntraTenantSigning(bool)falseDisable same-tenant auto-trust; require signature even within tenant
setVerifyBooleanClaims(bool)falseValidate boolean claims (hasHardwareAttestation, hasGuardrails) against procedure list
onDenyEvent(callback)noneRegister listener for denial notifications (revocation propagation)
applyRevocationEvent(event)n/aProcess external revocation event (adds to deny sets)

Python equivalents use snake_case: set_freshness_window, set_require_signature, etc. All methods are available in both TypeScript and Python implementations.

15. Implementations

ComponentLanguagePackage
TrustRegistry + Key Attestation + LivenessTypeScript@tenova/swt3-ai
TrustRegistry + Key Attestation + LivenessPythonswt3-ai
Chain VerifierTypeScript@tenova/swt3-mcp
Density Policy EngineTypeScript@tenova/swt3-mcp
Credential Signing (HMAC + ML-DSA-65)TypeScript@tenova/swt3-ai
Credential Signing (HMAC + ML-DSA-65)Pythonswt3-ai

All implementations maintain cross-language parity on the credential signing formula and trust level evaluation logic.

The SWT3 SDK is available in 7 languages (Python, TypeScript, Rust, C#, Ruby, Swift, MCP), but the Trust Mesh (TrustRegistry, credential exchange, liveness) is currently implemented in Python and TypeScript only. The remaining languages provide core witnessing primitives (fingerprint, signing, types) without Trust Mesh capabilities.

Install:

pip install swt3-ai          # Python
npm install @tenova/swt3-ai  # TypeScript

16. Relationship to Other Standards

SWT3 Spec v1.0

The Trust Mesh consumes anchors minted by the SWT3 witnessing pipeline. It does not require the full witnessing pipeline to operate; only the anchor fingerprint and metadata are needed.

Model Context Protocol (MCP)

The Trust Mesh integrates with MCP via the @tenova/swt3-mcp server. Tool execution is gated by chain verification and density policy. Any MCP server can adopt the Trust Mesh by verifying credentials before processing tool calls.

EU AI Act (Regulation 2024/1689)

The Trust Mesh provides evidence for Article 9 (risk management), Article 13 (transparency), and Article 15 (accuracy and robustness). Trust levels map to the risk-based approach: BASIC for minimal-risk agents, ATTESTED for high-risk, SOVEREIGN for critical infrastructure.

NIST AI RMF

Trust levels align with the Govern and Measure functions. Credential exchange supports the Map function (understanding AI system context). Chain verification supports Manage (monitoring and response).

This guide is provided for informational purposes only and does not constitute legal, regulatory, or compliance advice. Regulatory mappings and crosswalk interpretations reflect the publisher's analysis and may not address all obligations applicable to your organization. Consult qualified legal counsel before making compliance decisions based on this content.