The SWT3 Trust Mesh Protocol defines how autonomous AI agents establish, verify, and enforce mutual trust before exchanging data, invoking tools, or delegating tasks. It is the authentication and authorization layer for agent-to-agent communication in regulated and unregulated environments.
The protocol operates independently of the SWT3 compliance witnessing pipeline. Compliance witnessing generates the evidence. The Trust Mesh consumes that evidence to make real-time trust decisions.
The Trust Mesh answers three questions:
The Trust Mesh defines five trust levels. Each level is a strict superset of the level below it.
Trust levels are evaluated locally by the verifying agent. The protocol does not require a central authority for level assignment. However, the evidence backing each level (anchors, signatures, hardware attestation) is verified against a trusted ledger.
A Trust Credential is the unit of identity exchange between agents. It contains evidence sufficient for the receiving agent to evaluate trust level.
| Field | Type | Required | Description |
|---|---|---|---|
agentId | string | yes | Unique agent identifier |
tenantId | string | yes | Tenant/organization scope |
anchorFingerprint | string | yes | Most recent SWT3 anchor fingerprint |
anchorTimestampMs | integer | yes | Epoch milliseconds of anchor mint |
isSigned | boolean | no | Whether payload signing is enabled |
procedures | string[] | no | Witnessed procedure IDs |
clearingLevel | integer | no | Data clearing level (0-3) |
hasHardwareAttestation | boolean | no | AI-HW.1 attestation present |
hasGuardrails | boolean | no | Active guardrail count > 0 |
credentialSignature | string | no | HMAC-SHA256 hex of credential |
All fields except credentialSignature are included in the signature computation. Boolean fields default to false if absent.
Credentials are signed using HMAC-SHA256 to prevent forgery, field tampering, and trust level escalation. The signing formula is locked for cross-language parity.
Procedures are sorted alphabetically and joined by comma. The message is a colon-delimited string:
{agentId}:{tenantId}:{anchorFingerprint}:{anchorTimestampMs}:{isSigned?1:0}:{hasHardwareAttestation?1:0}:{hasGuardrails?1:0}:{clearingLevel}:{sortedProcedures}
HMAC-SHA256(message, signingKey) -> hex string
The receiving agent reconstructs the message from the credential fields and computes the HMAC using the counterpart's registered signing key. Comparison is constant-time to prevent timing attacks.
ML-DSA-65 (FIPS 204) post-quantum signing is available as an alternative to HMAC-SHA256 via the signing_algorithm: ml-dsa-65 configuration option in .swt3.yaml. This provides quantum-resistant credential signatures for deployments requiring long-term cryptographic assurance. The digest_algorithm field is a separate option that controls hash function selection (SHA-256 only in this version).
| Condition | Maximum Level |
|---|---|
| Unsigned credential | BASIC (level 1) |
| Signed, no registered key | DENIED |
| Signed, invalid signature | DENIED |
This prevents self-elevation. An agent cannot claim ATTESTED status without a verifiable signature.
When Agent A wants to interact with Agent B:
| Code | Meaning | Source |
|---|---|---|
deny_listed | Agent or tenant is explicitly blocked | Local registry |
tenant_not_trusted | Tenant is not in the trust registry | Local registry |
anchor_expired | Anchor is older than the freshness window | Local verification |
timestamp_future | Anchor timestamp is more than 60 seconds in the future | Local verification |
signature_missing | Policy requires signing, none present | Local verification |
signature_invalid | HMAC does not match registered key | Local verification |
signature_unverifiable | No key registered for this agent | Local verification |
insufficient_procedures | Required procedures not covered | Local verification |
insufficient_trust_level | Evaluated trust level is below the registry's minimum threshold | Local verification |
rate_limited | Agent exceeded failure rate limit (sliding window) | Local registry |
anchor_not_found | No anchor in the ledger for this agent | Network verification (reserved) |
anchor_revoked | Anchor has been revoked (AI-REV.1) | Network verification (reserved) |
The first 10 codes are emitted by the local verifyCredential function. The last 2 (anchor_not_found, anchor_revoked) are reserved for network-level ledger verification and are not emitted by the local SDK.
Same-tenant agents trust each other by default. Cross-tenant trust requires explicit registration.
Agent B's registry adds Agent A's tenant as trusted:
registry.trustTenant("TENANT_A")
For finer control, trust a specific agent within a tenant:
registry.trustAgent("TENANT_A", "agent-007")
For signed credentials, Agent B registers Agent A's signing key:
registry.registerSigningKey("agent-007", sharedKey)
Deny lists take precedence over trust lists. A denied agent cannot be trusted regardless of tenant status.
For long-running agent sessions, a single anchor may not be sufficient. The chain verifier validates a sequence of anchors over time.
The verifier queries anchors by agent_id or cycle_id, sorted by epoch. The query path prioritizes speed:
| Path | Latency | Source |
|---|---|---|
| Fast path | Sub-millisecond | Redis in-memory index |
| Cold path | Variable | PostgreSQL ledger (authoritative) |
For each anchor in the chain:
Consecutive anchors must be within max_chain_gap_seconds of each other. Gaps indicate periods where the agent was unwitnessed. Default maximum gap: 60 seconds.
The chain verification returns a structured result including: validity status, anchor count, detected temporal gaps, revoked anchor fingerprints, and density policy violations.
The density policy engine enforces minimum attestation standards for agents interacting through the Trust Mesh.
| Rule | Default | Description |
|---|---|---|
min_anchors_per_1000_tokens | 1 | Minimum witness density |
required_providers | [] | Required infrastructure providers |
max_chain_gap_seconds | 60 | Maximum gap between consecutive anchors |
require_signing_key | false | HMAC required on every anchor |
min_trust_level | 1 (BASIC) | Floor for tool execution |
Any policy violation results in tool execution denial. The chain verifier mints an AI-TRUST.1 FAIL anchor recording the denial.
Key attestation binds a public key to an anchor fingerprint with an HMAC proof, allowing agents to prove possession of a signing key tied to a specific compliance state.
| Field | Type | Description |
|---|---|---|
agentId | string | Agent presenting the key |
publicKey | string | Public key being attested |
anchorFingerprint | string | Anchor binding the key to a compliance state |
keyPurpose | string | signing, encryption, or delegation |
timestampMs | integer | Epoch milliseconds of attestation |
attestationSignature | string | HMAC-SHA256 proof |
The verifier reconstructs the attestation message and validates the HMAC against the agent's registered signing key. Freshness is enforced: attestations older than the freshness window are rejected.
signing keys are used for credential and anchor signing. encryption keys protect data in transit between agents. delegation keys authorize sub-agent spawning (AI-DEL.1).
Challenge-response liveness proves an agent possesses its signing key at the moment of interaction, preventing credential relay attacks where a valid credential is forwarded by a compromised intermediary.
Liveness verification is optional and adds one round-trip of latency. It is recommended for: cross-tenant interactions at ATTESTED or SOVEREIGN trust levels, delegation chain establishment (AI-DEL.1), and any interaction where credential relay is a credible threat.
Agents and anchors can be revoked at any time through three mechanisms.
An AI-REV.1 anchor is minted targeting the revoked anchor's fingerprint. Seven reason codes are defined:
| Code | Reason |
|---|---|
| 0 | Unspecified |
| 1 | Model recall |
| 2 | Policy violation |
| 3 | Data contamination |
| 4 | Consent withdrawal |
| 5 | Regulatory order |
| 6 | Error correction |
Agents and entire tenants can be added to the deny list at runtime. Denial is immediate within the local registry.
Cross-tenant revocation propagation uses a defense-in-depth approach with three mechanisms at decreasing latency:
| Mechanism | Latency | Description |
|---|---|---|
| Direct notification | Seconds | Active push to all trusted tenants (Section 12.4) |
| Cache refresh | Minutes | Revocation discovered at next verification attempt |
| Freshness window | Hours | Stale credentials rejected automatically |
Any one mechanism is sufficient to prevent a revoked agent from maintaining access indefinitely. All three operate independently.
When an AI-REV.1 anchor is minted, the revoking agent SHOULD notify all tenants in its local trust registry that have an active trust relationship with the revoked agent or its tenant. The notification mechanism is transport-agnostic: HTTP webhooks, message queues, event streams, or any reliable delivery channel.
The notification payload contains: revocation type (anchor, agent, or tenant), the revoked identifier, reason code, the AI-REV.1 anchor fingerprint as proof, and the revoking tenant. If a signing key is registered with the receiving party, the payload SHOULD be signed using the same HMAC pattern as credential signing.
Notifications are fire-and-forget. Delivery failure does not block local revocation. The freshness window remains the ultimate backstop.
When implemented, revocation notifications SHOULD produce a three-anchor evidence chain:
| Anchor | Who Mints It | What It Proves |
|---|---|---|
AI-REV.1 | Revoking party | The revocation occurred |
AI-TRUST.1 | Revoking party | Affected parties were notified (Factor A: tenants notified, Factor B: delivered successfully) |
AI-TRUST.2 | Receiving party | Notification was received and applied (Factor B: 1 if applied, 0 if deferred) |
This evidence chain is independently verifiable by any auditor, Notified Body, or C3PAO without access to the notification transport or either party's internal systems. Under EU AI Act Art. 9, notification of affected parties is a risk mitigation measure; the anchor chain is the evidence.
applyRevocationEvent for local revocation processing and onDenyEvent for notification callbacks. Automatic minting of the AI-TRUST.1/AI-TRUST.2 notification anchors is the responsibility of the integrating application.| Property | Guarantee |
|---|---|
| No Self-Elevation | Unsigned credentials are capped at BASIC. An agent cannot claim a higher trust level without a verifiable HMAC signature. |
| No Cross-Tenant Spoofing | Tenant trust is verified before agent trust. An agent cannot present credentials claiming a different tenant without that tenant's signing key. |
| Tamper Detection | All credential fields (including booleans) are included in the HMAC computation. Modifying any field invalidates the signature. |
| Constant-Time Comparison | Signature verification uses constant-time string comparison to prevent timing side-channel attacks. |
| Replay Resistance | Anchor freshness checks (anchorTimestampMs within window) prevent replay of stale credentials. Default window: 24 hours. |
| Key Isolation | Signing keys are registered per-agent, not per-tenant. Compromise of one agent's key does not affect other agents in the same tenant. |
| Post-Quantum Resistance | ML-DSA-65 (FIPS 204) signing option ensures credential integrity against quantum-capable adversaries. Configurable per-deployment without protocol changes. |
| Liveness Proof | Challenge-response liveness (Section 11) prevents credential relay attacks by proving live key possession within a 5-second window. |
| Revocation Non-Repudiation | Revocation notifications are themselves witnessed (Section 12.5), creating cryptographic proof that affected parties were notified and acted on the revocation. Neither party can deny participation. |
The TrustRegistry exposes configuration methods beyond the core trust/deny operations documented in Section 7. These control verification behavior at the registry level.
| Method | Default | Description |
|---|---|---|
setFreshnessWindow(ms) | 86400000 (24h) | Maximum age for anchor timestamps before rejection |
setRequireSignature(bool) | false | Force signature requirement on all credentials |
setMinTrustLevel(level) | 1 (BASIC) | Minimum trust level for any interaction |
setRequiredProcedures(ids[]) | [] | Procedure IDs that must appear in credential |
setRateLimit(config) | disabled | Sliding-window failure rate limiting per agent |
setPerLevelFreshness(map) | global window | Per-trust-level freshness windows (stricter for higher levels) |
setRequireIntraTenantSigning(bool) | false | Disable same-tenant auto-trust; require signature even within tenant |
setVerifyBooleanClaims(bool) | false | Validate boolean claims (hasHardwareAttestation, hasGuardrails) against procedure list |
onDenyEvent(callback) | none | Register listener for denial notifications (revocation propagation) |
applyRevocationEvent(event) | n/a | Process external revocation event (adds to deny sets) |
Python equivalents use snake_case: set_freshness_window, set_require_signature, etc. All methods are available in both TypeScript and Python implementations.
| Component | Language | Package |
|---|---|---|
| TrustRegistry + Key Attestation + Liveness | TypeScript | @tenova/swt3-ai |
| TrustRegistry + Key Attestation + Liveness | Python | swt3-ai |
| Chain Verifier | TypeScript | @tenova/swt3-mcp |
| Density Policy Engine | TypeScript | @tenova/swt3-mcp |
| Credential Signing (HMAC + ML-DSA-65) | TypeScript | @tenova/swt3-ai |
| Credential Signing (HMAC + ML-DSA-65) | Python | swt3-ai |
All implementations maintain cross-language parity on the credential signing formula and trust level evaluation logic.
The SWT3 SDK is available in 7 languages (Python, TypeScript, Rust, C#, Ruby, Swift, MCP), but the Trust Mesh (TrustRegistry, credential exchange, liveness) is currently implemented in Python and TypeScript only. The remaining languages provide core witnessing primitives (fingerprint, signing, types) without Trust Mesh capabilities.
Install:
pip install swt3-ai # Python npm install @tenova/swt3-ai # TypeScript
The Trust Mesh consumes anchors minted by the SWT3 witnessing pipeline. It does not require the full witnessing pipeline to operate; only the anchor fingerprint and metadata are needed.
The Trust Mesh integrates with MCP via the @tenova/swt3-mcp server. Tool execution is gated by chain verification and density policy. Any MCP server can adopt the Trust Mesh by verifying credentials before processing tool calls.
The Trust Mesh provides evidence for Article 9 (risk management), Article 13 (transparency), and Article 15 (accuracy and robustness). Trust levels map to the risk-based approach: BASIC for minimal-risk agents, ATTESTED for high-risk, SOVEREIGN for critical infrastructure.
Trust levels align with the Govern and Measure functions. Credential exchange supports the Map function (understanding AI system context). Chain verification supports Manage (monitoring and response).