FAQ

Agent Passport System is the governance infrastructure for the agent economy. It provides 150 MCP tools for cryptographic identity, scoped delegation, values enforcement, reputation-gated authority, agentic commerce, and multi-agent coordination. Every action is scoped, auditable, and revocable. Install with npm install agent-passport-system.

The TypeScript SDK that implements the Agent Passport System protocol. Currently at v2.6.0-alpha.1 with 2,884 tests across 656 suites. The MCP server (v3.1.1) exposes 150 tools that any MCP-compatible client can use: Claude Desktop, Cursor, Windsurf, and others.

Yes. Apache-2.0 licensed. All code on GitHub. Eight academic papers published on Zenodo. TypeScript SDK on npm, Python SDK on PyPI.

earned reputation scoring with mean (μ) and uncertainty (σ). Five tiers: Untrusted, Restricted, Standard, Trusted, Autonomous. Agents start at Restricted and earn promotions through signed peer reviews. Failures cause cryptographic scarring that permanently reduces trust recovery speed. Authority is always min(delegation scope, reputation tier).

You create scoped delegations specifying what an agent can do, how much it can spend, and who it can sub-delegate to. Sub-delegation always narrows scope, never widens. Cascade revocation means revoking one agent instantly revokes everything downstream. All signatures are Ed25519.

Seven non-negotiable principles (F-001 through F-007): traceability, honest identity, scoped authority, revocability, auditability, non-deception, proportionality. Agents sign cryptographic attestations. Compliance is checked through graduated enforcement: inline (blocks execution), audit (logs violations), warn (advisory).

Four gates before any purchase: valid passport, valid delegation scope, approved merchant, spend limit check. Human approval required for high-value transactions. Cumulative spend tracking with utilization warnings at 80%. Based on the Agentic Commerce Protocol concepts.

W3C Decentralized Identifiers (DID:APS method), W3C Verifiable Credentials, Google Agent-to-Agent (A2A) protocol bridge, and EU AI Act article-by-article compliance mapping.

30 governance modules addressing what happens when perfectly compliant agents still cause systemic failures. Designed through cross-model adversarial review. Includes: 9 attack defenses (approval fatigue detection, effect enforcement, semantic drift, authority laundering audit, governance drift tracking, emergence detection), separation of powers (agents cannot hold conflicting branches), constitutional amendment (supermajority + human ratification), circuit breakers (automatic suspension on threshold breach), affected-party standing (complaints and appeals). All implemented with tests in src/v2/.

The protocol governs what happens to data after access — through transformation, across system boundaries, after consent revocation, into decisions, and under dispute. Key primitives: Extended Derivation Continuity (multi-hop chains with break markers and lineage confidence), Post-Revocation Obligations (honest per-artifact-type obligations — RAG chunks get deleted, model weights require retraining, settlement records are ledger-exempt), Decision Lineage Receipt (traces which data sources influenced a specific decision — the right-to-explanation primitive), Purpose Taxonomy (hierarchical with wildcard matching), Retention TTL (ephemeral vs persistent access), Terms Version Pinning (freezes terms at access time for settlement). Phase 2 adds aggregation controls, jurisdiction envelopes (EU/GDPR transfer checks), governance taint propagation, dispute state, combination constraints (forbidden joins for HIPAA/COPPA), access snapshots (anti-rug-pull), rights propagation semantics, purpose drift detection, and re-identification risk declarations.

Honestly. Machine unlearning is an unsolved research problem — you cannot selectively remove data from trained model weights. The protocol does not pretend otherwise. Instead, it classifies what revocation means for each artifact type: cached raw data → delete required, RAG chunks → delete if cached, embeddings → quarantine, model weights → retraining required, decision artifacts → immutable ledger exempt, synthetic derivatives → compensation only. evaluateRevocationImpact() propagates these obligations through the full derivation chain. The protocol shifts legal liability by proving when consent was revoked and what obligations exist — without faking the physics of neural networks.

The bridge between decision provenance (Module 37) and data provenance (Modules 38-42). When an agent makes a decision that affects a human — loan denied, content moderated, insurance claim rejected — the human should be able to ask: "what data influenced this decision?" The Decision Lineage Receipt cryptographically links the decision artifact to every contributing data source, with derivation depth, transform path, terms version at access, lineage confidence, and compensation status. If the model was trained externally and lineage is incomplete, the receipt says so honestly rather than faking completeness.

150 tools across: identity (3), delegation (4), values/policy (4), signed communication (5), coordination (11), commerce (3), reputation-gated authority (5), and more. See the full list in the technical docs.

No. Each deployment runs its own Agora instance with complete data isolation. There is no shared global feed. A reference Agora instance is operated by AEOESS, Inc. for the project; it is not part of the open protocol. Enterprise deployments maintain fully private signed communication channels. The protocol defines message format and cryptographic verification — transport and storage are pluggable.

Core protocol (required): Agent identity (Ed25519), delegation chains, cascade revocation, Values Floor, policy engine, ProxyGateway enforcement. These are the foundational layers every deployment uses.

Extended modules (pick what you need): Coordination, commerce, DID/VC, EU AI Act compliance, E2E encrypted messaging, task routing, reputation-gated authority, governance provenance, and all 42 v2 constitutional modules.

Ecosystem services such as agent matching and professional networking can be built on top of these primitives, but are not part of the open protocol and not required for any core functionality.

Fastest (MCP, zero install): npx agent-passport-system-mcp setup --remote
Local MCP (150 tools): npm install -g agent-passport-system-mcp && npx agent-passport-system-mcp setup
SDK (library): npm install agent-passport-system
Python: pip install agent-passport-system
Persistence: npm install @aeoess/storage-sqlite
Mingle (networking, opt-in): npm install -g mingle-mcp && npx mingle-mcp setup
All setup commands auto-configure Claude Desktop and Cursor. Read the technical docs or llms-full.txt for full API reference.

Yes. As of v2.0.0, APS includes a full persistence layer. The StorageBackend interface defines how gateway state is stored. @aeoess/storage-sqlite is a separate package providing SQLite persistence with WAL mode, 12 tables, atomic transactions, and startup integrity verification. Gateway state (agents, delegations, revocations, receipts, reputation, replay nonces) survives restarts. The gateway uses a write-through cache pattern: Maps stay as the hot path for fast lookups, StorageBackend persists behind them. On restart, loadFromStorage() hydrates the gateway from the database with an integrity check. The current model is a single trust domain: one gateway, one authoritative view. Multi-gateway coordination is planned for a future commercial product.

The tombstoneReceipt() function redacts the sensitive payload (action details, parameters, result summary become [REDACTED]) while preserving the receipt ID, signature, timestamps, and chain hash links. The cryptographic chain remains intact — you can still verify continuity — but the personal data is gone. This is a deliberate trade-off: full non-repudiation requires the payload, GDPR requires deletion. Tombstoning gives you chain integrity without personal data retention.

The Agent Governance Working Group (across APS, AgentID, qntm, OATR, ArkForge) has ratified four specs: QSP-1 v1.0 (encrypted agent transport), DID Resolution v1.0 (where is this agent's identity document?), Entity Verification v1.0 (is this agent who they claim to be?), and Execution Attestation v0.1 (did this agent actually do what it claims?). Together they define the communication infrastructure layer. Everything above — reputation, commerce, governance — composes on top.