SSL for AI Agents
The trust, identity, and governance layer for production AI agent systems
Identity Β· Trust Β· Reward Β· Governance
β If this project helps you, please star it! It helps others discover AgentMesh.
π Part of the Agent Governance Ecosystem β Works with Agent OS (kernel), Agent Hypervisor (runtime), and Agent SRE (reliability)
π¦ Install the full stack:
pip install ai-agent-governance[full]β PyPI | GitHub
Quick Start β’ MCP Proxy β’ Examples β’ Agent OS β’ Agent Hypervisor
| Tests Passing | Framework Integrations | Combined Stars of Integrated Projects |
Protocol Bridges (A2A Β· MCP Β· IATP Β· AI Card) |
Full Governance Pipeline |
| Framework | Stars | Status | What We Ship |
|---|---|---|---|
| Dify | 65K β | β Merged | Trust verification plugin in Dify Marketplace |
| LlamaIndex | 47K β | β Merged | TrustedAgentWorker + TrustGatedQueryEngine |
| Microsoft Agent-Lightning | 15K β | β Merged | Governance kernel for RL training safety |
| LangGraph | 24K β | π¦ PyPI | Trust-scored state transitions |
| OpenAI Agents SDK | β | π¦ PyPI | Tool-level governance guardrails |
| Haystack | 22K β | π In Review | GovernancePolicyChecker + TrustGate components |
AgentMesh is "SSL for AI Agents" β the trust and identity layer that makes multi-agent systems enterprise-ready. Every agent gets a cryptographic identity. Every interaction is verified. Every action is audited.
AgentMesh is the first platform purpose-built for the Governed Agent Mesh β the cloud-native, multi-vendor network of AI agents that will define enterprise operations.
The protocols exist (A2A, MCP, IATP). The agents are shipping. The trust layer does not. AgentMesh fills that gap.
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AGENTMESH ARCHITECTURE β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β LAYER 4 β Reward & Learning Engine β
β β Per-agent trust scores Β· Behavioral rewards Β· Adaptive β
βββββββββββββΌββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β LAYER 3 β Governance & Compliance Plane β
β β Policy engine Β· EU AI Act / SOC2 / HIPAA Β· Audit logs β
βββββββββββββΌββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β LAYER 2 β Trust & Protocol Bridge β
β β A2A Β· MCP Β· IATP Β· Protocol translation Β· Capability scoping β
βββββββββββββΌββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ€
β LAYER 1 β Identity & Zero-Trust Core β
β β Agent CA Β· Ephemeral creds Β· SPIFFE/SVID Β· Human sponsors β
βββββββββββββ΄ββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
- 40:1 to 100:1 β Non-human identities now outnumber human identities in enterprises
- AI agents are the fastest-growing, least-governed identity category
- A2A gives agents a common language. MCP gives agents tools. Neither enforces trust.
AgentMesh provides:
| Capability | Description |
|---|---|
| Agent Identity | First-class identity with human sponsor accountability |
| Ephemeral Credentials | 15-minute TTL by default, auto-rotation |
| Protocol Bridge | Native A2A, MCP, IATP with unified trust model |
| Reward Engine | Continuous behavioral scoring |
| Compliance Automation | EU AI Act, SOC 2, HIPAA, GDPR mapping |
sequenceDiagram
participant Agent
participant CLI as AgentMesh CLI
participant CA as Certificate Authority
participant Registry as Agent Registry
Agent->>CLI: agentmesh init --name my-agent --sponsor alice@company.com
CLI->>CA: Request Ed25519 keypair & DID
CA-->>CLI: did:mesh:my-agent + signed certificate
CLI->>Agent: Write identity to local config
Agent->>CLI: agentmesh register
CLI->>Registry: Register DID + capabilities + sponsor
Registry-->>CLI: Registration confirmed
CLI-->>Agent: Agent ready (status: registered)
sequenceDiagram
participant A as Agent A
participant Bridge as TrustBridge
participant B as Agent B
A->>Bridge: verify_peer(did:mesh:agent-b, min_trust=700)
Bridge->>B: IATP challenge (nonce + timestamp)
B-->>Bridge: Signed response (Ed25519 signature)
Bridge->>Bridge: Verify signature & check trust score
alt Trust score β₯ 700
Bridge-->>A: Verification succeeded (score: 850)
A->>Bridge: send_message(did:mesh:agent-b, payload)
Bridge->>B: Deliver message
B-->>Bridge: Acknowledge
Bridge-->>A: Message delivered
else Trust score < 700
Bridge-->>A: Verification failed (score: 620)
end
sequenceDiagram
participant Client as MCP Client (e.g. Claude)
participant Proxy as AgentMesh Proxy
participant Policy as Policy Engine
participant Server as MCP Server
Client->>Proxy: Tool call request
Proxy->>Policy: Evaluate action against policy rules
alt Action allowed
Policy-->>Proxy: Allow
Proxy->>Server: Forward tool call
Server-->>Proxy: Tool result
Proxy->>Proxy: Sanitize output & append verification footer
Proxy-->>Client: Governed tool result
else Action denied
Policy-->>Proxy: Deny (rule: no-pii-export)
Proxy-->>Client: Action blocked + reason
end
Proxy->>Proxy: Write audit log entry
sequenceDiagram
participant Agent
participant CA as Certificate Authority
participant Registry as Agent Registry
CA->>Agent: Issue ephemeral credential (TTL: 15 min)
Note over Agent: Credential active
loop Every 15 minutes
Agent->>CA: Request credential rotation
CA->>CA: Verify agent DID & trust score
CA-->>Agent: New ephemeral credential (TTL: 15 min)
CA->>Registry: Update credential fingerprint
Note over Agent: Old credential invalidated
end
alt Trust breach detected
Registry->>CA: Revoke credential immediately
CA-->>Agent: Credential revoked
Note over Agent: Agent must re-register
end
sequenceDiagram
participant Agent
participant Governance as Governance Layer
participant Reward as Reward Engine
participant Registry as Agent Registry
Agent->>Governance: Complete task (action: data_export)
Governance->>Governance: Check compliance (SOC2, HIPAA)
Governance-->>Reward: Task result + compliance status
Reward->>Reward: Calculate score delta
Note over Reward: Policy compliance: +10<br/>Task success: +5<br/>No violations: +3
Reward->>Registry: Update trust score (820 β 838)
Registry-->>Agent: Updated trust score: 838
Reward->>Governance: Write audit log
# Install AgentMesh
pip install agentmesh-platform
# Set up Claude Desktop to use AgentMesh governance
agentmesh init-integration --claude
# Restart Claude Desktop - all MCP tools are now secured!Claude will now route tool calls through AgentMesh for policy enforcement and trust scoring.
# Initialize a governed agent in 30 seconds
agentmesh init --name my-agent --sponsor alice@company.com
# Register with the mesh
agentmesh register
# Start with governance enabled
agentmesh run# Proxy any MCP server with governance
agentmesh proxy --target npx --target -y \
--target @modelcontextprotocol/server-filesystem \
--target /path/to/directory
# Use strict policy (blocks writes/deletes)
agentmesh proxy --policy strict --target <your-mcp-server>pip install agentmesh-platformOr install with extra dependencies:
pip install agentmesh-platform[server] # FastAPI server
pip install agentmesh-platform[dev] # Development toolsOr from source:
git clone https://github.com/imran-siddique/agent-mesh.git
cd agent-mesh
pip install -e .Real-world examples to get started quickly:
| Example | Use Case | Key Features |
|---|---|---|
| Registration Hello World | Agent registration walkthrough | Identity, DID, sponsor handshake |
| MCP Tool Server | Secure MCP server with governance | Rate limiting, output sanitization, audit logs |
| Multi-Agent Customer Service | Customer support automation | Trust handshakes, delegation, A2A |
| Healthcare HIPAA | HIPAA-compliant data analysis | Compliance automation, PHI protection, audit logs |
| DevOps Automation | Just-in-time DevOps credentials | Ephemeral creds, capability scoping |
| GitHub PR Review | Code review agent | Output policies, shadow mode, trust decay |
Framework integrations:
- Claude Desktop - Secure MCP tools with one command
- LangChain Integration - Secure LangChain agents with policies
- CrewAI Integration - Multi-agent crew governance
- LangGraph - Trust checkpoints for graph workflows (built-in)
- OpenAI Swarm - Trust-verified handoffs (built-in)
- Dify - Trust middleware for Dify workflows
Interactive Streamlit dashboard:
cd examples/06-trust-score-dashboard
pip install -r requirements.txt
streamlit run trust_dashboard.pyTabs: Trust Network | Trust Scores | Credential Lifecycle | Protocol Traffic | Compliance
Problem: AI agents like Claude Desktop have unfettered access to your filesystem, database, and APIs through MCP servers. One hallucination could be catastrophic.
Solution: AgentMesh acts as a transparent governance proxy:
# Before: Unsafe direct access
{
"mcpServers": {
"filesystem": {
"command": "npx",
"args": ["-y", "@modelcontextprotocol/server-filesystem", "/Users/me"]
}
}
}
# After: Protected by AgentMesh
{
"mcpServers": {
"filesystem": {
"command": "agentmesh",
"args": [
"proxy", "--policy", "strict",
"--target", "npx", "--target", "-y",
"--target", "@modelcontextprotocol/server-filesystem",
"--target", "/Users/me"
]
}
}
}What you get:
- π Policy Enforcement - Block dangerous operations before they execute
- π Trust Scoring - Per-agent trust scoring (800-1000 scale)
- π Audit Logs - Record of every action
- β Verification Footers - Visual confirmation in outputs
Set it up in 10 seconds:
agentmesh init-integration --claude
# Restart Claude Desktop - done!Learn more: Claude Desktop Integration Guide
Every agent gets a unique, cryptographically bound identity:
from agentmesh import AgentIdentity
identity = AgentIdentity.create(
name="data-analyst-agent",
sponsor="alice@company.com", # Human accountability
capabilities=["read:data", "write:reports"],
)Agents can delegate to sub-agents, but scope always narrows:
# Parent agent delegates to child
child_identity = parent_identity.delegate(
name="summarizer-subagent",
capabilities=["read:data"], # Subset of parent's capabilities
)Cross-agent communication requires trust verification:
from agentmesh import AgentIdentity, TrustBridge
# Create your identity first
identity = AgentIdentity.create(name="my-agent", sponsor="admin@company.com")
# Set up trust bridge
bridge = TrustBridge(agent_did=str(identity.did))
# Verify peer before communication
verification = await bridge.verify_peer(
peer_did="did:mesh:other-agent",
required_trust_score=700,
)
if verification.verified:
print(f"Peer trusted: score={verification.trust_score}")Every action is scored to maintain agent trust:
from agentmesh import RewardEngine
engine = RewardEngine()
# Actions are automatically scored
score = engine.get_agent_score("did:mesh:my-agent")
# Returns trust score on 0-1000 scaleDeclarative governance policies:
# policy.yaml
version: "1.0"
agent: "data-analyst-agent"
rules:
- name: "no-pii-export"
condition: "action.type == 'export' and data.contains_pii"
action: "deny"
- name: "rate-limit-api"
condition: "action.type == 'api_call'"
limit: "100/hour"
- name: "require-approval-for-delete"
condition: "action.type == 'delete'"
action: "require_approval"
approvers: ["security-team"]| Protocol | Status | Description |
|---|---|---|
| AI Card | β Alpha | Cross-protocol identity standard (src/agentmesh/integrations/ai_card/) |
| A2A | β Alpha | Agent-to-agent coordination (full adapter in src/agentmesh/integrations/a2a/) |
| MCP | β Alpha | Tool and resource binding (trust-gated server/client in src/agentmesh/integrations/mcp/) |
| IATP | β Alpha | Trust handshakes (via agent-os, graceful fallback if unavailable) |
| ACP | π Planned | Lightweight messaging (protocol bridge supports routing, adapter not yet implemented) |
| SPIFFE | β Alpha | Workload identity |
agentmesh/
βββ identity/ # Layer 1: Identity & Zero-Trust
β βββ agent_id.py # Agent identity management (DIDs, Ed25519 keys)
β βββ credentials.py # Ephemeral credential issuance (15-min TTL)
β βββ delegation.py # Scope chains
β βββ spiffe.py # SPIFFE/SVID integration
β βββ risk.py # Continuous risk scoring
β βββ sponsor.py # Human sponsor accountability
β
βββ trust/ # Layer 2: Trust & Protocol Bridge
β βββ bridge.py # Multi-protocol trust bridge (A2A/MCP/IATP/ACP)
β βββ handshake.py # IATP trust handshakes
β βββ cards.py # Trusted agent cards
β βββ capability.py # Capability scoping
β
βββ governance/ # Layer 3: Governance & Compliance
β βββ policy.py # Declarative policy engine (YAML/JSON)
β βββ compliance.py # Compliance mapping (EU AI Act, SOC2, HIPAA, GDPR)
β βββ audit.py # Audit logs
β βββ shadow.py # Shadow mode for policy testing
β
βββ reward/ # Layer 4: Reward & Learning
β βββ engine.py # Multi-dimensional reward engine
β βββ scoring.py # Trust scoring
β βββ learning.py # Adaptive learning
β
βββ integrations/ # Protocol & framework adapters
β βββ ai_card/ # AI Card standard (cross-protocol identity)
β βββ a2a/ # Google A2A protocol support
β βββ mcp/ # Anthropic MCP trust-gated server/client
β βββ langgraph/ # LangGraph trust checkpoints
β βββ swarm/ # OpenAI Swarm trust-verified handoffs
β
βββ cli/ # Command-line interface
β βββ main.py # agentmesh init/register/status/audit/policy
β βββ proxy.py # MCP governance proxy
β
βββ core/ # Low-level services
β βββ identity/ca.py # Certificate Authority (SPIFFE/SVID)
β
βββ storage/ # Storage abstraction (memory, Redis, PostgreSQL)
β
βββ observability/ # OpenTelemetry tracing & Prometheus metrics
β
βββ services/ # Service wrappers (registry, audit, reward)
AgentMesh automates compliance mapping for:
- EU AI Act β Risk classification, transparency requirements
- SOC 2 β Security, availability, processing integrity
- HIPAA β PHI handling, audit controls
- GDPR β Data processing, consent, right to explanation
from agentmesh import ComplianceEngine, ComplianceFramework
compliance = ComplianceEngine(frameworks=[ComplianceFramework.SOC2, ComplianceFramework.HIPAA])
# Check an action for violations
violations = compliance.check_compliance(
agent_did="did:mesh:healthcare-agent",
action_type="data_access",
context={"data_type": "phi", "encrypted": True},
)
# Generate compliance report
from datetime import datetime, timedelta
report = compliance.generate_report(
framework=ComplianceFramework.SOC2,
period_start=datetime.utcnow() - timedelta(days=30),
period_end=datetime.utcnow(),
)| Threat | AgentMesh Defense |
|---|---|
| Prompt Injection | Tool output sanitized at Protocol Bridge |
| Credential Theft | 15-min TTL, instant revocation on trust breach |
| Shadow Agents | Unregistered agents blocked at network layer |
| Delegation Escalation | Chains enforce scope narrowing |
| Cascade Failure | Per-agent trust scoring isolates blast radius |
| Quarter | Milestone |
|---|---|
| Q1 2026 | β Core trust layer, identity, governance engine, 6 framework integrations |
| Q2 2026 | TypeScript SDK, Go SDK, Dashboard UI, Plugin Marketplace |
| Q3 2026 | AI Card spec contribution, CNCF Sandbox application |
| Q4 2026 | Managed cloud service (AgentMesh Cloud), SOC2 Type II |
See our full roadmap for details.
Transparency about what's done and what isn't.
| Item | Location | Notes |
|---|---|---|
| ACP protocol adapter | trust/bridge.py |
Bridge routes ACP messages, but no dedicated ACPAdapter class yet |
| Service wrapper for audit | services/audit/ |
Core audit module (governance/audit.py) is complete; service layer wrapper is a TODO |
| Service wrapper for reward engine | services/reward_engine/ |
Core reward engine (reward/engine.py) is complete; service layer wrapper is a TODO |
| Mesh control plane | services/mesh-control-plane/ |
Placeholder directory; no implementation yet |
| Scope chain cryptographic verification | packages/langchain-agentmesh/trust.py |
Simulated verification; full cryptographic chain validation not yet implemented |
The Dify integration has these documented limitations:
- Request body signature verification (
X-Agent-Signatureheader) is not yet verified by middleware - Trust score time decay is not yet implemented (scores don't decay over time)
- Audit logs are in-memory only (not persistent across multi-worker deployments)
- Environment variable configuration requires programmatic initialization (not auto-wired)
- Redis/PostgreSQL storage providers: Implemented but require real infrastructure for testing (unit tests use in-memory provider)
- Kubernetes Operator: GovernedAgent CRD defined, but no controller/operator to reconcile it
- SPIRE Integration: SPIFFE identity module exists; real SPIRE agent integration is stubbed
- Performance targets: Latency overhead (<5ms) and throughput (10k reg/sec) are design targets, not yet benchmarked
docs/rfcs/β Directory exists, no RFCs written yetdocs/architecture/β Directory exists, no architecture docs yet (seeIMPLEMENTATION-NOTES.mdfor current notes)
AgentMesh builds on:
- Agent OS β IATP protocol, Nexus trust exchange
- Agent Hypervisor β Runtime session governance
- Agent SRE β SLO monitoring, chaos testing
- SPIFFE/SPIRE β Workload identity
- OpenTelemetry β Observability
What is an agent mesh? An agent mesh is a trust and communication infrastructure for multi-agent AI systems, analogous to a service mesh for microservices. AgentMesh provides identity (DID-based), per-agent trust scoring (0-1000 scale), ephemeral credentials, reward distribution, and automated compliance mapping.
How does AgentMesh handle trust between agents? Every agent gets a trust score from 0 to 1000 based on behavioral history, vouching from other agents, and compliance with governance policies. Trust scores gate what actions agents can perform and which sessions they can join. The score updates in real-time based on agent behavior.
What protocols does AgentMesh bridge? AgentMesh unifies three major protocols: Google's A2A (Agent-to-Agent) for inter-agent communication, Anthropic's MCP (Model Context Protocol) for tool integration, and IATP (Inter-Agent Trust Protocol) for cryptographic trust establishment. This means agents built on different frameworks can communicate through a single trust-verified channel.
Does AgentMesh help with regulatory compliance? Yes. AgentMesh provides automated compliance mapping for EU AI Act, SOC 2, HIPAA, and GDPR. Combined with audit trails and deterministic policy enforcement from Agent OS, it provides the documentation and safety guarantees needed for regulatory compliance.
See CONTRIBUTING.md for guidelines.
Apache 2.0 β See LICENSE for details.
Agents shouldn't be islands. But they also shouldn't be ungoverned.
AgentMesh is the trust layer that makes the mesh safe enough to scale.
