When an AI agent calls execute_wire_transfer today, there's no cryptographic proof it happened, no proof who authorized it, and no tamper-evident record of the outcome. Editable logs and unverified timestamps don't cut it when real money or infrastructure is on the line.
I've been building TrustAgentAI — an open-source accountability layer that wraps MCP tool calls in a 3-phase signed receipt protocol:
- Intent Envelope → Agent A signs: "I intend to call X with these exact args"
- Acceptance Receipt → Agent B signs: "I validated and accepted this intent"
- Execution Envelope → Agent B signs: "I executed it, here is the outcome hash"
Each receipt is signed with Ed25519 over a JCS (RFC 8785) canonical hash. All three are chained in a DAG ledger — causality is cryptographically enforced, not just logged. The ledger Merkle-batches entries and anchors roots externally (L2 blockchain), making retroactive tampering detectable even by a server admin.
The result is a Dispute Pack: a self-contained bundle that proves what happened, when, and who authorized it. Designed to satisfy auditors, insurers, and legal arbitrators — not just dashboards.
What's different from existing MCP security tools: ScopeGate, ai-runtime-guard, and similar tools focus on preventing unauthorized actions at the permission level. TrustAgentAI focuses on proving what happened after the fact — non-repudiation for the cases where permissions were granted but accountability is still needed. These approaches are complementary.
Technical stack:
- Ed25519 via @noble/ed25519 (audited, zero-dependency)
- JCS canonicalization per RFC 8785 (deterministic hashing across platforms)
- DAG ledger with Merkle batching (each entry's hash includes parent hashes)
- Anti-replay via per-(did, nonce) uniqueness with TTL + 5s clock skew tolerance
- Risk budget enforcement (D4) at proxy level before execution
- HTTP server exposing /accept, /executed, /dispute/:traceId
The proxies are sidecars — they intercept existing MCP JSON-RPC traffic without changes to agents or tools.

```bash
npm install @trustagentai/a2a-core
```

```typescript
import { ProxyAGateway, ProxyBGateway } from "@trustagentai/a2a-core/proxy";
import { DAGLedger } from "@trustagentai/a2a-core/ledger";

// proxyA, mcpCall and executeTool are assumed to be set up earlier (omitted here)
// Wrap your existing MCP tool call
const result = await proxyA.forwardToolCall(mcpCall, executeTool);
// result._a2a contains Intent + Acceptance + Execution envelopes
// All cryptographically signed and recorded in tamper-evident ledger
```

GitHub: https://github.com/kirbas/trustagent-a2a-protocol
npm: https://www.npmjs.com/package/@trustagentai/a2a-core
Protocol spec (v0.4): https://trustagentai.net/trustagentai-a2a-protocol

Would love feedback on:
- The JCS + SHA-256 hash target rule (spec §4) — is there a better canonicalization approach?
- L2 anchoring strategy — Base vs Arbitrum, and sync vs async anchoring?
- Whether the Dispute Pack format is sufficient for real legal/insurance use cases