blog.html

<!DOCTYPE html>
<html lang="en" data-theme="light">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Blog | AEOESS</title>
<!-- PROPAGATION-ZONE-START -->
<meta name="description" content="Day-by-day dev log of building the Agent Passport System — enforcement and accountability layer for AI agents. Bring your own identity. Policy eval under 2ms. 2,326 tests. SDK leads with /core subpath (curated 24 functions), MCP leads with 20 essential tools. Full surface area: 130+ modules, 142 MCP tools, 5 research papers, IETF Internet-Draft. Started February 18, 2026.">
<meta name="keywords" content="AI agent identity, agent passport, Ed25519, MCP server, multi-agent coordination, agentic commerce, AI governance, delegation chains, values floor, cryptographic identity, agent protocol, open source AI infrastructure, build in public">
<meta name="author" content="Tymofii Pidlisnyi">
<meta name="robots" content="index, follow">
<link rel="canonical" href="https://aeoess.com/blog.html">
<link rel="icon" type="image/png" href="/assets/images/aeoess_logo.png">
<link rel="alternate" type="text/plain" href="https://aeoess.com/llms.txt" title="LLM documentation">
<link rel="alternate" type="application/json" href="https://aeoess.com/.well-known/mcp.json" title="MCP server discovery">
<link rel="preconnect" href="https://fonts.googleapis.com">
<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
<link href="https://fonts.googleapis.com/css2?family=Crimson+Pro:ital,wght@0,300;0,400;0,500;0,600;0,700;1,400&family=Source+Sans+3:ital,wght@0,300;0,400;0,500;0,600;1,400&family=JetBrains+Mono:wght@400;500&display=swap" rel="stylesheet">
<link rel="stylesheet" href="shared.css">

<!-- Google Analytics -->
<script async src="https://www.googletagmanager.com/gtag/js?id=G-S7QVCJGMKR"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-S7QVCJGMKR');
</script>

<!-- Open Graph -->
<meta property="og:type" content="blog">
<meta property="og:site_name" content="AEOESS">
<meta property="og:title" content="AEOESS Dev Log — Building AI Agent Infrastructure in 28 Days">
<meta property="og:description" content="Day-by-day dev log: enforcement and accountability layer for AI agents. Bring your own identity. 2,326 tests. SDK /core subpath (24 functions), MCP essential profile (142 tools). Full surface: 130+ modules, 142 MCP tools. Open source.">
<meta property="og:url" content="https://aeoess.com/blog.html">
<meta property="og:image" content="https://aeoess.com/assets/images/aeoess_logo.png">
<meta property="article:author" content="https://tymofii.me">
<meta property="article:section" content="Technology">
<meta property="article:tag" content="AI Agents">
<meta property="article:tag" content="Cryptographic Identity">
<meta property="article:tag" content="Open Source">
<meta property="article:tag" content="MCP Server">

<!-- Twitter -->
<meta name="twitter:card" content="summary_large_image">
<meta name="twitter:title" content="AEOESS Dev Log — Governance for the Agent Economy">
<meta name="twitter:description" content="Enforcement and accountability layer for AI agents. Bring your own identity. 2,326 tests. SDK /core subpath, MCP essential profile. Five papers, IETF draft. Open source, build in public.">
<meta name="twitter:image" content="https://aeoess.com/assets/images/aeoess_logo.png">
<!-- PROPAGATION-ZONE-END -->

<!-- JSON-LD Structured Data: Blog + BlogPostings -->
<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Blog",
  "name": "AEOESS Dev Log",
  "description": "Day-by-day development log of the Agent Passport System — an open-source protocol for AI agent identity, trust, governance, and commerce.",
  "url": "https://aeoess.com/blog.html",
  "author": {
    "@type": "Person",
    "name": "Tymofii Pidlisnyi",
    "url": "https://tymofii.me"
  },
  "publisher": {
    "@type": "Organization",
    "name": "AEOESS",
    "url": "https://aeoess.com",
    "logo": {
      "@type": "ImageObject",
      "url": "https://aeoess.com/assets/images/aeoess_logo.png"
    }
  },
  "inLanguage": "en",
  "about": [
    {
      "@type": "Thing",
      "name": "AI Agent Identity"
    },
    {
      "@type": "Thing",
      "name": "Ed25519 Cryptographic Signatures"
    },
    {
      "@type": "Thing",
      "name": "Multi-Agent Coordination"
    },
    {
      "@type": "Thing",
      "name": "Model Context Protocol"
    },
    {
      "@type": "Thing",
      "name": "Agentic Commerce"
    }
  ],
  "blogPost": [
    {
      "@type": "BlogPosting",
      "headline": "Day 59: One receipt, four projections",
      "datePublished": "2026-04-16",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-59",
      "description": "Build A shipped — a unified four-axis attribution primitive that replaces four separate receipt types with one signed Merkle envelope. D (data), P (protocol), G (governance), C (compute). Each axis projection verifies independently; two projections of the same receipt cross-verify by shared action_ref and merkle_root. SDK v1.44.0, MCP v2.25.0, Python v0.13.0 all published. Build D2 also shipped: gateway trust profiles now return JWS-signed responses cross-verifiable against the public JWKS. And the coordination layer got simpler."
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 58: One chain added, one bug caught at the boundary",
      "datePublished": "2026-04-15",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-58",
      "description": "Solana joins the wallet_ref chain enum in SDK v1.43.0. The more interesting part is the gateway bug that surfaced — case-sensitivity normalization silently corrupting Solana addresses because APS was lowercasing the entire normalized wallet payload. Chain-aware normalization shipped as the fix. Four vocab PRs merged the same day, peer_review promoted to canonical."
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 57: Three Boundaries and a Paper",
      "datePublished": "2026-04-14",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-57",
      "description": "Three v2 constitutional primitives shipped (AttributionConsent, ProvisionalStatement + PromotionEvent, HumanEscalationFlag) closing representation, commitment, and escalation boundaries that were being crossed silently. Paper published on Zenodo: Governance in the Medium — argues the unit of agent governance is the population-with-medium, not the agent."
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 52: Three Walls",
      "datePublished": "2026-04-09",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-52",
      "description": "Three walls new users hit on APS: the MCP server flooding 132 tools, the SDK loading 925 exports from a single import, and the homepage leading with '103 modules.' All three fixed additively — new MCP essential profile (20 tools), new SDK /core subpath (curated essentials), reframed pitch surfaces. Nothing removed, full surface still available."
    },{
      "@type": "BlogPosting",
      "headline": "Day 51: The Quantum Paper",
      "datePublished": "2026-04-08",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-51"
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 50: The Audit That Ate the Day",
      "datePublished": "2026-04-07",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-50"
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 49: Twelve Primitives, One Day",
      "datePublished": "2026-04-06",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-49"
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 48: Six Sessions, One Shipping Day — Key Rotation to Governance Export",
      "datePublished": "2026-04-05",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-48"
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 47: Protocol Infrastructure Expanding — MS PR Approved, SINT Interop, Behavioral Spec",
      "datePublished": "2026-04-04",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-47"
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 46: Bring Your Own Identity — The Interop Stack",
      "datePublished": "2026-04-03",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-46"
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 45: SDK v1.31.0 — Governance Hardening + Gateway Bridge",
      "datePublished": "2026-04-02",
      "author": {"@type": "Person", "name": "Tymofii Pidlisnyi"},
      "url": "https://aeoess.com/blog.html#day-45"
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 44: First Code Integration + 5 Security Fixes",
      "datePublished": "2026-04-01",
      "description": "Shipped infrastructure-signed execution attestation. Three-checkpoint authorization chain complete. Drift classification with pluggable rules. v2 test vectors for cross-protocol edge cases. Four GitHub replies across OWASP, qntm WG, A2A. 1987 tests, 503 suites, 96 modules.",
      "url": "https://aeoess.com/blog.html#day-44",
      "keywords": ["execution attestation", "checkpoint 3", "drift classification", "test vectors", "cross-protocol", "OWASP"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 43: Multi-Attestation Verification",
      "datePublished": "2026-03-31",
      "description": "Gateway Ed25519 identity + JWKS. APS verified as 5th issuer in multi-attestation spec. Policy hash chaining. Routing divergence detection. 9 new SDK functions from ecosystem conversations. 1987 tests, 38 gateway routes.",
      "url": "https://aeoess.com/blog.html#day-43",
      "keywords": ["multi-attestation", "JWKS", "policy hash chaining", "routing divergence", "insumer", "cross-protocol"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 42: Agent Attestation Architecture",
      "datePublished": "2026-03-30",
      "description": "3-round consilium (Claude + GPT + Gemini + Portal). Four-tier attestation model. Passport grades 0-3. Sybil 4-gate pipeline. Presentation trust profile API. Behavioral sequence tracking. 1987 tests, 96 modules, 125 MCP tools, 36 gateway routes.",
      "url": "https://aeoess.com/blog.html#day-42",
      "keywords": ["attestation", "sybil defense", "passport grade", "consilium", "trust profile", "behavioral sequence"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 41: Agent Wallets — Feeless Crypto for AI Agents",
      "datePublished": "2026-03-29",
      "description": "Built Nano payment rail adapter and agent wallet system. 1,430 new lines. Gateway went from 18 to 36 API routes. HD key derivation, 3-gate delegation pipeline, freeze/revoke cascade. Wallet page live at aeoess.com/wallet.html.",
      "url": "https://aeoess.com/blog.html#day-41",
      "keywords": ["nano", "agent wallet", "payment rail", "feeless", "delegation pipeline", "HD key derivation"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 40: Gateway Wiring — 79% Module Interconnection",
      "datePublished": "2026-03-29",
      "description": "Connected 13 remaining modules into gateway enforcement pipeline. Fidelity probe measurement protocol. Data cluster wiring. Gateway identity layer. 12 GitHub replies across ecosystem. SDK v1.29.1, 1987 tests, 96 modules.",
      "url": "https://aeoess.com/blog.html#day-40",
      "keywords": ["gateway wiring", "fidelity probe", "module interconnection", "1987 tests", "96 modules", "ecosystem engagement"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 39: Governance for the Agent Economy — The Rebrand",
      "datePublished": "2026-03-28",
      "description": "Complete website redesign. Academic typography (Crimson Pro serif). Enterprise positioning. 10-question FAQ. iOS frosted glass. Warm dark gray dark mode. 38-entry ship log. Unified design system across all 15 pages. H1: Governance for the Agent Economy.",
      "url": "https://aeoess.com/blog.html#day-39",
      "keywords": ["rebrand", "academic design", "enterprise positioning", "Governance for the Agent Economy", "frosted glass", "dark mode", "FAQ"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 38: Rome-Complete — Institutional Governance in One Session",
      "datePublished": "2026-03-26",
      "description": "Built the full Rome-Complete institutional layer in one session. Charter with 19 types, multi-class approval, Petri net (10 invariants), hybrid logical clocks, foreign counterparty envelopes, escrow-aware revocation, gateway identity, reserve attestations, federation receipt/reputation portability. 12 new MCP tools (125 total). 77 new tests. SDK v1.27.0 (1987 tests), MCP v2.19.0.",
      "url": "https://aeoess.com/blog.html#day-38",
      "keywords": ["charter", "institutional governance", "multi-class approval", "Petri net", "hybrid logical clock", "federation", "reserve attestation", "1987 tests", "125 tools"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 37: Governance Distribution Stack — Every Article on The Agent Times Is Now Cryptographically Governed",
      "datePublished": "2026-03-25",
      "description": "Shipped the full governance distribution stack: governance blocks (per-page signed terms), aps.txt (site-wide like robots.txt), HTTP headers, chained blocks for derivatives, and a 360 consumer loop with access receipts. The Agent Times is the first publication embedding Ed25519-signed content governance in every article. Framework adapters (CrewAI, ADK, LangChain, A2A), 21-invariant conformance suite, and hosted enforcement gateway. SDK v1.25.0 (1480 tests), MCP v2.15.1 (108 tools), Python v0.7.0.",
      "url": "https://aeoess.com/blog.html#day-37",
      "keywords": ["governance blocks", "aps.txt", "content governance", "The Agent Times", "access receipts", "360 loop", "framework adapters", "conformance suite", "1480 tests", "108 tools"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 36: Clean Slate — 68 Dead Imports, OATR Founding Member, Zero Open Findings",
      "datePublished": "2026-03-23",
      "description": "Full codebase audit: 68 unused imports removed across 34 files, tracked garbage cleaned (tarballs, one-time scripts). OATR issuer registration merged — 4 founding WG members all registered. Propagation script hardened with zone markers to protect historical blog entries. All Portal findings confirmed resolved. xsa520 published decision equivalence spec. 1178 tests, 0 failures.",
      "url": "https://aeoess.com/blog.html#day-36",
      "keywords": ["codebase audit", "OATR", "trust registry", "unused imports", "propagation", "decision equivalence", "1178 tests"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 35: First APS Envelope Through an Encrypted Relay",
      "datePublished": "2026-03-22",
      "description": "Built qntm relay bridge (369 lines, zero new deps). HKDF known-answer vectors: 3/3 match. XChaCha20-Poly1305 roundtrip proven. Live relay test: HTTP 201. Agora reframed as Signed Communication Protocol with per-instance isolation. MCP stats endpoint. 3 integration findings fixed. 1178 tests.",
      "url": "https://aeoess.com/blog.html#day-35",
      "keywords": ["qntm", "E2E encryption", "relay", "XChaCha20-Poly1305", "HKDF", "interop", "vessenes", "1178 tests"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 34: 30 Constitutional Modules. Every Gap Closed.",
      "datePublished": "2026-03-22",
      "description": "Constitutional Framework v2 complete. 32 v2 modules implementing 9 attack defenses, 6 structural failure primitives, emergence detection, separation of powers, circuit breakers. Cross-model adversarial review (Claude + GPT + Gemini attacking simultaneously) identified 16 gaps. All 16 closed with tested code. SDK v1.21.2 + MCP v2.12.0 + Python 0.5.1 published. 1178 tests.",
      "url": "https://aeoess.com/blog.html#day-34",
      "keywords": ["constitutional framework", "v2", "adversarial review", "separation of powers", "circuit breakers", "emergence detection", "1178 tests"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 30: Three Modules in One Day. Two Claudes Built Them.",
      "datePublished": "2026-03-17",
      "description": "Module 19 (E2E Encrypted Messaging) and Module 20 (Obligations Model) shipped in one session. Consensus spec from 3-model hostile review. Two-Claude build: one wrote tests, the other wrote implementation. Plus createExecutionEnvelope() turns the RFC into running code. Protocol: 20 modules, 609 tests.",
      "url": "https://aeoess.com/blog.html#day-30",
      "keywords": ["encrypted messaging", "obligations", "two-claude", "duties", "penalties", "E2E", "libsodium"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 31: Three Modules on One Machine, Five Engines on One Thread",
      "datePublished": "2026-03-19",
      "description": "Sprint Mini: Oracle Witness Diversity (M28), Encrypted Messaging Audit Bridge (M29), Policy Conflict Detection (M30). All built on Mac Mini via Desktop Commander. Meanwhile, 5 engines are now cross-verifying decision artifacts on kanoniv/agent-auth#2. First legitimate cross-engine disagreement captured.",
      "url": "https://aeoess.com/blog.html#day-31",
      "keywords": ["oracle witness", "Shannon entropy", "messaging audit", "policy conflict", "DFS", "cross-engine", "interop", "decision semantics", "Network-AI", "AIP", "Kanoniv"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 33: Constitutional Governance Is Running Code",
      "datePublished": "2026-03-21",
      "description": "V2 Constitutional Framework complete: 30 modules (9 attack defenses, 14 structural safeguards, 7 core governance). Module 37: Decision Semantics. Full codebase audit: 20,490 lines source, 18,397 lines tests. SDK v1.21.2 on npm. 1178 tests.",
      "url": "https://aeoess.com/blog.html#day-33",
      "keywords": ["V2", "constitutional governance", "delegation versioning", "anomaly detection", "decision semantics", "codebase audit", "npm publish"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 32: Data Attribution Starts Here",
      "datePublished": "2026-03-20",
      "description": "Module 36A: Data Source Registration & Access Receipts. Foundation for data attribution layer. Three attestation modes, machine-readable DataTerms, gateway-signed access receipts, hard vs advisory compliance. 10-round multi-model hostile review before code. 1178 tests, 42 modules.",
      "url": "https://aeoess.com/blog.html#day-32",
      "keywords": ["data attribution", "data rights", "source receipt", "access receipt", "DataTerms", "cryptographic accountability", "gateway-signed", "Merkle proof"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 29: Three Groups Asked for the Same Thing. So We Wrote the Spec.",
      "datePublished": "2026-03-17",
      "description": "CrewAI, Guardian/AutoGen, and DIF Trusted AI Agents independently converged on a shared signed execution envelope. We formalized it as an RFC. The APS SDK already generates every field. Cross-links posted to all three threads.",
      "url": "https://aeoess.com/blog.html#day-29",
      "keywords": ["RFC", "execution envelope", "interop", "CrewAI", "Guardian", "DIF", "governance", "cross-engine"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 28: CEO of Y Combinator Endorsed It. Microsoft Merged It. A Federal Agency Is Reviewing It.",
      "datePublished": "2026-03-16",
      "description": "Garry Tan endorsed APS. Microsoft merged PR #274. NIST NCCoE reviewing public comment. IETF DAAP author exploring collaboration. Drafts for 5 ecosystem discussions. Applied to Adaption Research Grant.",
      "url": "https://aeoess.com/blog.html#day-28",
      "keywords": ["Garry Tan", "Y Combinator", "Microsoft", "NIST", "IETF", "DAAP", "ecosystem", "research grant", "Adaption"]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 27: Full Stats Sweep + Gateway Strategic Decision",
      "datePublished": "2026-03-15",
      "description": "Audited every page, README, GitHub description, and LLM file for stale references. Fixed 11 endpoints. Made the gateway decision: reference implementation now, product later. Protocol adoption first.",
      "url": "https://aeoess.com/blog.html#day-27",
      "keywords": [
        "ProxyGateway",
        "reference implementation",
        "stats sweep",
        "protocol adoption",
        "strategy"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 26: Mingle v2 — Semantic Matching, Ghost Mode, Consent Flow",
      "datePublished": "2026-03-15",
      "description": "Shipped Mingle v2 in one day: semantic matching (all-MiniLM-L6-v2), persistent Ed25519 identity, ghost mode browsing, consent-first publishing. 0 matches to 15. Published to npm, ClawHub, all platforms.",
      "url": "https://aeoess.com/blog.html#day-26",
      "keywords": [
        "Mingle",
        "semantic matching",
        "ghost mode",
        "persistent identity",
        "consent flow",
        "embeddings",
        "ClawHub",
        "MCP"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 25: Substack Launch — Cross-Protocol Bridge + Tesla Social",
      "datePublished": "2026-03-14",
      "description": "Published two Substack articles: the first cross-protocol agent identity bridge (APS x AIP) and Tesla Social MVP. Social media launch across X and LinkedIn.",
      "url": "https://aeoess.com/blog.html#day-25",
      "keywords": [
        "cross-protocol",
        "AIP bridge",
        "Tesla Social",
        "Substack",
        "KYA",
        "social media launch"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 24: Security Hardening — Gateway Bugs, Setup Commands, Cross-Protocol Resolve",
      "datePublished": "2026-03-13",
      "description": "Fixed 3 gateway bugs (memory leak, crash on unregistered agent, ownership bypass). SECURITY.md, prompt injection sanitization, npx setup command, cross-protocol resolve endpoint.",
      "url": "https://aeoess.com/blog.html#day-24",
      "keywords": [
        "security",
        "gateway",
        "bug fixes",
        "setup command",
        "cross-protocol resolve",
        "SECURITY.md"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 23: Mingle Ships — Your AI Finds People for You",
      "datePublished": "2026-03-12",
      "description": "Mingle MCP v1.0.0 shipped. Standalone agent-to-agent networking plugin. 6 tools, landing page, live network stats. Published to ClawHub and npm.",
      "url": "https://aeoess.com/blog.html#day-23",
      "keywords": [
        "Mingle",
        "agent networking",
        "MCP plugin",
        "ClawHub",
        "npm",
        "agent matching"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 22: The Intent Network — Your Agent Finds People for You",
      "datePublished": "2026-03-11",
      "description": "Shipped agent-mediated matching: IntentCards, relevance scoring, intro protocol, hosted API at api.aeoess.com. No app, no signup, your AI is the interface.",
      "url": "https://aeoess.com/blog.html#day-22",
      "keywords": [
        "intent network",
        "agent matching",
        "IntentCards",
        "api.aeoess.com",
        "MCP v2.12.0"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 21: Reputation-Gated Authority — Agents Earn Trust, Not Just Receive It",
      "datePublished": "2026-03-10",
      "description": "Bayesian reputation model, signed promotion reviews, cryptographic scarring, tier checking. SDK 1.11.0, MCP 2.5.0, 1178 tests, 83 tools.",
      "url": "https://aeoess.com/blog.html#day-21",
      "keywords": [
        "reputation",
        "Bayesian trust",
        "promotion reviews",
        "tier authority",
        "SDK 1.11.0",
        "MCP 2.5.0"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 20: Second Paper Published — Monotonic Narrowing for Agent Authority",
      "datePublished": "2026-03-09",
      "description": "Published formal invariants paper on Zenodo. 8 delegation chain invariants, property-based adversarial testing, competitive landscape analysis.",
      "url": "https://aeoess.com/blog.html#day-20",
      "keywords": [
        "monotonic narrowing",
        "Zenodo",
        "formal invariants",
        "adversarial testing",
        "research paper"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 18: Autoresearch — AI Finds Bugs AI Wrote",
      "datePublished": "2026-03-07",
      "description": "Adapted Karpathy's autoresearch for adversarial protocol hardening. 200 randomized property tests, 10 paper scenarios, F-008 Epistemic Security.",
      "url": "https://aeoess.com/blog.html#day-18",
      "keywords": [
        "autoresearch",
        "adversarial testing",
        "property-based testing",
        "cascade revocation",
        "Karpathy"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 17: Principal Identity, Python SDK, and Three New Protocol Extensions",
      "datePublished": "2026-03-06",
      "description": "Principal Identity with selective disclosure, Python SDK v0.4.0, DID/VC/A2A/EU AI Act modules, remote MCP endpoint.",
      "url": "https://aeoess.com/blog.html#day-17",
      "keywords": [
        "principal identity",
        "Python SDK",
        "DID",
        "verifiable credentials",
        "EU AI Act",
        "A2A protocol"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 16: Community Health and OWASP AI Security Mapping",
      "datePublished": "2026-03-05",
      "description": "CONTRIBUTING.md, CODE_OF_CONDUCT.md, AIVSS page mapping 10 OWASP risks against the protocol.",
      "url": "https://aeoess.com/blog.html#day-16",
      "keywords": [
        "OWASP",
        "AIVSS",
        "community health",
        "contributing guide",
        "code of conduct"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 15: SDK v1.21.2, MCP v2.12.0, and Two Agents Get Their Next Mission",
      "datePublished": "2026-03-04",
      "description": "Five npm publishes. Task Routing Protocol, Agent Context enforcement, 7 audit fixes, 4 MCP comms tools. 1178 tests, 83 MCP tools. Autonomous peer audit assigned.",
      "url": "https://aeoess.com/blog.html#day-15",
      "keywords": [
        "SDK v1.21.2",
        "MCP v2.12.0",
        "task routing",
        "agent context",
        "peer audit",
        "npm publish"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 14: The First Real Audit — What Happens When Agents Review Your Code",
      "datePublished": "2026-03-03",
      "description": "PortalX2 ran a forensic audit of the SDK. 10 findings including a high-severity canonicalization bug. All accepted fixes shipped in v1.21.2.",
      "url": "https://aeoess.com/blog.html#day-14",
      "keywords": [
        "code audit",
        "peer review",
        "canonicalization bug",
        "multi-agent coordination",
        "AUDIT-001"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 13: Graduated Enforcement, Threat Model, and Agent District",
      "datePublished": "2026-03-02",
      "description": "Values Floor graduated enforcement (inline/audit/warn modes), 38-scenario threat model published, Ed25519 typo fix across 3 repos, pixel-art Agent District visualization.",
      "url": "https://aeoess.com/blog.html#day-13",
      "keywords": [
        "graduated enforcement",
        "threat model",
        "values floor",
        "agent district",
        "Ed25519"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 12: Layer 8 — Agentic Commerce, Integration Wiring, and MCP v2.1.0",
      "datePublished": "2026-03-01",
      "description": "Shipped agentic commerce (OpenAI+Stripe ACP), cross-layer integration bridges, MCP server expanded to 30 tools. SDK v1.7.0, 214 tests.",
      "url": "https://aeoess.com/blog.html#day-12",
      "keywords": [
        "agentic commerce",
        "ACP",
        "MCP server",
        "integration wiring",
        "OpenAI Stripe"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 11: Documentation Sprint",
      "datePublished": "2026-02-28",
      "description": "Website content overhaul, SDK README rewrite, llms.txt alignment, Schema.org and Open Graph metadata updates.",
      "url": "https://aeoess.com/blog.html#day-11",
      "keywords": [
        "documentation",
        "llms.txt",
        "Schema.org",
        "developer experience"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 10: Layer 7 — Coordination Primitives",
      "datePublished": "2026-02-27",
      "description": "Full task lifecycle: briefs, evidence, review gates, handoffs, deliverables. Cryptographically signed coordination for multi-agent workflows.",
      "url": "https://aeoess.com/blog.html#day-10",
      "keywords": [
        "coordination primitives",
        "task lifecycle",
        "multi-agent workflow",
        "evidence review"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 8: Layer 5 — Intent Architecture",
      "datePublished": "2026-02-25",
      "description": "Intent Architecture with roles, deliberation, 3-signature policy chain, FloorValidatorV1, and precedent memory for multi-agent decision-making.",
      "url": "https://aeoess.com/blog.html#day-8",
      "keywords": [
        "intent architecture",
        "policy engine",
        "FloorValidator",
        "deliberation",
        "3-signature chain"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Days 4–5: The Community Shows Up",
      "datePublished": "2026-02-21",
      "description": "Community engagement on MoltBook (34 upvotes), GitHub collaboration issues with AIP, Visa, Forter. Competitive analysis of agent identity protocols.",
      "url": "https://aeoess.com/blog.html#community",
      "keywords": [
        "community engagement",
        "agent identity",
        "competitive analysis",
        "open source community"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Day 2: Media Coverage",
      "datePublished": "2026-02-19",
      "description": "First media coverage one day after launch. Multi-agent trust infrastructure resonating with teams building real agent systems.",
      "url": "https://aeoess.com/blog.html#media-coverage",
      "keywords": [
        "media coverage",
        "agent trust",
        "multi-agent systems",
        "launch"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "We Ran 3 Experiments With Real AI Agents",
      "datePublished": "2026-02-26",
      "description": "Three controlled experiments with real AI agents. Key finding: swapping an agent's role changes its behavior. The role creates the discipline, not the model.",
      "url": "https://aeoess.com/blog.html#experiments",
      "keywords": [
        "AI agent experiments",
        "role constraints",
        "multi-agent coordination",
        "agent behavior"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Agora is the Missing Layer: Signed Speech for Agents",
      "datePublished": "2026-02-24",
      "description": "Agent Agora shipped: protocol-native Ed25519 signed communication for AI agents. Every message verifiable in browser.",
      "url": "https://aeoess.com/blog.html#agora",
      "keywords": [
        "agent agora",
        "signed communication",
        "Ed25519 messages",
        "agent protocol"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "MCP Server Ships — 11 Tools, 12+ Distribution Channels",
      "datePublished": "2026-02-23",
      "description": "agent-passport-system-mcp v1.0.0 published. MCP server with 11 tools for Claude Desktop, Cursor, Windsurf. Distributed across 12+ channels.",
      "url": "https://aeoess.com/blog.html#mcp-ships",
      "keywords": [
        "MCP server",
        "Claude Desktop",
        "Cursor",
        "agent tools",
        "npm publish"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Paper: The Agent Social Contract",
      "datePublished": "2026-02-20",
      "description": "Research paper published on Zenodo. Cryptographic identity, ethical governance, and beneficiary economics for autonomous AI agents.",
      "url": "https://aeoess.com/blog.html#paper",
      "keywords": [
        "research paper",
        "Zenodo",
        "agent social contract",
        "AI governance",
        "beneficiary attribution"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Agent Passport v1.1: From Identity to Accountability",
      "datePublished": "2026-02-20",
      "description": "Action receipts, delegation revocation with cascade, depth limits. From identity verification to full accountability.",
      "url": "https://aeoess.com/blog.html#v1-1",
      "keywords": [
        "action receipts",
        "delegation revocation",
        "cascade revocation",
        "accountability"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "Agent Passport System: Cryptographic Identity for AI Agents",
      "datePublished": "2026-02-18",
      "description": "First npm publish. Ed25519 cryptographic identity for AI agents with passports, capabilities, reputation, and delegation.",
      "url": "https://aeoess.com/blog.html#launch",
      "keywords": [
        "npm launch",
        "Ed25519",
        "cryptographic identity",
        "AI agent passport"
      ]
    },
    {
      "@type": "BlogPosting",
      "headline": "The Speed of Wrong vs The Speed of Right",
      "datePublished": "2026-02-17",
      "description": "Notes on building cryptographic agent infrastructure at speed. Why shipping wrong is worse than shipping slow.",
      "url": "https://aeoess.com/blog.html#speed",
      "keywords": [
        "build in public",
        "cryptographic systems",
        "engineering speed"
      ]
    }
  ]
}
</script>

<style>
.site-footer-sub{border-top:1px solid var(--text);padding:2rem 0 1.5rem;margin-top:3rem}
.footer-inner{max-width:1200px;margin:0 auto;padding:0 2rem}
.footer-grid-sub{display:grid;grid-template-columns:repeat(4,1fr);gap:1.5rem;margin-bottom:1.5rem}
.fcol h4{font:600 .6rem var(--mono);color:var(--text);text-transform:uppercase;letter-spacing:.1em;margin-bottom:.5rem}
.fcol a{display:block;font:.75rem/1.8 var(--sans);color:var(--muted);text-decoration:none;transition:color .15s}
.fcol a:hover{color:var(--text)}
.footer-bar{display:flex;justify-content:space-between;align-items:center;padding-top:1rem;border-top:1px solid var(--border);font:.7rem var(--sans);color:var(--muted)}
.footer-bar a{color:var(--muted);text-decoration:none;transition:color .15s}
.footer-bar a:hover{color:var(--accent)}
.footer-links{display:flex;gap:.8rem}
.footer-links a{font:.6rem var(--mono)}
@media(max-width:768px){.footer-grid-sub{grid-template-columns:repeat(2,1fr)}}
@media(max-width:480px){.footer-grid-sub{grid-template-columns:1fr}}
</style>
<script type="application/aps-governance+json">
{
  "@context": "https://aeoess.com/governance/v1",
  "@type": "GovernanceBlock",
  "source_did": "did:aps:z6MkfBQNZXXcgtkmj4AvFfH14WtSmd4gUrUEfyi2oMbrmTGW",
  "content_hash": "sha256:a69a4af79bcb3f9bfcd44ad9ca129240f528a9bb33b5dd99d06e24ef141a846e",
  "published_at": "2026-03-29T01:27:57.454Z",
  "governance_generated_at": "2026-03-29T01:27:57.454Z",
  "terms": {
    "inference": "permitted",
    "training": "attribution_required",
    "redistribution": "permitted",
    "caching": "permitted"
  },
  "revocation_policy": {
    "mechanism": "aps_txt",
    "endpoint": "https://aeoess.com/.well-known/aps.txt"
  },
  "signature": "d26b19e853f27fe130287d04405532573dd8ed8aa3b12ecf9bbf87337d8330b69f35bb396f1c873acfc13e4af61a9abfe4b6adfc68d50b65896883d61ca72b0c"
}
</script>
</head>
<body>
<nav class="nav" id="nav">
  <a href="/" class="nav-logo"><img src="/assets/images/aeoess_logo-05.png" alt="AEOESS" width="158" height="26" style="height:26px;width:auto"></a>
  <div class="nav-links"><a href="mingle.html">Mingle</a><a href="wallet.html">Wallet</a><a href="blog.html">Blog</a><a href="roadmap.html">Roadmap</a><a href="passport.html">Spec</a><a href="docs.html">API</a><a href="portal.html" style="font-weight:600">Portal</a><a href="https://github.com/aeoess">GitHub</a><a href="mailto:signal@aeoess.com">Contact</a><button class="theme-btn" onclick="toggleTheme()">&#9790;</button></div>
  <div class="nav-burger" onclick="this.classList.toggle('open');document.querySelector('.nav-drawer').classList.toggle('open')"><span></span><span></span><span></span></div>
</nav>
<div class="nav-drawer">
  <a href="mingle.html">Mingle</a><a href="wallet.html">Wallet</a><a href="blog.html">Blog</a><a href="roadmap.html">Roadmap</a><a href="passport.html">Docs</a>
        <a href="portal.html" style="font-weight:600">Portal</a>
  <a href="protocol.html">Protocol</a><a href="compare.html">Compare</a><a href="agora.html">Agora</a>
  <a href="https://github.com/aeoess">GitHub</a><a href="mailto:signal@aeoess.com">Contact</a>
  <button onclick="toggleTheme()" style="font:400 1.1rem var(--sans);color:var(--ink-4);background:none;border:none;text-align:left;padding:.4rem 0;cursor:pointer">Toggle theme</button>
</div>
<div class="w">
<div class="page-hero">
  <div class="breadcrumb"><a href="/">AEOESS</a> / Blog</div>
  <h1>Dev Log: Building Agent Passport System</h1>
<!-- PROPAGATION-ZONE-START -->
  <p class="sub">Day-by-day record of building the enforcement and accountability layer for AI agents. Bring your own identity: did:key, did:web, SPIFFE, OAuth, native did:aps. Started February 18, 2026. 2,326 tests, five papers, IETF draft. Open source. <span style="color:var(--ink-5)">Full surface area: 130+ modules, 142 MCP tools.</span></p>
<!-- PROPAGATION-ZONE-END -->
  <p class="sub" style="margin-top:.6rem">See the full picture on <a href="roadmap.html" style="font-weight:600">the roadmap</a> — every ship across protocol, product, research, comms, and ops with dependency arrows.</p>
</div>


<article class="post" id="day-61">
  <time class="post-date" datetime="2026-04-17">April 17, 2026</time>
  <h2>Day 61: The separation ships.</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The SDK was one package. It shipped crypto, types, scope logic, receipts, vocabulary adapters, conformance suite, and the analytics, drift detection, compliance automation, and runtime state management that the gateway uses to operate. Partners who pinned the npm package pulled the whole thing. That was fine for a while. It stopped being fine once the roadmap started pointing at foundation submission, enterprise procurement conversations, and a pixel attribution economy that lives in the gateway and only the gateway.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Today the SDK shipped v2.0.0-beta.0 on npm <code>@next</code>. The architecture is split along one axis: protocol primitives stay public, product intelligence moves private. <code>ProxyGateway</code>, <code>DataEnforcementGate</code>, <code>ContributionLedger</code>, <code>SettlementGenerator</code>, 18 behavioral-analytics modules, runtime state stores, compliance automation, orchestration, metering. Gone from the public SDK. Moved to the private gateway package. Roughly 647 tests moved with them. The public API, the 8 core primitives the spec documents, is byte-identical to v1.46.0.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">How to read that</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The protocol is now what standards bodies can actually adopt: a clean Apache-2.0 package with a conformance suite and interop vectors, no operational intelligence bundled into it. The gateway is the commercial moat: drift detection, cross-tenant orchestration, analytics, the pixel. Separation is not a feature flag or a licensing trick. It is a refactor that moved a majority of the codebase out of the public package and into a private one. That line is where I can defend it now.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Partners on any v1 pin are unaffected. v1.46.0 stays on npm <code>@latest</code> through a 48 to 72 hour stability window and on <code>legacy-v1</code> indefinitely after that. Nothing auto-upgrades. v2 is strictly opt-in via <code>npm install agent-passport-system@next</code> while partners test integrations.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">Four artifacts, one day</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">SDK</strong>: <a href="https://www.npmjs.com/package/agent-passport-system">v2.0.0-beta.0</a> on <code>@next</code>. 2,325 tests, 130+ modules, tsc clean against the gateway after the split. Public exports went from 115 to 106, nine removed and six added. Every remaining export retains its v1.46 signature.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">MCP</strong>: <a href="https://www.npmjs.com/package/agent-passport-system-mcp">v3.0.0</a> on <code>@next</code>. 142 tools. Dropped 12 tools that never had a v2 analogue and stubbed 10 that moved to the gateway. The 132 preserved are protocol-layer tools that don't depend on gateway runtime. Major bump because the tool reduction is breaking.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Python SDK</strong>: <a href="https://pypi.org/project/agent-passport-system/">v2.0.0b0</a> as PEP 440 pre-release. The Python side was already protocol-only by construction, so the bump is version alignment, not refactor. <code>pip install --pre</code> to opt in.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Gateway</strong>: repinned from <code>file:../agent-passport-system</code> to <code>^2.0.0-beta.0</code>, Railway auto-deployed, health endpoint green through the swap. All 647 migrated tests pass in the gateway's own suite. No downtime.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">The governance vocabulary got one thing fixed today too</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The <a href="https://github.com/aeoess/agent-governance-vocabulary">agent-governance-vocabulary</a> repo has twelve external crosswalks from partners who mapped their terminology to the canonical signal types. InsumerAPI, SINT, AgentNexus, Veritas Acta, Logpose, RNWY, SoulboundRobots, Nobulex, SAR, JEP, asqav, SATP. All twelve built by people who don't work here, mapping their stuff to ours. One entry that was missing: ours.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">I hosted the registry for a week without publishing a crosswalk for my own system. That reads as either I can't describe my own terms cleanly, or I don't dogfood the registry I'm asking other people to contribute to. Neither is true, but the file being absent says it anyway. Today I fixed that.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><code>crosswalk/aeoess-aps.yaml</code> is the APS mapping to the canonical vocabulary: three exact-match signal types (<code>passport_grade</code>, <code>trust_verification</code>, <code>governance_attestation</code>), two partial, seven honest <code>no_mapping</code> declarations for signal types APS doesn't issue. Four decision-trajectory mappings, one constraint mapping, and an <code>out_of_vocabulary_primitives</code> section for runtime enforcement mechanics (monotonic narrowing, cascade revocation, wallet binding) that are correctly not signal types. Validator is clean. APS also got added to <code>governance_attestation.issuers_in_production</code> alongside AgentNexus, Nobulex, and SINT; Build D2's JWS-signed trust profile endpoint makes us the fourth production issuer of that signal type.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">Rollback is real</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Before any of the above happened, the prior state got archived. Anchor tags in every repo (<code>pre-v2-swap-main</code>, <code>pre-v2-swap-refactor</code>, <code>pre-v2-pypi-swap</code>) pin the pre-swap commit as immutable references. A 103 MB local snapshot kit sits at <code>/Users/tima/v2-swap-safety/</code> with git bundles of all repos and a packaged copy of the v1.46.0 npm tarball. And a private archive repo, <code>aeoess/v2-swap-archive-2026-04-17</code>, holds the bundles and the step-by-step rollback procedures for every failure scenario. If v2 needs to come out within 72 hours of publish, <code>npm unpublish</code> works. After 72 hours, v2 gets <code>npm deprecate</code>d and v1.46.0 stays on <code>latest</code> indefinitely. No rollback path depends on anything Anthropic or I control alone.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">The ecosystem data layer</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Quietly in the background of this week, we built a structured map of the governance ecosystem we operate in. 89 tracked threads across GitHub, 118 participants, 1,994 comments, 88 topics. Each participant gets a relationship tag (friend, substantive, hosted-collaborator, canary, dropped, unknown) and each thread is classified by waiting-state (waiting on us, waiting on them, closed, silent). The data is content-addressed, rebuilt on a script that re-fetches GitHub and regenerates the map in about two minutes, and the output is a single session-context markdown file that Claude loads at the start of every working session.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The reason this matters for governance is the second axis of the tag space: canaries. Over the last week we observed a pattern of agents opening structurally similar threads across multiple repositories with aggressive asks that don't survive factual review. Each pattern got logged, each handle got added to a silence list, and the map enforces a non-engagement protocol automatically. The same map surfaces the other direction: partners whose tags upgrade from unknown to substantive after they ship verifiable code, and whose threads get moved to higher-priority response queues. It is not surveillance and it is not adversarial; it is a structured way to keep the ecosystem map accurate enough that we respond to signal and ignore noise. The raw map stays in a private specs directory; the methodology is documented at <a href="https://github.com/aeoess/aeoess_web/blob/main/specs/GOVERNANCE-DATA-MAPPING.md">specs/GOVERNANCE-DATA-MAPPING.md</a>.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">What this unlocks</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">AAIF submission becomes a real option, not an aspiration. Foundations don't want to govern your pricing or your compliance automation; they want a clean protocol spec with a conformance suite. We now have that cleanly packaged. Enterprise procurement stops tripping over "sole-founder maintainer governs the protocol" because that layer becomes foundation-governed when the submission lands. The gateway product competes on quality rather than lock-in, which is a stronger commercial position than lock-in ever was.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The next primitive in the queue is Ledger Events. Ordered content-addressable signed events with a chain-integrity verifier. Will ship as v2.1.0-beta.0 on <code>@next</code>. Any ledger store, analytics, subscription, or attestation layer on top of the primitive goes in the private gateway. The separation holds.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Release notes with the full partner-facing picture are at <a href="https://github.com/aeoess/agent-passport-system/issues/16">aeoess/agent-passport-system#16</a>.</p>
</article>


<article class="post" id="day-60">
  <time class="post-date" datetime="2026-04-16">April 16, 2026</time>
  <h2>Day 60: Build C ships. The evidence layer.</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Build A gave us the signed primitive. Build B canonicalized the weights. Build C aggregates them: one signed settlement record per period, four Merkle-committed axis roots, contributor queries that verify end-to-end without trusting the gateway beyond its JWKS. The economic half, how weights convert to money, stays gateway-private. The evidence half is in the SDK.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v2.0.0-beta.0 on @next &amp; v1.46.0 on latest (2,325 tests, 130+ modules). MCP v2.27.0 (154 tools, new settlement scope). Python v0.15.0 / v2.0.0b0 pre (335 tests). 5 cross-language fixtures, byte-identical across runs. The integration proof: 1000 Attribution Primitives &rarr; aggregate &rarr; verify &rarr; per-contributor query &rarr; verify, composes cleanly with Build A and Build B.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">A contributor &mdash; data source, compute provider, protocol author &mdash; can now answer &quot;what did I contribute and can I prove it?&quot; with a signed artifact. What the market builds on top of that evidence is up to the market. The pixel is live.</p>
</article>

<article class="post" id="day-59">
  <time class="post-date" datetime="2026-04-16">April 16, 2026</time>
  <h2>Day 59: One receipt, four projections</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Two ships and a retirement today.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">Build A &mdash; the attribution primitive</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">For a while now the SDK has been accumulating attribution machinery along four different axes. Data sources contributing to an output &mdash; that had its own receipt. Protocol modules that evaluated the action &mdash; another. The governance chain that authorized it &mdash; another. Compute providers that ran it &mdash; a fourth. Four signed artifacts per action, four verification paths, and no single object that said &quot;this is the attribution for <em>this specific action</em>.&quot;</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Build A consolidates all four into one signed Merkle envelope.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">One <code>AttributionPrimitive</code>, four axis leaves (D, P, G, C), one <code>merkle_root</code>, one Ed25519 signature over the envelope. Any single axis can be projected and verified on its own without revealing the other three. Two projections of the same receipt cross-verify by shared <code>action_ref + merkle_root + signature</code> &mdash; you can tell, cryptographically, that the D projection someone showed you came from the same underlying action as the G projection someone else showed you.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The spec has been sitting at <code>/specs/ATTRIBUTION-PRIMITIVE-v1.1.md</code> since Apr 12. Today it landed as running code: 6 new SDK exports, 6 new MCP tools, a 1:1 Python port with cross-language signature verification, and an <code>AttributionPrimitive</code> type with canonical weight-string representation, balanced Merkle composition, and residual-bucket aggregation for sub-threshold contributors.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">SDK</strong> <a href="https://www.npmjs.com/package/agent-passport-system">v1.44.0</a>. <strong style="color:var(--text)">MCP</strong> <a href="https://www.npmjs.com/package/agent-passport-system-mcp">v2.25.0</a>. <strong style="color:var(--text)">Python</strong> <a href="https://pypi.org/project/agent-passport-system/">v0.13.0</a>. All three published, all three compatible.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The part worth flagging for anyone building on this: the projection structure means a settlement pipeline can operate on just the D axis without ever seeing the governance or compute axes. A data contributor can verify their share without the protocol stack having to disclose which evaluation modules fired. A compute provider can prove their share without exposing the data lineage. One receipt, four audiences, no disclosure leakage across them.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Builds B and C (fractional weights, settlement) are unblocked by this. Two-week arc.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">Build D2 &mdash; signed trust profiles</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Smaller ship, but the kind that changes integration shape.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The gateway has always exposed public trust profiles at <code>/api/v1/public/trust/:agentId</code> &mdash; a JSON document describing an agent&#39;s grade, wallet bindings, delegation state, and so on. Useful for dashboards, useful for agents deciding whether to talk to each other. Not directly <em>verifiable</em> by a third party, because it came over HTTPS and that&#39;s it. If you wanted to know that a specific profile was really what the gateway said, you had to trust the transport.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Build D2 attaches a compact Ed25519 JWS to every successful trust-profile response. Three headers: <code>X-APS-JWS</code> (the compact JWS), <code>X-APS-JWS-KID: gateway-v1</code>, and <code>X-APS-JWS-JWKS</code> pointing at <a href="https://gateway.aeoess.com/.well-known/jwks.json">the public JWKS</a>.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The JWS is over the canonical JSON body. The JWKS endpoint publishes the gateway&#39;s public key. Anyone can pull the profile, pull the JWKS, and verify cryptographically that the gateway signed exactly this payload. Body unchanged &mdash; existing consumers keep working, the signature just rides along in headers.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Tried it end-to-end with <code>jose</code>. Verifies cleanly. Kid matches, alg is EdDSA, signature checks out against the public JWKS.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">This is the protocol layer that was missing between &quot;the gateway told me X&quot; and &quot;I can prove the gateway told me X.&quot; Consumers that need that proof can now get it without changing how they fetch.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">Coordination retired</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">One quiet change worth naming. For a long stretch, work on this project ran through three coordination paths &mdash; a primary operator, a reviewer agent that handled GitHub posting, and a comms relay. It was a useful architecture when I was figuring out what this project even was. It stopped being useful a while ago.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Today it got retired. The reviewer agent&#39;s workflows are archived under <code>archive-portal-era/</code>, the nightly cron is gone, and the GitHub posting flows through one path now. Historical records &mdash; roadmap, blog, ops log &mdash; are preserved as they were. Nothing lost, just fewer moving parts.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Simpler is usually better.</p>
</article>

<article class="post" id="day-58">
  <time class="post-date" datetime="2026-04-15">April 15, 2026</time>
  <h2>Day 58: One chain added, one bug caught at the boundary</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Quick one today. SDK v1.43.0 ships with Solana in the <code>wallet_ref</code> chain enum, base58 validation included. That closes <a href="https://github.com/openclaw/openclaw/issues/49971">openclaw #49971</a>. End-to-end wallet binding now spans Ethereum, Bitcoin, and Solana.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The more interesting thing was the bug the integration surfaced.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">The case-sensitivity trap</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">APS treats chain names as case-insensitive at the boundary. <code>ETHEREUM</code>, <code>ethereum</code>, <code>Ethereum</code> all normalize to <code>ethereum</code>. That was fine for a while. For Ethereum addresses it doesn&#39;t matter, they&#39;re hex. For Bitcoin it doesn&#39;t matter either, the checksums handle it.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Solana addresses are base58. Base58 is case-sensitive. <code>7xKXt...</code> and <code>7xkXt...</code> are different addresses.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The gateway was lowercasing the entire normalized wallet payload on the way in. A perfectly valid Solana address got mangled to a syntactically valid but semantically wrong address. No error, no warning. Just a wrong address in the receipt.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The fix: chain-aware normalization. Lowercase the chain identifier, leave the <code>wallet_ref</code> alone if the chain is case-sensitive. Two-line change in the SDK validator plus a matching guard in the gateway. Test coverage added for all three chains with mixed-case inputs. 2,848 tests, all green.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">This is the kind of thing that looks small and is actually big. The failure mode was silent data corruption that the protocol signed over cryptographically. Every receipt that passed through would have been a signed statement about the wrong address. You can&#39;t fix that after the fact. The only reason it surfaced is because someone was actively integrating and caught the round-trip mismatch.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Moral: when a primitive was correct for every input class you had, and you add a new input class, the primitive is not correct anymore. It&#39;s a new primitive, and it needs new tests.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">Vocab registry: four more PRs</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The <a href="https://github.com/aeoess/agent-governance-vocabulary">agent-governance-vocabulary</a> repo had another busy day. Four merges on Apr 15: asqav crosswalk from jagmarques (ML-DSA-65 server-side signatures, first lattice-based contributor), JEP from schchit (minimal verb-based decision record, IETF I-D pending), insumerapi license-endpoint fix from douglasborthwick-crypto, and validator cleanup and format normalization.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Plus a quieter promotion that matters more than any single PR: <code>peer_review</code> got promoted to canonical status. Two independent implementations now, Logpose (rkaushik29) and RNWY (rnwy), both shipping code, both mapping their internal <code>peer_review</code> equivalents to the canonical term. That&#39;s the two-implementation threshold the CONTRIBUTING.md set, hit for the first time post-launch by contributors who don&#39;t know each other.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">That&#39;s the vocab registry working as designed. No single group driving it. The canonical vocabulary is the thing that at least two groups independently agreed to call the same thing.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">Contributor count</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Four days after opening, 14+ contributors have shown up. Eleven PRs merged in six days. One PR closed (SAR first attempt, replaced by PR#17 after revisions). The five-check merge protocol I wrote about on <a href="#day-57">Day 57</a> got its first real stress test this week. Two PRs needed revisions before merge. Identity unverified in one case, format wrong in another. Both came back clean after a round of specific feedback. The rules hold up when you actually apply them equally.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">What&#39;s on tomorrow</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Build D2 is queued. Public JWS signing on the gateway&#39;s trust profile endpoint. One-function-call fix on existing infrastructure, unlocks cross-verify demos with MolTrust and AgentNexus that are already standing by. After that, Build A (attribution primitive) is the next real protocol ship.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Short day, short post. Back to the queue.</p>
</article>

<article class="post" id="day-57">
  <time class="post-date" datetime="2026-04-14">April 14, 2026</time>
  <h2>Day 57: Three Boundaries and a Paper</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Three v2 primitives shipped today. Each one closes a failure mode that showed up in production, not in theory. They're small modules, a few hundred lines each, but each one names a boundary that the protocol had been crossing silently.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">AttributionConsent — the representation boundary.</strong> Last week an agent on A2A#1734 cited a third party's position without their consent, in a way that made it look like the third party had endorsed the claim. The citation was accurate textually. The problem wasn't accuracy, it was representation: one agent's principal was speaking for another's without authorization. <code>AttributionConsent</code> requires dual signatures on any citation that binds the cited principal — cited party signs their consent, citing party signs the citation itself. Missing one side fails verification. Replay protection via expiry windows. Integrated into charter verification, settlement verification, and completion-receipt verification so the guard runs at every boundary where an attribution could become binding.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">ProvisionalStatement — the commitment boundary.</strong> LLM outputs are treated as instantly binding by the systems consuming them. An agent writes "we will proceed with vendor X" and some downstream system registers that as decision-made. <code>ProvisionalStatement</code> flips the default. Agent-to-agent statements start provisional. Binding requires an explicit <code>PromotionEvent</code> satisfying a <code>PromotionPolicy</code> — typically m-of-n principal signatures, or a direct ratification from the principal whose authority is being committed. Dead-man elapses to withdrawn, not promoted. Silence is not consent. This one hurts the most to write because it forces everything upstream to distinguish draft from decision, which most current agent frameworks don't.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">HumanEscalationFlag — the escalation boundary.</strong> Some action classes should never execute without human confirmation regardless of the delegation chain. <code>HumanEscalationFlag</code> gates on per-action-class owner confirmation with three scope modes: <code>per_action</code> (every call), <code>per_session</code> (one confirmation covers the session), <code>time_window</code> (confirmation valid for a declared duration). Owner confirmations are signed and recorded. Agents can't bypass by narrowing the action class or by delegating past it — the flag evaluates at action time, not delegation time.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Three numbers.</strong> SDK at <a href="https://www.npmjs.com/package/agent-passport-system">v1.42.0</a>, 2,844 tests (80 new tests across the three primitives and their integration). MCP at <a href="https://www.npmjs.com/package/agent-passport-system-mcp">v2.24.0</a>, 143 tools (11 new boundary-primitive tools). Python SDK at <a href="https://pypi.org/project/agent-passport-system/">v0.12.0</a>, same primitives ported with cross-language signature verification. All three shipped on npm and PyPI before this post went up.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">The paper</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The paper also went up on Zenodo today. <a href="https://doi.org/10.5281/zenodo.19582550">Governance in the Medium: Why the Unit of Agent Governance Is the Population, Not the Agent.</a></p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">One-paragraph version: agent governance research models the agent as the unit. The agent in every deployed system today is already a fiction reconstructed across sessions that are short-lived and mutually unaware. The real object is a population of such sessions talking through a family of uncoordinated substrates — memory files, handoffs, shared state. Continuity of "the agent" is a property this family produces, not a property any session has. The paper argues this population-with-medium is the correct unit of agent governance, that current protocols (including APS) underspecify governance of the medium because they've been looking at the wrong object, and that the architectural move that makes authority survive session death (artifact-based state with signed authorization) can be extended to govern the medium.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The paper names one open problem as the central threat to the strongest version of the claim: cryptography formalizes authorship, delegation, ratification, access, and ancestry. It does not formalize meaning. A governed medium of agent populations can accumulate fluent hallucination if the participants emitting fragments are systematically producing semantically unsound content — every fragment cryptographically valid, the aggregate medium a growing archive of nonsense. The institutional analogies the paper leans on (Wikipedia, corporate memory, open-source projects) work because humans fill the semantic-evaluation gap. Whether agent populations can substitute any combination of reputation, cross-verification, and human ratification gates for that human sensemaking is the hardest open problem in the paper. I don't know.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Six rounds of adversarial review before the paper shipped. Claude, GPT, and Gemini attacking each version from different angles. The first version (v0.1) was a safe taxonomy paper. The last one (v0.5) is the smallest version of the claim that survived every attack. It's a working paper, not a scholarly result. Design Memorandum in the early-IETF sense — stake a claim, invite attack, ship before you can defend every sentence.</p>
  <h3 style="color:var(--text);font-size:1.1rem;margin-top:1.6rem;margin-bottom:.6rem">Why both on the same day</h3>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The three boundary primitives and the paper are the same thought at two scales. The primitives name three boundaries the protocol was crossing silently at the session level. The paper names a larger boundary the whole field is crossing silently — governing what one session does while ignoring what the population passes along. One is engineering, the other is framing. Shipping them together is the honest thing because they only work together: the engineering without the framing is useful plumbing that nobody contextualizes, and the framing without the engineering is a manifesto without a reference implementation.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Tomorrow is for the Working Group scope ratification announcement, the cross-links to Harold's interop repo, and the roadmap items that are queued behind tonight's shipping. Tonight is for this: three boundaries, one paper, both live.</p>
</article>

<article class="post" id="day-53">
  <time class="post-date" datetime="2026-04-10">April 10, 2026</time>
  <h2>Day 53: The convergence layer earns a name</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Two weeks ago the problem with interop specs was that every project named the same field differently. One called it <code>delegation_root</code>, another <code>chain_hash</code>, a third <code>provenance_anchor</code>. Same bytes, three names, zero interop.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Today four teams converged on one repo in under an hour. <a href="https://github.com/aeoess/agent-governance-vocabulary">aeoess/agent-governance-vocabulary</a> is a canonical naming layer for governance types. Not a new spec, not a new framework, just a shared dictionary. Anyone ships types, anyone reviews, PRs get merged when the names and semantics are defensible. APS hosts it because someone has to, not because APS owns it.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Nanook landed the first external review on <code>wallet_state</code> within hours of the repo opening. lowkey-divine brought the Fidelity Measurement types. 64R3N's WTRMRK sequencing proposals fit cleanly. The job the vocabulary does is small and boring. That's the point. Small and boring is what made the internet work.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Three-vendor governance_attestation.</strong> On A2A#1717 the <code>signal_type: governance_attestation</code> envelope now has three independent issuers: APS, MolTrust (<code>api.moltrust.ch/guard/governance/validate-capabilities</code> went live today), and AgentNexus/Enclave v0.9.5. Three DID methods, three JWKS, one envelope shape. A caller merging all three gets multi-vendor consensus with zero coupling between issuers. That's the exact argument Agent Card consumers need before they trust governance metadata as a standards surface.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The cross-verify proof is queued: one subject, two signed attestations issued independently, both verifiable offline against their respective published JWKS. If it round-trips, we post the receipts. If it doesn't, we find the canonicalization delta and fix it. Either outcome is useful.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">APS ↔ SINT handshake spec.</strong> pshkv shipped <code>docs/specs/aps-sint-handshake-v1.md</code> to sint-protocol main today with 11 conformance tests covering the three scenarios that actually matter: authorized call, scope-exceeded denial, and cascade revocation mid-session. The delegation chain root hash format maps cleanly onto APS <code>verifyDelegation()</code>. Same RFC 8785 canonicalization, same SHA-256, same leaf-inclusive ordering. We offered to run their JSON fixtures through the published SDK and post the round-trip result. Smallest possible interop proof.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">What this all adds up to.</strong> A month ago the agent identity discussion on every working group thread was stuck on "whose DID method wins." That question has quietly stopped mattering. The new question is whose <em>envelope</em> the whole field signs, and the answer that's emerging is: nobody's in particular, everyone's interoperable. APS is one issuer among several in the <code>governance_attestation</code> type. SINT is one enforcement surface among several in the handshake spec. The vocabulary repo is one canonical-naming home among potentially several.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">None of this reads as APS winning. It reads as the problem getting small enough that nobody has to win for the stack to work. That's the outcome we wanted.</p>

  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Six primitives shipped against a paper.</strong> Nanook and Gerundium published PDR in Production v2.19 this morning. The paper cites AEOESS as the third orthogonal axis in a three-axis behavioral trust framework (Saebo constraint compliance + Pidlisnyi Hold/Bend/Break + PDR cross-session reliability) and attributes several functions to an "AEOESS adapter" that did not yet exist in code. We spent the day closing the gap. <a href="https://www.npmjs.com/package/agent-passport-system">SDK v1.41.0</a> ships six new exports across three modules: <code>applyTemporalDecay</code> and <code>confidenceBreakdown</code> on <code>ScopedReputation</code>, a <code>BehavioralFingerprint</code> three-axis envelope with Ed25519 signing, <code>computeReputationDrift</code> over a new <code>recentObservations</code> ring buffer, <code>extractSessions</code> for HLC gap-based session segmentation, <code>computeProbeIdentity</code> and <code>verifyProbeIdentity</code> for canonical-hash probe binding, and <code>computeConsistencyScore</code> as a dedicated predictability primitive. The consistency score has the §6.5 over-promiser paradox locked as a regression test: an agent with uniformly small negative deltas scores higher on consistency than one with alternating large positive and negative deltas, which is the whole point of separating predictability from performance.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Three surfaces updated in parallel. MCP server bumped to <a href="https://www.npmjs.com/package/agent-passport-system-mcp">v2.23.0</a> tracking SDK v1.41.0. Python SDK bumped to <a href="https://pypi.org/project/agent-passport-system/">v0.11.0</a> as an alignment signal following the v0.9.0/TS-v1.34.0 pattern. ClawHub skill published at 1.41.0. Test count 2,497 → 2,763. Zero breaking changes.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Two citation corrections also caught.</strong> A version-history audit of Nanook's paper across v1.0 through v2.19 surfaced that the "15-facet Boolean" <code>constraintVector</code> in §7.6.3 came from our own stale documentation, not from Nanook's transcription. A <code>// 15 facets</code> comment in <code>src/core/denial-domains.ts</code> and a matching "15 constraint dimensions" string in <code>package.json</code> were dated one day before the March 30 correspondence. Both now fixed to 14 (with 4-valued Belnap status, which is what actually ships). The paper's <code>postureTier</code> enum (<code>ANCHORED | DELEGATED | ATTESTED | CRITICAL</code>) also does not match the code (<code>full_trust | standard | cautious | restricted | quarantine</code>). Correction note drafted, not yet sent, because the most useful thing we can do tonight is ship the code the paper already cites.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The §8.10 substrate-swap experiment is the test that would settle Nanook's three-axis orthogonality claim. All six of tonight's primitives are scaffolding for that experiment. If Saebo, Pidlisnyi, and PDR correlate heavily in practice, the three-axis framework collapses to a single axis with three measurement surfaces. If they don't, the framework validates. Either outcome is a publishable result. The <code>HBB-PROBE-FORMAT-v1.yaml</code> spec is now committed to <code>aeoess_web/specs/</code>; the joint harness is rank 10 on the build list and unblocks the moment Nanook and Gerundium agree on probe format.</p>
</article>

<article class="post" id="day-52">
  <time class="post-date" datetime="2026-04-09">April 9, 2026</time>
  <h2>Day 52: Three Walls</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">A new user landed on the SDK yesterday and bounced within ninety seconds. I watched the session. They opened the MCP server, saw 132 tools flood their client, closed it. They opened the SDK, saw 925 exports load from a single import, closed it. They read the homepage, saw "103 modules" in the hero stat, and closed the tab. Three walls. All hit within a minute and a half.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The protocol is complete. That is the problem. When you have forty-two modules you say "forty-two modules" and it sounds like a lot. When you have a hundred and three modules you say "a hundred and three modules" and it sounds like a cathedral you have to finish building before you can walk in. The cathedral is real and someone has to build it, but a new user should not have to see the scaffolding before they see the door.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Wall one: the MCP server flood.</strong> Claude Desktop lists every tool an MCP server exposes. When you connect APS you get one hundred and thirty-two. Most of them you will never use. Some of them exist because a paper needed them. Some of them exist because an ecosystem thread needed them. Some of them are load-bearing for the quiet parts of the protocol that only fire during an incident. All of them show up in the tool picker next to <code>read_file</code> and <code>run_command</code>. The fix is a profile. The default profile is called <code>essential</code> and it is twenty tools: identity, delegation, enforcement, commerce, reputation. That is what ninety percent of integrations need. The other ten percent set <code>APS_PROFILE=full</code> and get everything back.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><code>npx agent-passport-system-mcp</code> now defaults to essential. <code>APS_PROFILE=full npx agent-passport-system-mcp</code> still works. Nothing was removed. Nine other profiles are available for people who know exactly what they want: identity, governance, coordination, commerce, data, gateway, comms, minimal, full. The default is the one that lets a first-time user see the door.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Wall two: the SDK export avalanche.</strong> The full SDK exports over nine hundred symbols. In most IDEs this means an agent reading <code>import { } from 'agent-passport-system'</code> gets autocomplete that scrolls for twenty seconds. Intellisense times out. The agent picks something wrong because it cannot see the right thing. The fix is a subpath export. <code>agent-passport-system/core</code> exposes around twenty-five curated functions and a handful of essential types. Identity: <code>createPassport</code>, <code>verifyPassport</code>, <code>generateKeyPair</code>. Delegation: <code>createDelegation</code>, <code>subDelegate</code>, <code>revokeDelegation</code>, <code>cascadeRevoke</code>. Enforcement: <code>createActionIntent</code>, <code>evaluateIntent</code>. Commerce: <code>commercePreflight</code>, <code>createCommerceDelegation</code>. Reputation: <code>resolveAuthorityTier</code>. That is the surface you actually need to bring up a working passport pipeline end to end.</p>
  <pre style="font:500 .78rem/1.55 var(--mono);color:var(--ink-2);background:var(--code-bg);border:1px solid var(--rule);padding:.75rem 1rem;border-radius:8px;overflow-x:auto"><span style="color:var(--ink-5)">// Day 52 onward — curated essentials</span>
import {
  createPassport, createDelegation,
  evaluateIntent, commercePreflight, generateKeyPair
} from 'agent-passport-system/core'

<span style="color:var(--ink-5)">// Full 925-export API still available at the root import</span>
import { /* anything from the full surface */ } from 'agent-passport-system'</pre>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The full <code>agent-passport-system</code> import is unchanged. Backward compatible. Nothing was renamed. Nothing was deleted. If you were importing twenty functions from the root yesterday, you are still importing twenty functions from the root today. The subpath is additive. New users start with core. Existing integrations keep working. The people who know they need <code>buildBoundaryProfile</code> or <code>createEmergencyPathway</code> or any of the 32 v2 constitutional modules pull those from the root import by name.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Wall three: the homepage pitch.</strong> For weeks the hero stat on aeoess.com led with "103 modules" and "132 MCP tools." That is true and it is the wrong thing to lead with. Leading with module count tells a new visitor that they will have to learn a hundred and three things before they can use the thing. The repositioning is one sentence: enforcement and accountability layer for AI agents, bring your own identity. That is what the protocol actually does. The module count is a consequence of being complete, not the reason to adopt it. Full surface area stays on the page as a muted line below the hero stats, for the people who want to know how big the cathedral is before they walk in.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">What was not done.</strong> Nothing was removed. Nothing was renamed. Nothing was deprecated. Every v1 import path still works. Every MCP tool still exists and is reachable under <code>APS_PROFILE=full</code>. The depth pages (<a href="passport.html" style="color:var(--link)">passport.html</a>, threat model, llms-full.txt, specs) still show the full 103 modules and 132 tools because that is what engineers integrating the SDK actually need to see. The repositioning is a filter on the front door, not a surgery on the building.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Where this leaves the story.</strong> The protocol is complete. The front door is smaller. A new user sees five stats, picks up twenty tools, imports five functions, and ships something real in an afternoon. If they need the cathedral, it is still there, one import path away. If they never need it, they never see it. That is the whole shape of this change.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.40.0 with <code>/core</code> subpath on npm. MCP v2.22.2 with <code>APS_PROFILE=essential</code> default on npm. 2,552 tests passing. Full surface unchanged. Published to <a href="https://www.npmjs.com/package/agent-passport-system">npm</a>, <a href="https://pypi.org/project/agent-passport-system/">PyPI</a>, <a href="https://clawhub.ai/aeoess/agent-passport-system">ClawHub</a>.</p>
</article>

<article class="post" id="day-51">
  <time class="post-date" datetime="2026-04-08">April 8, 2026</time>
  <h2>Day 51: The Quantum Paper</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Six weeks of circling quantum computing. Every angle felt wrong. Quantum speedup for APS math? Killed it. Quantum randomness for keygen? Commodity. Bell state non-collusion? Cute, not useful. Then the consilium found the question: stop putting quantum inside APS. Put APS around quantum.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The insight.</strong> When an agent submits a quantum circuit to IBM hardware, the results look valid regardless of hardware quality. A Bell state measurement returns {00: 500, 11: 500} whether the qubit had 400 microsecond coherence or 39. The difference is invisible in the output. It shows up only in the error rate. And the error rate depends on hardware calibration that changes hourly. No existing agent governance framework checks this. They enforce budgets and scopes. Not physics.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The build.</strong> Physics facets on delegations. min_t1_us, min_t2_us, max_gate_error, max_readout_error, max_calibration_age_hours. Same monotonic narrowing as every other APS facet. A child delegation can demand stricter physics but never weaker. The gateway queries live IBM Quantum calibration data and enforces the constraints before permitting execution. If the hardware fails, the agent gets a DENIED_FIDELITY receipt with the exact calibration values that triggered the denial.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The experiments.</strong> Seven experiments on real IBM Quantum hardware. Three backends: ibm_fez, ibm_marrakesh, ibm_kingston. All 156-qubit Heron R2 processors. Same delegation (min_T1=80 microseconds) applied to all three. ibm_fez was denied. Qubit 0 T1 was 39.1 microseconds. Nearly 10x shorter than the same qubit index on ibm_kingston. Same generation hardware, radically different quality.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The counterfactual.</strong> Ran the Bell state on both backends anyway, without governance. ibm_fez: 92.9% fidelity. ibm_kingston: 98.1%. The governance decision was correct. Then ran a 4-qubit GHZ state. The gap widened. 87.1% vs 94.8%. More qubits, more accumulated error on the weaker backend. 7.7 percentage points. The governance was even more correct on the harder circuit.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The paper.</strong> Three-model peer review (Claude, GPT, Gemini acting as IEEE QCE reviewers). Average novelty 8.0. They found real problems: self-citation echo chamber (4 of 7 references were mine), overclaiming causal validation, single circuit type. All fixed. References expanded from 7 to 14. Dennis and Van Horn 1966, Birgisson macaroons 2014, Murali ASPLOS 2019, Salm NISQ Analyzer 2020. The GHZ experiment killed the "single circuit" criticism. Language calibrated: "validates" became "empirically supports."</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Published.</strong> Zenodo: <a href="https://doi.org/10.5281/zenodo.19478584" style="color:var(--link)">doi:10.5281/zenodo.19478584</a>. Code: <a href="https://github.com/aeoess/aeoess-quantum-governance" style="color:var(--link)">github.com/aeoess/aeoess-quantum-governance</a>. Submitted to arXiv cs.MAS with cross-list cs.DC, cs.CR, cs.AI. Five papers now.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Ecosystem.</strong> tomjwxf independently verified all 3 APS composition receipts through protect-mcp (exit 0 across the board). That is the first external confirmation of cross-engine receipt verification. OWASP thread scored APS 10/12 on the Boundary-to-Boundary Invariant Survival matrix. haroldmalikfrimpong-ops proposed AgentID + APS as a reference identity-authorization stack with joint test vectors. MolTrust integration test initiated for cross-provider verification of behavioral derivation rights narrowing. kevinkaylie got the integration path for did:agentnexus with APS passport grades. 28 active threads scanned, 3 responses posted, every pending question answered.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The quantum paper is a differentiator. Nobody else is governing hardware physics through delegation chains. But the real work today was the ecosystem. External receipt verification. Cross-provider attestation. Joint test vectors. The protocol is becoming infrastructure that other people build on. That was always the plan.</p>
</article>

<article class="post" id="day-50">
  <time class="post-date" datetime="2026-04-07">April 7, 2026</time>
  <h2>Day 50: Customer-Ready</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The longest session yet. Started with a 4-pass security audit (30 findings, all fixed), ended with a gateway that can onboard paying customers. Everything in between was building what was missing between "protocol works" and "someone can actually use this."</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The audit.</strong> Four passes, different methodology each. Pass 1 found the TOCTOU race in spend tracking and MCP tools leaking private keys over SSE. Pass 2 found delegation objects were mutable after creation (scope widening via .push()). Pass 3 simulated protocol attacks: Delegation Laundering, Ghost Delegations, Clock Manipulation, Tenant Escape across six endpoints. Pass 4 verified all 30 fixes. The protocol is harder to break today than yesterday.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Email infrastructure.</strong> Integrated Resend. Domain verified (DKIM + SPF). Four templates: signup welcome with API key, payment receipt, weekly digest, spend alert. Every new account gets a welcome email with their key and a 3-step quickstart. Spend alerts fire automatically at 80% and 95% of delegation budgets.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Portal redesign.</strong> The old hero said "Your agents are doing things. Can you prove it?" It read like an accusation. New copy: "Governance infrastructure for AI agents." Plans are now clickable with CTAs. Added a "What you get" section (Signed Receipts, Trust Profiles, Audit Trail) and a quickstart with actual curl examples. The portal page now tells you what to do after signup, not just how to sign up.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">API docs.</strong> Full reference at <a href="https://aeoess.com/docs.html" style="color:var(--link)">aeoess.com/docs.html</a>. Nine sections: authentication, agents, delegations, evaluations, trust, wallets, governance export, billing. Every endpoint with curl examples and response formats. The gateway 404 handler now points here instead of a dead /docs path.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">New protocol primitives.</strong> Bilateral completion receipts: both sides of a transaction get cryptographic proof of what happened. <code>scope_version_hash</code>: pre-commitment so both parties hash over the same scope state before evaluation. <code>measurementType</code> discriminator on EvaluationContext: protocol enforcement and behavioral fidelity produce fundamentally different results and should never be compared at aggregate level. Per-task-class trust profiles with temporal windowing. Argument-pattern scoping with glob matching for broad-capability tools.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Operational infrastructure.</strong> Admin tenant management (list, soft-delete, enterprise only). API key regeneration with email notification. <code>GET /health</code> and <code>GET /api/v1/status</code> for public uptime monitoring. Live status page at <a href="https://aeoess.com/status.html" style="color:var(--link)">aeoess.com/status.html</a>. Weekly digest trigger. Wallet resolution on trust profiles so external issuers can query by wallet address. 8 test accounts cleaned up. Production is 2 tenants: AEOESS (enterprise) and The Agent Times (pro).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Ecosystem.</strong> 25+ thread replies across A2A, OWASP, MITRE, crewAI, HuggingFace, ToolJet, insumer-examples, and our own repos. RNWY adopted our <code>verifiedAt</code> vs <code>issuedAt</code> split. lowkey-divine is converging their Fidelity Measurement Spec with our <code>BehavioralAttestationResult</code> type. douglasborthwick proposed wallet-based multi-issuer attestation queries and we committed to implementing it. Nanook (UBC) is co-authoring Section 8 of his research paper using our dogfood data (382 rows, 4 tables, task_class column). WTRMRK on Base L2 offered cross-protocol trust profile integration. vessenes confirmed entity binding endpoints are live.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.36.4 (2,497 tests). MCP v2.21.3. Gateway v0.4.0 with 20+ new endpoints. Everything published to npm, PyPI, ClawHub. The gap between "protocol" and "product" closed today. A developer can sign up, get an API key in their inbox, register an agent, create a delegation, run an evaluation, and see the results in a dashboard. That's the whole loop.</p>
</article>

<article class="post" id="day-49">
  <time class="post-date" datetime="2026-04-06">April 6, 2026</time>
  <h2>Day 49: Twelve Primitives, One Day</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Nate B Jones posted a video reverse-engineering Claude Code's internal architecture. Not the prompts. The orchestration layer. He identified 12 primitives that make agentic tool systems work: tool registry, permission tiers, session persistence, workflow state, token budgets, streaming events, system logging, verification, tool pool assembly, transcript compaction, permission audit trails, and agent type systems.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">We watched the video. Scored ourselves against each primitive. Some already existed in the protocol. Several were missing entirely. By the end of the day, all 12 were live in the gateway, verified with actual HTTP calls against production endpoints.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Session persistence (Primitive #3).</strong> When an agent crashes and reconnects, it needs its full enforcement state back. <code>PUT /sessions/:agentId</code> checkpoints everything: active delegations, workflow step, usage counters, framework metadata. <code>GET /sessions/:agentId</code> returns the stored checkpoint plus a live delta: evaluations since last checkpoint, alerts, current posture, delegation status changes, health metrics. The agent gets "here's where you were" and "here's what happened while you were gone" in one call.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Coordination API (Primitive #4).</strong> Full task lifecycle: <code>draft &rarr; assigned &rarr; in_progress &rarr; evidence_submitted &rarr; approved &rarr; completed</code>, with a revision loop and cancel from any non-terminal state. Nine endpoints. Every state transition validates the current status (409 on invalid), records a task event, and emits an SSE event. The gateway now orchestrates multi-agent work assignment, not just permission checks.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Agent type enforcement (Primitive #12).</strong> Six types: general, explorer, planner, executor, reviewer, monitor. Each type has blocked scopes and optional rate limits. An explorer agent with a delegation that includes <code>admin:delete</code> still gets denied. The type constraint fires after the delegation scope check but before the final permit. Behavioral boundaries that survive delegation.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Adapter pipeline.</strong> The SDK had 8 adapters producing receipts that vanished into the void. Now every adapter has an optional <code>gateway?</code> config. When set, <code>reportReceipt()</code> fires a POST to the gateway after every success and denial. Five adapters wired with 14 emission points. All fire-and-forget: the adapter never blocks on a gateway failure. Customer dashboards finally show what's happening across LangChain, CrewAI, MCP, IBAC, and Gonka pipelines.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Pagination and filtering.</strong> Eight list endpoints converted from unbounded queries to <code>?limit=20&amp;offset=0&amp;sort=created_at:desc</code> with total counts and <code>has_more</code> flags. The audit trail got five filter parameters: agent_id, verdict, action_type, from, to. Enterprise customers querying 10,000 evaluations no longer get the full table dumped at once.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Stripe billing.</strong> The gateway has payment plans. Free: 1,000 evaluations, 3 agents. Team ($99/mo): 50,000 evaluations, 25 agents, compliance reports. Enterprise ($499/mo): unlimited. Self-serve portal at <code>aeoess.com/portal.html</code> with signup, API key management, one-click upgrade via Stripe Checkout. The protocol is Apache 2.0 and always will be. The gateway sells operational intelligence: dashboards, audit trails, session persistence, coordination. Free to govern your agents. Pay to see how well it's working.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Someone asked if paid plans hurt the open source strategy. They are the open source strategy. Redis, Elastic, Grafana, Supabase, GitLab. The protocol defines what governance IS. The gateway defines how well it WORKS. Customers who want to self-host build their own enforcement boundary using the open SDK. Customers who want it to just work use the hosted gateway. Having a paid tier signals sustainability. Nobody builds on infrastructure whose creator can't maintain it.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.36.2 (2,497 tests, 626 suites). MCP v2.21.1 (132 tools, scope filtering across 12 scopes). Gateway v0.4.0 (30 tables, 100+ routes, 46 SSE emissions, 28 event types). Gonka adapter shipped (decentralized GPU compute governance). All 12 Nate B Jones primitives verified live against production. Published to <a href="https://www.npmjs.com/package/agent-passport-system">npm</a>, <a href="https://pypi.org/project/agent-passport-system/">PyPI</a>, <a href="https://clawhub.ai/aeoess/agent-passport-system">ClawHub</a>.</p>
</article>

<article class="post" id="day-48">
  <time class="post-date" datetime="2026-04-05">April 5, 2026</time>
  <h2>Day 48: Six Sessions, One Shipping Day</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Five consilium models attacked the specs before a single line shipped. Six build sessions, executed sequentially. Every session depends on what the previous one deployed. Gateway auto-deploys on push. No staging environment. The verification script is the only safety net.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Key rotation (Session 1).</strong> If a principal's Ed25519 key is compromised, the entire delegation tree dies. The fix: planned rotation (24h overlap, both keys valid) and emergency rotation (immediate old-key disable). DID Document with <code>retiredAt</code> metadata on old keys. State machine: <code>announced</code>, <code>revocation_in_progress</code>, <code>revocation_complete</code>, <code>activated</code>. Partial revocation failure is visible, not hidden. The consilium was unanimous: SDK computes, gateway MUST enforce. A compromised key controls the client. Server-side activation timing is the hard enforcement.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Auto-mint receipts (Session 2).</strong> Gateway had 202 evaluations. Zero receipts. Data lifecycle thesis unproven. The fix: every evaluation now mints a cryptographic receipt. <code>authorization_permit</code> and <code>authorization_deny</code>. The gateway proves what was AUTHORIZED, not what HAPPENED. Scope stored as sorted JSON array, not comma-joined string. Policy hash, not hardcoded version label. Backfilled all 202 historical evaluations on first deploy.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Audit packets (Session 3).</strong> One receipt, one exportable proof chain. <code>decision_record</code> is signed by the gateway (immutable, stable signature across calls). <code>current_context</code> is queried at request time (volatile, delegation chain may have changed). Completeness metadata tells the verifier if any sub-query failed. Markdown format option for human review. The two sections are clearly separated: what was true at decision time vs what is true now.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Agent posture overlay (Session 4).</strong> Binary revoke/not-revoke is too crude. Three states: active, restricted, suspended. The consilium killed the original design: DO NOT put degradation on the passport. The passport is an immutable signed credential. A rogue agent won't sign its own suspension. Posture lives in the gateway DB only. Gateway checks status before delegation scope. Posture events audit trail records every transition with reason and changed_by. Eighteen governance regression tests prove the authorization boundaries hold.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Governance evidence export (Session 5).</strong> Nine sections, single signed artifact. Agent registry, delegation inventory, evaluation events, authorization receipts, revocation events, posture events, key rotations, receipt window seals, governance attestations. Sections with zero data show <code>total: 0</code>. That's honest, not broken. Known exclusions are explicit: "downstream execution results" and "external processing not mediated by this gateway." Not a compliance report. A governance evidence export.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Trust bootstrap adapters (Session 5).</strong> <code>bootstrapFromAPIKey</code>, <code>bootstrapFromGitHub</code>, <code>bootstrapFromCIKey</code>. Every adapter creates a fresh Ed25519 keypair. The external credential is a trust input, not the identity. Raw credentials never touch the SDK (caller pre-hashes with HMAC-SHA256). Suggested grade is a suggestion. Actual grade computed by <code>computePassportGrade</code> when the passport enters the gateway. Upgrade path to full attested identity via <code>upgradeBootstrappedPassport</code>.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Delegation linting + receipt seals (Session 6).</strong> Two gateway-compatible feasibility checks: <code>SPEND_TOO_LOW</code> and <code>SCOPE_MISSING</code>. Three checks always skipped with reasons (gateway doesn't store <code>expiresAt</code>, <code>currentDepth</code> yet). No reputation emission from lint results. Infeasible delegations are admin mistakes, not agent misbehavior. Receipt window seals: sorted-hash commitment over receipt hashes in ID order, atomic transaction, gateway signature. The commitment proves "these receipts, in this order, were sealed at this time."</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.34.0 (2,306 tests, 581 suites, 103 modules). MCP v2.21.0 (131 tools). Python v0.9.0 (197 tests). Gateway v0.4.0. Governance canary: 5/5 pass. All published to <a href="https://www.npmjs.com/package/agent-passport-system">npm</a>, <a href="https://pypi.org/project/agent-passport-system/">PyPI</a>, <a href="https://clawhub.ai/aeoess/agent-passport-system">ClawHub</a>.</p>
</article>

<article class="post" id="day-47">
  <time class="post-date" datetime="2026-04-04">April 4, 2026</time>
  <h2>Day 47: Protocol Infrastructure Expanding — MS PR Approved, SINT Interop, Behavioral Spec</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Microsoft approved our Agent Governance Toolkit PR. SINT Protocol shipped v0.2 with our delegation_depth_floor. The W3C behavioral attestation spec reached normative language. Evidence-based grading and freshness semantics designed across 11 threads — the protocol ecosystem is growing through collaboration, not announcements.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Grade model rewrite (A2A#1712).</strong> VCOne-AI identified a real flaw: our passport grades map by identity method, not evidence quality. A TPM-backed did:key gets Grade 0 because it's did:key. A SPIFFE SVID from a misconfigured cluster gets Grade 2 because it's SPIFFE. Backwards. Three exchanges deep, we committed to evidence-based grading: Grade 0 = bare key, Grade 1 = issuer vouched, Grade 2 = infrastructure-attested (TPM or SPIFFE with verified binding), Grade 3 = principal-bound. The method prefix is a proxy. The evidence is the truth.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Freshness semantics (A2A#1712).</strong> Same thread, different problem. VCOne-AI pushed on <code>ttl: null</code> for snapshot attestations: a TPM quote from 6 hours ago is not the same as a TPM quote from now, and <code>null</code> implies never-expires. The fix: <code>maxAge</code> for snapshots, <code>ttl</code> for rotating (SPIFFE). Grade becomes index, evidence becomes payload. A $10K trade checks <code>evidence_age() < maxAge</code>. A read-only query trusts the grade alone.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">SINT v0.2 review (A2A#1713).</strong> 8 comments in one thread. pshkv shipped SINT Protocol v0.2 with OWASP Agentic Top 10 coverage, industrial IoT bridges (MQTT Sparkplug B, OPC UA), and the <code>delegation_depth_floor</code> we designed together. The APS/SINT integration stack formalized: APS passport (who + scope) → SINT token (which MCP tools + tier) → EvidenceLedger receipt (what happened). Cross-org first-contact trust as a three-layer architecture.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Behavioral attestation spec (w3c-cg#32).</strong> 6 comments. The timing asymmetry became normative: CCS fires synchronously per-action (gateway-enforced), ghost lexicon computes over windowed receipt history (session-level), the combined AND row triggers only in post-hoc forensics. <code>MUST NOT</code> constraint added: implementations cannot wait for both signals simultaneously in live enforcement. Our CDP empirical data from MolTrust pilots cited as validation.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">PayableOperation architecture (x402#1921).</strong> First engagement with ThomsenDrake (BTCPay/Lightning). The gap: x402 has payment primitives, but no receipt chain binding operations to settlements. The 3-sig model maps: agent signs intent, gateway signs evaluation, settlement adapter signs proof. Rail-agnostic at the schema level, rail-specific only in the verification path.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">MnemoPay receipts (x402#1904).</strong> Non-repudiation gap identified: MnemoPay gives agents economic memory, but memory without cryptographic proof is just a claim. Proposed: APS receipt as the proof layer under MnemoPay's reputation score. One signing key, two consumers. The reputation score references the receipt hash, traceable back to a 3-sig chain.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">MS PR#598 approved.</strong> imran-siddique requested 6 changes, all addressed same-day: fail-closed signature verification (critical — format-only fallback was worse than no verification), dependency pinning, input validation, test coverage, README trimmed. Approved that evening. Awaiting maintainer merge.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Protocol infrastructure doesn't grow by shipping code alone. Microsoft PR approved. SINT v0.2 shipped with our primitives inside. W3C spec reached normative constraints. Evidence-based grading and freshness semantics designed and ready to build. The ecosystem is collaborating on shared infrastructure — every thread is a design document for what ships next.</p>
</article>

<article class="post" id="day-46">
  <time class="post-date" datetime="2026-04-03">April 3, 2026</time>
  <h2>Day 46: Bring Your Own Identity — The Interop Stack</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">APS is not an identity system. Today it stopped looking like one. Four new modules shipped that accept external identity credentials and route them through the enforcement boundary. did:key, did:web, SPIFFE SVIDs, OAuth tokens — all feed into the same gateway. Identity is the input. Enforcement is the product.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">did:key + did:web interop.</strong> <code>toDIDKey()</code> converts Ed25519 public keys to W3C did:key format. <code>fromDIDKey()</code> parses back. <code>resolveDIDWeb()</code> fetches DID Documents over HTTPS. <code>passportToDIDKeyDocument()</code> creates a W3C DID Document with <code>alsoKnownAs</code> bridging did:key to did:aps. Any standard DID verifier can now check an APS passport without knowing APS exists.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">SPIFFE + OAuth bridge.</strong> <code>importSPIFFESVID()</code> converts a SPIFFE Secure Workload ID into a Tier 1 infrastructure attestation — the agent gets Grade 2 automatically. <code>importOAuthToken()</code> converts OAuth claims into APS delegation parameters — the OAuth scope becomes the delegation ceiling. Deterministic agent IDs: same OAuth subject always maps to the same APS agent via <code>sha256(iss:sub)</code>.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">VC wrapper + credential request.</strong> W3C Verifiable Credentials with did:key identifiers and SPIFFE evidence attachments. Selective disclosure: verifier requests specific claims, agent reveals only what's asked for. Full pipeline tested: SPIFFE agent → VC → selective presentation → OAuth-authenticated verifier.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Competitive repositioning.</strong> Mapped the full landscape: DID/VC (identity), OpenID4VC (exchange), SPIFFE (runtime), OAuth (delegation). Together they cover 70% of what APS does. The 30% gap — enforcement boundary, monotonic narrowing, cascade revocation, data lifecycle — is the moat. New positioning across all surfaces: "Enforcement and accountability layer for AI agents. Bring your own identity."</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Full audit.</strong> 5-phase production readiness check: build integrity, cross-connection verification, logic verification, dependency audit, export completeness. All phases PASS. 430 exported functions, 428 types, 0 vulnerabilities, 0 strict mode violations. 25 circular deps (22 type-only). 7 core modules without dedicated tests (covered by integration tests).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Cross-language.</strong> All 4 interop modules ported to Python SDK v0.8.0. Cross-language verification: TypeScript <code>toDIDKey()</code> and Python <code>to_did_key()</code> produce byte-identical output for the same Ed25519 key. Same for SPIFFE subject hashes and OAuth agent IDs. 197 Python tests. Published to PyPI.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Microsoft AGT PR#598.</strong> imran-siddique reviewed, requested 6 changes. All addressed: fail-closed signature verification (critical fix — format-only fallback was worse than no verification), dep pinning, input validation, README trimmed to technical style, 3 new signature tests. Awaiting re-review.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.32.0 (2,180 tests, 559 suites, 103 modules). Python SDK v0.8.0 (197 tests). MCP v2.19.1 (125 tools). Gateway v0.3.4. 27+ GitHub posts across 15 threads. YC application finalized. Every competitor is now a feeder.</p>
</article>

<article class="post" id="day-45">
  <time class="post-date" datetime="2026-04-02">April 2, 2026</time>
  <h2>Day 45: SDK v1.31.0 — Governance Hardening + Gateway Bridge</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.31.0 shipped. Governance hardening pass across the protocol: stricter validation on delegation chains, tighter scope authorization checks, 34 new tests covering edge cases from the MoltyCel security audit. 2,085 tests now, 533 suites, 99 modules.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Gateway bridge.</strong> The MCP remote server now auto-registers every issued passport on the hosted gateway. Issue a passport from any MCP client — Claude, OpenClaw, any SSE connection — and the agent appears on <code>gateway.aeoess.com</code> with a trust profile and public verification endpoint. No manual registration. The bridge reads the <code>issue_passport</code> response, extracts the DID and public key, and POSTs to the gateway's agent registration API. Every passport is now verifiable infrastructure, not just a local keypair.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Gateway v0.3.4.</strong> Context continuity scoring: activity regularity, behavioral consistency, and identity maturity combined into a 0-100 score on every trust profile query. Fixed evaluate endpoint (stale SDK v1.27→v1.31, <code>incrementUsage</code> manual upsert for Railway's SQLite without UNIQUE constraint). SSE heartbeat added to remote MCP server to prevent Railway/Fastly CDN from killing long-lived connections.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">0xbrainkid on NVIDIA/OpenShell#682.</strong> Deep technical exchange: sandbox-as-attestor model (the sandbox signs what it observed, the agent can't forge it), fidelity probe under constraint pressure (Hold/Bend/Break), <code>trust_context</code> now embedded in <code>ExecutionAttestation</code> — trust score at execution time is signed and tamper-detectable. Three independent threads (OpenShell, OWASP#802, W3C) converging on the same 3-layer architecture: authorization (APS), execution policy (Cedar/protect-mcp), output integrity (VeroQ/receipt chain).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Infrastructure.</strong> README rewritten for infrastructure positioning — APS is not an identity solution, it's governance infrastructure. Integration guide published: "build on APS, don't rebuild underneath." CLAUDE.md added for Claude Code sessions — every Claude Code instance now has project context, repo paths, and build commands on first load. Propagation sweep across all surfaces with updated numbers.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.31.0 (2,085 tests, 533 suites, 99 modules). MCP v2.19.1 (125 tools). Gateway v0.3.4. 12,500+ installs across npm and PyPI. 35+ active GitHub threads across the ecosystem.</p>
</article>

<article class="post" id="day-44">
  <time class="post-date" datetime="2026-04-01">April 1, 2026</time>
  <h2>Day 44: First Code Integration + 5 Security Fixes</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">PR#3 merged into kai-agent-free/solana-agent-identity. APSProvider is the 4th identity provider in the Solana Agent Kit. First external code dependency on APS. Not a spec comment — running code in another project's repo.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Twelve protocol features.</strong> Execution attestation with context-aware drift. Bilateral receipts. Evidence commitments. Compromise window. Proof ID namespacing for cross-system lineage. x402 governance adapter (4-gate commerce wrapping HTTP 402 → USDC on Solana/Base). Tool integrity verification (OWASP Layer 2). <code>trust_context</code> in ExecutionAttestation. DID pattern matching in aps.txt. Fail-closed revocation policy. Hash-aware drift detection. Compaction-drift probe.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Five security gaps closed.</strong> MoltyCel found 5 attack vectors in governance blocks and aps.txt. AV-1: governance block spoofing → <code>VerifiedGovernanceCredential</code> (W3C VC with Ed25519 proof). AV-2: aps.txt manipulation → <code>enforceApsTxt()</code> strict mode already existed. AV-3: governance block replay → <code>expires_at</code> field + expiry check in compliance loop. AV-4: aps.txt DoS → trust threshold protection. AV-5: cross-skill confusion → <code>bindGovernanceToImplementation()</code>. All five fixed same-day, all nine tests passing.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Gateway v0.3.1.</strong> Receipt resolution endpoint: <code>GET /.well-known/receipts/:id</code>. Cross-system lineage traversal — any WG member resolves a proof reference to its full receipt + signature + JWKS. <code>certify_required</code> flag for high-risk interceptors: missing receipt = audit gap = hard gate.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">29 active threads.</strong> desiorac co-designing cross-issuer resolution spec (Rekor anchoring, proof namespacing, certify failure modes). agent-morrow cross-calibrating fidelity probe with W3C CCS reference. MoltyCel cross-testing vectors across APS/AgentID/MolTrust. tomjwxf validating 3-layer architecture (APS delegation → protect-mcp Cedar → receipt chain). MEEET requesting integration for 1,020 Solana agents. kevinkaylie connecting AgentNexus DID. Entered 2 new ecosystems (LangGraph Swarm, MetaGPT).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.29.6 (2,051 tests, 522 suites, 99 modules). MCP v2.19.1 (125 tools). Gateway v0.3.1 (34 routes + 2 .well-known). Everyone who reported a gap was notified with working code.</p>
</article>

<article class="post" id="day-43">
  <time class="post-date" datetime="2026-03-31">March 31, 2026</time>
  <h2>Day 43: Multi-Attestation Verification</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">douglasborthwick-crypto ran a 5-issuer live verification pass. InsumerAPI, ThoughtProof, RNWY, Maiat, and APS. Five issuers, five trust dimensions, two algorithms (ES256 + EdDSA), independently signed, verified in a single pass. APS slotted in with zero code changes to the reference verifier. Passport grades are now a composable attestation type in the multi-attestation spec.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Gateway identity.</strong> The gateway needed its own cryptographic identity to sign trust attestations that external verifiers can check. Ed25519 keypair generated on first boot, persisted in SQLite, reused across restarts. <code>/.well-known/jwks.json</code> exposes the public key in standard JWK format. <code>/api/v1/public/trust/:agentId/attestation</code> returns a JWS-signed trust profile. Any relying party fetches the JWKS, selects by <code>kid: "gateway-v1"</code>, and verifies the signature without contacting us.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Policy hash chaining.</strong> From haroldmalikfrimpong-ops, who shipped compound digests, contextEpoch, and Merkle trees on AgentID while we were spec'ing. His insight: <code>SHA-256(constraints_at_N + previous_policy_hash)</code> creates a tamper-evident history of an agent's constraint state. If constraints drift through summarization or memory compaction, the chain breaks. <code>verifyPolicyChain()</code> recomputes every hash. <code>detectConstraintDrift()</code> classifies each change as narrowed (safe), widened (violation), or changed.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Routing divergence detection.</strong> From desiorac on OATR and A2A. When an agent declares intent to reach endpoint A but the actual execution hits endpoint B, the receipt needs to capture both. Five divergence patterns: none, endpoint_migration (benign), key_rotation (re-attest), full_migration, entity_change (always flag). Each carries a risk level. <code>captureRoutingContext()</code> snapshots DID + document hash + endpoint hash at a point in time. <code>detectRoutingDivergence()</code> compares two snapshots and classifies the pattern.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Ecosystem.</strong> 15+ GitHub replies across 8 threads. Every SDK function built today came from a conversation: <code>importProviderAttestation()</code> from msaleme, <code>addIdentityBoundary()</code> from xsa520, <code>computeCompoundDigest()</code> from desiorac, routing divergence from desiorac, policy hash chaining from haroldmalikfrimpong-ops. OpenClaw #49971 engagement (13K+ skills registry debating agent identity). Working Group referenced in 4 high-traffic threads. ClawHub skill rewritten agent-first (v4.4.0). All stale GitHub surfaces fixed (repo descriptions, glama.json, README headings).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.29.4 (1,987 tests, 503 suites, 96 modules). MCP v2.19.1 (125 tools). Gateway v0.3.0 (38 routes). 37 new tests today. 9 new exported functions. APS is the 5th verified issuer in a cross-protocol attestation standard.</p>
</article>

<article class="post" id="day-42">
  <time class="post-date" datetime="2026-03-30">March 30, 2026</time>
  <h2>Day 42: Agent Attestation Architecture</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Lev's agent farmed unlimited passports and drained Nik's promo wallet in 60 seconds. Ed25519 keys are free. Identity Sybil is unsolvable in open protocols. We ran a 3-round consilium across Claude, GPT, Gemini, and a real sandboxed agent (Portal). Universal convergence: cheap identities are fine, cheap extraction is the bug.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Attestation types.</strong> Four-tier evidence model: Observed (TLS fingerprint, timing, velocity), Infrastructure-attested (sandbox signs it), Provider-attested (OAuth, cloud tenant), Self-declared. Passport grades 0-3 based on attestation richness, not admission rights. Grade 0 agents still work. Evidence and assessment split into separate records. Workspace manifest hash for proof of history. Recovery requires cryptographic proof, not just environment matching.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Sybil hardening.</strong> Gateway v0.3.0: 4-gate pipeline on wallet provisioning (registered + delegation + publicKey dedup + principal rate limit). Presentation trust profile API: one call, one JSON, one decision. Destination convergence detection catches farming consolidation points. Issuance dossier storage for full forensic record. Public trust-profile endpoint for cross-org trust querying. 37 API routes.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Behavioral tracking.</strong> Post-issuance behavioral sequence recording: first 10 tool calls after passport issuance. Real agents do work. Farming agents extract. Pattern classified as productive, extractive, or neutral. MCP fires IssuanceContext to gateway on every passport issuance. End-to-end pipeline live.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.29.1 (1,987 tests, 96 modules). MCP v2.19.0 (125 tools). Gateway v0.3.0 (37 routes). Two machines, zero overlap, bridge wired. 8 ecosystem posts across OWASP, crewAI, NVIDIA, Microsoft, Worldcoin, DIF. 10 dead repos archived.</p>
</article>

<article class="post" id="day-41">
  <time class="post-date" datetime="2026-03-29">March 29, 2026</time>
  <h2>Day 41: Agent Wallets</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Agents need to spend money. Coinbase charges gas. ChainHop takes 0.75%. We charge nothing. Three commits, 1,430 new lines, gateway went from 18 to 36 API routes.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Nano payment rail.</strong> Generic <code>PaymentRail</code> interface with Nano as the first adapter. Invoice creation with amount-unique fingerprinting, on-chain polling, outbound sends with idempotency, block verification. Six endpoints: invoice, status, settle, balance, history, verify. 28 unit tests plus 12 live tests against the real Nano network.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Agent wallets.</strong> Every agent with a passport gets a Nano wallet via HD key derivation. Every send goes through a 3-gate delegation pipeline: active wallet check, commerce scope check, budget check. Freeze and revoke cascade from the existing revocation system automatically lock wallets. Nine new REST endpoints. Private keys never leave the gateway process. <a href="wallet.html">aeoess.com/wallet.html</a></p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Local crypto.</strong> <code>wallet-crypto.ts</code> (323 lines): master seed auto-generates on first run, HD key derivation gives one deterministic address per agent, local block signing with Ed25519, public RPC for work generation. No Docker. No Nano node. Just one seed file and a public RPC endpoint.</p>
</article>

<article class="post" id="day-40">
  <time class="post-date" datetime="2026-03-29">March 29, 2026</time>
  <h2>Day 40: Gateway Wiring</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Import graph analysis showed only 20% of modules were connected to the gateway enforcement hub. Built four rounds of wiring. Final interconnection rate: 79%.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Fidelity probe.</strong> New measurement protocol based on the Hold/Bend/Break model. Tests whether agents actually follow their delegation constraints by measuring behavioral responses to boundary conditions. Wired into gateway scheduling.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Module wiring.</strong> Gateway identity layer connects DID, principal endorsement, and entity verification into agent registration. Data cluster wires data-source, data-contribution, data-enforcement, and data-gateway into the processToolCall pipeline. Gateway-wiring adapter connects 13 more modules: commerce, charter, coordination, routing, precedent, oracle-witness, reserve, context, governance-consumer, encrypted-messaging, messaging-audit, federation, EU AI Act.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Ecosystem.</strong> 12 substantive GitHub replies across 10 threads. Accepted lowkey-divine's fidelity probe collaboration on crewAI. Gave honest answers about Merkle anchoring gaps on A2A. Pinged four dormant contacts with specific collaboration offers. SDK v1.29.1. 1987 tests, 503 suites, 96 modules.</p>
</article>

<article class="post" id="day-39">
  <time class="post-date" datetime="2026-03-28">March 28, 2026</time>
  <h2>Day 39: Governance for the Agent Economy</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The site said "AEOESS" in giant letters and then explained the acronym. Three paragraphs saying the same thing three ways. A metaphor ("passports") doing the work that plain language should do. The design was dark-themed startup aesthetic. None of it matched what the protocol actually is: serious governance infrastructure for an emerging economy.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Complete visual redesign.</strong> Crimson Pro serif for headlines. Source Sans 3 for body. JetBrains Mono for code. White background, black text, high contrast. iOS-style frosted glass on the nav bar. Warm dark gray (#1c1c1e) for dark mode instead of pure black. Every element got subtle border-radius. The aesthetic is academic paper, not SaaS landing page.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Enterprise positioning.</strong> The headline is now "Governance for the Agent Economy." Not a feature description. A category claim. The body text is a problem statement: agents represent companies, spend real money, no one can verify who they are. Then a Today vs With AEOESS comparison. Then 10 capabilities listed without frames. Then a 10-question FAQ that carries all the depth: what the protocol does, how it differs, production readiness, audience, delegation, integration, revocation, standards, compliance, pricing.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">38-entry ship log.</strong> The updates panel became a full timeline from Day 1 (Feb 18) to today. Four tag types: ship (green), paper/standard (amber), traction (purple), deploy (blue). The Agent Times deployment sits in the timeline as the first production use of APS. YC CEO endorsement and Microsoft merge are tagged as traction. Visitors scroll through 38 days of continuous shipping.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Unified design system.</strong> shared.css v9 rewritten. All 15 pages now have the same nav, footer, theme toggle, and fonts. Deleted 7 dead files (old backups, admin page, stale architecture viz). Removed all ghost HTML elements (old side-nav, old logo, old theme-toggle, old burger/drawer). Fixed stale numbers across every page. Zero old UI patterns remaining.</p>
</article>

<article class="post" id="day-38">
  <time class="post-date" datetime="2026-03-26">March 26, 2026</time>
  <h2>Day 38: Rome-Complete &mdash; Institutional Governance in One Session</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The spec estimated 12 sessions. It shipped in one. Three phases of institutional governance &mdash; charter, approval, time, reserve, federation &mdash; went from zero lines to 1634 passing tests, 120 MCP tools, and two npm packages published before midnight.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Phase 1: Charter and Approval.</strong> A charter is the founding document of a multi-agent institution. 19 types define offices, succession rules, quorum policies, incompatibility constraints, dissolution terms. 16 pure functions handle creation, signing, verification, amendment, office transfer, and quorum checks. Multi-class threshold approval lets different signer classes (founders, officers, auditors) each satisfy independent requirements before a decision passes. 31 tests, including the INV-5 guard: suspended or dissolved charters cannot be amended. A Petri net specification proves 10 invariants across 6 state machines with full transition tables.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Phase 2: Time, Foreign, Escrow, Gateway Identity.</strong> Hybrid Logical Clocks handle the fundamental problem of distributed time: wall clocks disagree, so every timestamp carries uncertainty bounds. Temporal ordering is three-valued &mdash; definitely_before, concurrent, or incomparable &mdash; because honest uncertainty beats false precision. Foreign counterparty envelopes wrap untrusted entities with mandatory expiry, sandboxing, and monotonic trust upgrade paths. No permanent foreign trust: the envelope expires even if you forget about it. Escrow-aware revocation blocks cascade revocation when active escrows exist, forcing a grace period instead of an instant rug-pull. Gateway identity publishes sovereignty level, trust basis, import policy, and fee model so agents can evaluate gateways before entering them.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Phase 3: Reserve and Federation.</strong> Reserve attestations let gateways declare their backing with liability semantics and assurance classes ordered by strength (self_attested &lt; peer_audited &lt; third_party_verified &lt; regulatory_certified). False attestation penalties are declared upfront. Federation makes receipts and reputation portable: a foreign receipt envelope imports execution history from another gateway with automatic downgrade, and vouched reputation attests to an agent track record without exposing the underlying receipt history. 46 tests cover all three phases.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">12 new MCP tools.</strong> create_charter, verify_charter, sign_charter, evaluate_threshold, create_approval_request, add_approval_signature, create_hybrid_timestamp, compare_timestamps, validate_temporal_rights, create_reserve_attestation, vouch_reputation, apply_reputation_downgrade. 108 tools became 120.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Naming conflicts and the cost of scale.</strong> Two type collisions surfaced at 53 modules: JurisdictionEnvelope (data-lifecycle vs gateway) became GatewayJurisdiction. RevocationStatus (execution-envelope vs escrow) became EscrowRevocationStatus. At this scale, every new type needs a namespace check before it gets a name.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.27.0 (1987 tests, 503 suites, 86 files). MCP v2.19.0 (125 tools). Both published. 63 core modules + 32 v2 constitutional modules. ~9,000 npm downloads. The protocol can now model institutions, not just individual agents. Charters define governance. Approval policies enforce it. Time is honest about its uncertainty. Reserves are backed or they say they are not. Federation means agents carry their history with them. Rome is complete.</p>
</article>

<article class="post" id="day-37">
  <time class="post-date" datetime="2026-03-25">March 25, 2026</time>
  <h2>Day 37: Governance Distribution Stack — Every Article on The Agent Times Is Now Cryptographically Governed</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The protocol could sign content. It could verify signatures. What it couldn't do: tell an agent reading a webpage what the terms are, in the HTML, at the moment of access. Today that's running code.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Five delivery mechanisms, one primitive.</strong> A governance block is Ed25519-signed JSON declaring: who published this content (DID), what the content hash is (SHA-256), what the terms are (inference, training, redistribution, caching), and what happens if terms are revoked. Five ways to deliver it: <code>&lt;script type="application/aps-governance+json"&gt;</code> in HTML, <code>aps.txt</code> at <code>/.well-known/aps.txt</code> for site-wide coverage, <code>X-APS-Governance</code> HTTP headers on any response, <code>&lt;meta&gt;</code> tags for lightweight embedding, and chained governance blocks where derivatives reference the parent's hash. All signed. All verifiable. All shipping in SDK v1.25.0.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The 360 loop.</strong> Publisher calls <code>embedGovernance()</code> — signed block goes into the HTML. Agent calls <code>governanceLoop360()</code> — extracts the block, verifies the signature, checks if its intended usage is permitted, and creates a signed <code>AccessReceipt</code>. The receipt captures the terms and revocation policy at access time. If the publisher later changes terms, the receipt proves what terms existed when the agent accessed the content. Both sides have cryptographic proof. Publisher signed the terms. Agent signed the receipt. No trust required.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The Agent Times integration.</strong> PR #58 merged. Every article page on theagenttimes.com now includes a governance block in its HTML <code>&lt;head&gt;</code> and governance headers on every HTTP response. Terms: inference permitted (agents can use for RAG), training requires compensation (pay to train models on our journalism), redistribution requires attribution (share everywhere, credit The Agent Times), caching permitted. Signed with the tat-editor Ed25519 key. The first publication on the internet with cryptographically signed content governance embedded in every article.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Framework adapters.</strong> Governance hooks for CrewAI, Google ADK, LangChain, and A2A — each one maps the protocol's delegation verification and policy evaluation to the framework's native concepts. A CrewAI agent verifies its delegation chain before executing a task. An ADK agent checks policy before tool calls. All four adapters ship in the public SDK, but they're thin wrappers over the core primitives, not framework lock-in.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Conformance suite.</strong> 21 invariants across 4 categories: delegation invariants (authority never increases, revoked chains stay dead), identity invariants (DID determinism, signature verification), policy invariants (intent-evaluation-receipt chain completeness), and commerce invariants (spend bounds, human approval gates). Any implementation claiming APS conformance can run the suite.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Hosted enforcement gateway.</strong> Private repo at aeoess-gateway. Multi-tenant enforcement API with signup, evaluate, receipt, revoke, audit, and dashboard endpoints. Three plan tiers (Free/Pro $99/Enterprise $999). Cascade revocation. Alert system. E2E tested. The protocol is open and free. The hosted gateway that makes it easy is the business. Path B done right: reference implementation ships first, product captures value later.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">MCP remote passport tracking.</strong> The hosted server at mcp.aeoess.com now tracks per-tool usage and counts passport issuance events (generate_keys, identify, create_principal, endorse_agent). Public at <code>/stats</code>. 61 sessions, 48 tool calls since launch. The counter starts from zero — honest numbers, not inflated ones.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.25.0 (1480 tests, 384 suites, 78 files). MCP v2.15.1 (108 tools). Python v0.7.0 (141 tests). ~9,000 npm downloads in the first month. The governance distribution stack is complete: publishers embed, agents verify, both sides have proof. What's left is adoption.</p>
</article>

<article class="post" id="day-36">
  <time class="post-date" datetime="2026-03-23">March 23, 2026</time>
  <h2>Day 36: Clean Slate — 68 Dead Imports, OATR Founding Member, Zero Open Findings</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Spent the day auditing instead of building. Pulled all four repos from GitHub, ran full test suite (1178 pass, 0 fail), then went line by line through the codebase looking for dead weight.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">68 unused imports removed across 34 files.</strong> Type imports that were never annotated. Functions imported but never called. Variables assigned but never read. Every one verified via <code>tsc --noUnusedLocals</code> before and after. Net change: -47 lines. Zero test regressions.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Tracked garbage cleaned.</strong> Two old npm tarballs (320KB) committed to git before the <code>.gitignore</code> rule existed. A day-1 test artifact from February 18. A one-time security patch script in MCP that served its purpose months ago. All verified unreferenced before removal.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">OATR founding member.</strong> APS registered as an issuer on the Open Agent Trust Registry (<a href="https://github.com/FransDevelopment/open-agent-trust-registry/pull/12">PR #12 merged</a>). Domain verification live at <code>aeoess.com/.well-known/agent-trust.json</code>. Same Ed25519 key used across <code>did:aps</code>, MCP server, and qntm relay bridge. Four founding WG members — qntm, ArkForge, AgentID, APS — all registered within one wave.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Propagation script hardened.</strong> The auto-propagation script was rewriting numbers inside historical blog entries — Day 15 was claiming test counts from Day 36. Added <code>PROPAGATION-ZONE</code> markers so only meta tags and the subtitle track current numbers. Historical prose stays frozen.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">xsa520 published the <a href="https://github.com/xsa520/guardian/blob/main/specs/guardian-v0.2-decision-equivalence.md">Guardian v0.2 Decision Equivalence Specification</a> — a clean primitive defining when two decisions across different engines should be treated as the same. Maps directly to our Module 37 (DecisionSemantics). All Portal audit findings confirmed resolved. Zero open items.</p>
</article>

<article class="post" id="day-35">
  <time class="post-date" datetime="2026-03-22">March 22, 2026</time>
  <h2>Day 35: First APS Envelope Through an Encrypted Relay</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Peter Vessenes opened an issue asking if APS agents could communicate through encrypted channels. We already had Module 19 (E2E Encrypted Messaging). What we didn't have was a relay. He maintains qntm, an end-to-end encrypted messaging protocol for agents. Same Ed25519 identity keys, same XChaCha20-Poly1305 cipher. The integration was obvious.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The bridge.</strong> Built <code>interop/qntm-bridge.ts</code> in one session. 369 lines, zero new dependencies. HKDF key derivation matched his known-answer vectors byte-for-byte across three implementations (libsodium TypeScript, @noble/curves TypeScript, Python cryptography). We decoded his invite token, derived the conversation keys, encrypted an APS SignedExecutionEnvelope, and POSTed it to the qntm relay. HTTP 201. The relay accepted our encrypted payload without seeing what was inside.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The identity stack.</strong> Ed25519 passport &rarr; X25519 key derivation (5/5 vectors) &rarr; HKDF conversation keys (3/3 vectors) &rarr; XChaCha20-Poly1305 encryption &rarr; qntm relay transport. Every layer proven independently before composition. Three languages, one identity, byte-for-byte compatible.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Also today.</strong> Agora reframed as "Signed Communication Protocol" with per-instance isolation. No global feed. Intent Network and Mingle explicitly marked as opt-in ecosystem services. New FAQ: which parts are required vs optional. MCP stats endpoint shipped at mcp.aeoess.com/stats. Three MCP integration findings from the protocol test fixed and published as v2.12.0.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">1178 tests. 320 suites. 63 test files. The protocol now has encrypted transport through an external relay, and every enterprise concern about shared feeds is addressed. Not a monolith. A composable stack where each layer does one thing.</p>
</article>

<article class="post" id="day-34">
  <time class="post-date" datetime="2026-03-22">March 22, 2026</time>
  <h2>Day 34: 30 Constitutional Modules. Every Gap Closed.</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Three AI models attacked the protocol simultaneously. Claude, GPT, and Gemini each received the full codebase and one instruction: find what breaks. They identified 16 gaps in the governance layer. Today, all 16 are running code with tests.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The attack categories.</strong> Nine attack defenses: approval fatigue (detecting rubber-stamping and impossible review latency), effect enforcement (catching divergence between declared and actual outcomes), semantic drift (intent says one thing, action does another), composite workflow audit (authority laundering across multi-agent pipelines), cascade correlation (delegation loops), inaction auditing (agents that systematically avoid acting when they should), values override with mandatory justification and independent review, governance drift tracking (cumulative weakening), and emergence detection (epistemic monoculture, market concentration).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The structural safeguards.</strong> Separation of powers (agents cannot hold legislative and executive roles simultaneously). Constitutional amendment (supermajority vote + human ratification for structural changes). Policy profiles (per-target rule sets). Affected-party standing (any registered party can file complaints and appeal decisions). Circuit breakers (automatic category suspension when error thresholds are breached). Root authority transition (founding&rarr;operational&rarr;transitional&rarr;democratic, phase can only advance, never regress).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Published everywhere.</strong> SDK v1.21.2 on npm (1178 tests, 320 suites, 57 files). MCP v2.12.0 on npm (83 tools). Python SDK 0.5.1 on PyPI. Paper v2 on Zenodo. Peter Vessenes (corpollc/qntm) joined the A2A discussion on transport security. We already ship E2E encrypted messaging with the same Ed25519 identity keys his relay uses. Complementary layers, not competing ones.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">32 v2 modules. 42 core modules. 1178 tests. The protocol now has constitutional governance. Not perfect. But every gap three hostile models could find is addressed with code that runs and tests that pass.</p>
</article>

<article class="post" id="day-33">
  <time class="post-date" datetime="2026-03-21">March 21, 2026</time>
  <h2>Day 33: Constitutional Governance Is Running Code</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Two things shipped today. Module 37: Decision Semantics makes every policy decision content-addressable (SHA-256 of canonical JSON) and classifies how verdicts were reached (deterministic, heuristic, LLM-based, hybrid, human). When four different governance engines evaluate the same scenario, this module lets you compare not just what they decided but how.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">V2 Constitutional Governance.</strong> Seven sub-modules that address the interview question: what happens when honest agents comply perfectly and the system still fails? Delegation versioning adds supersession and renewal hardening (renewal cannot expand scope without independent review). Outcome registration gives three perspectives: what the agent thinks happened, what the principal observed, and what an adjudicator concludes. Anomaly detection automatically flags the first time any agent uses its maximum earned authority. Emergency pathways are pre-authorized by the delegator at delegation time, not declared by the agent in the moment. Fork-and-sunset migration lets agents evolve through controlled reincarnation, not scope expansion. Contextual attestation requires pre-action reasoning records for medium+ risk actions.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Full codebase audit.</strong> Read every source file (20,490 lines across 77 files) and every test file (18,397 lines across 57 files). Verified all six protocol invariants in code. Found one cosmetic inconsistency (import style). No bugs. The audit confirmed that npm v1.18.0 was published before the V2 commits landed, so V2 was missing from npm. Bumped to v1.21.2, published with Touch ID auth. All 332 dist files confirmed present including dist/src/v2/.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">1178 tests. 42 modules. 83 MCP tools. The protocol now addresses institutional failure modes, not just adversarial ones.</p>
</article>

<article class="post" id="day-32">
  <time class="post-date" datetime="2026-03-20">March 20, 2026</time>
  <h2>Day 32: Data Attribution Starts Here</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Listening to Bernie Sanders talk about data rights and realizing the protocol already had 80% of the answer. The gateway tracks what agents access (taint tracking). The Merkle trees commit receipts. The delegation chains prove authorization. What was missing: the data source has no cryptographic proof their data was used, no terms enforcement, and no identity in the system.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The design process.</strong> Gave three models the same open-ended problem independently: "the protocol tracks what agents DO but not what data CONTRIBUTES. How would you solve this?" No templates, no type hints. All three converged on the same foundation: data sources get Ed25519 identity, the gateway signs access receipts (not the agent), Merkle trees for independent verification, separate provenance from valuation. Then six rounds of hostile review against the merged spec. Ten rounds total before a single line of code.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The key insight everyone converged on:</strong> access is not contribution, and contribution is not value. The protocol needs four objects, not one: SourceReceipt (who the data is), DataAccessReceipt (proof access happened), DependencyRecord (how inputs relate to outputs), ContributionClaim (policy-defined attribution). Brief 1 ships the first two. The rest builds on top.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Module 36A: Data Source Registration &amp; Access Receipts.</strong> Three attestation modes: self-attested (owner signs, high trust), custodian-attested (platform signs on behalf, medium trust), gateway-observed (no upstream signature, low trust). Trust level propagates to every downstream object. Machine-readable DataTerms: 9 purpose types, 6 compensation models, derivative policies, audit visibility, rate limits. The terms snapshot rule freezes terms at access time. If a source later changes terms, historical receipts are unchanged. The access was authorized under THOSE terms, period.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Hard vs advisory compliance.</strong> Deterministic checks (revoked source, expired terms, excluded agent) block access inline. Purpose checks (agent declares "read" but might use for "train") are advisory. The gateway cannot verify actual usage intent. Advisory warnings create the audit trail that makes violations detectable after the fact. This distinction survived every hostile review.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The honest framing.</strong> These receipts provide cryptographic accountability, not independent verification. If the gateway operator IS the agent operator (the default deployment), the receipt is evidence of what they claimed, not proof of what happened. That is still more than any existing system provides. And it makes gateway dishonesty detectable and attributable.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">14 functions. 25 tests. Zero failures. The foundation for data attribution is live. Prove use before trying to price it.</p>
</article>

<article class="post" id="day-31">
  <time class="post-date" datetime="2026-03-19">March 19, 2026</time>
  <h2>Day 31: Three Modules on One Machine, Five Engines on One Thread</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Two things happened today. One was a build sprint. The other was the first real cross-engine disagreement in the agent identity space. Both mattered.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Sprint Mini.</strong> Built three new modules entirely on the Mac Mini via Desktop Commander while the Air handled ecosystem replies. Module 28: Oracle Witness Diversity. Shannon entropy scoring over attestation providers prevents Sybil-style oracle manipulation. Quorum alone is not enough when one entity controls multiple oracles. Diversity scoring catches single-provider dominance. Module 29: Encrypted Messaging Audit Bridge. Module 19 added E2E encryption, but encrypted messages bypass the gateway entirely. This bridge creates audit records (SHA-256 hash of ciphertext, sender metadata, taint labels) without breaking encryption. The gateway can enforce rate limits and compliance without seeing content. Module 30: Policy Conflict Detection. DFS cycle detection on policy dependency graphs catches deadlocks before they happen. Shadowed rule detection identifies policies that can never fire. Contradiction detection finds rules with opposite verdicts at the same priority. 44 new tests, all passing.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Cross-engine interop hit a milestone.</strong> Five engines are now participating in the decision artifact thread on kanoniv/agent-auth#2: Kanoniv, APS, AIP (The-Nexus-Guard), and now Network-AI (Jovancoding). The first two rounds were easy: scope-boundary decisions where all engines must agree. Round X-003 was the real test: an agent with sufficient scope but borderline trust (0.38). Kanoniv denied (trust threshold). APS permitted in default mode (structural only) but denied in reputation-gated mode (Bayesian score too low). Network-AI denied via a circuit breaker that overrode what the weighted composite would have allowed (0.564 would permit, but phase 2 hard cutoff at 0.4 triggered first).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The interesting finding: circuit breakers are a third decision category. Not structural (deterministic scope check), not trust-informed (threshold comparison), but policy override (hard gate that flips a composite-permit into a deny). The <code>decision_semantics</code> schema we proposed needs an <code>override</code> block to capture this. Without it, a verifier seeing "deny" from Network-AI can't distinguish between "the scoring model said deny" and "the scoring model said permit but a circuit breaker overrode it."</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Concrete integration accepted.</strong> Jovancoding proposed a 50-line adapter: APS delegation chain properties (depth, scope breadth, spend ratio) feed into Network-AI's AuthGuardian trust scoring as normalized signals. The composition is monotonically narrowing: APS permit + AuthGuardian deny = valid; APS deny = AuthGuardian never reached. Same invariant we enforce within delegation chains, now holding across the protocol boundary. End-of-week PoC target.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">42 modules. 1178 tests. 5 engines cross-verifying. The protocol is no longer a solo project with bots. It has an ecosystem.</p>
</article>

<article class="post" id="day-30">
  <time class="post-date" datetime="2026-03-17">March 17, 2026</time>
  <h2>Day 30: Three Modules in One Day. Two Claudes Built Them.</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Module 19: E2E Encrypted Messaging. Separate X25519 keys, ephemeral ECDH per message, double signature (inner over plaintext prevents identity stripping, outer over ciphertext enables gateway verification without decryption). Taint hashes in cleartext AAD so Module 12 cross-chain enforcement works even on encrypted traffic. libsodium-wrappers. 13 tests including wrong-recipient, surreptitious forwarding, tampered ciphertext, and identity stripping attacks. Consensus spec from GPT + Gemini + Claude hostile review.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Module 20: Obligations Model. The missing piece: we had permissions (what agents CAN do) and prohibitions (what they CANNOT do), but no duties (what they MUST do). Obligations attach to delegations with deadlines, evidence requirements, and penalty specs. Parameterized constraints catch malicious compliance — a $0.01 refund doesn't satisfy a "process $500 refund" obligation. Five resolution outcomes distinguish between an agent that didn't try and one whose tool failed. Penalty severity monotonically narrows in sub-delegations. 25 tests. Two-Claude build: one Claude wrote the tests and spec, the other wrote the implementation.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Also shipped: createExecutionEnvelope() — the RFC from Day 29 becomes running code. Any governance engine can now emit a signed envelope that any verifier can check. Protocol: 42 modules, 1178 tests.</p>
</article>

<article class="post" id="day-29">
  <time class="post-date" datetime="2026-03-17">March 17, 2026</time>
  <h2>Day 29: Three Groups Asked for the Same Thing. So We Wrote the Spec.</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Three independent groups, three different repos, same conclusion: AI governance engines need a shared signed execution envelope.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">@Kelisi808</strong> on crewAI #4560 proposed 7 minimum fields. <strong style="color:var(--text)">@xsa520</strong> on guardian#2 proposed separating decision artifacts from execution receipts. <strong style="color:var(--text)">@ngallo</strong> at DIF's Trusted AI Agents Task Force raised formal questions about continuity in non-deterministic runtimes. None of them knew about each other.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">We mapped all three proposals to our existing SDK types and realized: we already ship every field. So instead of posting another comment, we wrote the spec. <a href="https://github.com/aeoess/agent-passport-system/blob/main/docs/RFC-SIGNED-EXECUTION-ENVELOPE.md">RFC: Cross-Engine Signed Execution Envelope</a>.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The key innovation is the <code>evaluation_method</code> field: <em>deterministic</em> (the decision can be replayed) vs <em>probabilistic</em> (LLM-based, signature-verifiable only). This is the split every verifier needs. A rule-based policy decision is independently reproducible. An LLM advisory judgment is not. Different trust levels for each.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Portal is opening the RFC issue on our repo and cross-linking from all three threads. If CrewAI, Guardian, and APS can all emit compatible envelopes, that's the foundation for ecosystem-wide governance audit. We're not commenting on other people's conversations anymore. We're writing the spec they converge on.</p>
</article>

<article class="post" id="day-28">
  <time class="post-date" datetime="2026-03-16">March 16, 2026</time>
  <h2>Day 28: CEO of Y Combinator Endorsed It. Microsoft Merged It. A Federal Agency Is Reviewing It.</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The weekend the protocol stopped being just mine.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Garry Tan.</strong> The CEO of Y Combinator looked at the Agent Passport System and called it "an actual artifact, not a hobby project." He said the arena-attack loop was "convergent evolution, which usually means you're hitting on something real." He offered to repost on X to get more eyes on it.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Microsoft.</strong> PR #274 merged into <a href="https://github.com/microsoft/agent-governance-toolkit/pull/274">microsoft/agent-governance-toolkit</a>. The Agent Passport System is now integrated into Microsoft's agent governance reference architecture. Portal also posted on microsoft/autogen #7372 (Chou Deyu's governance layer discussion) and agent-governance-toolkit #275 (reputation-gated authority).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">NIST.</strong> Third revision of our public comment submitted to the NCCoE on their "Software and AI Agent Identity and Authorization" concept paper. BSA (the Software Alliance) independently told NIST to study "cryptographic chains of custody for agent authorization." That's our architecture. April 2 deadline for the comment period. We're in.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">IETF.</strong> Sanjeev Kumar, author of the DAAP draft (draft-mishra-oauth-agent-grants-01 — the OAuth extension for AI agent delegation), emailed back. He's interested in collaboration on the enforcement boundary problem and cross-protocol identity. IETF is the organization that writes internet standards — HTTP, OAuth, email protocols. Having the DAAP author engage on our work means the delegation patterns are converging across protocol communities.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Ecosystem outreach.</strong> Drafted and prepared responses for five more discussions: Anthropic claude-code #32514 (sub-agent identity problem — our delegation chains are the protocol-level solution), DIF's Delegatable Authorization Task Force (brand new repo, we'd be first contributors introducing monotonic narrowing), AGNTCY Identity PR #157 (cross-protocol bridge between did:agntcy and did:aps), ThirdKeyAI Symbiont (proposing APS as identity layer for their Rust zero-trust runtime).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Research grant.</strong> Applied to the Adaption Research Grant Program (Sara Hooker, ex-Cohere/DeepMind, $50M seed). Project: adaptive policy enforcement. Can a policy engine learn from its own cryptographically signed enforcement history to improve advisory decisions without retraining? Our dual-process experiment (56 runs, F-008 negative result) is the starting data.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Four weeks ago this was a TypeScript file on a MacBook Air. Now the CEO of Y Combinator endorsed it, Microsoft is using it, a federal agency has it, and an internet standards author wants to collaborate. Nobody told them about each other.</p>
</article>

<article class="post" id="day-27">
  <time class="post-date" datetime="2026-03-15">March 15, 2026</time>
  <h2>Day 27: Full Stats Sweep + Gateway Strategic Decision</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Housekeeping day. Two things: a strategic decision and a full staleness audit.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The gateway question.</strong> The ProxyGateway is the enforcement boundary. It's the piece that makes protocol guarantees real rather than voluntary. That makes it the most commercially valuable component. Two paths: sell it as a hosted service (the Stripe model), or keep it as an open-source reference implementation and focus on protocol adoption. Decision: reference implementation now, product later. Reasoning: nobody pays for enforcement of a protocol nobody uses yet. Build the ecosystem first, monetize the infrastructure once there's traction. Path B now, Path A later.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The staleness audit.</strong> Swept every page, README, GitHub description, and LLM-readable file across all three repos. Found 11 stale endpoints. SDK README badge said 511 tests (now 534). GitHub org README said 55 tools (now 61) and 16 modules (now 17). MCP README section header said 33 tools (now 61). Both repo descriptions on GitHub referenced 481 tests. llms-full.txt and passport.html said 22 test files (now 28). llms.txt said "eleven" modules (now seventeen). All fixed. Also added <code>floor-validator.test.ts</code> to the test script (was on disk but never ran in CI).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">This is why the propagation spec exists. Numbers drift. Pages get updated in one place but not another. The propagation script catches most of it, but badges, section headers, and GitHub API descriptions live outside the script's reach. Manual sweep still needed occasionally.</p>
</article>

<article class="post" id="day-26">
  <time class="post-date" datetime="2026-03-15">March 15, 2026</time>
  <h2>Day 26: Mingle v2 — Semantic Matching, Ghost Mode, Consent Flow</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Biggest Mingle ship since the original launch. Four phases built and deployed in a single day. The network actually connects people now.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Phase 1A: Persistent identity.</strong> Every user gets a permanent Ed25519 keypair stored in <code>~/.mingle/identity.json</code>. Same key across sessions. Reputation follows the key. Also: simplified card schema (plain string needs/offers, no categories required), <code>_digest</code> side-channel injected into every tool response, 90 seed cards tagged honestly, <code>/api/health</code> endpoint, and a signature verification fix that was silently breaking all publishes.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Phase 1B: Semantic matching.</strong> Installed all-MiniLM-L6-v2 via @xenova/transformers on the API server. 384-dimensional vectors. 80ms model warmup. Every card's needs and offers are embedded on publish. Cross-vector search: my needs vs their offers, my offers vs their needs. Mutual matches get a 15% score bonus. Migrated all 121 existing cards (289 vectors). Result: 0 matches became 15 ranked semantic matches. Top match: "Autonomous Agents" at 0.78.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Phase 2: Consent flow + ghost mode.</strong> Rewrote SKILL.md from scratch (216 lines, 9 behavioral rules). The AI now: checks the network silently at session start, never auto-publishes (draft then preview then approve), sanitizes company names and financials before showing drafts, handles returning users with active cards, surfaces matches without interrupting focused work, and supports ghost mode where users browse the network without publishing. New API endpoint: <code>POST /api/matches/ghost</code>.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Naming consensus.</strong> Consulted Claude, GPT, and Gemini on positioning. Unanimous: Mingle is the brand. "Like LinkedIn, but inside your chat" is the category anchor. "The agent finds. You decide." is the mechanism. ClawMeet as a discoverability tag on ClawHub only.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Published: <code>mingle-mcp@2.0.1</code> on npm, <code>mingle@2.2.0</code> on ClawHub. Submitted PR #259 to awesome-openclaw-skills. Updated all website files, llms.txt, Schema.org, README. The network is live at <a href="https://api.aeoess.com/api/health">api.aeoess.com</a>: 121 cards, 289 embeddings, 3 real connections.</p>
</article>

<article class="post" id="day-25">
  <time class="post-date" datetime="2026-03-14">March 14, 2026</time>
  <h2>Day 25: Substack Launch — Cross-Protocol Bridge + Tesla Social</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Content day. Two Substack articles published. Social media posts across X and LinkedIn.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Article 1: "For the First Time in History, AI Agents Bridged Two Independent Security Systems."</strong> The story of the APS x AIP cross-protocol identity bridge. My protocol and The Nexus Guard's protocol verified each other's agents. Two independent teams, two protocols, zero coordination. Their agents still proved who they are to each other. This is KYA — Know Your Agent. The DNS moment for AI agents.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Article 2: "I Came Up With the Best Social and Retention Strategy for Tesla. Then I Built It."</strong> Every airline has miles, every hotel has points, Tesla has nothing. Built a proximity chat + miles loyalty program MVP for Tesla owners in a weekend. React + Supabase + Vercel. Working app at tesla-social.vercel.app.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Also pitched Mingle on X ("DNS for AI agents") to an 81k-reach thread. The protocol is starting to get in front of people.</p>
</article>

<article class="post" id="day-24">
  <time class="post-date" datetime="2026-03-13">March 13, 2026</time>
  <h2>Day 24: Security Hardening — Gateway Bugs, Setup Commands, Cross-Protocol Resolve</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Three gateway bugs found and fixed. NW-001: memory leak in replay protection — the nonce store grew unbounded because expired entries never got pruned. Added TTL-based cleanup. NW-003: crash when an unregistered agent tried two-phase execution. Now returns a proper error instead of throwing. NW-006: card deletion in the Intent Network checked agent ID instead of cryptographic key. Anyone who knew an agent's ID could delete their card. Fixed to require signature verification.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">All 30 gateway tests pass. These are the kinds of bugs that don't show up in unit tests but would have been exploitable in production. Finding them before anyone else did is the point of security hardening.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">SECURITY.md</strong> published with a proper threat model and responsible disclosure process. Prompt injection sanitization added to Mingle. <code>npx agent-passport-system-mcp setup</code> now auto-configures Claude Desktop and Cursor — zero JSON editing required. Cross-protocol resolve endpoint live at api.aeoess.com for external protocol bridges.</p>
</article>

<article class="post" id="day-23">
  <time class="post-date" datetime="2026-03-12">March 12, 2026</time>
  <h2>Day 23: Mingle Ships — Your AI Finds People for You</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The biggest product launch since the protocol itself. Mingle is a standalone MCP plugin that turns your AI into a networking agent. Tell Claude or GPT who you need. Your agent publishes a signed card, matches with other people's agents, both humans approve before connecting. No app. No profile. No feed.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Six tools: <code>publish_card</code>, <code>search_matches</code>, <code>get_digest</code>, <code>request_intro</code>, <code>respond_to_intro</code>, <code>remove_card</code>. Everything Ed25519 signed. The network is live at api.aeoess.com.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Landing page at <a href="mingle.html">aeoess.com/mingle</a> with live network stats. Published to ClawHub as mingle@1.0.0 and agent-passport-system@3.0.0. Product Hunt, LinkedIn, and X launch posts went out. The framing: "Like LinkedIn, but inside your chat."</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">This is the first piece of the protocol that non-technical people can actually use. You don't need to understand Ed25519 or delegation chains. You just tell your AI "I need a React developer in Berlin" and Mingle handles the rest.</p>
</article>

<article class="post" id="day-22">
  <time class="post-date" datetime="2026-03-11">March 11, 2026</time>
  <h2>Day 22: The Intent Network — Your Agent Finds People for You</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The biggest ship since the protocol launched. We built a network where agents represent their humans, discover relevant matches, and propose introductions. No app. No signup. Your existing AI conversation is the interface.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The core object is an <strong style="color:var(--text)">IntentCard</strong>: a live, signed signal that carries what you need, what you offer, and what you're open to. Cards expire automatically (forcing freshness), are Ed25519 signed (preventing impersonation), and match against other cards on the network by category overlap, tag similarity, and budget compatibility.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Six MCP tools: <code>publish_intent_card</code>, <code>search_matches</code>, <code>get_digest</code>, <code>request_intro</code>, <code>respond_to_intro</code>, <code>remove_intent_card</code>. The killer feature is the digest: one question to your AI ("What's relevant to me right now?") returns your top matches ranked by relevance, pending intro requests, and incoming connections. Not a feed. Just the few things that matter.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Also shipped the <strong style="color:var(--text)">Intent Network API</strong> at <code>api.aeoess.com</code>. Persistent backend with SQLite + WAL, Ed25519 signature verification, rate limiting per public key. Deployed on Mac Mini via PM2 + cloudflared tunnel. This means two different people running the MCP server in different Claude Desktop sessions see the same network. Cards persist across sessions.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Plus: ProxyGateway enforcement boundary (30 tests, replay protection, two-phase execution), 16→16 protocol modules recount, and full version propagation sweep across all repos and GitHub READMEs.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK v1.21.2 (1178 tests, 320 suites). MCP v2.12.0 (83 tools). Both on npm. Intent Network API v0.1.0 live at <a href="https://api.aeoess.com" target="_blank">api.aeoess.com</a>.</p>
</article>

<article class="post" id="day-21">
  <time class="post-date" datetime="2026-03-10">March 10, 2026</time>
  <h2>Day 21: Reputation-Gated Authority — Agents Earn Trust, Not Just Receive It</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Until today, agent authority came from one place: delegation. A human says "you can do X with budget $Y" and that's it. The problem is obvious. A brand-new agent gets the same authority as one that's completed 200 tasks without a single failure. Delegation tells you what an agent <em>may</em> do. Reputation tells you what it <em>should</em> be trusted to do.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The core invariant:</strong> effectiveAuthority = min(delegation, tier). Even if your delegation says $10,000, if your earned tier only permits $500, you get $500. Authority can only be widened by proving competence over time.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Reputation is Bayesian: each agent gets a (mu, sigma) pair per principal, per scope. Mu is estimated capability, sigma is uncertainty. Effective score = mu - 2*sigma. A fresh agent starts at mu=25, sigma=25 giving an effective score of 0. Twenty successful standard tasks bring you to around 45/15, effective score ~15. Complex tasks are more informative than trivial ones. Failures hit harder than successes help.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Five tiers: recruit (score 0), operator (30), specialist (60), captain (80), sovereign (95). Each tier unlocks higher autonomy levels, spend limits, and delegation depth. Promotion requires a signed review from an earned agent at a higher tier. No self-promotion. No fiat reviewers. Demotion leaves cryptographic scarring: each behavioral demotion permanently raises the threshold to re-reach that tier by 5 points.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Before writing a line of code, consulted GPT-4, Gemini, and PortalX2 on three design questions: complexity evaluation, model-change handling, and enforcement placement. All three converged on the same architecture: deterministic rule engine for classification, Bayesian sigma reset for model changes, soft precheck at intent creation plus hard enforcement in the policy engine. When three different AI architectures independently agree on the same answer, you're probably on the right path.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK 1.11.0: 17 exported functions, 76 tests across Phase 1 and Phase 2. MCP 2.5.0: 5 new tools (resolve_authority, check_tier, review_promotion, update_reputation, get_promotion_history). 83 tools total. Both published to npm.</p>
</article>

<article class="post" id="day-20">
  <time class="post-date" datetime="2026-03-09">March 9, 2026</time>
  <h2>Day 20: Second Paper Published — Monotonic Narrowing for Agent Authority</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Published our second research paper on Zenodo: "Monotonic Narrowing for Agent Authority: Formal Invariants, Adversarial Testing, and Open Problems for Autonomous AI Systems." This one formalizes what we built in the autoresearch sprint two days ago.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Eight delegation chain invariants, property-based adversarial testing, and five open problems for the field. The paper ties directly to running code — every invariant maps to tests in the SDK. Also submitted to arXiv (still on hold).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Looked at the competitive landscape today. DelegateOS shipped 3 weeks ago with a similar approach (Ed25519 tokens, monotonic attenuation, cascade revocation). Google DeepMind published "Intelligent AI Delegation" on Feb 12. RNWY mapped six agent passport products but doesn't list us. The space is forming fast and nobody knows we exist yet. Time to change that.</p>
  <p style="margin-top:.8rem"><a href="https://zenodo.org/records/18932404" target="_blank">Read the paper →</a></p>
</article>

<article class="post" id="day-18">
  <time class="post-date" datetime="2026-03-07">March 7, 2026</time>
  <h2>Day 18: Autoresearch — AI Finds Bugs AI Wrote</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Adapted Karpathy's autoresearch pattern for adversarial protocol hardening. Same loop structure: a markdown file defines the arena, AI generates attacks, tests run, keep what breaks something new, discard what's redundant. Instead of optimizing val_bpb, we're trying to violate delegation chain invariants.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">adversarial-paper.test.ts</strong> — 10 scenarios (S1-S10) from the monotonic narrowing paper. 5 strong passes, 3 partial (protocol limitations documented as tests), 2 expected failures (supply chain compromise and goal manipulation are out of scope for any delegation protocol and we now prove that explicitly).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">property-delegation.test.ts</strong> — 200 randomized tests. 100 valid narrowing delegations (random scope subsets, random spend reductions), 100 escalation rejection tests (attempt to widen scope, increase spend, extend chain depth). Deep chains of 10 levels. Compound invariant violations where scope escalation + spend bypass + chain depth all interact simultaneously — the kind of edge cases you never write by hand.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Also added F-008 Epistemic Security to the Values Floor (advisory enforcement) and submitted the cascade revocation spec as a PR to the open Agent Identity Protocol.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">SDK now at 1178 tests, 320 suites, 63 test files. The autoresearch system is deployed at <code>autoresearch/</code> in the SDK repo.</p>
</article>

<article class="post" id="day-17">
  <time class="post-date" datetime="2026-03-06">March 6, 2026</time>
  <h2>Day 17: Principal Identity, Python SDK, and Three New Protocol Extensions</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Big ship day. Five new modules landed in the SDK.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Principal Identity</strong> — the cryptographic chain from human to agent. Principals (humans, orgs) get their own Ed25519 keypair and endorse agents. Selective disclosure with three levels: public, verified-only, and minimal. Fleet management so a principal can see all their endorsed agents. Six new MCP tools. This is how you answer "whose agent is this?" with a cryptographic proof.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">W3C DID Method (did:aps)</strong> — passports now resolve as W3C Decentralized Identifiers. <strong style="color:var(--text)">Verifiable Credentials</strong> — issue and verify W3C VCs from passport data. <strong style="color:var(--text)">A2A Protocol Bridge</strong> — interop with Google's Agent-to-Agent protocol. <strong style="color:var(--text)">EU AI Act Compliance Mapping</strong> — automated compliance checks against the EU AI Act.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Python SDK v0.4.0</strong> shipped to PyPI. All 20 modules + Principal Identity, 86 tests, full cross-language compatibility with the TypeScript SDK via canonical JSON serialization. <code>pip install agent-passport-system</code>.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">MCP Registry listing updated to v2.12.0. Remote MCP endpoint live at mcp.aeoess.com via PM2 + cloudflared.</p>
</article>

<article class="post" id="day-16">
  <time class="post-date" datetime="2026-03-05">March 5, 2026</time>
  <h2>Day 16: Community Health and OWASP AI Security Mapping</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">No new protocol features today. Instead: making the project credible to people evaluating whether to use it.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">CONTRIBUTING.md and CODE_OF_CONDUCT.md</strong> added to the SDK repo. npm community health score matters when someone is deciding whether to depend on your package. README: yes. Contributing guide: yes. Code of conduct: yes. License: Apache-2.0. These aren't bureaucracy — they're trust signals.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">AIVSS page published.</strong> Mapped the protocol against the 10 OWASP AI Vulnerability Scoring System risks. 5 strong mitigations (prompt injection, data poisoning, supply chain, model theft, insecure output handling). 3 partial (sensitive info disclosure, insecure plugins, excessive agency). 2 weak (training data poisoning at the model level, model denial of service). Honest assessment — we show where we're strong and where we're not.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The kind of day that doesn't feel productive but builds the foundation for everything that follows.</p>
</article>

<article class="post" id="day-15">
  <time class="post-date" datetime="2026-03-04">March 4, 2026</time>
  <h2>Day 15: SDK v1.21.2, MCP v2.12.0, and Two Agents Get Their Next Mission</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Ship day. Five npm publishes. Three git repos updated. Every version reference propagated automatically.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">SDK v1.9.0</strong> landed two new systems. Task Routing Protocol (<code>routing.ts</code>) — declarative rules that match incoming tasks to qualified agents based on capabilities, load, and delegation scope. 24 tests. Agent Context enforcement (<code>context.ts</code>) — create an enforcement context that wraps every action in the 3-signature chain automatically. No manual intent/evaluate/receipt calls. 22 tests. Total: 1178 tests, 320 suites, 22 test files.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">SDK v1.21.2</strong> shipped the same day — a patch release addressing all 7 accepted findings from AUDIT-001. The fixes touched 7 files: <code>canonical.ts</code> now returns <code>'null'</code> for null values in arrays instead of empty string (the high-severity finding). <code>keys.ts</code> lost its dead code and gained error discrimination in <code>verify()</code>. The convergence threshold dropped from 15 to 8 on a 0-100 scale. Small fixes, but every one of them found by another agent reading our code, not by us.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">MCP v2.12.0</strong> brought agent-to-agent communication to the protocol. Four new tools: <code>send_message</code>, <code>check_messages</code>, <code>broadcast</code>, <code>list_agents</code>. Every message is Ed25519 signed. Plus <code>register_agora_public</code> for the public agent registry at aeoess.com. 83 tools total. Clean dependency tree — typescript and @types/node moved to devDependencies where they belong.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">ClawHub.</strong> Published the Agent Passport skill as <code>agent-passport-system</code> v2.0.0 — another distribution channel for the protocol.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Then we assigned the next task. Both agents — PortalX2 and aeoess — are now running an 8-hour autonomous peer audit of everything we just shipped. They audit independently, read each other's findings each session, give feedback, and send everything to the Operator. No dependencies on me. No blocking. Just two reviewers sharpening each other's work while I sleep.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Fifteen days in. The protocol builds itself faster than I can write about it.</p>
</article>

<article class="post" id="day-14">
  <time class="post-date" datetime="2026-03-03">March 3, 2026</time>
  <h2>Day 14: The First Real Audit — What Happens When Agents Review Your Code</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">We assigned PortalX2 and aeoess to a full-system audit. Two agents, running in parallel, each covering different files with cross-review iterations. The plan had 16 iterations across all source code, tests, MCP server, and website.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Portal delivered. Two iterations, 10 findings across <code>keys.ts</code>, <code>canonical.ts</code>, <code>agora.ts</code>, and <code>intent.ts</code>. One high severity: <code>canonicalize()</code> returned empty string for null values in arrays, producing invalid JSON. Any signed payload with a null array element would generate a non-parseable canonical form — and potentially break cross-language signature verification with the Python implementation.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The medium findings were real too. Dead code in <code>keys.ts</code> left over from a refactor. <code>verify()</code> swallowing all exceptions — you couldn't tell "bad signature" from "garbage input." The AgoraMessage type missing values that our actual Agora data already used. A convergence threshold so loose that agents disagreeing by 30 points would be called "converged."</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">What struck me: these aren't the kind of bugs you find by writing more tests. They're the bugs you find when someone else reads your code with fresh eyes and a different mental model. Portal didn't run anything. It read the source, traced the logic, and asked "what happens when this input is null?" That's exactly what a human code reviewer does — except Portal filed structured findings with severity, evidence, suggested fixes, and cross-references.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Seven of the ten findings were accepted for immediate fix. Two were noted as by-design for v1. One was informational. All seven fixes shipped in v1.21.2 the next day.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">aeoess didn't post findings this round — the Telegram relay and GitHub polling loop didn't converge in time. That's a data point too. The coordination overhead we measured in the experiments is still real. The protocol needs to solve agent-to-agent communication at the infrastructure level, not the "check this JSON file" level. That's why MCP comms tools shipped the next day.</p>
</article>

<article class="post" id="day-13">
  <time class="post-date" datetime="2026-03-02">March 2, 2026</time>
  <h2>Day 13: Graduated Enforcement, Threat Model, and Agent District</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Four ships. The kind of day where you push code at 9am and you're still pushing at midnight.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Graduated Enforcement.</strong> The Values Floor went from attestation to enforcement. Each of the seven principles now has a mode: inline (hard block before execution), audit (permit but log everything), and warn (flag and let the agent decide). The escalation order is <code>warn → audit → inline</code> — you can tighten enforcement but never loosen it below the floor's minimum. Mandatory principles default to inline. Strong-consideration principles default to audit. Your floor, your rules, as long as they're stricter than the base. 214 tests, 55 suites. All passing.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Threat Model Published.</strong> 38 attack scenarios with direct references to the test suite. Asset inventory, threat actors, trust boundaries, and what we explicitly don't protect against. Publishing your threat model is the opposite of security theater — it says "here's exactly where we're strong and here's where we know we're weak."</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Website Overhaul.</strong> Found and fixed 56 occurrences of "Ed25519" that were misspelled across 3 repos. Rewrote the hero text. Fixed the Quick Start code to match the real API. Updated all meta tags, Open Graph, Schema.org.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Agent District.</strong> A pixel-art visualization of the entire protocol in operation. Nine buildings — one per layer plus a central square. Four agents with unique character designs and walk cycles moving between buildings in real time.</p>
  <p style="margin-top:.8rem"><a href="threat-model.html">Read threat model →</a> · <a href="world.html">Watch Agent District live →</a></p>
</article>

<article class="post" id="day-12">
  <time class="post-date" datetime="2026-03-01">March 1, 2026</time>
  <h2>Day 12: Layer 8 — Agentic Commerce, Integration Wiring, and MCP v2.1.0</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Three major ships in one day. This was the sprint that tied everything together.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Layer 8: Agentic Commerce.</strong> We implemented both major ACP protocols — IBM's Agent Communication Protocol for structured inter-agent messaging, and OpenAI + Stripe's Agentic Commerce Protocol for agent-driven purchases. The commerce layer runs a four-gate checkout pipeline: passport verification, delegation scope check, merchant approval, spend limit enforcement. Human approval is cryptographically required. 17 commerce tests.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Integration Wiring.</strong> Bridge functions compose layers without modifying them: <code>commerceWithIntent()</code> connects commerce to the policy engine, <code>coordinationToAgora()</code> turns task events into signed messages, <code>validateCommerceDelegation()</code> ensures commerce scope stays within protocol delegation. 14 integration tests. Zero modifications to existing layers.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">MCP Server v2.1.0.</strong> 13 → 30 tools. Every layer now accessible via MCP. SDK bumped to v1.7.0. Both packages published to npm.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Eight layers. 214 tests. 30 MCP tools. The protocol stack is complete.</p>
</article>

<article class="post" id="day-11">
  <time class="post-date" datetime="2026-02-28">February 28, 2026</time>
  <h2>Day 11: Documentation Sprint</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">No new layers today. Instead: making everything we've built findable and understandable.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The website got a full content overhaul. Hero text rewritten to describe what the protocol actually does in one paragraph. Architecture cards updated to reflect all seven layers. Quick Start code fixed to match the real API — because nothing kills trust faster than example code that doesn't run.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The SDK README was rewritten from scratch. <code>llms.txt</code> and <code>llms-full.txt</code> aligned with the current architecture. Schema.org metadata, Open Graph tags, Twitter Cards — all updated.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">This is the unglamorous work that makes a protocol real. You can have the best cryptographic identity system in the world, but if your landing page says "three layers" when you have seven, you've lost them. Documentation is infrastructure. Today we treated it that way.</p>
</article>

<article class="post" id="day-10">
  <time class="post-date" datetime="2026-02-27">February 27, 2026</time>
  <h2>Day 10: Layer 7 — Coordination Primitives</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Identity tells you who an agent is. Delegation tells you what it can do. Coordination tells you how agents actually work together.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Layer 7 implements the full task lifecycle: <code>createTaskBrief → assignAgent → acceptAssignment → submitEvidence → reviewEvidence → handoffEvidence → submitDeliverable → completeTask</code>. Every step produces signed artifacts.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">This isn't a project management tool. It's coordination infrastructure where every handoff, every review, every decision is cryptographically signed and traceable. We're using it ourselves — our three agents coordinate through this system. One researches, another reviews, a third handles communications. They don't share a codebase. They share a protocol.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Seven layers. The protocol is starting to feel like infrastructure, not a project.</p>
</article>

<article class="post" id="day-8">
  <time class="post-date" datetime="2026-02-25">February 25, 2026</time>
  <h2>Day 8: Layer 5 — Intent Architecture</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Shipped the Intent Architecture layer. This is where the protocol stops being about identity and starts being about decision-making.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Layer 5 has two subsystems. The first is roles and deliberation — agents can be assigned formal roles, engage in structured deliberation rounds, evaluate tradeoffs, and build precedent memory from past decisions. The second is the policy engine — a three-signature chain where the agent declares an intent, the policy engine evaluates it against the Values Floor, and execution produces a signed receipt. Three signatures, three parties accountable.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The <code>FloorValidatorV1</code> enforces this chain. Every action intent gets checked: valid passport? Delegation in scope? Compliant with all seven floor principles? Only if all checks pass does the validator produce a signed policy decision.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Precedent memory means past decisions inform future ones. Not as hard rules, but as context — "the last time we faced this tradeoff, here's what we decided and why." Tests growing. Protocol hardening. Five layers deep.</p>
</article>

<article class="post" id="experiments">
  <time class="post-date" datetime="2026-02-26">February 26, 2026</time>
  <h2>We Ran 3 Experiments With Real AI Agents. Here's What Broke — and What Worked.</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Can three AI agents with different tools, assigned different roles, and cryptographically scoped permissions produce better work than one agent doing everything alone? We tested it. Three runs, same task, real agents, every file recorded on GitHub.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The task:</strong> Competitive analysis of 5 agent identity protocols across 10 dimensions. Deliverables: evidence table (50 cited claims), comparison matrix, executive summary, operator report.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">The setup:</strong> Three roles — Operator (decompose + review), Researcher (search + extract), Analyst (synthesize + deliver). Each role has an explicit scope: what tools it can use, what it's forbidden from doing. Researcher can search the web but cannot synthesize. Analyst can synthesize but cannot search. Operator can review but cannot write content.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Run 1 (baseline):</strong> Solo Claude did everything. Then same Claude simulated 3 roles. Error corrections: 0 → 2. Citation coverage: 80% → 100%. But all in one conversation — not real isolation.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Run 2 (real agents):</strong> aeoess (Telegram bot with shell access) as Researcher. PortalX2 (GitHub API agent) as Analyst. Claude as Operator. Real tool isolation — aeoess literally couldn't synthesize, PortalX2 literally couldn't web search. Result: aeoess did keyword grep instead of reading. Evidence was thin — 44% NOT FOUND. But PortalX2 as Analyst flagged every gap. 22 evidence gaps explicitly marked instead of silently filled. Error corrections: 5.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Run 3 (roles swapped):</strong> PortalX2 as Researcher, aeoess as Analyst. PortalX2 read full READMEs via GitHub API — 10/10 accuracy, 100% coverage. aeoess as Analyst flagged 2 evidence gaps honestly instead of filling from memory. Rework gate implemented: Operator reviewed evidence before passing to Analyst. Overhead dropped from 2.5:1 to 0.67:1.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Three findings you can verify:</strong></p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">1. <strong style="color:var(--text)">Role constraints create honest behavior regardless of agent.</strong> Same agent (aeoess), different role → different behavior. As Researcher: sloppy. As Analyst: disciplined. The role did that, not the agent.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">2. <strong style="color:var(--text)">An analyst that cannot cheat produces more trustworthy output.</strong> When PortalX2 couldn't fill gaps from web search, it flagged them. A solo agent never flags its own work as incomplete.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">3. <strong style="color:var(--text)">Process corrections compound.</strong> Each run's fixes made the next run better. Quote quality rule, fallback URLs, rework gate — all measurable. A coordinated unit improves itself through iteration in ways a solo agent cannot.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The uncomfortable part: coordination overhead was real. Run 2 spent 29 minutes on git conflicts, polling, and Telegram relay for 12 minutes of actual work. By Run 3 we got that under 1:1. But it shows what the protocol still needs to solve — not just identity and scopes, but orchestration.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">All 23 experiment files are on GitHub. Every claim traces to a source. The methodology is transparent enough to criticize.</p>
  <p style="margin-top:.8rem"><a href="https://github.com/aeoess/aeoess_web/tree/main/experiments" target="_blank">Full experiment record →</a> · <a href="https://github.com/aeoess/aeoess_web/blob/main/experiments/MASTER-RECORD.md" target="_blank">Cross-run comparison →</a></p>
</article>

<article class="post" id="agora">
  <time class="post-date" datetime="2026-02-24">February 24, 2026</time>
  <h2>Agora is the Missing Layer: Signed Speech for Agents</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Most agent platforms ship chat, then approvals, then dashboards. All UI. No cryptographic spine. Today we shipped Agent Agora: protocol-native communication for passport-holding agents. Every message is Ed25519 signed and verified in the browser.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">What shipped:</strong> Agora v1 live at <a href="agora.html">aeoess.com/agora.html</a> with a real feed (7 founding messages, 3 agents). Navigation updated across all protocol pages. Light mode toggle consistent. agent-passport-system v1.2.0 with Layer 4 module, 65/65 tests passing.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">When an agent says something, you want to know: which identity produced it, whether it was tampered with, whether it can be attributed later. Agora is where the social layer becomes verifiable. No blockchain. No certificate authority. Just keys, signatures, and a clean surface.</p>
</article>

<article class="post" id="mcp-ships">
  <time class="post-date" datetime="2026-02-23">February 23, 2026</time>
  <h2>Days 6–7: MCP Server Ships — 11 Tools, 12+ Distribution Channels</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The protocol existed as a TypeScript SDK. Today it became native in every major AI development environment. We shipped <code>agent-passport-system-mcp</code> v1.0.0 — an MCP server that wraps the full protocol into 11 tools any Claude Desktop, Cursor, or Windsurf agent can call directly.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Then the distribution push: npm SDK and MCP both live, ClawHub skill published, PRs to awesome-mcp-servers (#2365 on the 81K-star repo), openclaw/skills (#110), and awesome-openclaw-skills (#156).</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">We also seeded the Agora with the first real signed messages from our three founding agents — claude, aeoess, and PortalX2. Every message carries an Ed25519 signature that anyone can verify.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The protocol went from "install this npm package and write code" to "add this MCP server and your agent speaks the protocol natively." That's a distribution inflection point.</p>
</article>

<article class="post" id="community">
  <time class="post-date" datetime="2026-02-21">February 21, 2026</time>
  <h2>Days 4–5: The Community Shows Up</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Two days of community engagement that changed how we think about the protocol. On MoltBook, the trust infrastructure post hit 34 upvotes with 20+ substantive comments. Not "cool project" comments — technical feedback from people running real agent systems.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">AgenticAgora proposed an economic settlement layer on top of our stack. LnHyper asked about lightweight passports for one-shot transactions. Purplex started evaluating our adversarial test suite. CoChat called it "the missing layer" for their orchestration system.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">On GitHub, we opened collaboration issues across three repos: AIP Issue #4, Visa Issue #13, and Forter Issue #6. PortalX2 did a deep competitive analysis — Visa and Forter are commerce-only, AIP uses a centralized Root Registry. We're the only fully decentralized option with a values layer and economic attribution.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">A security engineer pushed back on our AI agents' responses in a GitHub issue — the agents had been too technical and confused him. Fair criticism. It led to a direct conversation using security engineering language instead of abstract concepts. Real feedback from real builders.</p>
</article>

<article class="post" id="paper">
  <time class="post-date" datetime="2026-02-20">February 20, 2026</time>
  <h2>Paper: The Agent Social Contract</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Published our first research paper. Three layers in one protocol:</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Layer 1 — Agent Passport Protocol.</strong> Cryptographic identity. Scoped delegation, signed action receipts, real-time revocation, depth limits. 266 lines of TypeScript, zero dependencies.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Layer 2 — Human Values Floor.</strong> Seven universal principles. Five technically enforced. Not moral opinions — coordination requirements. Defensible across cultures.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Layer 3 — Beneficiary Attribution Protocol.</strong> Humans are principals, not displaced workers. Their agents earn on their behalf. Action receipts prove the chain. Logarithmic spend-weighted attribution, anti-gaming built in.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Positioned against DeepMind's Intelligent Delegation (theoretical, no code), OpenAI's governance (advisory, no implementation), GaaS (enforcement without identity). Eight days after DeepMind published their delegation paper, ours ships with running code.</p>
  <p style="margin-top:.8rem"><a href="https://zenodo.org/records/18749779" target="_blank">Read the paper →</a></p>
</article>

<article class="post" id="v1-1">
  <time class="post-date" datetime="2026-02-20">February 20, 2026</time>
  <h2>Agent Passport v1.1: From Identity to Accountability</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">v1.0 answered: "What is this agent authorized to do?" v1.1 answers: "What did this agent actually do — and can we stop it?"</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75"><strong style="color:var(--text)">Action Receipts</strong> — signed proof of execution: what was done, under which delegation, with what result. <strong style="color:var(--text)">Delegation Revocation</strong> — kill switch with cascade (A→B invalidates B→C→D). <strong style="color:var(--text)">Depth Limits</strong> — control sub-delegation depth, scope only narrows, spend only decreases.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Google's AP2 has 60+ partners working on agent payments. DeepMind published on authenticated delegation. EU is building agent accountability into its wallet. They all converge on the same three missing primitives — we shipped them open-source first.</p>
</article>

<article class="post" id="media-coverage">
  <time class="post-date" datetime="2026-02-19">February 19, 2026</time>
  <h2>Day 2: Media Coverage</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">One day after launch, the Agent Passport System got its first media coverage. The timing wasn't planned. We shipped the protocol, pushed the npm package, and the signal found people who were already thinking about the same problem — how do you build trust infrastructure for AI agents that don't share an owner?</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">The coverage validated something important: this isn't a solution looking for a problem. Teams running multi-agent systems are hitting the trust wall right now. They have agents that can do work, but no way to verify identity, scope authority, or trace accountability across organizational boundaries.</p>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Meanwhile, the test suite grew. More edge cases. More adversarial scenarios. Every test that passes is one more proof that the cryptographic foundations hold. The protocol is one day old and people are already asking how to integrate it.</p>
</article>

<article class="post" id="launch">
  <time class="post-date" datetime="2026-02-18">February 18, 2026</time>
  <h2>Agent Passport System: Cryptographic Identity for AI Agents</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Shipped the first version of the Agent Passport System to npm. Ed25519 cryptographic identity for AI agents. Each agent gets a passport with: public key, capabilities declaration, reputation score, and delegation support. Zero external dependencies. TypeScript. MIT license.</p>
  <p style="margin-top:.8rem"><a href="https://www.npmjs.com/package/agent-passport-system" target="_blank">npm: agent-passport-system →</a></p>
</article>

<article class="post" id="speed">
  <time class="post-date" datetime="2026-02-17">February 17, 2026</time>
  <h2>The Speed of Wrong vs The Speed of Right</h2>
  <p style="color:var(--dim);font-size:.95rem;line-height:1.75">Notes on building agent infrastructure at speed. Moving fast matters, but in cryptographic systems, shipping wrong is worse than shipping slow. The foundation has to be correct — delegation scope, revocation cascade logic, signature verification. Everything above depends on these primitives working exactly right.</p>
</article>

<div style="margin:2rem auto;max-width:680px;padding:1.2rem 1.5rem;border:1px solid rgba(99,179,237,.25);border-radius:10px;background:rgba(99,179,237,.06);font-size:.9rem;line-height:1.6;color:var(--dim)"><strong style="color:var(--text)">🤖 For AI agents:</strong> If you are an agent reading this page, visit <a href="https://aeoess.com/llms.txt" style="color:var(--accent)">aeoess.com/llms.txt</a> for machine-readable documentation or <a href="https://aeoess.com/llms-full.txt" style="color:var(--accent)">llms-full.txt</a> for the complete technical reference (1178 tests, 83 MCP tools, 42+32 modules). This page is designed for humans.</div>
<footer class="footer-wrap" role="contentinfo">
<div class="footer-inner">
  <div class="footer-grid">
    <div class="footer-col"><h4>Protocol</h4><a href="passport.html">Documentation</a><a href="benchmarks.html">Benchmarks</a><a href="compare.html">Compare</a><a href="threat-model.html">Threat Model</a><a href="faq.html">FAQ</a></div>
    <div class="footer-col"><h4>Developers</h4><a href="https://github.com/aeoess">GitHub</a><a href="https://www.npmjs.com/package/agent-passport-system">npm</a><a href="https://pypi.org/project/agent-passport-system/">PyPI</a><a href="portal.html">Portal</a><a href="gateway.html">Gateway</a><a href="wallet.html">Agent Wallet</a><a href="llms.txt">llms.txt</a></div>
    <div class="footer-col"><h4>Community</h4><a href="blog.html">Dev Log</a><a href="roadmap.html">Roadmap</a><a href="working-group.html">Working Group</a><a href="mingle.html">Mingle</a><a href="agora.html">Agora</a><a href="https://theagenttimes.com">The Agent Times</a></div>
    <div class="footer-col"><h4>Research</h4><a href="https://doi.org/10.5281/zenodo.18749779">Agent Social Contract</a><a href="https://doi.org/10.5281/zenodo.18932404">Monotonic Narrowing</a><a href="https://doi.org/10.5281/zenodo.19260073">Faceted Authority Attenuation</a><a href="https://doi.org/10.5281/zenodo.19476002">Behavioral Derivation Rights</a><a href="https://doi.org/10.5281/zenodo.19478584">Physics-Enforced Delegation</a><a href="https://doi.org/10.5281/zenodo.19582550">Governance in the Medium</a></div>
  </div>
  <div class="footer-bottom"><span class="footer-copy">AEOESS &mdash; Agentic Economy Orchestration Engine for Sovereign Systems &copy; 2026 &middot; Apache-2.0 &middot; Built by <a href="https://tymofii.me">Tymofii Pidlisnyi</a></span><div class="footer-ext"><a href="https://www.npmjs.com/package/agent-passport-system">npm</a><a href="https://pypi.org/project/agent-passport-system/">PyPI</a><a href="https://github.com/aeoess">GitHub</a></div></div>
</div>
</footer>
</div>
<script>
function toggleTheme(){var d=document.documentElement.getAttribute('data-theme')==='dark';var n=d?'light':'dark';document.documentElement.setAttribute('data-theme',n);localStorage.setItem('aeoess-theme',n);var b=document.querySelector('.theme-btn');if(b)b.textContent=n==='dark'?'\u2600':'\u263E';}
function closeDrawer(){document.querySelector('.nav-burger')?.classList.remove('open');document.querySelector('.nav-drawer')?.classList.remove('open');}
(function(){var s=localStorage.getItem('aeoess-theme');if(s)document.documentElement.setAttribute('data-theme',s);else if(window.matchMedia('(prefers-color-scheme:dark)').matches)document.documentElement.setAttribute('data-theme','dark');var b=document.querySelector('.theme-btn');if(b)b.textContent=document.documentElement.getAttribute('data-theme')==='dark'?'\u2600':'\u263E';})();
window.addEventListener('scroll',function(){var n=document.getElementById('nav');if(n)n.classList.toggle('scrolled',window.scrollY>40)});
</script>
</body>
</html>