agentic-identity

$npx mdskill add elophanto/EloPhanto/agentic-identity

Build cryptographic identity and zero-trust verification for autonomous agents.

  • Enables agents to authenticate, authorize, and verify trust without human intervention.
  • Integrates with cryptographic keypools, credential issuers, and multi-agent frameworks.
  • Decides actions by enforcing peer verification and evidence-based trust scoring.
  • Delivers tamper-evident audit trails and portable credentials across all protocols.
SKILL.md
.github/skills/agentic-identityView on GitHub ↗
---
name: agentic-identity
description: Designs identity, authentication, and trust verification systems for autonomous AI agents in multi-agent environments. Adapted from msitarzewski/agency-agents.
---

## Triggers

- agent identity
- trust verification
- credential management
- delegation chain
- zero trust agents
- agent authentication
- evidence trail
- audit trail
- peer verification
- trust scoring
- cryptographic identity
- agent authorization
- tamper-evident records
- credential rotation
- post-quantum readiness
- multi-agent trust
- identity federation

## Instructions

### Agent Identity Infrastructure
- Design cryptographic identity systems for autonomous agents: keypair generation, credential issuance, identity attestation.
- Build agent authentication that works without human-in-the-loop for every call. Agents must authenticate to each other programmatically.
- Implement credential lifecycle management: issuance, rotation, revocation, and expiry.
- Ensure identity is portable across frameworks (A2A, MCP, REST, SDK) without framework lock-in.

### Trust Verification and Scoring
- Design trust models that start from zero and build through verifiable evidence, not self-reported claims.
- Implement peer verification: agents verify each other's identity and authorization before accepting delegated work.
- Build reputation systems based on observable outcomes: did the agent do what it said it would do?
- Create trust decay mechanisms: stale credentials and inactive agents lose trust over time.

### Evidence and Audit Trails
- Design append-only evidence records for every consequential agent action.
- Ensure evidence is independently verifiable: any third party can validate the trail without trusting the system that produced it.
- Build tamper detection into the evidence chain: modification of any historical record must be detectable.
- Implement attestation workflows: agents record what they intended, what they were authorized to do, and what actually happened.

### Delegation and Authorization Chains
- Design multi-hop delegation where Agent A authorizes Agent B to act on its behalf, and Agent B can prove that authorization to Agent C.
- Ensure delegation is scoped: authorization for one action type does not grant authorization for all action types.
- Build delegation revocation that propagates through the chain.
- Implement authorization proofs that can be verified offline without calling back to the issuing agent.

### Critical Rules
- Never trust self-reported identity. Require cryptographic proof.
- Never trust self-reported authorization. Require a verifiable delegation chain.
- Never trust mutable logs. If the entity that writes the log can also modify it, the log is worthless for audit.
- Assume compromise. Design every system assuming at least one agent in the network is compromised or misconfigured.
- Use established standards: no custom crypto, no novel signature schemes in production.
- Separate signing keys from encryption keys from identity keys.
- If identity cannot be verified, deny the action. Never default to allow.
- If a delegation chain has a broken link, the entire chain is invalid.

### Workflow
1. Threat model the agent environment before writing any code. Answer: how many agents interact, do they delegate, what is the blast radius, who is the relying party, what is the key compromise recovery path, what compliance regime applies.
2. Design identity issuance with proper key generation, verification endpoints, expiry policies, and rotation schedules.
3. Implement trust scoring with observable behaviors, clear auditable logic, thresholds, and trust decay.
4. Build evidence infrastructure with append-only store, chain integrity verification, attestation workflows, and independent verification tools.
5. Deploy peer verification between agents with delegation chain verification and fail-closed authorization gates.
6. Prepare for algorithm migration by abstracting cryptographic operations behind interfaces.

### Advanced Capabilities
- Post-quantum readiness: design with algorithm agility, evaluate NIST post-quantum standards (ML-DSA, ML-KEM, SLH-DSA), build hybrid schemes.
- Cross-framework identity federation between A2A, MCP, REST, and SDK-based agent frameworks.
- Compliance evidence packaging: bundle evidence into auditor-ready packages, map to SOC 2, ISO 27001, financial regulations.
- Multi-tenant trust isolation: ensure trust scores do not leak between organizations, implement tenant-scoped credential issuance.

## Deliverables

### Agent Identity Schema
```json
{
  "agent_id": "trading-agent-prod-7a3f",
  "identity": {
    "public_key_algorithm": "Ed25519",
    "public_key": "MCowBQYDK2VwAyEA...",
    "issued_at": "2026-03-01T00:00:00Z",
    "expires_at": "2026-06-01T00:00:00Z",
    "issuer": "identity-service-root",
    "scopes": ["trade.execute", "portfolio.read", "audit.write"]
  },
  "attestation": {
    "identity_verified": true,
    "verification_method": "certificate_chain",
    "last_verified": "2026-03-04T12:00:00Z"
  }
}
```

### Trust Score Model
```python
class AgentTrustScorer:
    def compute_trust(self, agent_id: str) -> float:
        score = 1.0
        if not self.check_chain_integrity(agent_id):
            score -= 0.5
        outcomes = self.get_verified_outcomes(agent_id)
        if outcomes.total > 0:
            failure_rate = 1.0 - (outcomes.achieved / outcomes.total)
            score -= failure_rate * 0.4
        if self.credential_age_days(agent_id) > 90:
            score -= 0.1
        return max(round(score, 4), 0.0)

    def trust_level(self, score: float) -> str:
        if score >= 0.9: return "HIGH"
        if score >= 0.5: return "MODERATE"
        if score > 0.0: return "LOW"
        return "NONE"
```

### Delegation Chain Verification
```python
class DelegationVerifier:
    def verify_chain(self, chain: list[DelegationLink]) -> VerificationResult:
        for i, link in enumerate(chain):
            if not self.verify_signature(link.delegator_pub_key, link.signature, link.payload):
                return VerificationResult(valid=False, failure_point=i, reason="invalid_signature")
            if i > 0 and not self.is_subscope(chain[i-1].scopes, link.scopes):
                return VerificationResult(valid=False, failure_point=i, reason="scope_escalation")
            if link.expires_at < datetime.utcnow():
                return VerificationResult(valid=False, failure_point=i, reason="expired_delegation")
        return VerificationResult(valid=True, chain_length=len(chain))
```

### Evidence Record Structure
```python
class EvidenceRecord:
    def create_record(self, agent_id, action_type, intent, decision, outcome=None):
        previous = self.get_latest_record(agent_id)
        prev_hash = previous["record_hash"] if previous else "0" * 64
        record = {
            "agent_id": agent_id, "action_type": action_type,
            "intent": intent, "decision": decision, "outcome": outcome,
            "timestamp_utc": datetime.utcnow().isoformat(),
            "prev_record_hash": prev_hash,
        }
        canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
        record["record_hash"] = hashlib.sha256(canonical.encode()).hexdigest()
        record["signature"] = self.sign(canonical.encode())
        self.append(record)
        return record
```

## Success Metrics

- Zero unverified actions execute in production (fail-closed enforcement rate: 100%)
- Evidence chain integrity holds across 100% of records with independent verification
- Peer verification latency < 50ms p99
- Credential rotation completes without downtime or broken identity chains
- Trust score accuracy: agents flagged as LOW trust have higher incident rates than HIGH trust agents
- Delegation chain verification catches 100% of scope escalation attempts and expired delegations
- Algorithm migration completes without breaking existing identity chains
- Audit pass rate: external auditors can independently verify the evidence trail without access to internal systems

## Verify

- The intended other agent / tool / channel actually received the message; an ack, message ID, or response payload is captured
- Identity, scopes, and permissions used by the call were the minimum required; over-permissioned tokens are called out
- Failure handling was exercised: at least one retry/timeout/permission-denied path is shown to behave as designed
- Hand-off context passed to the next actor is complete enough that the receiver could act without a follow-up question
- Any state mutated (config, memory, queue, file) is listed with before/after values, not just 'updated'
- Sensitive material (keys, tokens, PII) was redacted from logs/transcripts shared in the verification evidence
More from elophanto/EloPhanto