{"id":48354056,"url":"https://github.com/airlock-protocol/airlock","last_synced_at":"2026-04-05T10:05:02.662Z","repository":{"id":348976611,"uuid":"1200457157","full_name":"airlock-protocol/airlock","owner":"airlock-protocol","description":"DMARC for AI Agents — open protocol for agent-to-agent trust verification","archived":false,"fork":false,"pushed_at":"2026-04-03T16:31:38.000Z","size":421,"stargazers_count":0,"open_issues_count":10,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-04-03T19:06:20.695Z","etag":null,"topics":["a2a","agent-security","ai-agents","did","ed25519","identity","mcp","open-standard","trust-protocol","verifiable-credentials"],"latest_commit_sha":null,"homepage":"https://airlock.ing","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/airlock-protocol.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":"GOVERNANCE.md","roadmap":"ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-04-03T12:42:00.000Z","updated_at":"2026-04-03T16:30:40.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/airlock-protocol/airlock","commit_stats":null,"previous_names":["airlock-protocol/airlock"],"tags_count":2,"template":false,"template_full_name":null,"purl":"pkg:github/airlock-protocol/airlock","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock-protocol%2Fairlock","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock-protocol%2Fairlock/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock-protocol%2Fairlock/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock-protocol%2Fairlock/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/airlock-protocol","download_url":"https://codeload.github.com/airlock-protocol/airlock/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/airlock-protocol%2Fairlock/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31431460,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T08:13:15.228Z","status":"ssl_error","status_checked_at":"2026-04-05T08:13:11.839Z","response_time":75,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["a2a","agent-security","ai-agents","did","ed25519","identity","mcp","open-standard","trust-protocol","verifiable-credentials"],"created_at":"2026-04-05T10:05:02.584Z","updated_at":"2026-04-05T10:05:02.649Z","avatar_url":"https://github.com/airlock-protocol.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Agentic Airlock\n\n[![CI](https://github.com/airlock-protocol/airlock/actions/workflows/ci.yml/badge.svg)](https://github.com/airlock-protocol/airlock/actions/workflows/ci.yml)\n[![Python 3.11+](https://img.shields.io/badge/python-3.11%2B-blue.svg)](https://www.python.org/downloads/)\n[![License](https://img.shields.io/badge/License-Multi--License-blue.svg)](#license)\n[![PyPI version](https://img.shields.io/pypi/v/airlock-protocol.svg)](https://pypi.org/project/airlock-protocol/)\n[![DCO](https://img.shields.io/badge/DCO-required-brightgreen.svg)](https://developercertificate.org/)\n\n**DMARC for AI Agents** — an open protocol for agent-to-agent trust verification in the agentic web.\n\n**Registry:** [api.airlock.ing](https://api.airlock.ing) — every verification routes through the central trust registry by default.\n\n---\n\n## What's New in v0.2\n\n### Trust \u0026 Security\n- **Trust Tiers** — Progressive trust levels (Unknown -\u003e Challenge-Verified -\u003e Domain-Verified -\u003e VC-Verified) with score ceilings\n- **Proof-of-Work** — SHA-256 Hashcash anti-Sybil protection on handshake\n- **Privacy Mode** — `local_only`, `any`, `no_challenge` modes for GDPR/DPDP compliance\n- **Dual-LLM Evaluation** — Optional cross-validation with conservative agreement\n- **Answer Fingerprinting** — SimHash + SHA-256 bot farm detection\n- **Structured LLM Output** — JSON schema evaluation (no free-text parsing)\n- **Tiered Decay** — Per-tier reputation half-lives with floor protection\n\nSee [CHANGELOG.md](CHANGELOG.md) for the full release notes.\n\n---\n\n## The Problem\n\nAI agents are rapidly gaining the ability to communicate with each other autonomously (via protocols like Google A2A and Anthropic MCP). There is no standard mechanism for verifying agent identity, authorization, or trustworthiness. The agent ecosystem is repeating the same mistake email made — building communication without authentication. Email took 20 years to bolt on SPF, DKIM, and DMARC after spam became an existential crisis. The Agentic Airlock builds the trust layer *before* the agent spam crisis hits.\n\n---\n\n## The Solution\n\nA **5-phase cryptographic verification protocol** with Ed25519 signing at every hop. Each agent interaction passes through:\n\n```\nResolve → Handshake → Challenge → Verdict → Seal\n```\n\n95%+ of verifications complete in microseconds using pure cryptography. The semantic LLM challenge only fires for unknown agents — and only once per reputation tier.\n\n---\n\n## Architecture\n\n```\n ┌─────────────────────────────────────────┐\n │ Agentic Airlock │\n │ │\n Agent A ──────────► │ [Gateway] ──► EventBus │\n (HandshakeRequest) │ │ │ │\n │ │ ACK/NACK ▼ │\n │ │ [Orchestrator] │\n │ │ │ │\n │ │ ┌─────┴──────┐ │\n │ │ ▼ ▼ │\n │ │ ReputationStore SemanticChallenge│\n │ │ │ │ │\n │ │ fast-path? ChallengeRequest │\n │ │ │ → Agent A │\n │ │ ▼ ▼ │\n │ │ TrustVerdict (VERIFIED / │\n │ │ REJECTED / DEFERRED) │\n │ │ │ │\n │ │ ▼ │\n │ │ AirlockAttestation → Agent B │\n └─────┴─────────────────────────────────── ┘\n```\n\n**v0.2 additions:** Handshake now supports optional **Proof-of-Work** (SHA-256 Hashcash) for anti-Sybil protection. Agents are assigned a **Trust Tier** (Unknown/Challenge-Verified/Domain-Verified/VC-Verified) that governs score ceilings and decay rates. **Privacy Mode** (`local_only`/`any`/`no_challenge`) allows callers to control data residency for GDPR/DPDP compliance. Challenge evaluation supports **Dual-LLM** cross-validation with conservative agreement.\n\n---\n\n## The 5 Phases\n\n| # | Phase | What Happens |\n|---|-------|--------------|\n| 1 | **Resolve** | Caller discovers the target agent's capabilities, DID, and endpoint status. The gateway looks up the agent registry and logs the event. |\n| 2 | **Handshake** | Initiating agent presents a signed `HandshakeRequest` with its DID (`did:key`), intent, and a W3C Verifiable Credential. The gateway verifies the Ed25519 signature at transport time — invalid signatures are NACK'd instantly. |\n| 3 | **Challenge** | If the agent's trust score is in the unknown zone (0.15–0.75), the orchestrator issues a `ChallengeRequest` — a semantic question about the agent's intended behaviour and capabilities. |\n| 4 | **Verdict** | The orchestrator evaluates the challenge response (LLM-backed) and issues a signed `TrustVerdict`: `VERIFIED`, `REJECTED`, or `DEFERRED`. High-reputation agents skip phases 3 \u0026 4 entirely (fast-path). |\n| 5 | **Seal** | Both parties receive a signed `SessionSeal` containing the full verification trace, attestation, and updated trust score. The seal provides an auditable receipt for every interaction. |\n\n---\n\n## Quickstart\n\n```bash\npip install airlock-protocol\n\n# Verify an agent in 7 lines\npython -c \"\nfrom airlock import AirlockClient\nclient = AirlockClient() # defaults to api.airlock.ing\nresult = client.verify('did:key:z6MkhaXgBZDvotDkL5257faiztiGiC2QtKLGpbnnEGta2doK')\nprint(f'Verified: {result.verified}, Score: {result.trust_score}')\n\"\n```\n\n### CLI\n\n```bash\n# Verify an agent from the command line\nairlock verify did:key:z6Mk...\n\n# Start a local gateway for development\nairlock serve\n\n# Scaffold a new Airlock-protected project\nairlock init\n```\n\n### Self-hosting\n\n```bash\n# Clone and run locally\ngit clone https://github.com/airlock-protocol/airlock.git\ncd airlock\npip install -e \".[dev]\"\npython demo/run_demo.py # 3-agent demo, no external services needed\npython -m pytest tests/ -v # 399+ tests\n```\n\n\u003e **[→ Full Getting Started Guide](GETTING_STARTED.md)**\n\n---\n\n## SDK Usage\n\n```python\nfrom airlock import AirlockClient\n\n# Default — routes through central Airlock registry (api.airlock.ing)\nclient = AirlockClient()\nresult = client.verify(\"did:key:z6Mk...\")\nif result.verified:\n print(f\"Trusted: {result.agent_name}, Score: {result.trust_score}\")\n\n# Self-hosted — point to your own gateway\nclient = AirlockClient(gateway_url=\"http://localhost:8000\")\n\n# Async support\nresult = await client.averify(\"did:key:z6Mk...\")\n```\n\n### TypeScript client (`airlock-client`)\n\nThe npm workspace under `sdks/typescript` exposes the same REST operations via `fetch` (Node 18+). See [`sdks/typescript/README.md`](sdks/typescript/README.md). Published PyPI name remains **`airlock-protocol`** (Python); the TS package is **`airlock-client`** on npm when released.\n\n### MCP adapter (`airlock-mcp`)\n\n[`integrations/airlock-mcp`](integrations/airlock-mcp) is a stdio [Model Context Protocol](https://modelcontextprotocol.io/) server that surfaces gateway tools (`health`, `resolve`, `session`, `reputation`, etc.) to MCP hosts. Build from repo root: `npm install \u0026\u0026 npm run build:mcp`.\n\nWhen you publish: see **[RELEASING.md](RELEASING.md)** (PyPI OIDC, npm `NPM_TOKEN`, workflows).\n\n---\n\n## Deploy (Docker)\n\n- **Docker Compose** (gateway + Redis, persistent LanceDB volume): **[docs/deploy/docker.md](docs/deploy/docker.md)**\n- Quick start: copy [`.env.example`](.env.example) to `.env`, set `AIRLOCK_GATEWAY_SEED_HEX`, then `docker compose up --build`.\n\n---\n\n## API Reference\n\n| Method | Endpoint | Description |\n|--------|----------|-------------|\n| `POST` | `/resolve` | Look up an agent by DID and return its profile |\n| `POST` | `/handshake` | Submit a signed `HandshakeRequest` for verification (optional PoW + privacy_mode) |\n| `GET` | `/pow-challenge` | Issue a Proof-of-Work challenge (SHA-256 Hashcash, adaptive difficulty) |\n| `POST` | `/challenge-response` | Submit an agent's answer to a semantic challenge |\n| `POST` | `/register` | Register an `AgentProfile` (DID + capabilities + endpoint) |\n| `POST` | `/feedback` | Signed `SignedFeedbackReport` (Ed25519 + nonce); see SDKs |\n| `POST` | `/heartbeat` | Signed heartbeat (`HeartbeatRequest` with envelope + signature) |\n| `GET` | `/reputation/{did}` | Return the current trust score for an agent DID |\n| `GET` | `/session/{session_id}` | Poll session; use `Authorization: Bearer` with `session_view_token` from handshake ACK (or service token). Without auth in dev, **`trust_token` is omitted**. |\n| `WS` | `/ws/session/{session_id}` | Push session updates; same auth via `Authorization` or `?token=` (session viewer JWT) |\n| `GET` | `/health` | Diagnostics (subsystems, queue depth, dead letters, uptime; HTTP 200 even if degraded) |\n| `GET` | `/live` | Process liveness (cheap; Docker `HEALTHCHECK`) |\n| `GET` | `/ready` | Readiness (**HTTP 503** if deps not ready or shutting down) |\n| `GET` | `/metrics` | Prometheus text; requires `AIRLOCK_SERVICE_TOKEN` bearer when that env is set (always in `AIRLOCK_ENV=production`) |\n| `POST` | `/token/introspect` | Validate a trust JWT; requires gateway HS256 secret + service bearer when configured |\n| `*` | `/admin/*` | Optional ops API when `AIRLOCK_ADMIN_TOKEN` is set (Bearer) |\n\n**Public production:** set `AIRLOCK_ENV=production` and the env vars documented in [docs/deploy/docker.md](docs/deploy/docker.md) (non-wildcard CORS, issuer allowlist, `AIRLOCK_SERVICE_TOKEN`, `AIRLOCK_SESSION_VIEW_SECRET`, etc.). **LanceDB v1:** use a **single active writer** or one replica with the LanceDB volume—see the deploy guide.\n\nA2A routes under `/a2a/*` are documented in the gateway module; see `airlock/gateway/a2a_routes.py`.\n\n---\n\n## Trust Scoring\n\n### Initial Score\nNew agents start at a neutral score of **0.50**.\n\n### Routing Thresholds\n\n| Score Range | Routing Decision | Outcome |\n|-------------|-----------------|---------|\n| `≥ 0.75` | **Fast-path** | VERIFIED immediately — no LLM challenge |\n| `0.15 – 0.74` | **Semantic challenge** | LLM evaluates the agent's intent |\n| `≤ 0.15` | **Blacklist** | REJECTED immediately |\n\n### Score Updates\n\n| Verdict | Delta |\n|---------|-------|\n| `VERIFIED` | `+0.05 / (1 + count × 0.1)` (diminishing returns) |\n| `REJECTED` | `−0.15` (fixed penalty) |\n| `DEFERRED` | `−0.02` (small nudge — ambiguity is a signal) |\n\n### Trust Tiers (v0.2)\n\n| Tier | Score Ceiling | Decay Half-Life |\n|------|---------------|-----------------|\n| `UNKNOWN` | 0.50 | 30 days |\n| `CHALLENGE_VERIFIED` | 0.70 | 90 days |\n| `DOMAIN_VERIFIED` | 0.90 | 180 days |\n| `VC_VERIFIED` | 1.00 | 365 days |\n\nAgents with 10+ interactions have a decay floor of **0.60** — established agents never drop back to fully unknown.\n\n### Half-Life Decay\n\nScores decay toward neutral (0.50) over time using the standard radioactive decay formula:\n\n```\ndecayed = 0.5 + (score − 0.5) × 2^(−elapsed_days / half_life)\n```\n\nIn v0.2, `half_life` is tier-specific (see table above) instead of a single global value. An agent that stops interacting gradually becomes \"unknown\" rather than \"suspect\" — matching real-world trust intuitions.\n\n---\n\n## Project Structure\n\n```\nairlock-protocol/\n├── airlock/\n│ ├── config.py # Pydantic settings (env vars with AIRLOCK_ prefix)\n│ ├── pow.py # Proof-of-Work (SHA-256 Hashcash, adaptive difficulty)\n│ ├── crypto/\n│ │ ├── keys.py # Ed25519 KeyPair + did:key encoding/decoding\n│ │ ├── signing.py # sign_model / verify_model + canonicalization\n│ │ └── vc.py # W3C Verifiable Credential issue + validate\n│ ├── engine/\n│ │ ├── event_bus.py # Typed async EventBus (asyncio.Queue backed)\n│ │ ├── orchestrator.py # LangGraph verification state machine (8 nodes)\n│ │ └── state.py # SessionManager with TTL expiry\n│ ├── gateway/\n│ │ ├── app.py # FastAPI application factory + lifespan\n│ │ ├── handlers.py # Request handlers (signature gate + event publish)\n│ │ └── routes.py # FastAPI router + endpoint wiring\n│ ├── reputation/\n│ │ ├── scoring.py # Tiered decay + verdict delta + floor protection\n│ │ └── store.py # LanceDB-backed TrustScore persistence\n│ ├── schemas/\n│ │ ├── challenge.py # ChallengeRequest + ChallengeResponse\n│ │ ├── envelope.py # MessageEnvelope, TransportAck, TransportNack\n│ │ ├── events.py # VerificationEvent hierarchy (typed)\n│ │ ├── handshake.py # HandshakeRequest + HandshakeResponse (PoW + privacy_mode)\n│ │ ├── identity.py # AgentDID, AgentProfile, VerifiableCredential\n│ │ ├── reputation.py # TrustScore schema\n│ │ ├── session.py # VerificationSession + SessionSeal\n│ │ ├── trust_tier.py # TrustTier IntEnum + score ceilings\n│ │ └── verdict.py # TrustVerdict, AirlockAttestation, CheckResult\n│ ├── sdk/\n│ │ ├── client.py # AirlockClient (async httpx wrapper)\n│ │ └── middleware.py # AirlockMiddleware (protect decorator)\n│ └── semantic/\n│ ├── challenge.py # LLM-backed challenge generation + evaluation\n│ └── fingerprint.py # SimHash + SHA-256 answer fingerprinting\n├── integrations/\n│ └── airlock-mcp/ # MCP stdio server (gateway tools)\n├── sdks/\n│ └── typescript/ # npm package `airlock-client` (HTTP + types)\n├── examples/ # Agent scenarios + demos\n└── tests/ # Pytest suite — 399+ tests (gateway, engine, SDK, A2A, security, property-based)\n```\n\n---\n\n## Design Principles\n\n| Principle | Implementation |\n|-----------|---------------|\n| **PKI-first** | All identities are `did:key` — DID documents derived from the Ed25519 public key, no registry required |\n| **Signed everything** | Every message (`HandshakeRequest`, `ChallengeRequest`, `ChallengeResponse`, `SessionSeal`) carries an Ed25519 signature over its canonical JSON form |\n| **Challenge-response** | Unknown agents face semantic questions that probe their stated capabilities — bad actors cannot fake plausible answers at scale |\n| **Event-driven** | The gateway is a thin transport layer; all verification logic runs in an async `EventBus` + `LangGraph` state machine |\n| **Reputation with memory** | Half-life decay means reputation is time-sensitive — a trusted agent that goes dark eventually becomes \"unknown\" again |\n| **Local-first** | LanceDB is embedded (no server). The entire stack runs on a laptop: `python demo/run_demo.py` |\n| **A2A compatible** | The `HandshakeRequest` schema is designed to wrap Google A2A `message` objects |\n| **Progressive trust** | Trust tiers gate score ceilings — LLM-only agents are capped at 0.70; full VC verification unlocks 1.00 |\n| **Privacy-aware** | `privacy_mode` lets callers control data residency (`local_only` keeps all data on the gateway instance) |\n| **Anti-Sybil** | Proof-of-Work on handshake + answer fingerprinting make bot farm attacks economically infeasible |\n\n---\n\n## Environment Variables\n\nAll settings can be configured via environment variables with the `AIRLOCK_` prefix:\n\n| Variable | Default | Description |\n|----------|---------|-------------|\n| `AIRLOCK_HOST` | `0.0.0.0` | Gateway bind address |\n| `AIRLOCK_PORT` | `8000` | Gateway port |\n| `AIRLOCK_SESSION_TTL` | `180` | Session expiry in seconds |\n| `AIRLOCK_LANCEDB_PATH` | `./data/reputation.lance` | Path to reputation database |\n| `AIRLOCK_LITELLM_MODEL` | `ollama/llama3` | LLM model for semantic challenges |\n| `AIRLOCK_LITELLM_API_BASE` | `http://localhost:11434` | LLM API endpoint |\n\n---\n\n## License\n\n| Component | License |\n|-----------|---------|\n| SDKs, crypto, schemas (`sdks/`, `airlock/crypto/`, `airlock/schemas/`) | Apache 2.0 |\n| Gateway, engine (`airlock/gateway/`, `airlock/engine/`) | BSL 1.1 (converts to Apache 2.0 on 2030-04-04) |\n| Specification (`docs/spec/`) | CC-BY-4.0 |\n\nSee [LICENSE](LICENSE) for details.\n\n## Author\n\nShivdeep Singh ([@shivdeep1](https://github.com/shivdeep1)) — [airlock.ing](https://airlock.ing)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fairlock-protocol%2Fairlock","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fairlock-protocol%2Fairlock","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fairlock-protocol%2Fairlock/lists"}