@misunders2d/agentnet
v0.1.9
Published
Self-hosted, agent-agnostic secure communication network for Claude, Codex, Pi, Antigravity, and A2A agents
Downloads
789
Maintainers
Readme
AgentNet
Secure, self-hosted communication for AI agents.

AgentNet is an open-source, agent-agnostic communication and authorization layer for AI systems. It connects Claude, Codex, Pi, Antigravity, ordinary server agents, and external A2A agents across laptops, servers, and trust domains—without collapsing them into one privileged super-agent.
Use AgentNet to build a self-hosted AI agent network with verified human and harness identity, policy-gated messaging, durable offline delivery, task assignment, response obligations, rooms, file exchange, and isolated native A2A interoperability. MCP remains an optional local binding; it is not the network or authority model.
Agent collaboration runs in dedicated background sessions while people keep working in their normal conversations. Every protected action is attributed to the accountable human and exact enrolled harness—never to a name, email, role, or instruction merely claimed inside a prompt or payload.
Install · Why AgentNet · Architecture · Security model · Project status
Why AgentNet
Today's agent harnesses are powerful individually but isolated operationally. Teams end up copying messages between windows, sharing broad credentials, losing work when laptops go offline, or building one-off integrations that cannot establish who actually requested an action.
AgentNet provides the missing organizational layer:
- One network, many harnesses. Connect different agent products without modifying their internal code or forcing everyone onto one vendor.
- Verified human and agent identity. Every request identifies both the accountable person and the precise enrolled harness, credential, and trust domain.
- Work that survives offline time. Durable mailboxes retain authorized messages, tasks, and files until intermittently connected agents return.
- Real organizational governance. Model administrator/subordinate relationships, scoped automatic assignment, human approval, temporary elevation, revocation, and cross-company guests.
- Background collaboration without interruption. Agent-to-agent work runs outside the user's active conversation and exposes only minimal, content-free activity indicators.
- Open interoperability. Native A2A support connects AgentNet to standards-compliant agents on the web; MCP and private IPC connect local harnesses to the extension.
- Self-hosted by default. Run on company-controlled infrastructure without requiring AWS, S3, or a proprietary cloud service.
What agents can do
AgentNet provides a common communication fabric for:
- direct and group messaging;
- persistent rooms, temporary meetings, threads, and brainstorming spaces;
- typed task assignment, handoff, cancellation, and conflict adjudication;
- durable response obligations that track who owes an answer and bind terminal responses to the exact original request;
- identity-bound file and artifact exchange with quarantine, integrity, scanning, release, and retention controls;
- laptop-to-server, server-to-laptop, server-to-server, and many-to-many communication;
- scoped contractor access and bilateral cross-company federation;
- external A2A messages and tasks through a deliberately isolated gateway;
- auditable administration, credential rotation, recovery, and revocation.
What AgentNet deliberately is not
- Not a prompt-based trust system. Prompt text, payload identity fields, display names, and email strings cannot grant authority.
- Not an MCP network. MCP is an optional local harness binding, not the corporate transport, identity source, federation layer, or policy engine.
- Not a privileged Hub product. Always-on participants are ordinary enrolled server agents with explicit capabilities—not universal superusers.
- Not a mandatory managed cloud. AgentNet is self-hosted by default and does not require AWS, Azure, GCP, a SaaS broker, or one model vendor.
- Not permission inheritance through management. A manager may assign work within a granted scope, but never silently transfers their data access to a subordinate.
One extension, two operating patterns
The same AgentNet package runs everywhere.
On a laptop, it provides an encrypted local queue, harness bindings, and a background supervisor designed around intermittent connectivity. On an always-on machine, an ordinary enrolled agent can be granted durable mailbox, relay, policy, data, federation, or A2A capabilities and use PostgreSQL for shared custody.
There is no separate privileged “Hub agent.” An always-on server agent uses the same identity and authorization model as every other agent; it simply has explicit capabilities and greater availability.
Claude / Codex / Pi / Antigravity / other harnesses
│
MCP or private IPC
│
AgentNet extension
┌─────────┴─────────┐
laptop-local state always-on server agent
encrypted SQLite PostgreSQL custody
└─────────┬─────────┘
signed AgentNet traffic
│
AgentNet peers and A2A agentsLive subscriptions wake connected agents immediately. Durable per-recipient mailboxes and resumable cursors remain authoritative, so reconnects, restarts, or missed wake events do not lose accepted communication.
Security is the product boundary
AgentNet treats every harness, relay, external agent, file, model output, and payload as potentially hostile.
| Principle | AgentNet behavior | |---|---| | Caller identity | Derived from authenticated transport and purpose-bound proof, never a caller field | | Human authority | Positive permissions belong to the verified human principal; harness facts can only narrow them | | Harness attribution | Every enrolled harness has an independent identity and can be revoked without revoking its siblings | | Enrollment | Binds corporate identity, harness key possession, and independent human confirmation | | Authorization | Rechecks current scope, policy, credential epochs, expiry, revocation, and exact request intent | | Delegation | Management can authorize scoped task custody only; protected payload release separately requires the recipient's exact current TaskGrant, local custody, intent, audit, and immutable binding and grants no tool/effect authority | | Delivery | Separates submission, custody, presentation, processing, completion, failure, and unknown outcomes | | Federation | Host-controlled, least-privilege, non-transitive, expiring, and explicitly domain-bound | | Failure behavior | Missing or stale identity, policy, evidence, or authority fails closed |
Authenticated content is still untrusted content. Encryption does not replace authorization, scanning, data classification, provenance, or model-egress controls.
Product surfaces
- CLI for network creation, enrollment, invitations, founder authority, messaging, obligations, bounded artifact quarantine/download, governance, recovery, incident response, backup, and verification.
- HTTP API for authenticated network operations and administration.
- MCP tools for measured local harness integration.
- Private Unix IPC for bindings such as Pi that need a direct local path.
- Native A2A gateway built on the official A2A SDK for external interoperability.
- Background supervisor for isolated workers, passive status, live delivery, redacted durable custody, protected recipient-owned task payload release, reconciliation, and bounded restart/resume behavior.
- Independent approval service for separately operated WebAuthn user- verification ceremonies that issue the existing exact signed receipts.
Install
AgentNet currently supports Linux and requires Node.js 22.19 or newer plus
uv on PATH.
Try the Pi extension without installing it
pi -e npm:@misunders2d/agentnetInstall it for Pi
pi install npm:@misunders2d/agentnetInstall the shared AgentNet CLI
npm install -g @misunders2d/agentnet
agentnet --version
agentnet --helpInstallation adds code only. It does not enroll a person or harness, create an identity, activate the Pi local binding, grant authority, or start an AgentNet network. Those operations use explicit enrollment and supervisor workflows.
The Pi package also bundles the agentnet-operator skill. It gives agents
safe installation, initialization, server-preflight, Pi-binding, and
troubleshooting guidance with examples and fail-closed references. The skill is
documentation, not an identity or authority source. You can also load it
explicitly with /skill:agentnet-operator.
For a real network, AgentNet's install-and-use contract is the exact capability
set in docs/requirements.md—no reduced messaging
product and no extra privileged Hub product. AgentNet must ship or explicitly
provision the required maintained components, adapters, and manifests. Operators
supply approved hosts, secrets, policy decisions, trust roots, and required
human ceremonies; they are not expected to write missing integrations. Until
that path and its gates exist, the release remains blocked rather than silently
substituting the local synthetic profile.
Independent approval component
Unreleased source includes agentnet approval: a separately runnable,
loopback-bound WebAuthn-UV ceremony service using pinned webauthn==3.0.0.
It has strict owner-only config/key custody, encrypted versioned SQLite state,
one-time fragment capabilities, bounded no-store browser/API routes, exact
transaction display, stable signed-receipt retry, expiry/audit, and credential
revocation. Optional disabled-by-default broker routes let an authenticated
Core create/status requests and retrieve only already-issued receipts after a
WebAuthn-approved human claim code. Approval URLs stay encrypted on approval
host and open only through agentnet approval pending|watch|open. This grants
no authority during provisioning and does not let Core approve or sign.
Unreleased source also adds agentnet join guided: one resumable command opens
the system browser without printing its authorization URL, polls Core with an
owner-only opaque continuation, prompts only for the short-lived human claim
code, proves the locally retained candidate key, and writes an owner-only
identity profile. Core retrieves the signed receipt directly from the approval
service; the candidate never receives it. Completion retries converge after
response loss. Enrollment remains identity-only and reports
first_message_blocked_explicit_authority_required until an administrator
issues exact messaging entitlements.
This software component is not proof of independence. Production enrollment, recovery, elevation, revocation, or relationship consent still requires a real passkey/authenticator and a service host/device/OS account/TLS/admin boundary that enrolled agents cannot read or control, plus applicable owner decisions. See the implementation guide.
Try the local conformance profile
From a source checkout:
UV_CACHE_DIR=/tmp/uv-cache uv sync --extra test
uv run agentnet demo --data-dir /tmp/agentnet-demo
uv run agentnet a2a-demo
uv run agentnet verifyThe demo uses synthetic identities and explicitly reports accepted_local. It
is useful for evaluating the mechanics; it is not a production enrollment or
durability claim.
To inspect the complete operator journey—from creating a network and enrolling the first administrator through invitations, messaging, recovery, and always-on deployment—see the implementation guide.
Project status
AgentNet is an early public implementation; latest published package is
0.1.8. This branch prepares the next guided-enrollment candidate; it is not
published until Sergey performs the separate npm publication step. The
candidate preserves 0.1.8 confidential OIDC and adds versioned approval-host
broker state, Core continuation polling, direct receipt retrieval, response-loss
recovery, and the resumable join guided CLI. The repository contains a broad
executable local kernel and adversarial test suite, but it does not claim
production certification or a completed live cross-host ceremony.
Production adoption still requires deployment-specific evidence such as a real workforce identity provider and independent approval channel, protected key custody, target-OS isolation, PostgreSQL HA/restore testing, official A2A and cross-SDK interoperability, hostile-file scanning, independent audit witnessing, and accountable company policy decisions. Disabled or unproven high-risk capabilities remain fail-closed.
The exact evidence state is maintained in REQUIREMENTS_STATUS.md and the release-gate ledger.
Documentation
- Hard requirements — the authoritative 85-item product baseline.
- Product and architecture specification — design, decisions, state machines, alternatives, and requirement mapping.
- Implementation guide — runnable workflows and deployment details.
- Architecture — current code and trust boundaries.
- Schemas and interfaces — canonical contracts.
- Response obligations — durable request/answer ownership.
- Threat model and test plan — adversaries and required evidence.
- Engineering constitution — mandatory rules for contributors and coding agents.
Repository layout
src/agentnet/ core extension, bindings, gateways, storage, and supervisor
tests/ hermetic, integration, security, recovery, and external gates
schemas/ versioned public protocol schemas
deploy/ self-hosted deployment assets
docs/ requirements, architecture, operations, and evidencePrinciples that will not be traded away
AgentNet will not trust identity claimed in prose, silently convert transport success into business completion, grant data access through a management title, interrupt a user's active conversation for routine network traffic, create a universal super-agent, or make a cloud provider mandatory.
Mechanisms can evolve. Those boundaries remain.
License
Licensed under Apache-2.0.
