npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@trustagentai/a2a-core

v0.1.0-alpha.1

Published

Cryptographic accountability layer for MCP agent-to-agent interactions. Ed25519 receipts, DAG ledger, Merkle batching, Dispute Packs.

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

kirill.ostrovskiikirill.ostrovskii

Keywords

mcpai-agentscryptographynon-repudiationed25519merkleaccountabilitya2atrustaudit

Readme

TrustAgentAI · A2A Accountability Protocol

Your MCP agent just called execute_wire_transfer.
Can you prove it happened? Can you prove who authorized it? Can you prove the result wasn't tampered with?

Without TrustAgentAI — no.

The problem MCP doesn't solve

MCP connects AI agents to tools. It does not make those connections accountable.

When Agent A calls a tool on Agent B today:

| What you get | What you don't get | |---|---| | A log entry (editable by admins) | Cryptographic proof of authorization | | A timestamp (from a clock you control) | Proof that intent matched outcome | | An API response | Evidence admissible in a dispute | | Observability | Non-repudiation |

This gap doesn't matter for chatbots.
It matters enormously when agents move money, modify infrastructure, or act on behalf of legal entities.

The MCP ecosystem is moving fast toward exactly those use cases. TrustAgentAI is the accountability layer it's missing.

What TrustAgentAI does

We add a cryptographic receipt system to MCP tool calls — without changing your existing agents or tools.

Every high-stakes action produces three signed artifacts:

Intent Envelope      → Agent A signs: "I intend to call X with these args"
Acceptance Receipt   → Agent B signs: "I received and validated this intent"
Execution Envelope   → Agent B signs: "I executed it, here is the outcome hash"

These artifacts are:

  • Signed with Ed25519 — tamper-evident, verifiable without a server
  • Hashed with JCS (RFC 8785) — canonical, deterministic, cross-platform
  • Chained in a DAG ledger — causal order is cryptographically enforced
  • Batched into Merkle trees anchored on L2 — immutable after the fact

The result: a Dispute Pack — a self-contained bundle of cryptographic evidence that proves what happened, when, and who authorized it. Designed to satisfy auditors, insurers, and legal arbitrators.

Quick Start

npm install @trustagentai/a2a-core

Protect an MCP tool call in 3 steps

import { generateKeyPair } from "@trustagentai/a2a-core/crypto";
import { buildIntentEnvelope, buildExecutionEnvelope } from "@trustagentai/a2a-core/envelopes";
import { DAGLedger } from "@trustagentai/a2a-core/ledger";

// 1. Generate keys for your proxy (done once at setup)
const proxyKey = await generateKeyPair("did:workload:my-agent#key-1");
const ledger = new DAGLedger();

// 2. Before the tool call — build and sign Intent
const { envelope: intent } = await buildIntentEnvelope({
  initiatorDid: "did:workload:payment-agent-01",
  vcRef: "urn:credential:treasury-auth-099",
  targetDid: "did:workload:stripe-mcp-server",
  mcpDeploymentId: "stripe-prod-cluster-1",
  toolName: "execute_wire_transfer",
  toolSchemaHash: "e3b0c44298fc1c149afbf4c8996fb924",
  mcpSessionId: "sess_abc123",
  args: { amount_usd: 5000, destination: "IBAN:DE89..." },
  proxyKey,
});

// 3. After execution — sign the outcome and record everything
const execution = await buildExecutionEnvelope({
  intentEnvelope: intent,
  acceptanceReceipt: acceptance, // from Proxy B
  status: "COMPLETED",
  outputData: { transaction_id: "txn_001", status: "settled" },
  proxyKey,
});

ledger.append("INTENT_RECORD", intent);
ledger.append("EXECUTION_RECORD", execution);

// Generate a Dispute Pack for this transaction
const proof = ledger.getDisputePack(intent.trace_id);
// proof.inclusionProofs → Merkle path to anchored root
// proof.entries        → signed artifacts (Intent + Acceptance + Execution)

Run the full example locally

git clone https://github.com/kirbas/trustagent-a2a-protocol
cd trustagent-a2a-protocol
npm install
npm run example       # full A2A lifecycle with Merkle proof verification
npm run proxy:test    # Proxy A ↔ Proxy B: success, budget exceeded, replay attack, forbidden tool

How it fits into your MCP stack

┌─────────────────────────────────────────────────────┐
│                  Your MCP Orchestrator               │
└──────────────────────┬──────────────────────────────┘
                       │  tool_call (JSON-RPC)
              ┌────────▼────────┐
              │   Trust Proxy A  │  ← builds + signs IntentEnvelope
              │   (your side)    │
              └────────┬────────┘
                       │  IntentEnvelope (signed)
              ┌────────▼────────┐
              │   Trust Proxy B  │  ← verifies TTL, nonce, Ed25519 signature
              │   (tool side)    │  ← checks risk budget (D4)
              └────────┬────────┘  ← signs AcceptanceReceipt
                       │
              ┌────────▼────────┐
              │   Your MCP Tool  │  execute_wire_transfer / deploy / delete / etc.
              └────────┬────────┘
                       │  result
              ┌────────▼────────┐
              │   DAG Ledger     │  ← tamper-evident, Merkle-batched
              │ + Timestamp Reg  │  ← anchored to L2 blockchain
              └─────────────────┘
                       │
              ┌────────▼────────┐
              │   Dispute Pack   │  ← cryptographic evidence bundle
              └─────────────────┘

The proxies are sidecars — they intercept existing MCP JSON-RPC traffic.
No changes to your agents or tools required.

Security properties

| Property | How it's achieved | |---|---| | Non-repudiation (D1) | Bilateral Ed25519 signatures on every phase | | Intent binding | args_hash + tool_schema_hash locked in the signed envelope | | Anti-replay | Per-(did, nonce) uniqueness with TTL and clock skew tolerance | | Tamper-evident history (D5) | Merkle-batched DAG entries anchored to L2 blockchain | | Agent drift prevention (D4) | Risk budget enforced at proxy level before execution | | Dual-signature support | Agent + Proxy countersign for high-value actions (TEE-ready) | | Privacy | Only args_hash and output_hash on-chain — raw args stay off-chain | | Dispute-grade proof (D2) | Dispute Pack: Merkle path + signed artifacts + L2 anchor ref |

What's in this repo

src/
  crypto.ts           Ed25519 signing · JCS hashing · key generation
  envelopes.ts        Intent, Acceptance, Execution envelope builders
  ledger.ts           DAG ledger · Merkle tree · Timestamp Registry · Dispute Pack
  nonce-registry.ts   Anti-replay store with TTL
  risk-budget.ts      Per-agent policy enforcement (D4)
  trust-proxy.ts      ProxyAGateway + ProxyBGateway (MCP middleware)
  proxy-server.ts     HTTP server: /accept · /executed · /dispute/:id

example.ts            End-to-end lifecycle: keygen → Intent → Acceptance → Execution → Merkle proof
proxy-test.ts         Integration test: 4 security scenarios

docs/
  spec-v0.4.md        Full protocol specification
  architecture.md     Component diagram and design decisions
  dispute-pack.md     Dispute Pack format and verification guide

Protocol specification

The full A2A Accountability Protocol v0.4 is published at:
trustagentai.net/trustagentai-a2a-protocol

Key sections:

  • §3 Transaction Lifecycle — the 3-phase cryptographic handshake
  • §4 Data Formats — Hash Target Rule (JCS + SHA-256), envelope schemas
  • §5 Validation Rules — TTL, anti-replay, dual-signature policy
  • §6 Streaming Ledger — DAG architecture, Merkle leaf definition
  • §8 Dispute Resolution — Dispute Pack format, inclusion proof, L2 anchor

Roadmap

Now · v0.4 RFC phase

  • [x] Protocol specification v0.4
  • [x] TypeScript reference implementation
  • [x] Ed25519 signing + JCS canonicalization
  • [x] DAG ledger + Merkle batching + Timestamp Registry
  • [x] Trust Proxy A + B (MCP middleware)
  • [x] Risk budget engine (D4)
  • [x] Dispute Pack generation + Merkle inclusion proof
  • [x] HTTP server with /accept, /executed, /dispute/:id

Next · v0.5

  • [ ] Publish @trustagentai/a2a-core to npm
  • [ ] Python SDK
  • [ ] L2 anchoring integration (Base / Arbitrum)
  • [ ] Verifiable Credential (VC) policy loader
  • [ ] Native MCP SDK integration
  • [ ] good first issue tasks — see Issues

Later

  • [ ] Rust implementation (performance-critical proxy path)
  • [ ] Hosted Timestamp Registry (cloud, SLA-backed)
  • [ ] Dispute Console UI (compliance dashboard)
  • [ ] TEE attestation (SGX / TDX) for agent identity

Contributing

Accountability infrastructure must be open. We welcome:

  • Protocol feedback — open a Discussion or comment on open RFCs
  • SDK ports — Python, Go, Rust implementations
  • MCP integrations — connect TrustAgentAI to existing MCP servers and tools
  • Security review — cryptography, replay attack vectors, edge cases in the spec

Getting started:

  1. Read CONTRIBUTING.md
  2. Read ARCHITECTURE.md for design context
  3. Pick a good first issue

All contributors must sign the CLA.
This protects both contributors and the project's ability to sustain open-core development long-term.

Why open source?

Trust infrastructure only works if it's auditable.
A closed "trust layer" is a contradiction in terms.

The core protocol, SDK, and reference proxy are open under Apache 2.0 — permanently.
We plan to build sustainable funding through hosted infrastructure and enterprise tooling on top of this foundation.

License

Apache License 2.0

Apache 2.0 includes an explicit patent grant — important for cryptographic protocols used in regulated industries.

Links