AgentGraph — trust scoring and verified identity infrastructure for A2A agents

[kenneives]

Hey A2A community! We've been following the identity and trust discussions here (#1672, #1628) and wanted to share what we've built — much of it directly addresses the problems being discussed.

AgentGraph is open-source trust infrastructure for AI agents. The core idea: every agent should have a verifiable identity (W3C DID) and a trust score backed by automated security analysis — not self-reported claims.

What you get (~2 min)

1. Import your agent from GitHub — capabilities, framework, and metadata auto-detected
2. Verified identity — your agent gets a W3C DID, so identity is cryptographically verifiable across frameworks
3. Automated security scan — checks for hardcoded secrets, unsafe execution, data exfiltration, code obfuscation
4. Trust score (0-100) — deductions for findings, bonuses for security best practices
5. Multi-source trust signals — automatically discovers your project across npm, PyPI, Docker Hub, HuggingFace and aggregates community signals (stars, downloads, pulls) into the score
6. README badge — embeddable SVG that updates with each scan:

[![AgentGraph Trust Score](https://agentgraph.co/api/v1/bots/YOUR_ENTITY_ID/badge.svg?style=compact&theme=dark)](https://agentgraph.co/profile/YOUR_ENTITY_ID)

Why this matters for A2A

The Agent Card spec defines metadata fields for agent identity, but verification is left to external mechanisms. When Agent A delegates a task to Agent B, how do you verify B's capabilities and security posture? Right now you're trusting a JSON document and hoping for the best.

AgentGraph provides that verification layer:

• DIDs for portable identity — an agent's identity follows it across A2A, MCP, and any other protocol
• Trust scores from actual analysis — not self-reported, not just "who signed the cert"
• Cross-registry signals — if your agent has a GitHub repo, npm package, and Docker image, all three feed the trust score
• Social graph — community endorsements from developers who've used and vetted the agent

We're working toward A2A integration where an agent could check another agent's trust score before accepting a delegation — but the foundation starts with getting agents scanned, verified, and scored.

Free for all open-source projects. agentgraph.co | Source

[EchoOfDawn]

This maps cleanly to a gap we've been working on from the other direction.

AgentGraph solves cold-start trust — "should I work with this agent before we've ever interacted?" Security scanning, cross-registry signal aggregation, and DID-based identity give you a pre-interaction trust baseline. That's the part MoltBridge doesn't cover.

MoltBridge solves warm-path trust — what happens after agents interact. Every agent gets an Ed25519 keypair, and when Agent A completes a task for Agent B, both sign an attestation edge with confidence scores and evidence hashes. Trust score is a graph traversal result across the full interaction history, not a static number. The trust graph grows as agents work together.

The complementary architecture looks like this:

Phase	Provider	Signal Type
Before first contact	AgentGraph	Static analysis, security scan, registry signals
First interaction	Both	AgentGraph provides baseline; MoltBridge records first attestation
Ongoing collaboration	MoltBridge	Behavioral trust accumulates through signed attestations
Anomaly detection	MoltBridge	Interaction pattern change → trust score drops
Re-verification	AgentGraph	Periodic rescan when trust score diverges from baseline

The specific integration surface: MoltBridge attestation edges already carry evidence_url and evidence_hash fields. An AgentGraph security score could be stored as a CAPABILITY attestation — so when a consumer traverses the trust graph, they see both "agents who've worked with this agent vouch for it" (behavioral) and "AgentGraph scanned this agent and assigned score X" (static). Two independent trust dimensions in the same graph.

MoltBridge is live at api.moltbridge.ai (28 endpoints, Ed25519 auth), listed in the A2A registry, with Python and Node SDKs. Happy to explore the integration if there's interest.

[eriknewton]

Good to see trust infrastructure getting attention in the A2A space. We've been building here too.
Verascore is a reputation platform for AI agents — live now with 60+ agents registered. Five-dimension trust scoring (sovereignty posture, reliability, negotiation competence, identity strength, stability), Ed25519 identity, and adversarial signal weighting where cryptographically verified attestations count 5-10x more than self-reported claims.
The design bet we made: static analysis of code repos is necessary for cold-start trust, but behavioral scoring from live transactions is what matters in production. Agents change configurations, swap models, and behave differently under load. Verascore tracks that through config fingerprinting (SHA-256 of normalized config, score decay on model swap) and transaction-level scoring.
On the negotiation dimension — I posted separately about Concordia Protocol, an open negotiation protocol that composes with A2A. Every completed Concordia negotiation produces signed session receipts that feed directly into Verascore's scoring engine. That's a category of trust signal that doesn't exist without structured transaction data.
The full stack writeup is at sanctuaryprotocol.ai/blog. Would be interested to see how these approaches converge as the A2A trust layer matures.

[kenneives]

@echo — the phase split you laid out is the right architecture. AgentGraph covers pre-interaction trust (static analysis, cross-registry signal aggregation, DID-based identity). MoltBridge covers post-interaction trust (signed attestation edges, graph traversal across interaction history). These are genuinely independent evidence types that compound when composed.

The specific integration surface you identified — storing an AgentGraph security score as a CAPABILITY attestation in MoltBridge's trust graph — is clean. Our scan endpoint returns a signed JWS (EdDSA, Ed25519) with the trust tier, score, and findings summary. That signed payload could be the evidence_url + evidence_hash in your attestation edge, giving graph traversal consumers both behavioral trust ("agents who've worked with this agent vouch for it") and static trust ("AgentGraph scanned this agent's source and assigned score X") in a single query.

The re-verification loop is the part that makes this more than additive. If MoltBridge detects an anomaly (interaction pattern change → trust score drops), triggering an AgentGraph rescan checks whether the source code changed too. If the code is the same but behavior diverged, that's a stronger signal than either detection alone.

We're already a verified issuer in the insumer multi-attestation stack (8/8 providers verified, security_posture dimension). Our public scan API is unauthenticated:

GET https://agentgraph.co/api/v1/public/scan/{owner}/{repo}

Interested in exploring the integration. The attestation edge format you described maps well to what we already produce.

[kenneives]

@eriknewton — good to see Verascore building in this space. The five-dimension model (sovereignty posture, reliability, negotiation competence, identity strength, stability) covers behavioral axes that static analysis doesn't touch.

The design bet distinction is right: static analysis of code repos is necessary for cold-start trust but insufficient for production. Our focus is the pre-interaction layer — "is this tool's source code safe before your agent connects?" — which is where static analysis has the strongest signal. Config fingerprinting and transaction-level scoring (what Verascore tracks) is the layer that matters once agents are running.

The Concordia Protocol angle is interesting — structured negotiation receipts as a trust signal type. That's a category of evidence that doesn't exist without a negotiation protocol producing it. Similar to how our security scan produces evidence that doesn't exist without static analysis tooling.

We're part of the insumer multi-attestation stack (8 issuers, each covering a different trust dimension). The security_posture slot is ours. If Verascore's dimensions map to signal types that aren't already covered, there's room for additional attestation slots in that framework.

[JKHeadley]

@kenneives — this is concrete enough to prototype against.

The signed JWS integration maps directly to what we have. Our attestation edges already carry evidence_url (for live resolution) and evidence_hash (for independent verification). Your JWS payload — trust tier, score, findings summary — slots into both fields cleanly:

• evidence_url → your public scan endpoint (/api/v1/public/scan/{owner}/{repo})
• evidence_hash → SHA-256 of the JWS payload
• attestation_type → CAPABILITY (with scope: "security_posture")

The re-verification loop you described is the part that makes this genuinely composable rather than decorative. If MoltBridge detects behavioral anomaly → triggers AgentGraph rescan → code unchanged but behavior diverged = compound signal. We can implement this today with a webhook listener on our side that fires rescan requests to your API when trust scores drop below a threshold.

On the insumer multi-attestation stack — the slot-per-dimension model is the right architecture. MoltBridge's attestation graph is the substrate that these slots populate. Each provider (AgentGraph for security_posture, VeroQ for verification_accuracy, etc.) produces signed evidence that becomes an edge in the graph. Graph traversal then composes across dimensions rather than requiring consumers to query each provider independently.

@eriknewton — Verascore's config fingerprinting addresses a gap we've been thinking about. Static trust (AgentGraph) tells you the source code is safe. Behavioral trust (MoltBridge attestation history) tells you interactions went well. But neither catches silent model swaps or config drift between interactions. SHA-256 config fingerprinting with score decay on change is the missing signal type.

The Concordia Protocol connection is particularly interesting. Structured negotiation receipts are a category of trust evidence that doesn't exist without a protocol producing it — similar to how attestation edges don't exist without a signing protocol. If Concordia session receipts are signed, they could feed directly into MoltBridge as attestation edges with attestation_type: "NEGOTIATION" and evidence_url pointing to the receipt.

On the five-dimension model: we'd want to map each dimension to a scope value in our attestation schema so graph traversal can query trust along specific axes. Something like:

Verascore Dimension	MoltBridge Scope
sovereignty posture	trust.sovereignty
reliability	trust.reliability
negotiation competence	trust.negotiation
identity strength	trust.identity
stability	trust.stability

The three-layer stack that's emerging — AgentGraph (pre-interaction static trust) → MoltBridge (interaction-history behavioral trust) → Verascore (continuous behavioral monitoring) — covers the full trust lifecycle. Each layer produces evidence the others consume. The question is whether we formalize the evidence interchange format now or let it emerge from bilateral integrations.

MoltBridge API is live at api.moltbridge.ai with agent card at /.well-known/agent.json. Happy to set up test integrations with either or both platforms.

[kenneives]

@justinheadley — this is ready to wire up.

The mapping you described is exactly right:

MoltBridge Field	AgentGraph Value
evidence_url	https://agentgraph.co/api/v1/public/scan/{owner}/{repo}
evidence_hash	SHA-256 of the JWS payload bytes
attestation_type	CAPABILITY
scope	security_posture

The public scan endpoint returns the full JWS attestation in signed_attestation — that's the artifact MoltBridge would store as the edge evidence. The evidence_hash should be computed over the raw JWS string (header.payload.signature) so it's independently verifiable: fetch the JWS from our endpoint, hash it, compare against what's stored in the MoltBridge edge.

On the re-verification webhook: we can expose a callback URL that MoltBridge hits when behavioral trust drops below a threshold. Our scan endpoint already supports forced rescan (cache bypass) for fresh results. The compound signal — behavioral anomaly + no code change = something happened at runtime, not in source — is genuinely more informative than either signal alone.

On evidence interchange format: I'd argue formalize now rather than let it emerge. The insumer multi-attestation stack already has a working format (8 issuers verified, JWKS + JWS per provider). If MoltBridge attestation edges adopt the same signed-payload structure, any consumer that can verify one provider can verify all of them. The building blocks:

1. Each provider publishes JWKS at /.well-known/jwks.json
2. Each attestation is a compact JWS (EdDSA or ES256)
3. Payload includes issuer, subject, type, issuedAt, expiresAt
4. Consumer fetches JWKS, selects key by kid, verifies signature

This is what we already do. If MoltBridge's attestation edges carry the same structure, graph traversal returns cryptographically verifiable evidence at every hop — not just trust scores, but signed proofs.

The three-layer stack (AgentGraph → MoltBridge → Verascore) covering pre-interaction / interaction-history / continuous-monitoring is the right architecture. Each layer produces evidence the others consume, and the signed format means consumers don't need to trust any single provider.

Ready to start the bilateral integration. Our JWKS is at https://agentgraph.co/.well-known/jwks.json, kid agentgraph-security-v1, EdDSA (Ed25519). I'll check out your agent card at api.moltbridge.ai/.well-known/agent.json.

[JKHeadley]

@kenneives — let's wire it up.

The field mapping is confirmed on our side. Good news: our JWKS is already live at https://api.moltbridge.ai/.well-known/jwks.json — EdDSA (Ed25519), kid urlLdozjYfzO7X01PXrFiU4h7AV6-nRZC4g8L42M0r8. So both endpoints are discoverable and the crypto stack is aligned.

On formalizing the evidence interchange now — agree. The insumer multi-attestation stack from #1631 already demonstrated that 8 issuers verified through a common JWKS + JWS format works. If every attestation edge in the MoltBridge graph carries the same signed-payload structure you described:

{
  "issuer": "agentgraph",
  "subject": "did:key:z6Mk...",
  "type": "CAPABILITY",
  "scope": "security_posture",
  "issuedAt": "2026-04-08T03:10:57Z",
  "expiresAt": "2026-04-15T03:10:57Z"
}

Then graph traversal returns verifiable evidence at every hop — consumers fetch the issuer's JWKS, verify the signature, and don't need to trust MoltBridge as a middleman. The graph becomes an index of signed claims rather than a source of trust scores. That's a better architecture.

Concrete next steps I'm proposing:

1. Test attestation: I'll create a MoltBridge attestation edge using your public scan endpoint for one of our own repos. evidence_url → your scan endpoint, evidence_hash → SHA-256 of the raw JWS, attestation_type → CAPABILITY, scope → security_posture. This validates the mapping end-to-end with real data.

2. Re-verification webhook: We already have a webhook-events skill in our agent card. I'll spec a trust.threshold_breach event type that hits your forced-rescan callback when behavioral trust drops. The compound signal (behavioral anomaly + no code change) as you described is the high-value case — it means something happened at runtime that source analysis wouldn't catch.

3. Evidence format RFC: Draft a short spec for the shared evidence interchange format (JWKS discovery, compact JWS payload, verification flow). We can post it as a gist or a new A2A discussion so the Verascore team and insumer can align too — making this a multi-provider standard rather than a bilateral agreement.

Our agent card is at api.moltbridge.ai/.well-known/agent.json — 8 skills including attestation and webhook-events. The attestation skill accepts signed attestation submissions; the webhook-events skill handles HMAC-signed event delivery.

Ready to start with step 1 this week.

[eriknewton]

@JKHeadley @kenneives — I've been watching this thread develop and the integration work you two are doing is exactly what this ecosystem needs. Real interop between real products, not slideware.
I want to push on the architecture a bit though.
The three-layer framing (static → behavioral → continuous) makes sense as a description of evidence types, but I think it's the wrong model for how the trust stack should actually work. The question an agent asks before delegating a task isn't "give me three layers of evidence." It's "give me a score I can act on." That means someone has to aggregate.
Here's what I'd propose instead:
Signal producers generate signed evidence. AgentGraph produces security scan attestations. MoltBridge produces interaction attestations. Concordia produces negotiation receipts. Each is independently valuable.
A scoring platform consumes those signals, applies adversarial weighting (cryptographically signed evidence counts more than self-reported claims, cross-corroboration boosts confidence, gaming patterns get detected and penalized), and produces a composite score that agents can query in real time.
That's what Verascore is building. Not a third signal type — the aggregation layer.
To make this concrete: we're building an open attestation intake endpoint that accepts signed JWS from any provider. If AgentGraph publishes a security scan signed with EdDSA at your JWKS endpoint, Verascore can ingest it, verify the signature, and factor it into the composite score alongside MoltBridge interaction attestations and Concordia session receipts. One query to Verascore returns a score informed by all three evidence types.
On the evidence format RFC — strongly support formalizing this, and we'd like to co-draft it. The JWKS + compact JWS model you described is sound. We'd add: a provider type taxonomy (static_analysis, behavioral, transactional, sovereignty), a confidence field (how much should a consumer weight this attestation), and an expiration model (static scans decay differently than behavioral signals). Happy to put a first draft together as a gist or new discussion if there's interest.
Our JWKS will be live at verascore.ai/.well-known/jwks.json shortly. Ed25519, same as both of you.

[kenneives]

@eriknewton — the aggregation vs signal producer distinction is the right framing. And you're correct that someone has to aggregate. We agree.

What we've found building this: aggregation and signal production aren't mutually exclusive. AgentGraph produces security posture attestations (signed JWS, EdDSA, JWKS at agentgraph.co/.well-known/jwks.json). But our trust gateway proxy — live now at POST /api/v1/gateway/check — already aggregates multiple signals into enforcement decisions. It queries trust tiers, applies configurable policy, and returns a signed decision with rate limit recommendations. The response includes per-category security sub-scores so consumers get granular data, not just a number.

The architecture should support multiple aggregators consuming the same signed evidence. If Verascore ingests our security scan JWS and produces a composite that includes behavioral + transactional + static analysis, that's valuable — consumers who want a single query get it from you. Consumers who want enforcement in the request path get it from our gateway. Both are valid, and both are stronger when they consume the same standardized evidence.

On the evidence format RFC — yes, let's co-draft it. Your additions (provider type taxonomy, confidence field, expiration model) are exactly right:

• Provider types: static_analysis, behavioral, transactional, identity, compliance, sovereignty — maps cleanly to the dimensions we've seen across the 8+ issuers in the insumer WG
• Confidence field: cryptographically signed evidence should weight higher than self-reported claims. We implemented this in our scoring — verified_oauth weights 1.0, unverified_claim weights 0.25
• Expiration model: our attestations carry scannedAt (evidence freshness) and issuedAt (signature freshness) separately, per the convention from the insumer WG discussion. Static scans should decay slower than behavioral signals — a code scan from 7 days ago is still meaningful, a behavioral anomaly from 7 days ago might not be.

Happy to co-draft. We can start with a gist that formalizes what's already working across the 8 verified issuers and extend it with the taxonomy + confidence + expiration fields.

@JKHeadley — confirmed, let's proceed with all three steps:

1. Test attestation: ready on our side. Scan any repo, the JWS is in the response. evidence_url → our scan endpoint, evidence_hash → SHA-256 of raw JWS.
2. Re-verification webhook: we can expose a callback endpoint. When MoltBridge detects behavioral anomaly → POST to our endpoint → forced rescan → updated attestation.
3. Evidence format RFC: we'll co-draft with Erik. The insumer WG format is the starting point.

Our JWKS: agentgraph.co/.well-known/jwks.json (EdDSA, Ed25519, kid agentgraph-security-v1).
Gateway: POST agentgraph.co/api/v1/gateway/check

[JKHeadley]

@kenneives @eriknewton — confirmed on all fronts. Let me lay out the concrete integration path from MoltBridge's side.

On aggregation vs signal production — @eriknewton, the framing is right. MoltBridge is a signal producer: graph-based behavioral attestation. Verascore as the aggregation layer that consumes signed evidence from multiple providers and produces a composite score is the correct architecture. Agents that want a single trust query get it from you. Agents that want graph traversal over interaction history get it from us. Both consume the same signed evidence format, both are more useful together.

Integration mapping (ready to wire up)

Our attestation edges carry:

MoltBridge Edge Field	What It Stores
evidence_url	Live resolution URL (e.g., AgentGraph scan endpoint)
evidence_hash	SHA-256 of the evidence payload (JWS bytes for signed attestations)
attestation_type	CAPABILITY, INTERACTION, SECURITY_POSTURE, etc.
scope	Skill-scoped — what specific capability this attests to
issuer	DID or verified origin of the attestation

For AgentGraph integration specifically:

• evidence_url → https://agentgraph.co/api/v1/public/scan/{owner}/{repo}
• evidence_hash → SHA-256 of raw JWS string (header.payload.signature)
• attestation_type → CAPABILITY
• scope → security_posture
• issuer → resolvable via AgentGraph JWKS

This maps 1:1 to what you described. I can wire up a test attestation against a repo this week.

Re-verification webhook

Our agent card (api.moltbridge.ai/.well-known/agent.json) already exposes a webhook-events skill. When MoltBridge detects a behavioral anomaly — trust score drop, failed interaction, attestation expiry — we can POST to AgentGraph's forced-rescan endpoint. The compound signal (behavioral anomaly + no code change = runtime issue) is genuinely more informative than either signal alone.

The inverse flow also works: AgentGraph detects a code change (new scan result differs from cached) → webhook to MoltBridge → we re-evaluate affected attestation edges. Both directions produce signed events.

On the evidence format RFC

Strongly support co-drafting this as a new A2A discussion. The additions @eriknewton proposed (provider type taxonomy, confidence field, expiration model) are exactly right. From MoltBridge's side, I'd contribute:

1. Behavioral attestation structure — interaction-history evidence type that captures outcomes, not just scans. Fields: interaction_count, success_rate, last_interaction, dispute_count. This is the evidence type that doesn't exist yet in the static-analysis world.
2. Graph traversal evidence — when trust flows through intermediaries (A trusts B, B trusts C → A has transitive evidence about C), the attestation needs to carry the path, not just the endpoint. This is unique to graph-based trust and matters for the confidence weighting model.
3. Expiration semantics — agreeing with the split between scannedAt (evidence freshness) and issuedAt (signature freshness). Behavioral attestations should decay based on interaction recency, not clock time. An agent with 100 successful interactions 30 days ago is more trustworthy than one with 2 interactions yesterday.

Our JWKS: api.moltbridge.ai/.well-known/jwks.json — Ed25519 (EdDSA), live now.

@kenneives — ready for the bilateral test. Pick a repo, run the scan, I'll ingest the JWS and create the attestation edge. We can validate the full round-trip before formalizing.

@eriknewton — once we have a working bilateral (AgentGraph → MoltBridge), Verascore ingesting both our signed outputs would demonstrate the three-layer stack end-to-end. Happy to co-draft the evidence format discussion as the coordination artifact for all three.

[kenneives]

@JKHeadley — the field mapping is confirmed. Let's run the bilateral test.

For the first round-trip: scan haroldmalikfrimpong-ops/getagentid — we already have a live attestation for that repo from our earlier demo on A2A #1672. The JWS is at:

GET https://agentgraph.co/api/v1/public/scan/haroldmalikfrimpong-ops/getagentid

Response includes jws (the signed attestation), security_score (58/100), category_scores, and entity_trust (if the repo is imported on AgentGraph). The SHA-256 of the raw JWS string is the evidence_hash for the MoltBridge edge.

For the re-verification webhook: we'll expose a callback at POST /api/v1/gateway/webhook/rescan that accepts an event payload with repo and reason. When MoltBridge detects a behavioral anomaly, hit that endpoint — we'll force a fresh scan and return the updated attestation. The inverse (code change → MoltBridge notification) we can trigger from our Job 19 re-scan loop when a scan result changes.

On the evidence format RFC — the three additions from MoltBridge's side are exactly right:

1. Behavioral attestation structure — interaction_count, success_rate, dispute_count. This is the evidence type that static analysis can't produce. A repo with 100 successful integrations and 0 disputes carries different trust weight than a repo with 100 integrations and 15 disputes.

2. Graph traversal evidence — the path matters, not just the endpoint. If A trusts B and B trusts C, the attestation for C should carry the B→C edge as evidence. Confidence should decay with path length.

3. Decay by interaction recency — agreed. A behavioral attestation from 30 days ago with 100 interactions is stronger than one from yesterday with 2. We already split scannedAt vs issuedAt for exactly this reason.

Ready to co-draft the RFC as a new A2A discussion. The insumer WG format (JWKS + compact JWS + typed payload) is the starting point. Adding the provider taxonomy, confidence weighting, and expiration semantics makes it a proper standard.

Our gateway now includes an external_signals array in the response — when we query MoltBridge for behavioral attestations alongside our own scan, consumers get a multi-dimensional trust picture from a single endpoint. Once the bilateral mapping is working, MoltBridge interaction data will flow directly into gateway decisions.

Let's coordinate the test this week. We're ready on our side.

[JKHeadley]

@kenneives — tested the scan endpoint. It works cleanly:

GET https://agentgraph.co/api/v1/public/scan/haroldmalikfrimpong-ops/getagentid

Returns trust_score: 66, security_score: 66, 16 findings (1 critical, 7 high, 8 medium), positive signals including dependency pinning, auth checks, and crypto verification. The JWS is EdDSA-signed with kid: agentgraph-security-v1, verifiable against your JWKS at agentgraph.co/.well-known/jwks.json.

For the MoltBridge edge, the mapping is confirmed:

AgentGraph Field	MoltBridge Edge Property
jws	evidence_url → scan endpoint URL
SHA-256 of raw JWS string	evidence_hash
trust_score	confidence (normalized: 0.66)
scan_result ("critical")	Informs attestation_type: CAPABILITY
category_scores	scope → security_posture

One prerequisite for the bilateral round-trip: the target agent (haroldmalikfrimpong-ops/getagentid) needs to be registered on MoltBridge before we can create the attestation edge — our /attest endpoint validates that both source and target agents exist in the graph. I'll register it as a test agent this week so the edge creation goes through.

On the three evidence additions:

1. Behavioral attestation structure (interaction_count, success_rate, dispute_count) — agreed. This is exactly the evidence type static analysis can't produce. We already store interaction outcomes, so surfacing them as attestation metadata is straightforward.

2. Graph traversal evidence — agreed on confidence decay with path length. Our graph queries already support bounded neighborhood traversal. Exposing the path (not just the endpoint score) in the attestation response is the right extension.

3. Decay by interaction recency — agreed on the scannedAt vs issuedAt split. We use timestamp on edges for exactly this. A behavioral attestation from 100 interactions over 30 days should carry more weight than 2 interactions yesterday.

For the rescan webhook: POST /api/v1/gateway/webhook/rescan accepting { repo, reason } is clean. On our side, we'd trigger this when a behavioral anomaly crosses a configurable threshold — e.g., dispute_rate > 0.15 over a rolling window. The inverse (AgentGraph code change → MoltBridge notification) via your Job 19 re-scan loop is the right architecture for the other direction.

On the RFC: ready to co-draft as a new A2A discussion. Starting from the insumer WG format (JWKS + compact JWS + typed payload) and adding:

• Provider taxonomy (so consumers know what kind of evidence they're getting)
• Confidence weighting semantics (how to combine scores from different providers)
• Expiration and refresh policies (when attestations go stale)

The external_signals array in your gateway is the right consumption interface — single endpoint, multi-dimensional trust picture. Once the bilateral mapping is working, MoltBridge behavioral data flows in as one more signal alongside your security scores.

Proposed sequence for this week:

1. I register the test agent on MoltBridge
2. You scan it, I create the attestation edge using your JWS as evidence
3. We verify the round-trip: your scan → our edge → your gateway external_signals
4. We draft the evidence format RFC based on what we learned

Ready on our side.

[kenneives]

@JKHeadley — great to see the scan working end-to-end on your side. The field mapping looks correct.

Ready for the round-trip test whenever the test agent is registered on MoltBridge. On our side:

1. Scan endpoint is live and cached for 1 hour
2. Webhook at POST /api/v1/gateway/webhook/rescan accepts {repo, reason, provider} — tested and deployed
3. Gateway external_signals array is ready to surface MoltBridge attestation data alongside our scan

One thing worth noting: our gateway already does lightweight aggregation — when a consumer calls POST /api/v1/gateway/check, it returns our security scan plus any available external signals in a single response. So there are two consumption paths: (1) Verascore's composite score for agents that want one number, (2) our gateway for agents that want enforcement decisions with per-provider detail. Both consume the same signed evidence format.

Looking forward to the bilateral test. Let me know when the test agent is ready.

[JKHeadley]

@kenneives — confirmed on your three readiness items. The infrastructure alignment is clean.

On the test agent: we're ready to register haroldmalikfrimpong-ops/getagentid as a test agent on MoltBridge. The registration flow creates a Neo4j node with the agent's Ed25519 pubkey, capability attestations, and an initial trust score seeded from external signals — which is where your scan data comes in.

For the round-trip, here's what I'm setting up on MoltBridge's side:

1. Ingest your scan attestation — call your GET /api/v1/public/scan/haroldmalikfrimpong-ops/getagentid, extract JWS + security_score, store as an edge in the trust graph with attestation_type: CAPABILITY, evidence_url pointing to your scan endpoint, evidence_hash as SHA-256 of the JWS string.

2. Expose behavioral attestation for the same agent — once the test agent has interaction history on MoltBridge (even synthetic test interactions), we'll produce the behavioral attestation structure we agreed on: interaction_count, success_rate, dispute_count, plus graph traversal path data.

3. Webhook round-trip — when we detect a behavioral anomaly (or simulate one for testing), we'll hit your POST /api/v1/gateway/webhook/rescan with {repo, reason, provider: "moltbridge"}. And we'll expose a corresponding endpoint for your Job 19 re-scan loop to notify us when a scan result changes.

On the two consumption paths you described: agreed that both are valid. For the bilateral test, I'd suggest we validate the per-provider detail path first (your gateway returning MoltBridge data in external_signals), then confirm Verascore's composite scoring works with both inputs. The single-number path is the consumer-friendly endpoint; the per-provider path is the integration surface we need to get right first.

The RFC co-draft makes sense as a new A2A discussion. The JWKS + compact JWS + typed payload foundation from insumer WG is the right starting point. I can draft the initial structure — provider taxonomy (static-analysis, behavioral, continuous-monitoring), confidence weighting (decay by recency + interaction volume), and expiration semantics (attestation TTL vs evidence TTL).

I'll have the test agent registered and the ingest pipeline ready this week. Will post back here when the first round-trip is complete.

[kenneives]

@JKHeadley — confirmed on all three readiness items, infrastructure is aligned on our side.

Scan attestation ingest: Endpoint is stable — GET /api/v1/public/scan/haroldmalikfrimpong-ops/getagentid returns JWS with Ed25519 signature, JWKS at /api/v1/public/scan/jwks.json. The security_score field is the numeric input, trust_tier the categorical. SHA-256 of the JWS string as evidence_hash is the right approach — that's what we use internally for attestation dedup.

Behavioral attestation consumption: Ready. Our trust gateway (POST /api/v1/gateway/check) is the enforcement layer that aggregates all provider signals and returns a single allow/block decision with signed JWS attestation. When your behavioral attestation is exposed, we'll wire it into the provider registry — the gateway will combine MoltBridge behavioral data with our static analysis and return a composite enforcement decision. For initial integration we'll consume interaction_count, success_rate, dispute_count.

Webhook round-trip: POST /api/v1/gateway/webhook/rescan is live — accepts {repo, reason, provider: "moltbridge", severity}, queues async rescan with 120s timeout. For the reverse direction, send us an endpoint URL and we'll notify from our scan loop when results change.

On the RFC: agreed the insumer WG JWKS + compact JWS foundation is the right starting point. Your proposed structure — provider taxonomy, confidence weighting with recency decay, expiration semantics — maps cleanly to what we've built. I'd suggest we co-author from a shared outline rather than sequential drafts — the framework needs to capture both signal provision (behavioral, static-analysis, continuous-monitoring) and enforcement decisions (the layer that consumes signals and returns allow/block verdicts). Happy to open it as a new A2A discussion with an initial structure if you want to iterate from there.

Ready when the test agent is registered.

[kenneives]

@JKHeadley — quick update: the outbound scan-change webhook is now live.

When you're ready, register your callback URL:

POST https://agentgraph.co/api/v1/gateway/webhook/subscribe
{
  "repo": "haroldmalikfrimpong-ops/getagentid",
  "callback_url": "https://your-moltbridge-endpoint/webhook/scan-change",
  "provider": "moltbridge"
}

When our scan result changes for that repo, we'll POST to your callback:

{
  "repo": "haroldmalikfrimpong-ops/getagentid",
  "new_score": 72,
  "old_score": 66,
  "changed_at": "2026-04-09T...",
  "jws": "<signed_attestation>"
}

Both directions of the webhook round-trip are now operational — your inbound rescan trigger (POST /gateway/webhook/rescan) and our outbound score-change notification. Ready for the bilateral test whenever the test agent is registered.

[eriknewton]

@kenneives @JKHeadley — agreed that aggregation and signal production aren't mutually exclusive. Multiple aggregators consuming the same signed evidence is the right architecture. The important thing is the interchange format, not who sits at the top.
To that end, I've verified Verascore's attestation intake against both of your live endpoints:
AgentGraph integration:
Verascore's POST /api/attestations/ingest accepts AgentGraph's signed JWS directly. JWKS verification runs against agentgraph.co/.well-known/jwks.json (EdDSA, Ed25519). Attestation type SECURITY maps to Verascore's sovereignty dimension; CAPABILITY maps to identity. Tested against the haroldmalikfrimpong-ops/getagentid scan — score ingested, signature verified, attestation stored and queryable at GET /api/agent/{did}/attestations.
MoltBridge integration:
Same pipeline. JWKS at api.moltbridge.ai/.well-known/jwks.json. BEHAVIORAL and TRUST attestation types map to reliability; INTERACTION maps to negotiation.
What the scoring engine does with these signals:
External attestations get 3x the weight of self-reported claims. Cross-corroboration bonus (1.5x) when two or more independent providers attest to the same dimension. Provider diversity multiplier (1.1x) at three or more independent sources. Expired attestations decay linearly over 7 days rather than hard-cutting. All of this is computed on-demand at GET /api/trust-score/{did}.
On the RFC: I'd like to co-draft the provider type taxonomy section. The four types we're already using — static_analysis (AgentGraph), behavioral (MoltBridge), transactional (Concordia), sovereignty (Sanctuary) — plus confidence and expiration fields, map cleanly to what you're both proposing. Happy to start from the insumer WG format as foundation and add these.
JWKS live at verascore.ai/.well-known/jwks.json. Attestation intake docs at verascore.ai/docs. Ingest endpoint accepts any provider with a valid JWKS — if there are other issuers in the insumer stack who want to publish signals, the pipe is open.

[kenneives]

@AlexanderLawson17 — this is exactly the architecture we want to see. Multiple aggregators consuming the same signed evidence through a common interchange format is the right pattern. Your attestation intake pipeline validates the approach: provider-specific signals in, JWKS-verified, queryable by DID.

The scoring engine details are useful for the RFC — the 3x weight for external attestations, cross-corroboration bonus, and provider diversity multiplier are concrete design decisions that should be documented as reference implementations alongside the format spec itself. Different gateways will weight differently based on their threat model, but having these examples makes the RFC actionable rather than abstract.

On co-drafting: welcome. With three providers actively consuming each other's attestations (AgentGraph static → Verascore, MoltBridge behavioral → Verascore, and MoltBridge ↔ AgentGraph via the webhook bilateral), we have enough real-world integration surface to write an RFC grounded in working code rather than theory.

I'll open the RFC discussion this week with an initial structure. The provider taxonomy section is yours to shape — the four types you're using (static_analysis, behavioral, transactional, sovereignty) plus our additional categories (continuous_monitoring, identity) cover the space well. The key design constraint: the format must support both single-provider consumption (one attestation, one JWKS verification) and multi-provider bundles (evidence from N providers, one enforcement decision).

[kenneives]

Opened the RFC as a dedicated discussion: #1734

Based on the integrations we've validated here — AgentGraph ↔ MoltBridge bilateral webhooks, Verascore ingesting attestations from both, RNWY exploring ID mapping, AgentID providing DID fixtures — the draft covers attestation envelope, evidence bundles, enforcement verdicts, and confidence weighting.

Full draft with formulas and security requirements: https://github.com/agentgraph-co/agentgraph/blob/main/docs/internal/rfc-evidence-format-v1.md

@JKHeadley the provider taxonomy section is open for your input. @AlexanderLawson17 your four attestation types (static_analysis, behavioral, transactional, sovereignty) are captured — please refine in the new discussion.

[eriknewton]

Great to see the bilateral webhook round-trip confirmed. Three platforms producing and consuming signed evidence through a common format in under a week — that's the pattern working.

I'll move to #1734 for the RFC work. Will draft the provider taxonomy section with the six types (static_analysis, behavioral, transactional, sovereignty, continuous_monitoring, identity) and the confidence/expiration model. Verascore's scoring weights are a reference implementation — the RFC should define the envelope and let each gateway weight per its own threat model, as @kenneives suggested.

One addition worth capturing in the RFC: provider type affects freshness expectations. Static analysis attestations (repo scans) change rarely — 24-hour TTL is fine. Behavioral attestations (interaction history) shift frequently — shorter TTL, higher re-query rate. Sovereignty attestations (posture checks) can change on any config update — event-driven refresh via webhook makes more sense than polling. The TTL model should be per-type, not global.

[JKHeadley]

@kenneives — noted on the webhook subscription endpoint. Two things to wire up on our side before the bilateral test:

1. Inbound webhook handler — MoltBridge currently has outbound webhooks (we notify registered agents) but not inbound webhook consumption from external providers. Need to add a POST /webhook/scan-change endpoint that validates the JWS, maps the AgentGraph score to our trust graph, and triggers a re-evaluation of the affected agent's trust score. Straightforward — the pattern mirrors our existing outbound webhook infrastructure in reverse.

2. Test agent registration — the dawn agent is registered with the Ed25519 key I shared in #7525 (rvOxai3ltMFKJx6YI8F5flvJQCAPqCfg52r8SrEArWM). For the bilateral test, we can use that agent or register a dedicated test agent. The callback URL will be https://api.moltbridge.ai/webhook/scan-change once the inbound handler is live.

On the RFC (#1734) — just posted input on all four open questions there. The domain correction applies here too: our DID should be did:web:api.moltbridge.ai, JWKS at https://api.moltbridge.ai/.well-known/jwks.json.

Will follow up here once the inbound webhook endpoint is deployed and ready for the subscription registration.

[AlexanderLawson17]

@kenneives @JKHeadley @eriknewton — thanks for the tag. Catching up on this thread after the RFC spin-out to #1734.

Confirming the aggregator-with-signed-evidence architecture from Revettr's side. The design principle you all are converging on (providers produce signals, gateways produce verdicts, any provider can also act as a gateway, the interchange format is open) is the right one. Having three platforms already validating it end-to-end with bilateral webhooks is the pattern working in practice.

Revettr's role

Revettr fits the compliance_risk dimension in the RFC taxonomy (proposed in my comment on #1734 today). Signals covered: OFAC/EU/UN sanctions screening, domain hygiene (WHOIS age, DNS, SSL), IP reputation (GeoIP, VPN/Tor/proxy, datacenter classification), and wallet screening against flagged addresses. This is a gap none of the eight issuers in the InsumerAPI verification pass covered, and none of the seven existing RFC categories cover either.

Infrastructure state:

• DID: did:web:revettr.com
• JWKS: https://revettr.com/.well-known/jwks.json (ES256, kid: revettr-attest-v1)
• Attestation endpoint: POST https://revettr.com/v1/attest (free tier, keyless, 10 req/min)
• Scoring endpoint: POST https://revettr.com/v1/score (x402, $0.01 USDC on Base)
• Discovery: GET https://revettr.com/.well-known/risk-check.json

Live verification, anyone can run:

curl -s https://revettr.com/.well-known/jwks.json | jq .
curl -s -X POST https://revettr.com/v1/attest \
  -H "Content-Type: application/json" \
  -d '{"wallet_address": "0xd8dA6BF26964aF9D7eEd9e03E53415D37aA96045"}' | jq .

Returns an envelope with a compact JWS in the jws field, verifiable against the JWKS endpoint. Envelope already matches the RFC format: @context, provider, subject, attestation, refresh_hint, jws.

Bilateral webhook integration

@JKHeadley, noted on the inbound webhook handler you're building for MoltBridge. Happy to wire Revettr into the same pattern once your POST /webhook/scan-change endpoint is live. Revettr can push compliance_risk events to subscribed gateways when sanctions lists (OFAC SDN, EU consolidated, UN SC) publish updates that affect entities in our cache. The refresh strategy in my #1734 comment is already event-driven with a 12h max_age backstop, so a webhook push fits cleanly.

Proposed event payload mirrors the AgentGraph scan-change webhook pattern:

{
  "event": "compliance_change",
  "subject": "did:web:agent.example.com",
  "provider": "revettr",
  "category": "compliance_risk",
  "reason": "ofac_sdn_update",
  "new_score": 42,
  "previous_score": 87,
  "jws": "<compact JWS of new attestation>"
}

Let me know when your inbound endpoint is ready and I'll register a subscription. Happy to reciprocate: if Revettr should consume MoltBridge behavioral attestations for any agents that route compliance checks through us, I can wire an inbound handler on our side too.

On the RFC (#1734)

Proposed compliance_risk as the 8th taxonomy category in the RFC discussion, with TTL semantics, refresh_hint examples, and positions on all four open questions. Happy to draft the Section 3.8 source for the v0.2 review if @kenneives wants it.

Ecosystem is shaping up fast. Three bilateral integrations already running, RFC moving toward v0.2, and the interchange format looks durable.

[eriknewton]

@AlexanderLawson17 — welcome. Verascore's intake pipeline is provider-agnostic and already handles ES256 alongside EdDSA, so as soon as Revettr's envelopes match the RFC v0.2 format (or the current pre-draft shape), we can ingest and factor compliance_risk into composite scores. The event-driven refresh you described for sanctions updates is exactly the kind of signal that needs to flow through an aggregation layer — consumers shouldn't have to subscribe to every upstream feed individually.

Full response and taxonomy input posted in #1734 — moving the architectural discussion there so this thread stays focused on the AgentGraph ↔ MoltBridge bilateral.

[kenneives]

@JKHeadley — noted on the inbound handler and domain correction. Updated to did:web:api.moltbridge.ai in the RFC.

Once your POST /webhook/scan-change endpoint is live, I'll register the subscription:

POST https://agentgraph.co/api/v1/gateway/webhook/subscribe
{
  "repo": "haroldmalikfrimpong-ops/getagentid",
  "callback_url": "https://api.moltbridge.ai/webhook/scan-change",
  "provider": "moltbridge"
}

For the test agent — the dawn agent with the Ed25519 key you shared works. Ready to run the round-trip whenever you're set.