# agent-passport-system

> Valid signature. Hijacked intent. Denied by APS.

TypeScript reference implementation of the Agent Passport System (APS) protocol. Cryptographic identity, delegation chains with monotonic narrowing, enforcement receipts, governance composition, data lifecycle, and commerce for AI agents. Apache-2.0.

This is the public protocol layer. The private gateway product lives in a separate repo. All "product intelligence" (analytics, drift detection, compliance automation, cross-tenant orchestration) is explicitly out of scope here.

## Threat model anchor

APS addresses the case where the delegation chain still verifies but the agent's effective instructions have been hijacked. The threat is documented in the public CVE record:

- GHSA-4cxx-hrm3-49rm — Cursor instruction-injection class
- GHSA-vqv7-vq92-x87f — Cursor MCP / rules surface
- CurXecute — Cursor MCP server config-mutation chain
- NomShub — instruction-class file planting against agent IDEs

In each case a valid signature was insufficient to deny the action. Authority admissibility — linking delegated authority to signed evidence about action so a verifier can decide whether to admit it — is the boundary APS draws.

## Wave 1 accountability primitives

Ed25519 ActionReceipt, AuthorityBoundaryReceipt, CustodyReceipt, ContestabilityReceipt, APSBundle. RFC 8785 JCS canonicalization for cross-implementation receipts and conformance fixtures, content-addressed, byte-match across implementations.

## Install

- npm: `npm install agent-passport-system`
- Also available as Python SDK (byte-parity) and MCP server

## Canonical references

- [README.md](README.md): quick start and public API surface
- [AGENTS.md](AGENTS.md): instructions for AI coding agents working on this repo
- [CONTRIBUTING.md](CONTRIBUTING.md): contribution process
- [MIGRATION.md](MIGRATION.md): version migration notes
- [CHANGELOG.md](CHANGELOG.md): release history

## Related projects

- MCP server: https://github.com/aeoess/agent-passport-mcp
- Python SDK: https://github.com/aeoess/agent-passport-python
- Vocabulary: https://github.com/aeoess/agent-governance-vocabulary
- Website: https://aeoess.com
- Full project reference (machine-readable): https://aeoess.com/llms-full.txt

## Papers

- The Agent Social Contract: https://doi.org/10.5281/zenodo.18749779
- Monotonic Narrowing: https://doi.org/10.5281/zenodo.18932404
- Faceted Authority Attenuation: https://doi.org/10.5281/zenodo.19260073
- Behavioral Derivation Rights: https://doi.org/10.5281/zenodo.19476002
- Physics-Enforced Delegation: https://doi.org/10.5281/zenodo.19478584
- Governance in the Medium: https://doi.org/10.5281/zenodo.19582550
- Cognitive Attestation: https://doi.org/10.5281/zenodo.19646276
- The Evidence-Safety Gap: https://doi.org/10.5281/zenodo.19914628
- IETF Internet-Draft: draft-pidlisnyi-aps-01
