Agent Trust Framework

May 18, 2026 · View on GitHub

Open-source reference implementation maintained by Tyche Institute. The canonical public mirror is tyche-institute/eatf; file issues and discussions there.

External name: EATF — Agent Trust Framework.
Internal codename: Aletheia AI (repository and implementation name).

Current status: early-stage trust platform with production-style architecture and explicitly experimental surfaces. Not legal advice.

Java Spring Boot License Context PQC

CI Open issues Open PRs Last commit

EATF is an early-stage, pilot-oriented trust and governance layer for agent actions in regulated or high-consequence workflows. It is built for operators, integrators, auditors, and platform teams who need a concrete answer to five questions:

  1. how to control sensitive agent actions;
  2. how to require human approval when risk is high;
  3. how to issue signed evidence for what happened;
  4. how to verify that evidence independently;
  5. how to integrate those controls into existing systems.

The core product chain is simple:

  1. control sensitive agent actions;
  2. require human approval where risk is high;
  3. generate signed evidence for what happened;
  4. verify that evidence independently;
  5. integrate those controls into existing systems.

The architecture question underneath that product promise is PKI-native: where do agent output and governed action sit in a trust stack you already know (X.509 path logic, signature verification, revocation, timestamps, audit discipline under eIDAS and ETSI EN 319 xxx)? From there we map how that reference architecture relates to EU AI Act traceability and integrity language without treating the Act as a PKI spec.

PKI / QTSP experience informs the design; this repository is not a QTSP product.

The repository combines:

  • a working product surface for governed actions, evidence, verification, audit, and partner integration;
  • a set of demo and showcase flows used for presentations and exploration;
  • research and vision material that explains why the architecture exists.

That distinction matters. Some surfaces are suitable for pilot-style evaluation; others remain explicitly experimental or explanatory. The primary product jobs are:

  • Operator — govern actions, inspect trust state, review audit outcomes;
  • Integrator — connect agents, manifests, APIs, and partner systems;
  • Auditor — verify evidence, inspect disclosures, and export reports;
  • Admin — manage tenant controls, identities, and safety levers.

The core implementation argument in code is still the same: hash → sign → optional RFC 3161 timestamp → evidence package, plus path validation, OCSP/CRL, and hybrid classical + post-quantum signing where enabled.

Primary law (AI Act): Regulation (EU) 2024/1689 — EUR-Lex (consolidated EN) · Navigator (unofficial, convenient): artificialintelligenceact.eu — use EUR-Lex for authoritative text.

Want to plug an agent in? partner-integrations/QUICKSTART.md is the five-minute, copy-paste path: mint a key → eatf initeatf doctoreatf agents synceatf sign --downloadeatf verify. End state is a real, offline-verifiable .aep evidence bundle — no UI clicks beyond the API key, no curl. See the AEP profile v1 spec (docs/specs/aep-profile-v1.md) for the manifest pattern design.

Why this prototype exists

From a PKI and trust-architecture perspective, the interesting question is whether high-risk AI obligations (logging, transparency, robustness “in places”) can be grounded in artefacts you already understand: CMS/CAdES-style or equivalent signing, X.509 path validation, revocation (OCSP, CRL), TSA (RFC 3161), and policy aligned with EN 319 102 / 401 / 411—i.e. the same trust-service toolbox as under eIDAS.

The AI Act (especially Chapter III, Section 2) frames what deployers may need to show in terms of logging, transparency, oversight, and robustness. This codebase is an implementation hypothesis stated in PKI terms: bind agent outputs and sensitive actions to signed, timestamped, verifiable evidence, policy, and human steps—so engineers and architects can inspect the chain and challenge the design, not only read narrative mapping.

We deliberately map Article 10 here to integrity and provenance (hashes, signatures, timestamps)—not to ML “data quality” as a PKI claim. In-app mapping: /trust/regulatory-mapping.

MCP angle: experimental governance next to identity (MCP) and detection—see mcp-ecosystem.md.

Core mapping (summary table)

PKI-native summary: which AI Act articles we discuss against which eIDAS / ETSI levers, and what the repo actually runs. Full tables and sector matrix below.

AI Act (navigator → EUR-Lex)Idea in this prototypeeIDAS / ETSI (entry points)What the repo runs
Art. 10 · EUR-Lex contextIntegrity & provenance only—not ML dataset “quality” as a crypto claimeIDAS (EU) No 910/2014 (trust services, e-signatures); EN 319 102-1, EN 319 132-1; ETSI digital signaturesCanonical payloads, signatures, Evidence Packages
Art. 12Tamper-evident trails, PKI-related eventsEN 319 401, EN 319 411-1Audit ledger, signed events, OCSP / CRL where configured
Art. 13Verifiable crypto / policy state for deployers and auditorseIDAS trust services — Commission overview; EN 319 102-1, EN 319 412-1; EU Digital Identity / eIDAS hubChain-of-trust validation, verification UI/API
Art. 6 + Annex III · Annex III (EUR-Lex)Motivation when agents touch high-risk use typesSame stack as aboveScenario docs, sector matrix—not a compliance certificate

Focus: cryptographic integrity and provenance, not ML data quality under the Act.

What is implemented (prototype depth)

PKI / crypto pipeline

  • Digital signatures over canonical content (RSA; optional ML-DSA hybrid — PQC plan)
  • Certificate path validation (PKIX / X.509) and QTSP-oriented trust configuration (deployment-dependent)
  • RFC 3161 timestamping (real or mock TSA)
  • Hash-chained audit events; signing where enabled
  • Evidence Packages (.aep): export + offline verification (JAR/scripts in repo)
  • Spring Boot + Next.js; REST + partner/MCP-style governed actions and attestation flows

Two signing modes (see docs/concepts/signing-modes.md for the full decision tree):

  • sign modePOST /api/sign. Tenant API key only; agentId optional. For integrity-only use cases: publication signing, CI/CD artefacts, internal audit logs. Helps discharge AI Act Article 12.
  • attest modePOST /api/v1/attest. Requires registered agent + action_type + policy. Returns same crypto envelope plus per-rule policy coverage report. For high-risk AI outputs under Annex III. Helps discharge AI Act Articles 12 + 13 + 14.

Both modes share the same cryptographic substrate (canonicalise → SHA-256 → hybrid RSA-4096 + ML-DSA-65 → RFC 3161 timestamp). They differ in the attribution and policy evaluation layered on top. Machine-readable description at GET /api/public/signing-modes.

Technical entry: docs/README.md.

Post-quantum cryptography (PQC)

Additional prototype components

  • Delegation chain modellingdelegation builder, concepts, /delegation-chains/builder
  • Human-in-the-loop — approvals / review queues (demo tenants)
  • Policy-gated actions — illustrative policies only (not legal compliance)

PKI lens: the tables below are for mapping conversations—they do not replace CP/CPS discipline or notified-body work. Not legal advice. Counsel validates classifications. Extended analysis: eu_ai_act_multi_sector_opportunities.md.

Speaking lines (hypothesis, not statutory interpretation)

  • The AI Act frames what trust and traceability may be required in places; eIDAS / ETSI show how the EU often implements integrity and validation in practice—this prototype tests alignment in software.
  • Article 10 in this mapping means integrity & provenance—not ML training-data “quality” as a PKI deliverable.

Three-column mental model (EN)

EU AI ActeIDAS / ETSIAletheia (prototype)
Art. 6 — high-risk AI systemsTrust services; CA / TSP / QTSP (Commission)End-to-end PKI path: CA material, validation, cross-border trust-service practice per eIDAS hub
Art. 10 — data integrity & provenance (not “quality” on this axis)eIDAS e-signatures (integrity + authenticity)Signed artefacts; integrity checks
Art. 12 — logging, traceabilityNon-repudiation; EN 319 401, EN 319 411-1Serials; OCSP / CRL; validation history
Art. 13 — transparency (verifiability)EN 319 102-1; electronic trust services (EU)Chain validation; source / anchor verification
Art. 14 — human oversightIndirect: qualified trust services + audit trails → accountability; human control remains processValidation + audit evidence for reviewers—not a substitute for governance
Reliability / futureeIDAS 2.0 — (EU) 2024/1183; EU eIDAS policy; ETSI quantum-safe cryptoHybrid RSA + ML-DSA; PoC PQC

Full layer mapping (EU AI Act → eIDAS/ETSI → prototype)

LayerEU AI Act→ eIDAS / ETSI→ Aletheia (prototype)One-liner (EN)
Data integrity & provenanceArt. 10 — scope here: integrity + provenance; “data quality” in the Act ≠ this PKI sliceeIDAS; EN 319 102-1, EN 319 132-1Signed artefactsArt. 10 → integrity & provenance via signatures; not an ML data-quality claim.
Traceability & loggingArt. 12EN 319 401, EN 319 411-1OCSP/CRL; auditArt. 12 → PKI-anchored traceability.
Transparency & verifiabilityArt. 13EN 319 102-1, EN 319 412-1; trust services (EU)Path validation; root / policy provenanceArt. 13 → cryptographic verifiability.
Human oversight (supporting)Art. 14 (indirect)eIDAS trust stack; audit-friendly logsEvidence for reviewArt. 14 → PKI does not add the human; it makes outcomes reviewable and attributable.
High-risk trust architectureArt. 6CA, TSP, QTSP; EN 319 401Configurable trust material + validation + verification UXStrong trust layer analogous to regulated PKI—prototype, not a national scheme.
Crypto agility / PQCHigh-risk chapter context (Arts 9–15 navigator)EU / ETSI quantum-safeHybrid ML-DSAFuture-proofing—not a claim that the Act mandates PQC.

Official & secondary anchors

ResourceURL
AI Act (EU law)EUR-Lex CELEX 32024R1689
AI Act — implementation timelineCommission AI Act Service Desk
Navigator — Annex IIIartificialintelligenceact.eu/annex/3
Navigator — Arts 9–15Section 3(2) high-risk
Deployer — Art. 26navigator
FRIA — Art. 27navigator
eIDAS (2014)EUR-Lex 910/2014
eIDAS 2.0 (2024/1183)EUR-Lex

High-risk chapter — article quick map (prototype levers)

ArticleNavigatorGistPrototype lever
9Art. 9Risk managementPolicies, kill-switch, delegation limits
10Art. 10Data governanceHere: integrity/provenance via crypto
11Art. 11Technical documentationExports, metadata
12Art. 12Record-keepingHash-chained audit, signed events
13Art. 13Transparency to deployersAgent identity / capabilities in UI/API
14Art. 14Human oversightApprovals, escalation
15Art. 15Robustness / securityVerification endpoints, signals

Deployer discussion only: Art. 26, Art. 27 — not a claim this repo satisfies them.

Annex III → sectors (condensed)

High-risk categories under Art. 6(2) — see Annex III navigator and EUR-Lex Annex III: (1) Biometrics, (2) Critical infrastructure, (3) Education, (4) Employment, (5) Essential services & benefits, (6) Law enforcement, (7) Migration/border, (8) Justice & democratic processes.

Sector matrix (illustrative — not classification advice)

SectorTypical agentic actionsTouchpoints (links)Prototype-style response
HealthcareTriage, notes, ordersAnnex III(5)(d); MDR; IVDR; GDPRHuman gate; signed evidence; audit
Life & health insuranceUnderwriting, claimsAnnex III(5)(c)Human binds; policies
Banking & creditCredit, KYCAnnex III(5)(b)Threshold approval; exports
Payments & treasuryPay, FXPSD2; AML overview (Commission); AI Act if 5(b)Governance gate; demo PaymentIntent
Legal & disputeDrafts, discoveryAnnex III(8)(a)Delegation; human sign-off · OpenCourt
HR & talentScreeningAnnex III(4)Escalation; audit
EducationGradingAnnex III(3)Roles; review · School Compass
Critical infrastructureControl suggestionsAnnex III(2)Dual-control patterns
Public benefitsEligibilityAnnex III(5)(a)Records; FRIA-aware design · Bürokratt Kit
Law enforcementCase supportAnnex III(6)Sensitive; audit narrative only where appropriate
Migration & borderChecksAnnex III(7)High sensitivity
Political / civicTargetingAnnex III(8)(b); GPAI — navigatorDemo boundaries
Biometric / emotionInferenceArt. 5 · Annex IIIDefault off; legal review
Citizen × AI (cross-cutting)Personal AI accountabilityArt. 14; eIDAS 2.0EUDI Wallet × EATF; Verifiable Credential receipt · Citizen Receipts

Documentation

You are…Start here
Operator / buyerProduct and trust overview
Developer / integratorAPI, setup, and integration
Partner / implementation leadPartner integrations
Product IA / route ownershipRoute governance · Navigation IA
Delegation UIBuilder quick start
Research (Article 01 plan & bibliography)docs/research/README.md
Reference scenarios (4)OpenCourt · Bürokratt Kit · School Compass · Citizen Receipts
Open Kratt manifest specdocs/specs/kratt-manifest.md · JSON Schema
RIA / Bürokratt pilot pitchdocs/partners/ria-pilot.md

Full index: docs/README.md.

Quick start

git clone https://github.com/tyche-institute/eatf.git && cd eatf
cp .env.example .env
openssl genpkey -algorithm RSA -out ai.key -pkeyopt rsa_keygen_bits:4096
# In .env set: AI_ALETHEIA_SIGNING_KEY_PATH=./ai.key

cd backend && ./mvnw spring-boot:run

cd frontend && cp .env.example .env.local && npm install && npm run dev

More: docs/README.md → Developers.

Demo accounts (development mode)

demo@aletheia.ai / Demo123!tenant-scoped ADMIN on each of demo-healthcare, demo-fintech, demo-legal (one membership row per tenant). NOT SUPER_ADMIN — V208 migration intentionally downgraded this account because SUPER_ADMIN combined with X-Tenant-Id pivoting under the demo profile enabled cross-tenant access. See backend/.../db/seeding/DemoBaselineRecovery.java and DemoBaselineRecoveryTest.java for the guard. Per-tenant admins: admin@demo-{healthcare,fintech,legal}.local / Demo123!. Full detail: database seeding.

License

MIT. See LICENSE. Authorship: docs/README.md#authorship.

Validate legal URLs against your source of record. This README is the canonical project pitch for the repository.