Skip to content

cloakmaster/foxbook

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

59 Commits
.github/workflows
.github/workflows
 
 
.husky
.husky
 
 
__fixtures__/core-isolation
__fixtures__/core-isolation
 
 
adapters
adapters
 
 
apps
apps
 
 
core
core
 
 
docs
docs
 
 
ops
ops
 
 
packages
packages
 
 
schemas
schemas
 
 
scripts
scripts
 
 
.dockerignore
.dockerignore
 
 
.env.example
.env.example
 
 
.gitignore
.gitignore
 
 
.mcp.json
.mcp.json
 
 
.nvmrc
.nvmrc
 
 
CODEOWNERS
CODEOWNERS
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
TRADEMARK.md
TRADEMARK.md
 
 
biome.json
biome.json
 
 
core-isolation.config.json
core-isolation.config.json
 
 
go.work
go.work
 
 
package.json
package.json
 
 
pnpm-lock.yaml
pnpm-lock.yaml
 
 
pnpm-workspace.yaml
pnpm-workspace.yaml
 
 
pyproject.toml
pyproject.toml
 
 
tsconfig.base.json
tsconfig.base.json
 
 
turbo.json
turbo.json
 
 
uv.lock
uv.lock
 
 

Repository files navigation

🦊 Foxbook

CI License: Apache 2.0

Verifiable agent identity for A2A and MCP.

import { verifyAgentCard } from "@foxbook/sdk-claim";

// Before your agent calls another agent, check its card.
const result = await verifyAgentCard(otherAgent.card);
if (result.status !== "verified") return;
// Verified. Safe to call.

Open source. Apache 2.0. Run your own log; anyone following the same spec can verify against any deployment.

Live demo · Why · Status · RFC

When this fires

You're building an agent. It needs to hand work off to another agent it didn't write. The other agent's card — the JSON manifest agents publish at /.well-known/agent-card.json per A2A — says handle: @somebody-trustworthy. That's just a string. Anyone can write anything there. If you call the other agent before checking, the work goes to whoever wrote the handle, not whoever owns it.

verifyAgentCard(card) is the check before the call.

Live demo

The log is real. One curl proves it.

curl -s https://transparency.foxbook.dev/root | jq

Returns a signed tree head. Combine /inclusion/:i with /root and verify the Merkle proof. RFC 9162 shape; no auth, no API key.

An adversarial test of the identity guard, refused before any network I/O. fetchCount === 0 at the adapter. Read the transcript.

Why

When one agent calls another, it has no cryptographic way to prove the handle on the other agent's card is real. Today the answer is "trust the directory" or "build your own check." Foxbook is a third answer: a public log anyone can verify against, in one function call, four possible outcomes.

verifyAgentCard(card) returns one of four outcomes:

  • verified → proceed
  • unverified → block
  • handle-mismatch → block (the card claims a handle the log doesn't attest)
  • stale-proof → caller's risk policy (refresh, retry, warn)

That's the whole verification surface. No trust score. No reputation field. Identity goes here; reputation goes in a layer above.

Why this exists

Agents are about to call other agents 10x more often than they do today. Each call needs to verify the handle on the receiving card. Without a verification primitive, every call is trust-by-faith — the card says it's @somebody, the calling agent has no way to know.

The primitive has to be three things: cryptographic, public, and free. Cryptographic so claims can't be forged. Public so anyone can audit without asking permission. Free so adoption isn't gated on commercial relationships.

RFC 9162 (Certificate Transparency) has been the model for this in the TLS world for ten years — every certificate your browser trusts gets logged into a public, append-only Merkle tree, and Chrome refuses certificates that aren't logged. Foxbook is that pattern, applied to agent identity.

A2A and MCP both opened discussions about trust between agents — composable evidence, reputation, identity-extension fields. None of them shipped the piece underneath. Foxbook ships it.

Status

Live

  • Public transparency log: signed tree head per append, consistency proofs.
  • Tier-1 verification via GitHub Gist, with an identity guard at the URL-owner level.
  • Tier-2 verification via DNS TXT and signed-nonce endpoint challenge.
  • Recovery-key signed revocation: atomic across leaf append and claim delete. Observed at 467ms wall-clock against live Postgres (single-run benchmark).
  • Firehose stream: 20ms median commit-to-receive latency (single-run benchmark).
  • 173 in-process tests, 4 gated integration tests.

Not yet live

  • SDK npm publish (signatures committed; implementation in progress).
  • MCP server (in progress).
  • Production WAN load test (planned).
  • Multi-vendor federated logs (the protocol contract is identical; bring your own deployment).

Quickstart

Verify one record (a "leaf" in the Merkle tree), no install:

curl -s https://transparency.foxbook.dev/inclusion/1
curl -s https://transparency.foxbook.dev/root

The proof can be verified in any language. Test vectors at schemas/crypto-test-vectors.json keep implementations in sync.

Workspace, locally:

git clone https://github.com/cloakmaster/foxbook.git
cd foxbook
pnpm install
pnpm -r test

License

Apache 2.0. See LICENSE.

The protocol is open. The Foxbook name has a trademark; see TRADEMARK.md. Run your own log under your own name; the spec is the standard, not the host.

Built by @cloakmaster.

About

Verifiable agent identity for A2A and MCP. Cryptographic claims, append-only transparency log, recovery-key revocation. Apache 2.0.

transparency.foxbook.dev

Topics

cryptography typescript json-schema mcp protocol ed25519 jws merkle-tree ai-agents did decentralized-identity a2a transparency-log agentic-ai model-context-protocol agent-identity agent-security agent2agent agent-verification rfc-9162

Resources

Readme

License

Apache-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Contributors

Languages