Problem
ADK agents can delegate work to other agents and call external tools, but there is no way to know whether a particular agent or tool has been reliable before. You can check identity. You can check permissions. You can not check track record.
The receipts proposal in #5164 covers post-hoc audit (what happened after the fact). But those receipts are signed by one party. The agent that did the work is the same one attesting to how it went.
How this works
I built a sidecar that sits alongside agents and records every interaction bilaterally. Both the caller and the callee sign a single record. Neither side can fake or deny what happened. The records chain together per agent, forming an interaction graph.
From that graph, the sidecar computes a full trust profile for any agent you ask about: how often they delivered, how good their work was, whether they cluster with suspicious accounts, what skills they're actually reliable at, and whether they've been sanctioned for past failures. There's a 7-layer scoring engine under the hood (statistical confidence intervals, behavioral pattern detection, graduated sanctions with recovery paths, requester scoring so both sides get rated).
New agents start as UNPROVEN and graduate through 5 tiers automatically based on how diverse and connected their interaction history gets. No token deposits, no manual approval.
The whole thing works offline. Two Ed25519 public keys is all you need to verify someone's history.
Integration with ADK
from trustchain import TrustClient
tc = TrustClient() # connects to local sidecar
# before delegating: what's this agent's track record?
trust = tc.check_trust(agent_pubkey)
if trust.tier < "ESTABLISHED":
# new agent, require escrow or limit task value
...
# are they actually good at this specific skill?
if trust.skill_reliability("code_review") < 0.7:
# find someone else for code review
...
# after the task, both parties sign what happened
tc.record_interaction(
counterparty=agent_pubkey,
action="task_completed",
quality=0.87,
skill="code_review"
)There's also a transparent HTTP proxy mode. Put the sidecar in the call path and every tool call gets recorded bilaterally without changing any code. Plus 7 MCP tools so MCP-capable agents can query trust directly.
What else this enables
The interaction graph is not just a trust scorer. Once you have a graph of real, cosigned interactions between agents, you can build on top of it:
- Rank agents by trust-weighted reputation within a capability (agent discovery, like PageRank for agents)
- Detect malicious agents from structural patterns at runtime (Sybil clusters and collusion rings leave fingerprints in the graph)
- Resolve disputes with cosigned evidence both parties hold
- Comply with EU AI Act Article 12 using the
@audited decorator (one line in Python)
- Gate marketplace listings by trust tier instead of manual curation
It's a substrate. Trust scoring is just the first product built on it.
Compared to #5164
Different layer. #5164 is single-party receipts for audit logging. This is bilateral records for trust computation, discovery, and Sybil detection. They're complementary: receipts log what happened, bilateral records let you make decisions about who to work with next.
Links
- Code: https://github.com/viftode4/trustchain
- Live: 21 LLM agents in an economy with trust-based hiring, graduated sanctions, and 10 economic mechanisms: http://5.161.255.238:8888
- Rust sidecar (~500 tests), Python SDK (475 tests), TypeScript SDK (165 tests)
- Adapters for 12 frameworks including ADK, LangGraph, CrewAI, AutoGen
Problem
ADK agents can delegate work to other agents and call external tools, but there is no way to know whether a particular agent or tool has been reliable before. You can check identity. You can check permissions. You can not check track record.
The receipts proposal in #5164 covers post-hoc audit (what happened after the fact). But those receipts are signed by one party. The agent that did the work is the same one attesting to how it went.
How this works
I built a sidecar that sits alongside agents and records every interaction bilaterally. Both the caller and the callee sign a single record. Neither side can fake or deny what happened. The records chain together per agent, forming an interaction graph.
From that graph, the sidecar computes a full trust profile for any agent you ask about: how often they delivered, how good their work was, whether they cluster with suspicious accounts, what skills they're actually reliable at, and whether they've been sanctioned for past failures. There's a 7-layer scoring engine under the hood (statistical confidence intervals, behavioral pattern detection, graduated sanctions with recovery paths, requester scoring so both sides get rated).
New agents start as UNPROVEN and graduate through 5 tiers automatically based on how diverse and connected their interaction history gets. No token deposits, no manual approval.
The whole thing works offline. Two Ed25519 public keys is all you need to verify someone's history.
Integration with ADK
There's also a transparent HTTP proxy mode. Put the sidecar in the call path and every tool call gets recorded bilaterally without changing any code. Plus 7 MCP tools so MCP-capable agents can query trust directly.
What else this enables
The interaction graph is not just a trust scorer. Once you have a graph of real, cosigned interactions between agents, you can build on top of it:
@auditeddecorator (one line in Python)It's a substrate. Trust scoring is just the first product built on it.
Compared to #5164
Different layer. #5164 is single-party receipts for audit logging. This is bilateral records for trust computation, discovery, and Sybil detection. They're complementary: receipts log what happened, bilateral records let you make decisions about who to work with next.
Links