Latin: fides = trust, faith, confidence
Signed agent identity, capability-aware delegation, deterministic policy guards, tamper-evident evidence, runtime attestation, and kill switches for autonomous agent systems.
FIDES is an agent trust fabric for deciding whether an autonomous agent is known, authorized, delegated, attested, and safe to execute before an action crosses a boundary.
As AI agents become increasingly autonomous, they face critical challenges in secure collaboration:
- No verifiable identity β Agents cannot prove who they are or what they're authorized to do
- No capability semantics β No standard way to describe what an agent can do and at what risk level
- No pre-execution guards β Actions execute without policy evaluation or trust verification
- No audit trail β No tamper-evident record of agent actions and decisions
- No emergency control β No way to revoke capabilities or halt rogue agents
FIDES solves these problems with a layered trust protocol built specifically for AI agent ecosystems.
- AgentCards β Self-describing agent manifests with capabilities, endpoints, and security profiles
- CapabilityDescriptors β Typed capability definitions with risk classification (critical/high/medium/low)
- Policy Engine β Deterministic rule evaluation with pre-execution guards (allow/deny/approve-required/dry-run)
- Evidence Ledger β Hash-chained, Merkle-rooted event log with privacy levels (public/private/redacted/hash-only)
- Runtime Attestation β TEE-ready adapter boundary with a mock provider for local verification
- Guard Decision Engine β Multi-factor decision pipeline combining trust, evidence, attestation, and policy
- Kill Switch β Emergency shutdown at global, agent, capability, or principal level
- Delegation β Capability delegation with constraints (spend limits, action counts, context restrictions)
- Discovery Providers β Multi-provider agent discovery (well-known, registry, relay, local, DHT-ready)
- Ed25519 Identity β DID-based identities with canonical JSON signing
- Trust Graph β Weighted, capability-specific reputation with transitive trust scoring
pnpm install
pnpm buildimport { createIdentity, classifyCapabilityRisk, createDelegationToken } from '@fides/core'
import { evaluatePolicy } from '@fides/policy'
import { evaluateGuard, createTrustContext } from '@fides/guard'
import { createEvidenceChain, appendEvidenceEvent } from '@fides/evidence'
import { MockTEEProvider, InMemoryKillSwitch } from '@fides/runtime'
// Create agent identities
const alice = createIdentity('did:fides:alice', 'agent', { name: 'Alice Assistant' })
const charlie = createIdentity('did:fides:charlie', 'principal', { name: 'Charlie User' })
// Classify capability risk
const risk = classifyCapabilityRisk('email:send') // 'high'
// Delegate capabilities with constraints
const token = createDelegationToken({
delegator: charlie.did,
delegatee: alice.did,
capabilities: ['email:send', 'calendar:create'],
constraints: { maxActions: 10, maxSpend: '10.00', allowedContexts: ['work'] },
expiresAt: new Date(Date.now() + 3600000).toISOString(),
})
// Evaluate policy
const policy = {
id: 'default', version: '1.0.0',
rules: [
{ id: 'trust', condition: { operator: 'gte', field: 'reputationScore', value: 0.8 }, action: 'allow', explanation: 'High trust' },
],
defaultAction: 'deny',
}
const result = evaluatePolicy(policy, { reputationScore: 0.9 })
// Build evidence chain
let chain = createEvidenceChain()
chain = appendEvidenceEvent(chain, {
id: 'e1', type: 'invoke', timestamp: new Date().toISOString(),
actor: alice.did, action: 'email:send', payload: {},
privacy: { level: 'redacted' },
}, 'signature-hex')
// Run guard decision
const trust = createTrustContext({
reputationScore: 0.9, capabilityScore: 0.95,
attestation: await new MockTEEProvider().attest(alice.did),
evidenceChain: chain, killSwitchEngaged: false, recentIncidents: 0,
})
const decision = await evaluateGuard({
agentDid: alice.did, capabilityId: 'email:send',
policy, context: { requestCount: 10 }, trust,
})
// decision.decision β 'allow' | 'deny' | 'approve-required' | 'dry-run'βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β AI Agent β
β β
β ββββββββββββββ ββββββββββββββ ββββββββββββββ ββββββββββββββββββββββββ β
β β @fides/ β β @fides/ β β @fides/ β β @fides/ β β
β β core β β policy β β guard β β evidence β β
β β β β β β β β β β
β β Identity β β Policy β β Decision β β Hash-chain β β
β β Signing β β Rules β β Pipeline β β Merkle root β β
β β AgentCard β β Expressionsβ β KillSwitch β β Privacy levels β β
β β DelegationToken evaluation β β Attestationβ β Event log β β
β βββββββ¬βββββββ βββββββ¬βββββββ βββββββ¬βββββββ ββββββββββββ¬ββββββββββββ β
β β β β β β
β βββββββ΄βββββββββββββββ΄βββββββββββββββ΄ββββββββββββββββββββ΄βββββββββββ β
β β @fides/discovery β β
β β well-known Β· registry Β· relay Β· DHT Β· local β β
β ββββββββββββββββββββββββββββββββ¬βββββββββββββββββββββββββββββββββββββ β
β ββββββββββββββββββββββββββββββββ΄βββββββββββββββββββββββββββββββββββββ β
β β @fides/runtime β β
β β TEE Attestation Β· Kill Switch Β· Runtime verification β β
β βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ β
βββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββββ
β
βββββββββββββββββββββββββΌββββββββββββββββββββββββ
βΌ βΌ βΌ
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
β @fides/ β β @fides/ β β @fides/ β
β discovery-svc β β trust-graph β β registry-svc β
β β β β β β
β AgentCard β β Trust edges β β Agent β
β resolution β β Reputation β β registration β
β .well-known β β BFS scoring β β Capability pub β
βββββββββββββββββββ ββββββββββ¬βββββββββ ββββββββββ¬βββββββββ
β β
ββββββββββββ΄ββββββββββββββββββββββ΄βββββββββββ
βΌ βΌ βΌ
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
β @fides/ β β @fides/ β β @fides/ β
β relay-svc β β agentd β β platform-api β
β β β β β β
β NAT traversal β β Agent daemon β β REST/gRPC β
β Message relay β β Lifecycle mgmt β β Admin API β
βββββββββββββββββββ βββββββββββββββββββ βββββββββββββββββββ
| Package | Description |
|---|---|
@fides/core |
Core primitives: identity, signing, AgentCard, delegation, capability risk classification |
@fides/policy |
Policy engine with expression evaluation, pre-execution guards, and rule bundles |
@fides/guard |
Guard decision engine combining trust, evidence, attestation, and policy into allow/deny decisions |
@fides/evidence |
Evidence ledger with hash-chained events, Merkle root computation, and privacy levels |
@fides/runtime |
Runtime attestation adapter interfaces, mock attestation, and kill switch (global/agent/capability/principal) |
@fides/discovery |
Discovery provider architecture with priority-based orchestration |
@fides/sdk |
TypeScript SDK for identity, RFC 9421 signing, trust graph, agentd authority APIs, and hosted registry APIs |
@fides/shared |
Shared types, constants, and utilities |
@fides/cli |
Command-line interface for agent management and diagnostics |
@fides/rust-sdk |
Rust SDK (planned) |
| Service | Description |
|---|---|
@fides/discovery-service |
AgentCard resolution via .well-known endpoint hosting |
@fides/trust-graph |
Trust edge storage, reputation scoring, and capability-specific trust computation |
@fides/registry-service |
Hosted AgentCard registry with public/private modes, search, metadata, metrics, and durable Postgres storage |
@fides/relay-service |
Message relay for agents behind NAT/firewalls |
@fides/agentd |
Agent daemon for lifecycle management and local policy enforcement |
@fides/platform-api |
Platform metadata API for health, version, and service topology |
@fides/policy-engine |
Standalone policy evaluation service |
agentd defaults to a local file-backed authority store. For production, run it with Postgres:
export AGENTD_AUTHORITY_STORE=postgres
export DATABASE_URL=postgresql://...
pnpm --filter @fides/agentd db:migrate
pnpm --filter @fides/agentd devWhen using Stripe Projects with a resource named fides-authority-db, map the generated connection string before running migrations:
source .env
export AGENTD_DATABASE_URL="$FIDES_AUTHORITY_DB_CONNECTION_STRING"
pnpm --filter @fides/agentd db:migrateSet AGENTD_DB_AUTO_MIGRATE=false when migrations are managed externally. /health reports the active authority store kind and readiness.
Manual and startup migrations record applied ids and statement checksums in agentd_schema_migrations; with AGENTD_DB_AUTO_MIGRATE=false, agentd refuses to start unless the authority tables and migration ledger are present and checksums match the current migrations.
For local agentd lifecycle control through the CLI:
pnpm --filter @fides/cli fides daemon start --port 7345
pnpm --filter @fides/cli fides daemon status --agentd-url http://localhost:7345
pnpm --filter @fides/cli fides daemon status --agentd-url http://localhost:7345 --json
pnpm --filter @fides/cli fides daemon stopdaemon start launches the configured command in the background, writes a pid file to ~/.fides/agentd.pid, and appends logs to ~/.fides/agentd.log. Use --command, --args, --pid-file, and --log-file when running outside the pnpm workspace layout.
For production agentd mutations through the CLI, export the same API key used by the service:
export FIDES_API_KEY="$SERVICE_API_KEY"
pnpm --filter @fides/cli fides session create --agentd-url https://agentd.example.com --capability payments.execute --token-file token.json --delegator-public-key "$DELEGATOR_PUBLIC_KEY_HEX"
pnpm --filter @fides/cli fides revoke agent did:fides:agent --agentd-url https://agentd.example.com --revoked-by did:fides:principal --reason "disabled" --private-key-hex "$REVOCATION_PRIVATE_KEY_HEX"
pnpm --filter @fides/cli fides incident report --agentd-url https://agentd.example.com --actor did:fides:agent --type policy_violation --severity high --description "merchant policy bypass" --reporter did:fides:principal --private-key-hex "$REPORTER_PRIVATE_KEY_HEX"
pnpm --filter @fides/cli fides propagation pending --agentd-url https://agentd.example.com --limit 25
pnpm --filter @fides/cli fides propagation retry --agentd-url https://agentd.example.com --limit 25
pnpm --filter @fides/cli fides authorize check --agentd-url https://agentd.example.com --agent-did did:fides:agent --capability payments.execute --session-id "$SESSION_ID" --audience agentd
pnpm --filter @fides/cli fides card proxy did:fides:agent --agentd-url https://agentd.example.comWhen --delegator-public-key is provided, agentd verifies the DelegationToken signature before creating the session.
For revocation and incident writes, the CLI derives the signer public key from --private-key-hex and sends it as revokerPublicKey or reporterPublicKey.
Use fides propagation pending and fides propagation retry to inspect and replay failed authority propagation outbox records.
Use fides authorize check to smoke-test the same local guard decision path used before agent execution.
Set AGENTD_REQUIRE_AUTHORITY_SIGNATURE_VERIFICATION=true to make this verification fail-closed for session, revocation, and incident writes.
fides/
βββ packages/
β βββ core/ # v2 core primitives (identity, signing, delegation, AgentCard)
β βββ policy/ # Policy engine and rule evaluation
β βββ guard/ # Guard decision engine
β βββ evidence/ # Evidence ledger (hash chain, Merkle root)
β βββ runtime/ # Runtime attestation and kill switch
β βββ discovery/ # Discovery provider architecture
β βββ sdk/ # TypeScript SDK
β βββ shared/ # Shared types and constants
β βββ cli/ # Command-line interface
β βββ rust-sdk/ # Rust SDK (planned)
βββ services/
β βββ discovery/ # AgentCard resolution service
β βββ trust-graph/ # Trust and reputation service
β βββ registry/ # Agent registration service
β βββ relay/ # Message relay service
β βββ agentd/ # Agent daemon
β βββ platform-api/ # Platform metadata API
β βββ policy-engine/ # Policy evaluation service
βββ apps/
β βββ web/ # Web dashboard
βββ tests/
β βββ e2e/ # End-to-end tests
β βββ adversarial/ # Adversarial security tests
βββ docs/
βββ protocol/
βββ fides-v2-spec.md # Full protocol specification
- Node.js >= 22
- pnpm (package manager)
- Docker (for PostgreSQL)
git clone https://github.com/EfeDurmaz16/fides.git
cd fides
pnpm install
pnpm build| Command | Description |
|---|---|
pnpm build |
Build all packages |
pnpm test |
Run test suite |
pnpm lint |
Lint codebase |
pnpm typecheck |
Type-check TypeScript |
pnpm dev |
Start services in watch mode |
pnpm clean |
Clean build artifacts |
pnpm demo |
Run the primitive-level v2 demo |
pnpm demo:authority |
Run the authority path demo through service routes |
pnpm build
pnpm demo
pnpm demo:authorityThe demo exercises all 9 subsystems: identity creation, AgentCard validation, risk classification, delegation tokens, policy evaluation, evidence ledger, runtime attestation, kill switch, and guard decisions.
The authority path demo additionally exercises the service route path: AgentCard registration, standalone policy evaluation, delegated session creation, nonce replay rejection, authorization evidence append, session revocation, and agent revocation denial.
FIDES v2 implements defense-in-depth across multiple layers:
- Canonical Signing β All signed objects use canonical JSON encoding (recursive key sorting, no whitespace) to prevent signature malleability
- Ed25519 Cryptography β Fast, secure elliptic curve signatures via @noble/ed25519
- Evidence Chain Integrity β Hash-chained events with Merkle root verification; tampering breaks the chain
- Kill Switch β Emergency capability/agent shutdown with precedence rules (global > agent > capability)
- TEE Attestation β Trusted Execution Environment adapter boundary with mock local attestation
- Privacy Levels β Evidence events support public/private/redacted/hash-only visibility
- Delegation Constraints β Spend limits, action counts, and context restrictions on delegated capabilities
- Pre-Execution Guards β Multi-factor decision pipeline before any capability execution
Security disclosure: Report vulnerabilities via SECURITY.md
FIDES v2 implements a complete trust fabric with:
- Identity Layer β Ed25519 keypairs with
did:fides:identifiers and canonical JSON signing - AgentCard Layer β Self-describing manifests with capabilities, endpoints, and security profiles
- Trust Graph Layer β Weighted, capability-specific reputation with transitive trust (depth-based weighting)
- Policy Layer β Deterministic rule evaluation with pre-execution guard pipeline
- Evidence Layer β Hash-chained, Merkle-rooted event log with privacy controls
- Runtime Layer β TEE attestation and emergency kill switch
- Discovery Layer β Multi-provider orchestration with priority-based resolution
Full specification: docs/protocol/fides-v2-spec.md
We welcome contributions! Here's how to get started:
- Fork the repository
- Create a feature branch β
git checkout -b feature/amazing-feature - Make your changes β Follow TypeScript best practices
- Add tests β Ensure
pnpm testpasses - Commit changes β
git commit -m 'Add amazing feature' - Push to branch β
git push origin feature/amazing-feature - Open a Pull Request
Guidelines:
- Write clear commit messages
- Add tests for new features
- Update documentation as needed
- Follow existing code style
- Ensure CI passes
MIT License β see LICENSE for details
Built with cryptographic trust
Documentation β’ Protocol Spec β’ Contributing