Latin: fides = trust, faith, confidence
Signed agent identity, capability-aware delegation, deterministic policy guards, tamper-evident evidence, runtime attestation, and kill switches for autonomous agent systems.
FIDES is an agent trust fabric for deciding whether an autonomous agent is known, authorized, delegated, attested, and safe to execute before an action crosses a boundary.
As AI agents become increasingly autonomous, they face critical challenges in secure collaboration:
- No verifiable identity: Agents cannot prove who they are or what they're authorized to do
- No capability semantics: No standard way to describe what an agent can do and at what risk level
- No pre-execution guards: Actions execute without policy evaluation or trust verification
- No audit trail: No tamper-evident record of agent actions and decisions
- No emergency control: No way to revoke capabilities or halt rogue agents
FIDES solves these problems with a layered trust protocol built specifically for AI agent ecosystems.
- AgentCards: Self-describing agent manifests with capabilities, endpoints, and security profiles
- CapabilityDescriptors: Typed capability definitions with risk classification (critical/high/medium/low)
- Policy Engine: Deterministic rule evaluation with pre-execution guards (allow/deny/approve-required/dry-run)
- Evidence Ledger: Hash-chained, Merkle-rooted event log with privacy levels (public/private/redacted/hash-only)
- Runtime Attestation: TEE-ready adapter boundary with a mock provider for local verification
- Guard Decision Engine: Multi-factor decision pipeline combining trust, evidence, attestation, and policy
- Kill Switch: Emergency shutdown at global, agent, capability, or principal level
- Delegation: Capability delegation with constraints (spend limits, action counts, context restrictions)
- Discovery Providers: Multi-provider agent discovery (well-known, registry, relay, local, DHT-ready)
- Ed25519 Identity: DID-based identities with canonical JSON signing
- Trust Graph: Weighted, capability-specific reputation with transitive trust scoring
Current implementation status: docs/status/fides-v2-implementation-status.md
```bash
pnpm install
pnpm build
```

```bash
pnpm agentd:dev
curl http://localhost:7345/health
```

The examples below assume the agentd binary is on your PATH. From the
monorepo, use pnpm agentd <command>.
Replace placeholder DIDs with the IDs returned by identity create.
Use pnpm --silent agentd ... --json when piping JSON output to another tool,
because pnpm prints script banners by default.
```bash
agentd identity create --type principal --name "Demo Principal" --agentd-url http://localhost:7345
agentd identity create --type publisher --name "Demo Publisher" --agentd-url http://localhost:7345
agentd identity create --type agent --name "Invoice Agent" --agentd-url http://localhost:7345
agentd card create --did did:fides:invoice-agent --name "Invoice Agent" --capabilities '[{"id":"invoice.reconcile","riskLevel":"medium","requiredScopes":["invoice:read"]}]' --agentd-url http://localhost:7345
agentd card sign did:fides:invoice-agent --agentd-url http://localhost:7345
agentd register did:fides:invoice-agent --agentd-url http://localhost:7345
agentd discover --capability invoice.reconcile --provider local --agentd-url http://localhost:7345
agentd trust did:fides:invoice-agent --capability invoice.reconcile
agentd graph inspect did:fides:invoice-agent --agentd-url http://localhost:7345
agentd policy evaluate --agent did:fides:invoice-agent --capability invoice.reconcile --requested-scopes invoice:read --agentd-url http://localhost:7345
agentd session request did:fides:invoice-agent --capability invoice.reconcile --requested-scopes invoice:read --agentd-url http://localhost:7345
agentd invoke --session-id sess_... --input invoice.json --agentd-url http://localhost:7345
agentd invoke --session-id sess_... --input invoice.json --sign --requester-private-key-file requester.key --agentd-url http://localhost:7345
agentd evidence verify --agentd-url http://localhost:7345
```

Discovery returns candidates only. Policy and scoped SessionGrants are the
authority path. invoke --sign fetches the SessionGrant, creates a canonical
InvocationRequest, verifies that the requester private key resolves to the
grant's requester_agent_id, and submits the request as signedRequest.
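The signing step that invoke --sign describes, as an added example that is not FIDES code: it signs the canonical JSON bytes with Ed25519 through Node's built-in crypto module (the project itself uses @noble/ed25519) and checks the signature against the key bound to the grant's requester. The request fields other than requester_agent_id, the resolveKey lookup and the result strings are assumptions made for illustration.

```javascript
const { generateKeyPairSync, sign, verify } = require('node:crypto');

// Canonical JSON: keys sorted recursively, no whitespace.
function canonicalize(value) {
  if (Array.isArray(value)) return '[' + value.map((v) => canonicalize(v)).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ':' + canonicalize(value[k]));
    return '{' + members.join(',') + '}';
  }
  const out = JSON.stringify(value);
  if (out === undefined || (typeof value === 'number' && !Number.isFinite(value))) {
    throw new TypeError('value has no canonical JSON form');
  }
  return out;
}

// Sign the canonical bytes, not whatever serialization the caller happened to produce.
function signRequest(request, privateKey) {
  const signature = sign(null, Buffer.from(canonicalize(request)), privateKey);
  return { request, signature: signature.toString('hex') };
}

// The request must name the grant's session and requester, and the signature
// must verify under the key registered for that requester.
function checkSignedRequest(signed, grant, resolveKey) {
  const { request, signature } = signed;
  if (request.session_id !== grant.session_id) return 'session_mismatch';
  if (request.requester_agent_id !== grant.requester_agent_id) return 'requester_mismatch';
  const publicKey = resolveKey(grant.requester_agent_id); // hypothetical DID -> key lookup
  if (!publicKey) return 'unknown_requester';
  const bytes = Buffer.from(canonicalize(request));
  return verify(null, bytes, publicKey, Buffer.from(signature, 'hex')) ? 'ok' : 'bad_signature';
}

// Constructed keys, grant and request.
const requester = generateKeyPairSync('ed25519');
const registered = new Map([['did:fides:requester', requester.publicKey]]);
const resolveKey = (did) => registered.get(did);
const grant = { session_id: 'sess_demo', requester_agent_id: 'did:fides:requester' };
const signed = signRequest({
  session_id: 'sess_demo',
  requester_agent_id: 'did:fides:requester',
  capability: 'invoice.reconcile',
  input: { invoiceId: 'inv_123', amounts: [20, 5] },
}, requester.privateKey);
console.log(checkSignedRequest(signed, grant, resolveKey)); // ok
```

Because both sides canonicalize before signing and verifying, a proxy that reorders object keys does not invalidate the signature, while any change to a value does.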
```ts
import { FidesClient } from '@fides/sdk'

const client = new FidesClient({ daemonUrl: 'http://localhost:7345' })

// Create the principal, requester, and target identities
const principal = await client.identity.createPrincipal({ name: 'Demo Principal' })
const requester = await client.identity.createAgent({ name: 'Requester Agent' })
const target = await client.identity.createAgent({ name: 'Invoice Agent' })

// Describe, sign, and register the target's AgentCard
const card = await client.cards.create({
  agentId: target.did,
  name: 'Invoice Agent',
  capabilities: [{ id: 'invoice.reconcile', riskLevel: 'medium', requiredScopes: ['invoice:read'] }],
})
await client.cards.sign({ id: card.card.id })
await client.agents.register({ agentCardId: card.card.id })

// Discovery returns candidates only, never authority
const candidates = await client.discovery.local({ capability: 'invoice.reconcile' })
console.log(candidates.authorityGranted) // false

// Trust and policy evaluation, then a scoped session
await client.trust.evaluate({ agentId: target.did, capability: 'invoice.reconcile' })
await client.policy.evaluate({
  principalId: principal.did,
  requesterAgentId: requester.did,
  agentId: target.did,
  capability: 'invoice.reconcile',
  requestedScopes: ['invoice:read'],
})
const session = await client.sessions.request({
  principalId: principal.did,
  requesterAgentId: requester.did,
  agentId: target.did,
  capability: 'invoice.reconcile',
  requestedScopes: ['invoice:read'],
})

// Invoke under the session, then verify the evidence ledger
await client.invoke({ sessionId: session.session.session_id, input: { invoiceId: 'inv_123' } })
await client.evidence.verify()
```

```
                intent/capability + constraints
                               │
                               ▼
┌──────────────────────────────────────────────────────────────┐
│ Discovery providers                                          │
│ local · well-known · registry · relay · DHT · federation     │
│ Output: verified candidates only, never authority            │
└──────────────────────────────┬───────────────────────────────┘
                               ▼
┌──────────────────────────────────────────────────────────────┐
│ Verification and scoring                                     │
│ signed AgentCards · protocol versions · trust anchors        │
│ capability-specific trust · reputation · incidents           │
│ revocations · runtime attestations                           │
└──────────────────────────────┬───────────────────────────────┘
                               ▼
┌──────────────────────────────────────────────────────────────┐
│ Policy-before-execution                                      │
│ allow · deny · require_approval · dry_run_only               │
│ scope_limit · risk_limit · kill switch override              │
└──────────────────────────────┬───────────────────────────────┘
                               ▼
┌──────────────────────────────────────────────────────────────┐
│ Scoped authority                                             │
│ DelegationToken · SessionGrant · nonce · expiry · audience   │
└──────────────────────────────┬───────────────────────────────┘
                               ▼
┌──────────────────────────────────────────────────────────────┐
│ Invocation and evidence                                      │
│ validate input/output · execute or dry-run · signed result   │
│ hash-chained EvidenceEvents · redacted/hash-only by default  │
└──────────────────────────────────────────────────────────────┘
```
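A compact guard covering the policy and scoped-authority stages of the diagram, added here as an illustration and not taken from @fides/guard: the kill switch is checked first, then the SessionGrant (expiry, audience, scopes), then the risk limit and the nonce. Field names, reason strings, the policy shape and the position of the principal-level switch are assumptions.

```javascript
const RISK = { low: 0, medium: 1, high: 2, critical: 3 };

// Kill switch lookup in the documented precedence: global > agent > capability.
// Checking the principal level last is an assumption of this sketch.
function killSwitchLevel(sw, req) {
  if (sw.global) return 'global';
  if (sw.agents.has(req.agentId)) return 'agent';
  if (sw.capabilities.has(req.capability)) return 'capability';
  if (sw.principals.has(req.principalId)) return 'principal';
  return null;
}

// Deterministic guard: the same inputs and state give the same decision, and every
// failed check denies. A kill switch overrides whatever policy would have said.
function guard(req, grant, state, now) {
  const deny = (reason) => ({ decision: 'deny', reason });
  const level = killSwitchLevel(state.killSwitch, req);
  if (level) return deny('kill_switch:' + level);
  if (!grant || grant.agentId !== req.agentId || grant.capability !== req.capability) {
    return deny('no_matching_grant');
  }
  if (now >= grant.expiresAt) return deny('grant_expired');
  if (grant.audience !== req.audience) return deny('wrong_audience');
  if (!req.requestedScopes.every((s) => grant.scopes.includes(s))) return deny('scope_limit');
  if (!Object.hasOwn(RISK, req.riskLevel) || RISK[req.riskLevel] > RISK[state.policy.maxRisk]) {
    return deny('risk_limit');
  }
  if (typeof req.nonce !== 'string' || req.nonce === '') return deny('nonce_missing');
  if (state.usedNonces.has(req.nonce)) return deny('nonce_replay');
  state.usedNonces.add(req.nonce); // consumed only once every deny check has passed
  if (RISK[req.riskLevel] >= RISK[state.policy.approvalFrom]) {
    return { decision: 'require_approval', reason: 'risk_requires_approval' };
  }
  return { decision: 'allow', reason: 'policy_allow' };
}

// Constructed state, grant and request.
function newState() {
  return {
    killSwitch: { global: false, agents: new Set(), capabilities: new Set(), principals: new Set() },
    policy: { maxRisk: 'high', approvalFrom: 'high' },
    usedNonces: new Set(),
  };
}
const grant = { agentId: 'did:fides:invoice-agent', capability: 'invoice.reconcile',
  scopes: ['invoice:read'], audience: 'agentd', expiresAt: 2000 };
const request = { principalId: 'did:fides:principal', agentId: 'did:fides:invoice-agent',
  capability: 'invoice.reconcile', requestedScopes: ['invoice:read'], riskLevel: 'medium',
  audience: 'agentd', nonce: 'n-1' };
console.log(guard(request, grant, newState(), 1000).decision); // allow
```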
| Package | Description |
|---|---|
| @fides/core | Core primitives: identity, signing, AgentCard, delegation, capability risk classification |
| @fides/policy | Policy engine with expression evaluation, pre-execution guards, and rule bundles |
| @fides/guard | Guard decision engine combining trust, evidence, attestation, and policy into allow/deny decisions |
| @fides/evidence | Evidence ledger with hash-chained events, Merkle root computation, and privacy levels |
| @fides/runtime | Runtime attestation adapter interfaces, mock attestation, and kill switch (global/agent/capability/principal) |
| @fides/runtime-effect | Effect-ready internal workflow boundary using framework-agnostic protocol objects |
| @fides/discovery | Discovery provider architecture with priority-based orchestration |
| @fides/daemon | Local daemon defaults, config paths, well-known endpoints, and SDK client factory |
| @fides/sdk | TypeScript SDK for identity, RFC 9421 signing, trust graph, agentd authority APIs, and hosted registry APIs |
| @fides/shared | Shared types, constants, and utilities |
| @fides/cli | Command-line interface for agent management and diagnostics |
| @fides/rust-sdk | Rust SDK (planned) |
| Service | Description |
|---|---|
| @fides/discovery-service | AgentCard resolution via .well-known endpoint hosting |
| @fides/trust-graph | Trust edge storage, reputation scoring, and capability-specific trust computation |
| @fides/registry-service | Hosted AgentCard registry with public/private modes, search, metadata, metrics, and durable Postgres storage |
| @fides/relay-service | Message relay for agents behind NAT/firewalls |
| @fides/agentd | Agent daemon for lifecycle management and local policy enforcement |
| @fides/platform-api | Platform metadata API for health, version, and service topology |
| @fides/policy-engine | Standalone policy evaluation service |
agentd defaults to a local file-backed authority store. For production, run it with Postgres:
```bash
export AGENTD_AUTHORITY_STORE=postgres
export DATABASE_URL=postgresql://...
pnpm --filter @fides/agentd db:migrate
pnpm --filter @fides/agentd dev
```

When using Stripe Projects with a resource named fides-authority-db, map the generated connection string before running migrations:

```bash
source .env
export AGENTD_DATABASE_URL="$FIDES_AUTHORITY_DB_CONNECTION_STRING"
pnpm --filter @fides/agentd db:migrate
```

Set AGENTD_DB_AUTO_MIGRATE=false when migrations are managed externally. /health reports the active authority store kind and readiness.
Manual and startup migrations record applied ids and statement checksums in agentd_schema_migrations; with AGENTD_DB_AUTO_MIGRATE=false, agentd refuses to start unless the authority tables and migration ledger are present and checksums match the current migrations.
For local agentd lifecycle control through the CLI:
```bash
pnpm --filter @fides/cli fides daemon start --port 7345
pnpm --filter @fides/cli fides daemon status --agentd-url http://localhost:7345
pnpm --filter @fides/cli fides daemon status --agentd-url http://localhost:7345 --json
pnpm --filter @fides/cli fides daemon stop
```

daemon start launches the configured command in the background, writes a pid file to ~/.fides/agentd.pid, and appends logs to ~/.fides/agentd.log. Use --sqlite-path, --local-state memory, and --authority-store-path to isolate demo state. Use --command, --args, --pid-file, and --log-file when running outside the pnpm workspace layout.
To smoke test the actual local daemon plus CLI demo/simulation path with isolated state:
```bash
pnpm smoke:agentd
```

To verify that the documented agentd OpenAPI surface matches the routes implemented by the local daemon:

```bash
pnpm api:audit
```

For production agentd mutations through the CLI, export the same API key used by the service:

```bash
export FIDES_API_KEY="$SERVICE_API_KEY"
pnpm --filter @fides/cli fides session create --agentd-url https://agentd.example.com --capability payments.execute --token-file token.json --delegator-public-key "$DELEGATOR_PUBLIC_KEY_HEX"
pnpm --filter @fides/cli fides session create --agentd-url https://agentd.example.com --capability payments.execute --token-file signed-delegation-token-v2.json
pnpm --filter @fides/cli fides invoke --agentd-url https://agentd.example.com --session-id "$SESSION_ID" --input payment-dry-run.json --sign --requester-private-key-file requester.key
pnpm --filter @fides/cli fides revoke agent did:fides:agent --agentd-url https://agentd.example.com --revoked-by did:fides:principal --reason "disabled" --private-key-hex "$REVOCATION_PRIVATE_KEY_HEX"
pnpm --filter @fides/cli fides incident report --agentd-url https://agentd.example.com --actor did:fides:agent --type policy_violation --severity high --description "merchant policy bypass" --reporter did:fides:principal --private-key-hex "$REPORTER_PRIVATE_KEY_HEX"
pnpm --filter @fides/cli fides propagation pending --agentd-url https://agentd.example.com --limit 25
pnpm --filter @fides/cli fides propagation retry --agentd-url https://agentd.example.com --limit 25
pnpm --filter @fides/cli fides authorize check --agentd-url https://agentd.example.com --agent-did did:fides:agent --capability payments.execute --session-id "$SESSION_ID" --audience agentd
pnpm --filter @fides/cli fides card proxy did:fides:agent --agentd-url https://agentd.example.com
```

When --delegator-public-key is provided, agentd verifies the legacy
DelegationToken signature before creating the session. Canonical
SignedDelegationTokenV2 input is detected from { payload, proof } JSON and
sent as signedToken, so the daemon verifies the issuer-bound proof directly.
For revocation and incident writes, the CLI derives the signer public key from --private-key-hex and sends it as revokerPublicKey or reporterPublicKey.
Use fides propagation pending and fides propagation retry to inspect and replay failed authority propagation outbox records.
Use fides authorize check to smoke-test the same local guard decision path used before agent execution.
Set AGENTD_REQUIRE_AUTHORITY_SIGNATURE_VERIFICATION=true to make this verification fail-closed for session, revocation, and incident writes.
```
fides/
├── packages/
│   ├── core/            # v2 core primitives (identity, signing, delegation, AgentCard)
│   ├── policy/          # Policy engine and rule evaluation
│   ├── guard/           # Guard decision engine
│   ├── evidence/        # Evidence ledger (hash chain, Merkle root)
│   ├── runtime/         # Runtime attestation and kill switch
│   ├── discovery/       # Discovery provider architecture
│   ├── sdk/             # TypeScript SDK
│   ├── shared/          # Shared types and constants
│   ├── cli/             # Command-line interface
│   └── rust-sdk/        # Rust SDK (planned)
├── services/
│   ├── discovery/       # AgentCard resolution service
│   ├── trust-graph/     # Trust and reputation service
│   ├── registry/        # Agent registration service
│   ├── relay/           # Message relay service
│   ├── agentd/          # Agent daemon
│   ├── platform-api/    # Platform metadata API
│   └── policy-engine/   # Policy evaluation service
├── apps/
│   └── web/             # Web dashboard
├── tests/
│   ├── e2e/             # End-to-end tests
│   └── adversarial/     # Adversarial security tests
└── docs/
    └── protocol/
        └── fides-v2-spec.md   # Full protocol specification
```
- Node.js >= 22
- pnpm (package manager)
- Docker (for PostgreSQL)
```bash
git clone https://github.com/EfeDurmaz16/fides.git
cd fides
pnpm install
pnpm build
```

| Command | Description |
|---|---|
| pnpm build | Build all packages |
| pnpm test | Run test suite |
| pnpm lint | Lint codebase |
| pnpm typecheck | Type-check TypeScript |
| pnpm examples:typecheck | Type-check example agents and demo manifests |
| pnpm examples:audit | Verify canonical v2 example agents and capability/risk contracts |
| pnpm cli:audit | Verify the implemented agentd CLI surface against the v2 command contract |
| pnpm api:audit | Verify documented agentd API routes against the implementation |
| pnpm dev | Start services in watch mode |
| pnpm clean | Clean build artifacts |
| pnpm demo | Run the primitive-level v2 demo |
| pnpm demo:authority | Run the authority path demo through service routes |
```bash
pnpm build
pnpm demo
pnpm demo:authority
```

The demo exercises all 9 subsystems: identity creation, AgentCard validation, risk classification, delegation tokens, policy evaluation, evidence ledger, runtime attestation, kill switch, and guard decisions.
The authority path demo additionally exercises the service route path: AgentCard registration, standalone policy evaluation, delegated session creation, nonce replay rejection, authorization evidence append, session revocation, and agent revocation denial.
FIDES v2 implements defense-in-depth across multiple layers:
- Canonical Signing: All signed objects use canonical JSON encoding (recursive key sorting, no whitespace) to prevent signature malleability
- Ed25519 Cryptography: Fast, secure elliptic curve signatures via @noble/ed25519
- Evidence Chain Integrity: Hash-chained events with Merkle root verification; tampering breaks the chain
- Kill Switch: Emergency capability/agent shutdown with precedence rules (global > agent > capability)
- TEE Attestation: Trusted Execution Environment adapter boundary with mock local attestation
- Privacy Levels: Evidence events support public/private/redacted/hash-only visibility
- Delegation Constraints: Spend limits, action counts, and context restrictions on delegated capabilities
- Pre-Execution Guards: Multi-factor decision pipeline before any capability execution
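How a hash chain plus an anchored Merkle root catches in-place edits, rewritten tails and truncation, as an added example rather than the @fides/evidence implementation. The event fields, the leaf:/node: prefixes and the rule for an unpaired node are assumptions.

```javascript
const { createHash } = require('node:crypto');

const sha256 = (s) => createHash('sha256').update(s).digest('hex');
const GENESIS = '0'.repeat(64);

// Digest over the fields that define an event (field names are assumptions).
const eventHash = (e) => sha256(JSON.stringify([e.index, e.type, e.payloadHash, e.prevHash]));

// Hash-only privacy level: store a digest of the payload, never the payload itself.
function append(ledger, type, payload) {
  const prevHash = ledger.length ? ledger[ledger.length - 1].hash : GENESIS;
  const event = { index: ledger.length, type, payloadHash: sha256(JSON.stringify(payload)), prevHash };
  event.hash = eventHash(event);
  ledger.push(event);
  return event;
}

// Merkle root over event hashes. Leaves and inner nodes get different prefixes so
// an inner node can never be passed off as a leaf; an unpaired node moves up as is.
function merkleRoot(hashes) {
  let level = hashes.map((h) => sha256('leaf:' + h));
  if (level.length === 0) return GENESIS;
  while (level.length > 1) {
    const next = [];
    for (let i = 0; i < level.length; i += 2) {
      next.push(i + 1 < level.length ? sha256('node:' + level[i] + level[i + 1]) : level[i]);
    }
    level = next;
  }
  return level[0];
}

// Returns -1 when the chain links and the anchored root both check out, otherwise
// the index of the first bad event (ledger.length means only the root mismatched).
function verifyLedger(ledger, anchoredRoot) {
  let prev = GENESIS;
  for (let i = 0; i < ledger.length; i++) {
    const e = ledger[i];
    if (e.index !== i || e.prevHash !== prev || e.hash !== eventHash(e)) return i;
    prev = e.hash;
  }
  return merkleRoot(ledger.map((e) => e.hash)) === anchoredRoot ? -1 : ledger.length;
}

// Constructed sample events.
const ledger = [];
append(ledger, 'policy.evaluated', { decision: 'allow' });
append(ledger, 'session.granted', { sessionId: 'sess_demo' });
append(ledger, 'capability.invoked', { invoiceId: 'inv_123' });
const anchoredRoot = merkleRoot(ledger.map((e) => e.hash));
console.log(verifyLedger(ledger, anchoredRoot)); // -1
```

The chain alone cannot detect a tail that was rewritten consistently or cut off; only comparison with a root recorded outside the ledger does, which is why verifyLedger takes the anchored root as an input.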
Security disclosure: Report vulnerabilities via SECURITY.md
FIDES v2 implements a complete trust fabric with:
- Identity Layer: Ed25519 keypairs with did:fides: identifiers and canonical JSON signing
- AgentCard Layer: Self-describing manifests with capabilities, endpoints, and security profiles
- Trust Graph Layer: Weighted, capability-specific reputation with transitive trust (depth-based weighting)
- Policy Layer: Deterministic rule evaluation with pre-execution guard pipeline
- Evidence Layer: Hash-chained, Merkle-rooted event log with privacy controls
- Runtime Layer: TEE attestation and emergency kill switch
- Discovery Layer: Multi-provider orchestration with priority-based resolution
Full specification: docs/protocol/fides-v2-spec.md
See CONTRIBUTING.md for the FIDES v2 contribution workflow,
architecture invariants, security review checklist, and verification gates.
At minimum, keep pnpm verify green and run pnpm smoke:agentd for CLI,
API, daemon, session, invocation, discovery, demo, or simulation changes.
See RELEASE_NOTES.md for the current v2 release snapshot, verified gates, local mock surfaces, adapter-ready surfaces, and release checklist.
MIT License: see LICENSE for details
Built with cryptographic trust