Verifiable task delegation between AI agents

Project description

TrustHandoff

TrustHandoff is a lightweight protocol and SDK for verifiable task delegation between AI agents.

It defines a canonical structure for transferring tasks between agents with:

  • agent identity
  • cryptographic signatures
  • bounded execution permissions
  • delegation chains
  • verifiable decision logic

TrustHandoff acts as a delegation trust layer for multi-agent systems.


Why TrustHandoff exists

Modern agent frameworks solve orchestration and communication.

They do not solve verifiable delegation.

Layer | Example
Agent ↔ tools | MCP
Agent ↔ communication | A2A
Agent orchestration | LangGraph / CrewAI / AutoGen
Agent delegation trust | TrustHandoff

TrustHandoff introduces a portable delegation primitive:

SignedTaskPacket

This packet allows agents to safely hand off tasks while preserving:

  • authority
  • permissions
  • provenance
  • cryptographic verification

Positioning

TrustHandoff is a delegation trust layer for multi-agent systems.

It is not:

  • a transport protocol
  • a message bus
  • an orchestration framework
  • a replacement for LangGraph, CrewAI, AutoGen, A2A, or MCP

TrustHandoff complements these systems by adding:

  • verifiable delegation
  • bounded authority
  • provenance-aware handoff
  • replay protection
  • multi-hop authority validation

Recommended ecosystem framing:

  • MCP = tools / context
  • A2A = agent communication
  • LangGraph / CrewAI / AutoGen = orchestration
  • TrustHandoff = delegation trust layer

Installation

pip install trusthandoff


Quickstart

Minimal example:

from datetime import datetime, timedelta, timezone
from trusthandoff import (
    AgentIdentity,
    Permissions,
    SignedTaskPacket,
    sign_packet,
    verify_packet,
    process_handoff,
)

# One identity for the delegating agent, one for the receiving agent
planner = AgentIdentity.generate()
research = AgentIdentity.generate()

# Describe the handoff: sender, recipient, validity window, nonce and permissions
packet = SignedTaskPacket(
    packet_id="pk_example",
    task_id="task_example",
    from_agent=planner.agent_id,
    to_agent=research.agent_id,
    issued_at=datetime.now(timezone.utc),
    expires_at=datetime.now(timezone.utc) + timedelta(minutes=10),
    nonce="nonce-example",
    intent="Research company background",
    context={"company": "Example Corp"},
    permissions=Permissions(
        allowed_actions=["read", "search"],
        max_tool_calls=5,
    ),
    signature_algo="Ed25519",
    signature="",  # placeholder; the signed packet comes from sign_packet() below
    public_key=planner.public_key_pem,
)

# Sign the packet as the planner
signed_packet = sign_packet(packet, planner)

# Verify the signed packet, then run the handoff decision
verify_packet(signed_packet)

decision = process_handoff(signed_packet)

print(decision.decision)
print(decision.reason)

Expected output:

ACCEPT
Packet verified and valid

Core primitives

TrustHandoff revolves around four primitives:

SignedTaskPacket
DelegationEnvelope
DelegationChain
PacketDecision

These primitives allow verifiable multi-hop delegation between agents.


Framework adapters

TrustHandoff provides adapters for major agent frameworks.

Current adapters:

  • CrewAI
  • AutoGen
  • LangGraph

These adapters map framework-native delegation events into TrustHandoff primitives.

See:

specs/adapters.md

Specification

Protocol specifications:

specs/trusthandoff-spec-v0.1.md
specs/trusthandoff-spec-v0.2.md

Examples

Example flows are available in:

examples/

Vision

TrustHandoff aims to become the trust layer for delegation in multi-agent systems.

Rather than replacing agent frameworks, TrustHandoff complements them by providing a secure delegation primitive.


Security Pipeline

TrustHandoff enforces a secure delegation pipeline through its middleware.

The verification pipeline is:


Threat Model

TrustHandoff is designed to prevent the following attacks during agent-to-agent delegation:

  • Impersonation
    Unsigned or forged packets → signature verification fails

  • Unbounded delegation
    Unlimited recursion or tool access → bounded permissions + max depth enforced

  • Context poisoning
    Malicious context injection → provenance chain allows auditing back to origin

  • Replay attacks
    Re-use of old packets → nonce + replay protection

  • Lost ownership
    Delegated agent claims authority it doesn't have → delegation chain + signer verification

Out of scope (for now):

  • side-channel key extraction
  • denial-of-service against verification
  • physical key theft
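
The chain and replay checks named in the threat model, sketched as an added example (not TrustHandoff's own code and not its API). `Hop`, `validate_chain`, `MAX_DEPTH` and the `REJECT` string are hypothetical, and per-hop signature verification is assumed to have already succeeded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MAX_DEPTH = 3  # assumed policy limit, not a TrustHandoff constant
@dataclass(frozen=True)
class Hop:  # hypothetical stand-in for one signed delegation step
    from_agent: str
    to_agent: str
    nonce: str
    expires_at: datetime
    allowed_actions: frozenset
    max_tool_calls: int

def validate_chain(chain, seen_nonces, now):
    """Check a root-first list of Hops; signatures are assumed already verified."""
    if not chain or len(chain) > MAX_DEPTH:
        return "REJECT", "empty chain or max depth exceeded"
    for i, hop in enumerate(chain):
        if hop.expires_at <= now:
            return "REJECT", f"hop {i} expired"
        if i == 0:
            continue
        parent = chain[i - 1]
        if hop.from_agent != parent.to_agent:  # lost ownership
            return "REJECT", f"hop {i} not issued by the previous delegate"
        if not hop.allowed_actions <= parent.allowed_actions:  # unbounded delegation
            return "REJECT", f"hop {i} widens allowed_actions"
        if hop.max_tool_calls > parent.max_tool_calls or hop.expires_at > parent.expires_at:
            return "REJECT", f"hop {i} exceeds parent's max_tool_calls or expiry"
    # Replay check covers the newest hop only: earlier hops are provenance and are
    # legitimately re-presented. The nonce is recorded only after all checks pass.
    for n in [n for n, exp in seen_nonces.items() if exp <= now]:
        del seen_nonces[n]  # an expired packet is rejected above, so forget its nonce
    last = chain[-1]
    if last.nonce in seen_nonces:
        return "REJECT", "nonce already seen"
    seen_nonces[last.nonce] = last.expires_at
    return "ACCEPT", "chain valid"

# Constructed sample: planner -> research -> summarizer, each hop narrower.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
ROOT = Hop("planner", "research", "n1", NOW + timedelta(minutes=10),
           frozenset({"read", "search"}), 5)
CHILD = Hop("research", "summarizer", "n2", NOW + timedelta(minutes=5),
            frozenset({"read"}), 2)

if __name__ == "__main__":
    seen = {}  # nonce -> expires_at, kept by the receiving agent
    print([validate_chain([ROOT, CHILD], seen, NOW) for _ in range(2)])
```

Each receiving agent keeps its own `seen_nonces` store; a deployment with several verifier processes would need to share it.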

License

MIT



Download files

Source Distribution

trusthandoff-0.2.1.tar.gz (25.9 kB view details)

Uploaded Source

Built Distribution

trusthandoff-0.2.1-py3-none-any.whl (26.0 kB view details)

Uploaded Python 3

File details

Details for the file trusthandoff-0.2.1.tar.gz.

File metadata

  • Download URL: trusthandoff-0.2.1.tar.gz
  • Upload date:
  • Size: 25.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for trusthandoff-0.2.1.tar.gz
Algorithm Hash digest
SHA256 756bdb18fe694e7c3d0227f9de84308294f1ecbad8145f868cb9b92e4e24f28c
MD5 71a325902877474262cf76abf8c1986b
BLAKE2b-256 a0edd68c60614f0e27df76ba9fbc265dd2676e4f8603fcec8db92f8492a61d74

Provenance

The following attestation bundles were made for trusthandoff-0.2.1.tar.gz:

Publisher: publish.yml on trusthandoff/trusthandoff

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file trusthandoff-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: trusthandoff-0.2.1-py3-none-any.whl
  • Upload date:
  • Size: 26.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for trusthandoff-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 b60cb720be710c9140af7da9712a855ed41147868bca8da29b9b2b1f7f4175b1
MD5 edc95338551898d801a1aac6f3f00a2a
BLAKE2b-256 7e1b1a4546fb479fa8a773628a6a4a757e690c037c474267b50b0fbeb0bb9ac1

Provenance

The following attestation bundles were made for trusthandoff-0.2.1-py3-none-any.whl:

Publisher: publish.yml on trusthandoff/trusthandoff

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
