Verifiable task delegation between AI agents

Project description

TrustHandoff

TrustHandoff is a lightweight protocol and SDK for verifiable task delegation between AI agents.

It defines a canonical structure for transferring tasks between agents with:

  • agent identity
  • cryptographic signatures
  • bounded execution permissions
  • delegation chains
  • verifiable decision logic

TrustHandoff acts as a delegation trust layer for multi-agent systems.


Why TrustHandoff exists

Modern agent frameworks solve orchestration and communication.

They do not solve verifiable delegation.

Layer                  | Example
-----------------------|------------------------------
Agent ↔ tools          | MCP
Agent ↔ communication  | A2A
Agent orchestration    | LangGraph / CrewAI / AutoGen
Agent delegation trust | TrustHandoff

TrustHandoff introduces a portable delegation primitive:

SignedTaskPacket

This packet allows agents to safely hand off tasks while preserving:

  • authority
  • permissions
  • provenance
  • cryptographic verification

Positioning

TrustHandoff is a delegation trust layer for multi-agent systems.

It is not:

  • a transport protocol
  • a message bus
  • an orchestration framework
  • a replacement for LangGraph, CrewAI, AutoGen, A2A, or MCP

TrustHandoff complements these systems by adding:

  • verifiable delegation
  • bounded authority
  • provenance-aware handoff
  • replay protection
  • multi-hop authority validation

Recommended ecosystem framing:

  • MCP = tools / context
  • A2A = agent communication
  • LangGraph / CrewAI / AutoGen = orchestration
  • TrustHandoff = delegation trust layer

Installation

pip install trusthandoff


Quickstart

Minimal example:

from datetime import datetime, timedelta, timezone
from trusthandoff import (
    AgentIdentity,
    Permissions,
    SignedTaskPacket,
    sign_packet,
    verify_packet,
    process_handoff
)

# Generate an identity for each agent
planner = AgentIdentity.generate()
research = AgentIdentity.generate()

packet = SignedTaskPacket(
    packet_id="pk_example",
    task_id="task_example",
    from_agent=planner.agent_id,
    to_agent=research.agent_id,
    issued_at=datetime.now(timezone.utc),
    expires_at=datetime.now(timezone.utc) + timedelta(minutes=10),
    nonce="nonce-example",
    intent="Research company background",
    context={"company": "Example Corp"},
    permissions=Permissions(
        allowed_actions=["read", "search"],
        max_tool_calls=5
    ),
    signature_algo="Ed25519",
    signature="",
    public_key=planner.public_key_pem
)

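# Sign the packet as the delegating agent (planner)
signed_packet = sign_packet(packet, planner)

# Verify the packet's signature
verify_packet(signed_packet)

# Evaluate the handoff on the receiving side
decision = process_handoff(signed_packet)

print(decision.decision)
print(decision.reason)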

Expected output:

ACCEPT
Packet verified and valid

Core primitives

TrustHandoff revolves around four primitives:

  • SignedTaskPacket
  • DelegationEnvelope
  • DelegationChain
  • PacketDecision

These primitives allow verifiable multi-hop delegation between agents.


Framework adapters

TrustHandoff provides adapters for major agent frameworks.

Current adapters:

  • CrewAI
  • AutoGen
  • LangGraph

These adapters map framework-native delegation events into TrustHandoff primitives.

See:

specs/adapters.md

Specification

Protocol specifications:

specs/trusthandoff-spec-v0.1.md
specs/trusthandoff-spec-v0.2.md

Examples

Example flows are available in:

examples/

Vision

TrustHandoff aims to become the trust layer for delegation in multi-agent systems.

Rather than replacing agent frameworks, TrustHandoff complements them by providing a secure delegation primitive.


Security Pipeline

TrustHandoff enforces a secure delegation pipeline through its middleware.

The verification pipeline is:


Threat Model

TrustHandoff is designed to prevent the following attacks during agent-to-agent delegation:

  • Impersonation
    Unsigned or forged packets → signature verification fails

  • Unbounded delegation
    Unlimited recursion or tool access → bounded permissions + max depth enforced

  • Context poisoning
    Malicious context injection → provenance chain allows auditing back to origin

  • Replay attacks
    Re-use of old packets → nonce + replay protection

  • Lost ownership
    Delegated agent claims authority it doesn't have → delegation chain + signer verification

Out of scope (for now):

  • side-channel key extraction
  • denial-of-service against verification
  • physical key theft
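
The receiver-side checks implied by the threat model above (validity window, replay, bounded permissions, chain continuity, maximum depth), as an added example that is not TrustHandoff's own code. It assumes every hop's signature has already been verified; the hop dictionaries reuse the Quickstart packet's field names, while `hop`, `ReplayCache`, `validate_chain` and `MAX_DEPTH` are hypothetical names.

```python
from datetime import timedelta

MAX_DEPTH = 3  # assumed limit; the page only says a maximum depth is enforced

def hop(frm, to, nonce, actions, calls, issued, ttl_min):
    """Build one constructed hop using the Quickstart packet's field names."""
    return {"from_agent": frm, "to_agent": to, "nonce": nonce,
            "issued_at": issued, "expires_at": issued + timedelta(minutes=ttl_min),
            "permissions": {"allowed_actions": actions, "max_tool_calls": calls}}

class ReplayCache:
    """Remembers (from_agent, nonce) pairs until the packet's own expiry."""
    def __init__(self):
        self._seen = {}

    def check_and_store(self, h, now):
        # Expired entries can go: a replay of them fails the validity window.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        key = (h["from_agent"], h["nonce"])
        if key in self._seen:
            return False
        self._seen[key] = h["expires_at"]
        return True

def validate_chain(chain, cache, now):
    """Return (ok, reason) for hops ordered from the origin to the newest."""
    if not chain or len(chain) > MAX_DEPTH:
        return False, "chain empty or deeper than MAX_DEPTH"
    parent = None
    for i, h in enumerate(chain):
        perms = h["permissions"]
        if not (h["issued_at"] <= now < h["expires_at"]):
            return False, f"hop {i}: outside validity window"
        if parent is not None:
            pp = parent["permissions"]
            if h["from_agent"] != parent["to_agent"]:
                return False, f"hop {i}: delegator was not the previous recipient"
            if not set(perms["allowed_actions"]) <= set(pp["allowed_actions"]):
                return False, f"hop {i}: actions exceed delegated authority"
            if perms["max_tool_calls"] > pp["max_tool_calls"]:
                return False, f"hop {i}: tool-call budget exceeds parent"
            if h["expires_at"] > parent["expires_at"]:
                return False, f"hop {i}: outlives the parent delegation"
        parent = h
    # Record the nonce only after every other check has passed.
    if not cache.check_and_store(chain[-1], now):
        return False, "replayed nonce"
    return True, "chain valid"
```

Each hop may only narrow what its parent granted, so a chain is rejected at the first hop that widens actions, budget or lifetime.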

License

MIT


Download files

Source Distribution

trusthandoff-0.2.2.tar.gz (25.9 kB)

Uploaded Source

Built Distribution

trusthandoff-0.2.2-py3-none-any.whl (26.0 kB)

Uploaded Python 3

File details

Details for the file trusthandoff-0.2.2.tar.gz.

File metadata

  • Download URL: trusthandoff-0.2.2.tar.gz
  • Upload date:
  • Size: 25.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for trusthandoff-0.2.2.tar.gz
Algorithm Hash digest
SHA256 540718a8b668e2c487941acdaac10c185a73e2c24e7cad3007b1a3e7d7af4d2a
MD5 f48db96cbd5c2142dd1acc823a1afa30
BLAKE2b-256 ba25a197197e11dbeb31a50d1b677046042a82ac1a992e43638667fc9f8e898e

Provenance

The following attestation bundles were made for trusthandoff-0.2.2.tar.gz:

Publisher: publish.yml on trusthandoff/trusthandoff

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file trusthandoff-0.2.2-py3-none-any.whl.

File metadata

  • Download URL: trusthandoff-0.2.2-py3-none-any.whl
  • Upload date:
  • Size: 26.0 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for trusthandoff-0.2.2-py3-none-any.whl
Algorithm Hash digest
SHA256 9b90fd32484d940ab38fbeede7577a2f773a9d11b4cd91da77256ace11b6054c
MD5 4de3118ff19dc33ff6fa18c743308109
BLAKE2b-256 4f30f6854f1baa04b5108bfac246c399c5f3c1b63b18284d671663ca76d7b721

Provenance

The following attestation bundles were made for trusthandoff-0.2.2-py3-none-any.whl:

Publisher: publish.yml on trusthandoff/trusthandoff
