
Verifiable task delegation between AI agents

Supply chain: Releases are published from GitHub Actions using Trusted Publishing and include verifiable build provenance / attestations.

TrustHandoff

TrustHandoff is a lightweight protocol and SDK for verifiable task delegation between AI agents.

It defines a canonical structure for transferring tasks between agents with:

  • agent identity
  • cryptographic signatures
  • bounded execution permissions
  • delegation chains
  • verifiable decision logic

TrustHandoff acts as a delegation trust layer for multi-agent systems.


Why TrustHandoff exists

Modern agent frameworks solve orchestration and communication.

They do not solve verifiable delegation.

Layer                    Example
Agent ↔ tools            MCP
Agent ↔ communication    A2A
Agent orchestration      LangGraph / CrewAI / AutoGen
Agent delegation trust   TrustHandoff

TrustHandoff introduces a portable delegation primitive:

SignedTaskPacket

This packet allows agents to safely hand off tasks while preserving:

  • authority
  • permissions
  • provenance
  • cryptographic verification

Positioning

TrustHandoff is a delegation trust layer for multi-agent systems.

It is not:

  • a transport protocol
  • a message bus
  • an orchestration framework
  • a replacement for LangGraph, CrewAI, AutoGen, A2A, or MCP

TrustHandoff complements these systems by adding:

  • verifiable delegation
  • bounded authority
  • provenance-aware handoff
  • replay protection
  • multi-hop authority validation

Recommended ecosystem framing:

  • MCP = tools / context
  • A2A = agent communication
  • LangGraph / CrewAI / AutoGen = orchestration
  • TrustHandoff = delegation trust layer

Installation

pip install trusthandoff


Quickstart

Minimal example:

from datetime import datetime, timedelta, timezone
from trusthandoff import (
    AgentIdentity,
    Permissions,
    SignedTaskPacket,
    sign_packet,
    verify_packet,
    process_handoff
)

planner = AgentIdentity.generate()
research = AgentIdentity.generate()

packet = SignedTaskPacket(
    packet_id="pk_example",
    task_id="task_example",
    from_agent=planner.agent_id,
    to_agent=research.agent_id,
    issued_at=datetime.now(timezone.utc),
    expires_at=datetime.now(timezone.utc) + timedelta(minutes=10),
    nonce="nonce-example",
    intent="Research company background",
    context={"company": "Example Corp"},
    permissions=Permissions(
        allowed_actions=["read", "search"],
        max_tool_calls=5
    ),
    signature_algo="Ed25519",
    signature="",
    public_key=planner.public_key_pem
)

signed_packet = sign_packet(packet, planner)

verify_packet(signed_packet)

decision = process_handoff(signed_packet)

print(decision.decision)
print(decision.reason)

Expected output:

ACCEPT
Packet verified and valid

Core primitives

TrustHandoff revolves around four primitives:

SignedTaskPacket
DelegationEnvelope
DelegationChain
PacketDecision

These primitives allow verifiable multi-hop delegation between agents.


Framework adapters

TrustHandoff provides adapters for major agent frameworks.

Current adapters:

  • CrewAI
  • AutoGen
  • LangGraph

These adapters map framework-native delegation events into TrustHandoff primitives.

See:

specs/adapters.md

Specification

Protocol specifications:

specs/trusthandoff-spec-v0.1.md
specs/trusthandoff-spec-v0.2.md

Examples

Example flows are available in:

examples/

Vision

TrustHandoff aims to become the trust layer for delegation in multi-agent systems.

Rather than replacing agent frameworks, TrustHandoff complements them by providing a secure delegation primitive.


Security Pipeline

TrustHandoff enforces a secure delegation pipeline through its middleware.

The verification pipeline is:


Threat Model

TrustHandoff is designed to prevent the following attacks during agent-to-agent delegation:

  • Impersonation
    Unsigned or forged packets → signature verification fails

  • Unbounded delegation
    Unlimited recursion or tool access → bounded permissions + max depth enforced

  • Context poisoning
    Malicious context injection → provenance chain allows auditing back to origin

  • Replay attacks
    Re-use of old packets → nonce + replay protection

  • Lost ownership
    Delegated agent claims authority it doesn't have → delegation chain + signer verification

Out of scope (for now):

  • side-channel key extraction
  • denial-of-service against verification
  • physical key theft
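
The replay, unbounded-delegation and lost-ownership checks listed above can be sketched as follows. This is an added example, not code from the trusthandoff package: `Hop`, `ChainValidator`, the `REJECT` string and the rule that each hop may only narrow its parent's permissions are assumptions made for illustration, and signature verification is assumed to have already succeeded.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Hop:
    """One delegation step. Hypothetical model, not the trusthandoff schema."""
    from_agent: str
    to_agent: str
    nonce: str
    expires_at: datetime
    allowed_actions: frozenset
    max_tool_calls: int

class ChainValidator:
    """Checks run after signature verification, which is assumed and not shown."""

    def __init__(self, max_depth=3):
        self.max_depth = max_depth
        self._seen = {}  # (from_agent, nonce) -> expiry of the accepted packet

    def check(self, chain, now):
        # An expired packet is rejected anyway, so its nonce can be forgotten.
        self._seen = {k: exp for k, exp in self._seen.items() if exp > now}
        if not 1 <= len(chain) <= self.max_depth:
            return "REJECT", "chain depth out of bounds"
        for parent, hop in zip([None] + chain[:-1], chain):
            if hop.expires_at <= now:
                return "REJECT", "expired hop"
            if parent is None:
                continue
            if hop.from_agent != parent.to_agent:
                return "REJECT", "delegator was not the previous recipient"
            if (not hop.allowed_actions <= parent.allowed_actions
                    or hop.max_tool_calls > parent.max_tool_calls):
                return "REJECT", "hop widens permissions"
        leaf = chain[-1]  # the packet addressed to this verifier
        if (leaf.from_agent, leaf.nonce) in self._seen:
            return "REJECT", "replayed nonce"
        self._seen[(leaf.from_agent, leaf.nonce)] = leaf.expires_at
        return "ACCEPT", "chain valid"

# Constructed sample data: planner -> research -> writer.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
EXP = NOW + timedelta(minutes=10)
H1 = Hop("planner", "research", "n-1", EXP, frozenset({"read", "search"}), 5)
H2 = Hop("research", "writer", "n-2", EXP, frozenset({"read"}), 2)
WIDE = Hop("research", "writer", "n-3", EXP, frozenset({"read", "write"}), 2)

if __name__ == "__main__":
    v = ChainValidator()
    for chain in ([H1, H2], [H1, H2], [H1, WIDE]):
        print(v.check(chain, NOW))
```

Only the final hop's nonce is recorded, because earlier hops are provenance that legitimately reappears in every longer chain built on them.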

License

MIT


Download files

Source Distribution

trusthandoff-0.2.3.tar.gz (26.5 kB view details)

Uploaded Source

Built Distribution

trusthandoff-0.2.3-py3-none-any.whl (26.3 kB view details)

Uploaded Python 3

File details

Details for the file trusthandoff-0.2.3.tar.gz.

File metadata

  • Download URL: trusthandoff-0.2.3.tar.gz
  • Size: 26.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for trusthandoff-0.2.3.tar.gz
Algorithm Hash digest
SHA256 4a1d66fe3918ba268c4aaf726f9bee5889a5c92116423b633fee8e0d47f7bd7d
MD5 ee3550026fdfff04e28121fed843beca
BLAKE2b-256 91c1dcbc088dea739d456e40cc3a9c4e2784f86d096bb30c5bde1674f29ff833

Provenance

The following attestation bundles were made for trusthandoff-0.2.3.tar.gz:

Publisher: publish.yml on trusthandoff/trusthandoff

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file trusthandoff-0.2.3-py3-none-any.whl.

File metadata

  • Download URL: trusthandoff-0.2.3-py3-none-any.whl
  • Size: 26.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for trusthandoff-0.2.3-py3-none-any.whl
Algorithm Hash digest
SHA256 38060fc73d94581db1d403d2eefd554195c1c7ac9bf6c9860da38abc73b17c4e
MD5 f99d334b3322d3822e7006e0537fb0ca
BLAKE2b-256 0a6ccf58b2767621326de180563b3a9f0b3c1f4711083fe249818e47f948dca0

Provenance

The following attestation bundles were made for trusthandoff-0.2.3-py3-none-any.whl:

Publisher: publish.yml on trusthandoff/trusthandoff

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
