Verifiable task delegation between AI agents

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for shaymizuno from gravatar.com shaymizuno

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Shay Mizuno
  • Requires: Python >=3.11
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

OpenSSF Scorecard

PyPI version

Python versions

License

Supply Chain Releases are published from GitHub Actions using Trusted Publishing and include verifiable build provenance / attestations.

TrustHandoff

TrustHandoff is a lightweight protocol and SDK for verifiable task delegation between AI agents.

It defines a canonical structure for transferring tasks between agents with:

  • agent identity
  • cryptographic signatures
  • bounded execution permissions
  • delegation chains
  • verifiable decision logic

TrustHandoff acts as a delegation trust layer for multi-agent systems.

Why TrustHandoff exists

Modern agent frameworks solve orchestration and communication.

They do not solve verifiable delegation.

Layer Example
Agent ↔ tools MCP
Agent ↔ communication A2A
Agent orchestration LangGraph / CrewAI / AutoGen
Agent delegation trust TrustHandoff

TrustHandoff introduces a portable delegation primitive:

SignedTaskPacket

This packet allows agents to safely hand off tasks while preserving:

  • authority
  • permissions
  • provenance
  • cryptographic verification

Positioning

TrustHandoff is a delegation trust layer for multi-agent systems.

It is not:

  • a transport protocol
  • a message bus
  • an orchestration framework
  • a replacement for LangGraph, CrewAI, AutoGen, A2A, or MCP

TrustHandoff complements these systems by adding:

  • verifiable delegation
  • bounded authority
  • provenance-aware handoff
  • replay protection
  • multi-hop authority validation

Recommended ecosystem framing:

  • MCP = tools / context
  • A2A = agent communication
  • LangGraph / CrewAI / AutoGen = orchestration
  • TrustHandoff = delegation trust layer

Installation

pip install trusthandoff

Quickstart

Minimal example:

from datetime import datetime, timedelta, timezone
from trusthandoff import (
    AgentIdentity,
    Permissions,
    SignedTaskPacket,
    sign_packet,
    verify_packet,
    process_handoff
)

planner = AgentIdentity.generate()
research = AgentIdentity.generate()

packet = SignedTaskPacket(
    packet_id="pk_example",
    task_id="task_example",
    from_agent=planner.agent_id,
    to_agent=research.agent_id,
    issued_at=datetime.now(timezone.utc),
    expires_at=datetime.now(timezone.utc) + timedelta(minutes=10),
    nonce="nonce-example",
    intent="Research company background",
    context={"company": "Example Corp"},
    permissions=Permissions(
        allowed_actions=["read", "search"],
        max_tool_calls=5
    ),
    signature_algo="Ed25519",
    signature="",
    public_key=planner.public_key_pem
)

signed_packet = sign_packet(packet, planner)

verify_packet(signed_packet)

decision = process_handoff(signed_packet)

print(decision.decision)
print(decision.reason)

Expected output:

ACCEPT
Packet verified and valid

Core primitives

TrustHandoff revolves around four primitives:

SignedTaskPacket
DelegationEnvelope
DelegationChain
PacketDecision

These primitives allow verifiable multi-hop delegation between agents.

Framework adapters

TrustHandoff provides adapters for major agent frameworks.

Current adapters:

  • CrewAI
  • AutoGen
  • LangGraph

These adapters map framework-native delegation events into TrustHandoff primitives.

See:

specs/adapters.md

Specification

Protocol specifications:

specs/trusthandoff-spec-v0.1.md
specs/trusthandoff-spec-v0.2.md

Examples

Example flows are available in:

examples/

Vision

TrustHandoff aims to become the trust layer for delegation in multi-agent systems.

Rather than replacing agent frameworks, TrustHandoff complements them by providing a secure delegation primitive.

Security Pipeline

TrustHandoff enforces a secure delegation pipeline through its middleware.

The verification pipeline is:

Threat Model

TrustHandoff is designed to prevent the following attacks during agent-to-agent delegation:

  • Impersonation
    Unsigned or forged packets → signature verification fails

  • Unbounded delegation
    Unlimited recursion or tool access → bounded permissions + max depth enforced

  • Context poisoning
    Malicious context injection → provenance chain allows auditing back to origin

  • Replay attacks
    Re-use of old packets → nonce + replay protection

  • Lost ownership
    Delegated agent claims authority it doesn't have → delegation chain + signer verification

Out of scope (for now):

  • side-channel key extraction
  • denial-of-service against verification
  • physical key theft

License

MIT

Python License: MIT PyPI

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for shaymizuno from gravatar.com shaymizuno

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Shay Mizuno
  • Requires: Python >=3.11
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.4.0

0.3.4

0.3.3

0.3.2

0.3.1

0.3.0

This version

0.2.5

0.2.3

0.2.2

0.2.1

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

trusthandoff-0.2.5.tar.gz (26.5 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

trusthandoff-0.2.5-py3-none-any.whl (26.3 kB view details)

Uploaded Python 3

File details

Details for the file trusthandoff-0.2.5.tar.gz.

File metadata

  • Download URL: trusthandoff-0.2.5.tar.gz
  • Upload date:
  • Size: 26.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for trusthandoff-0.2.5.tar.gz
Algorithm Hash digest
SHA256 02ebd38a13cdb142dd2ea3a83f8693dd03d6cdcfb45eda2cf55bb46a6c5ae8cf
MD5 3527d9e61998acec09eec6076cc6819c
BLAKE2b-256 b5ce1a96a24f63aa7b5f7fa17ed813feda2349a916c2adf95a614742ab84a259

See more details on using hashes here.

Provenance

The following attestation bundles were made for trusthandoff-0.2.5.tar.gz:

Publisher: publish.yml on trusthandoff/trusthandoff

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file trusthandoff-0.2.5-py3-none-any.whl.

File metadata

  • Download URL: trusthandoff-0.2.5-py3-none-any.whl
  • Upload date:
  • Size: 26.3 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for trusthandoff-0.2.5-py3-none-any.whl
Algorithm Hash digest
SHA256 03f480c0ab57ee67024bd060678cc522a89867c2d642a02b4c79529f5cfa0a9d
MD5 c0f81a3398d38f4b250f5df5c1df4c23
BLAKE2b-256 471fc0e060d0e30896e16a6eaa57f9cef7f80737f4175c6683a21262b7f39872

See more details on using hashes here.

Provenance

The following attestation bundles were made for trusthandoff-0.2.5-py3-none-any.whl:

Publisher: publish.yml on trusthandoff/trusthandoff

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page