| ⚙ eyeVesa | Identity · Trust · Audit · [GitHub] |
eyeVesa gives autonomous AI agents cryptographic identity, enforces real-time authorization policies, and produces non-repudiable audit trails -- so enterprises can trust what their agents do.
[See How It Works] [View on GitHub]
| 3 | Ed25519 | 100% |
|---|---|---|
| Decision Layers | Crypto Identity | Audit Integrity |
When AI agents access production systems, three questions have no good answer:
Every agent request passes through decision layers before reaching your production systems.
| Capability | Description |
|---|---|
| Cryptographic Identity | Every agent gets an Ed25519 keypair on registration. Requests are signed, verified, and non-repudiable. No more shared API keys. |
| Policy Engine & HITL | OPA/Rego policies auto-allow low-risk actions, auto-deny dangerous ones, and route uncertain decisions to humans. Four layers of trust. |
| Trust Scoring | Dynamic trust scores adapt in real-time. Good behavior earns trust (+0.01). Policy violations degrade it (-0.05). Low-trust agents get contained automatically. |
| Non-Repudiable Audit | Every action is logged with an Ed25519 signature. Integrity verification is built-in. Tamper-proof evidence for compliance. |
| Agent Delegation | Agents can delegate scoped, time-limited authority to sub-agents. Depth limits prevent unbounded chains. Every delegation is tracked. |
| mTLS + SPIRE | Zero-trust networking with SPIFFE/SPIRE workload identity. Every service-to-service call is mutually authenticated via mTLS. |
Four layers decide every agent action in milliseconds:
| 1 | AUTO-DENY -- Hard blocks, no override | [DENY] |
|---|---|---|
| Bank transfers over $5,000. Trust below 0.1. Budget exceeded. Instantly denied. Trust -= 0.05 | ||
| 2 | AUTO-ALLOW -- Low-risk, no human needed | [ALLOW] |
| Trust > 0.8 + low-risk resource. Read-only operations. Scaling within limits. Trust += 0.01 | ||
| 3 | HUMAN-IN-THE-LOOP -- Needs human judgment | [HITL] |
| Production deployments. Bank transfers $100-$500. Restricted data with trust < 0.8. Pending until human approves. | ||
| 4 | ESCALATION -- Needs multiple approvals | [ESCALATE] |
| Bank transfers over $1,000. Database schema changes. Requires 2+ separate sign-offs. | ||
Trust is earned, not given. Agents start at 1.0 and adapt based on behavior.
| Outcome | Trust Change | Effect |
|---|---|---|
| Successful call | +0.01 | Gradually earns more autonomy |
| Policy denied | -0.05 | Restricted until recovered |
| Budget exceeded | -0.10 | Severe restriction |
| Never-event violation | BLOCKED | Auto-deny, no override |
Trust Thresholds:
Where autonomous agents meet real consequences.
Agent reads logs.......... [AUTO-ALLOW]
Scales up service......... [AUTO-ALLOW]
Deploys hotfix............ [HITL] -- 1 human tap
4 minutes total. Full audit trail. No 3am pages.
$50 transfer............. [AUTO-ALLOW]
$300 transfer............ [HITL] -- manager approves
$6,000 transfer.......... [AUTO-DENY]
Hard limits enforced. Cryptographic audit for compliance.
Query public data........ [AUTO-ALLOW]
Access patient records... [HITL]
Bulk data export......... [AUTO-DENY]
HIPAA compliant. PHI access audit with proofs.
Dual-protocol gateway: Rust core proxies to Go control plane for auth, registration, and crypto.
+-------------------------------------------------------+
| ENTERPRISE |
| |
| +-------------+ +-------------+ +--------------+ |
| | K8s Adapter | | DB Adapter | | Slack Adapter | |
| | (Go :8443) | | (Go :8443) | | (Go :8443) | |
| +------+------+ +------+------+ +------+-------+ |
| | | | |
| +--------+--------+----------------+ |
| | |
| v |
| +----------------------+ |
| | eyeVesa Gateway | |
| | | |
| | +----------------+ | |
| | | Gateway Core | | |
| | | (Rust :9443) | | |
| | | mTLS, proxy, | | |
| | | crypto, MCP | | |
| | +----------------+ | |
| | | |
| | +----------------+ | |
| | | Control Plane | | |
| | | (Go :8080) | | |
| | | REST, gRPC, | | |
| | | HITL, audit | | |
| | +--------+-------+ | |
| +----------+----------+ |
| | |
| +-------------+-------------+ |
| | | | |
| v v v |
| +----------+ +---------+ +---------+ |
| |PostgreSQL| | SPIRE | | OPA | |
| |+pgvector | |Identity | | Policy | |
| | :5432 | |:8081/90 | | :8181 | |
| +----------+ +---------+ +---------+ |
| |
| +-----------------------------------------------+ |
| | Agent SDK (Rust) | |
| | connect() -> discover() -> invoke() -> delegate()| |
| +-----------------------------------------------+ |
+-------------------------------------------------------+
From agent action to audit log in 12 steps:
1. Agent registers -> POST /v1/agents/register -> PostgreSQL
2. Resource registers -> POST /v1/resources/register -> PostgreSQL
3. Agent connects via SDK -> mTLS to Gateway Core (:9443)
4. Agent discovers tools -> GET /v1/agents/{id}
5. Agent invokes a tool -> Ed25519-signed MCP request
6. Gateway verifies signature
7. Gateway checks policy -> OPA evaluates Rego rules
8. If HITL required -> Write to hitl_approvals, notify human
9. If allowed -> Proxy MCP request to Resource Adapter
10. Result returns -> Agent gets response + trust score
11. Audit log written -> Ed25519-signed entry
12. Trust score updated -> +0.01 or -0.05
| Score | Role | Benefit |
|---|---|---|
| 95 | CISO / Security | Cryptographic identity, tamper-proof audit, trust degradation. Proof and control. |
| 90 | DevOps / SRE | Auto-handle 80% of ops. Only woken for HITL approvals. |
| 85 | Compliance / Legal | Signed audit trail. Defensible evidence for regulators. |
| 75 | Enterprise IT | One registry, one policy engine, one audit source. |
| 65 | Agent Developers | Standard SDK: connect() -> discover() -> invoke(). |
| 60 | Business Leaders | Fewer incidents, simplified compliance, reduced risk. |
Get running in under 5 minutes.
docker-compose up -d
# Terminal 1: Gateway core (Rust proxy) cd gateway/core && cargo run # Terminal 2: Control plane (Go API) cd gateway/control-plane && go run cmd/api/main.go
curl -X POST http://localhost:8080/v1/agents/register \
-H "Content-Type: application/json" \
-d '{"name":"hermes-ops","owner":"org:devops",
"capabilities":["infrastructure_read","deployment"],
"allowed_tools":["k8s_deploy","log_search"]}'
curl http://localhost:8080/health # Control plane curl http://localhost:9443/health # Gateway core curl http://localhost:8181/v1/data/agentid/authz/allow # OPA
eyeVesa gives you cryptographic identity, real-time policy enforcement,
and non-repudiable audit trails -- so your agents can act autonomously
without putting production at risk.
[Get Started on GitHub] [View Architecture]
|
⚙ eyeVesa Identity and trust layer for the agentic economy. |
Product Features How It Works Use Cases Architecture |
Developers GitHub Quick Start Documentation |
Stack Rust Gateway Go Control Plane PostgreSQL OPA/Rego |
© 2026 eyeVesa. Proprietary license.