| eyeVesa | Identity · Trust · Audit · [GitHub] |
"In an agent-first world, the core challenge is no longer about capability,
but about identity, provenance, and secure execution."
-- Dr. Vivian Balakrishnan, Minister for Foreign Affairs, Singapore (AI Engineer Day, 2026)
eyeVesa gives autonomous AI agents cryptographic identity, enforces real-time authorization policies, and produces non-repudiable audit trails -- so enterprises can trust what their agents do.
| 30+ | Ed25519+PTV | 3-Tier | 100% |
|---|---|---|---|
| API Endpoints | Crypto Identity | Policy Engine | Audit Integrity |
When AI agents access production systems, three questions have no good answer:
eyeVesa applies the principles banks use for Know Your Customer (KYC) to AI agents. The core loop is the same: identify → assess → authorize → monitor → enforce, with "agent" in place of "customer."
| KYC (Banking) | KYA (eyeVesa) |
|---|---|
| Verify customer identity | Ed25519 keypairs + PTV hardware attestation |
| Assess risk profile | Trust scoring + behavioral embeddings (pgvector) |
| Set transaction limits | OPA policies (auto-deny / auto-allow / HITL / escalation) |
| Monitor transactions | Non-repudiable audit logs with signatures |
| Flag suspicious activity | Anomaly detection, trust degradation |
| Report to regulators | Cryptographic proof of who did what, when, who approved |
Hardware-rooted identity attestation. Agents prove their platform identity, the gateway transforms it into a binding, and any party can verify.
Prove:
- Agent generates hardware attestation (TPM / Secure Enclave)
- Signs with Ed25519 identity key
- Submits to /v1/ptv/attest

Transform:
- Gateway verifies TPM signature
- Creates identity binding (attestation + public key + expiry)
- Stores binding in identity_bindings table
- Endpoint: /v1/ptv/bind

Verify:
- Any party checks binding expiry and signature
- Confirms agent is who it claims to be
- Endpoint: /v1/ptv/verify/{bindingID}
Three-step protocol. No shared secrets. No API keys. Cryptographic proof that the agent ran on specific hardware at a specific time.
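The Verify step only means something if expiry and signature are checked over the same bytes the gateway signed. The sketch below is an added example, not eyeVesa code: the `Binding` layout, the `ptv-binding-v1` prefix and the byte encoding are assumptions, and the attestation blob is constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
	"time"
)

// Binding is a hypothetical layout for the identity binding: attestation digest,
// agent public key and expiry, all covered by one gateway signature.
type Binding struct {
	AttestationHash [32]byte
	AgentKey        ed25519.PublicKey
	Expiry          time.Time
	GatewaySig      []byte
}

// signedBytes is the byte string the gateway signs (encoding is an assumption).
func (b Binding) signedBytes() []byte {
	msg := append([]byte("ptv-binding-v1"), b.AttestationHash[:]...)
	return fmt.Appendf(append(msg, b.AgentKey...), "|%d", b.Expiry.Unix())
}

// VerifyBinding is the Verify step: reject expired bindings, then check the signature.
func VerifyBinding(gwPub ed25519.PublicKey, b Binding, now time.Time) error {
	if !now.Before(b.Expiry) {
		return fmt.Errorf("binding expired at %s", b.Expiry.UTC().Format(time.RFC3339))
	}
	if !ed25519.Verify(gwPub, b.signedBytes(), b.GatewaySig) {
		return fmt.Errorf("gateway signature does not match binding contents")
	}
	return nil
}

// demo signs a constructed binding (Transform), then verifies it as issued,
// after its expiry, and after its expiry field was edited.
func demo() (valid, expired, edited error) {
	gwPub, gwPriv, _ := ed25519.GenerateKey(nil)
	agentPub, _, _ := ed25519.GenerateKey(nil)
	now := time.Now()
	b := Binding{sha256.Sum256([]byte("constructed attestation")), agentPub, now.Add(time.Hour), nil}
	b.GatewaySig = ed25519.Sign(gwPriv, b.signedBytes())
	valid, expired = VerifyBinding(gwPub, b, now), VerifyBinding(gwPub, b, now.Add(2*time.Hour))
	b.Expiry = now.Add(24 * time.Hour)
	return valid, expired, VerifyBinding(gwPub, b, now)
}

func main() { fmt.Println(demo()) }
```

Because the expiry sits inside the signed bytes, extending a binding's lifetime after issuance fails verification instead of silently succeeding.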
Every agent request passes through decision layers before reaching your production systems.
| Capability | Description |
|---|---|
| Ed25519 Identity | Every agent gets a keypair on registration. Requests are signed, verified, and non-repudiable. No shared API keys. |
| PTV Attestation | Prove-Transform-Verify protocol binds Ed25519 identity to hardware (TPM/Secure Enclave). Cryptographic proof of platform integrity. |
| 3-Tier Policy Engine | Embedded OPA (fast, in-process) -- external OPA server (centralized) -- local Go fallback (always works). Never blocked on policy. |
| HITL + Escalation | Human-in-the-loop approvals with multi-layer escalation. Slack buttons, PagerDuty alerts, webhooks, APNs/FCM push. 5-min auto-escalation. |
| Trust Scoring | Dynamic trust scores adapt in real-time. Good behavior earns trust (+0.01). Policy violations degrade it (-0.05). Low-trust agents get contained. |
| Non-Repudiable Audit | Every action logged with Ed25519 signature. SHA-256 chain integrity. VerifyIntegrity() proves logs weren't tampered with. |
| Delegation | Agents delegate scoped authority to sub-agents. Max depth 3. Time-limited. Revocable. Every link in the chain is tracked. |
| mTLS + SPIRE | Three gateway modes: plaintext (dev), TLS (staging), mTLS (production). SPIRE/SPIFFE workload identity with local dev fallback. |
| Behavioral Anomalies | pgvector 1536-dim behavioral embeddings. Cosine similarity detects anomalous agents. Trust events feed the model. |
| LLM Integration | HITL summaries (OpenAI/Anthropic), audit narratives, natural-language-to-Rego policy translation. Graceful fallback when no API key. |
| Budget & Rate Limits | Per-agent spend tracking. OPA checks budget before authorization. Rate limiting per agent per resource. |
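The "Non-Repudiable Audit" row combines two mechanisms: a SHA-256 chain that links entries and an Ed25519 signature on each entry. The following added example shows how the two work together; it is not the project's `VerifyIntegrity()` implementation, and the `Entry` layout, field encoding and function names are assumptions, with constructed sample entries.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is a hypothetical audit record: hash-linked to its predecessor and signed.
type Entry struct {
	AgentID, Action string
	PrevHash, Hash  [32]byte
	Sig             []byte
}
// entryHash binds an entry's fields to the previous hash (fields are length-prefixed).
func entryHash(prev [32]byte, agentID, action string) [32]byte {
	return sha256.Sum256(fmt.Appendf(prev[:], "%d:%s|%d:%s", len(agentID), agentID, len(action), action))
}
// Append links and signs a new entry; the first entry keeps an all-zero PrevHash.
func Append(log []Entry, key ed25519.PrivateKey, agentID, action string) []Entry {
	e := Entry{AgentID: agentID, Action: action}
	if n := len(log); n > 0 {
		e.PrevHash = log[n-1].Hash
	}
	e.Hash = entryHash(e.PrevHash, agentID, action)
	e.Sig = ed25519.Sign(key, e.Hash[:])
	return append(log, e)
}

// VerifyChain returns the index of the first entry that fails, or -1 if all pass.
func VerifyChain(log []Entry, pub ed25519.PublicKey) int {
	var prev [32]byte
	for i, e := range log {
		linked := e.PrevHash == prev && e.Hash == entryHash(prev, e.AgentID, e.Action)
		if !linked || !ed25519.Verify(pub, e.Hash[:], e.Sig) {
			return i
		}
		prev = e.Hash
	}
	return -1
}

// demo verifies a constructed three-entry log, then again after editing entry 1.
func demo() (intact, afterEdit int) {
	pub, priv, _ := ed25519.GenerateKey(nil)
	log := Append(nil, priv, "hermes-ops", "log_search")
	log = Append(Append(log, priv, "hermes-ops", "k8s_scale"), priv, "hermes-ops", "k8s_deploy")
	intact = VerifyChain(log, pub)
	log[1].Action = "log_search"
	return intact, VerifyChain(log, pub)
}
func main() { fmt.Println(demo()) }
```

A chain of this shape detects edits and deletions in the middle of the log, but not removal of the newest entries, so the latest hash has to be recorded somewhere outside the log itself.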
Four layers decide every agent action in milliseconds:
| # | Layer | Applies to | Result |
|---|---|---|---|
| 1 | AUTO-DENY -- Hard blocks, no override | Bank transfers over $5,000. Trust below 0.1. Budget exceeded. Instantly denied. Trust -= 0.05 | [DENY] |
| 2 | AUTO-ALLOW -- Low-risk, no human needed | Trust > 0.8 + low-risk resource. Read-only operations. Scaling within limits. Trust += 0.01 | [ALLOW] |
| 3 | HUMAN-IN-THE-LOOP -- Needs human judgment | Production deployments. Bank transfers $100-$500. Restricted data with trust < 0.8. Pending until human approves. | [HITL] |
| 4 | ESCALATION -- Needs multiple approvals | Bank transfers over $1,000. Database schema changes. Requires 2+ separate sign-offs. | [ESCALATE] |
Never blocked on policy. Three fallback layers ensure authorization always returns an answer.
| Tier | How | Latency | When Used |
|---|---|---|---|
| 1. Embedded OPA | Rego policies compiled and evaluated in-process via OPA Go SDK | <1ms | Default. Always available. No external dependency. |
| 2. External OPA | HTTP query to standalone OPA server at OPA_ENDPOINT | ~5ms | Centralized policy management. Hot-reload without gateway restart. |
| 3. Local Fallback | Hardcoded Go rules: trust thresholds, tool allowlists, budget limits | <0.1ms | Everything else fails. Last line of defense. Always works. |
Policy decisions return four fields: allow, requires_hitl, reason, trust_delta. The gateway updates the agent's trust score based on trust_delta after every call.
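The four decision fields and the trust feedback loop can be seen together in a small version of the local fallback tier. This is an added example, not the gateway's code: the `Request` shape, integer trust in hundredths, and treating a tool outside `allowed_tools` as a policy denial are assumptions; the deltas come from the trust table on this page.

```go
package main

import "fmt"

// Decision carries the four fields named above. TrustDelta is in hundredths
// (+1 means +0.01); integer trust is an assumption made to avoid float drift.
type Decision struct {
	Allow, RequiresHITL bool
	Reason              string
	TrustDelta          int
}
// Request is a hypothetical input to the local fallback tier.
type Request struct {
	Trust            int // 0..100 for 0.00..1.00
	Tool             string
	AllowedTools     []string
	CostUSD, LeftUSD float64
	LowRisk          bool
}

// Decide evaluates deny rules first so that no allow rule can override a hard block.
func Decide(r Request) Decision {
	listed := false
	for _, t := range r.AllowedTools {
		listed = listed || t == r.Tool
	}
	switch {
	case r.Trust < 10:
		return Decision{Reason: "trust below 0.1", TrustDelta: -5}
	case !listed:
		return Decision{Reason: "tool not in allowed_tools", TrustDelta: -5}
	case r.CostUSD > r.LeftUSD:
		return Decision{Reason: "budget exceeded", TrustDelta: -10}
	case r.Trust > 80 && r.LowRisk:
		return Decision{Allow: true, Reason: "high trust, low risk", TrustDelta: 1}
	}
	return Decision{RequiresHITL: true, Reason: "needs human approval"}
}

// DenialsUntilHITL counts policy denials before a low-risk call loses auto-allow.
func DenialsUntilHITL(trust int) int {
	tools := []string{"log_search"}
	for n := 0; ; n++ {
		if !Decide(Request{Trust: trust, Tool: "log_search", AllowedTools: tools, LowRisk: true}).Allow {
			return n
		}
		trust += Decide(Request{Trust: trust, Tool: "k8s_deploy", AllowedTools: tools}).TrustDelta
	}
}
func main() { fmt.Println(DenialsUntilHITL(100)) }
```

Starting from 1.0, four denials bring an agent to exactly 0.8, which no longer satisfies "trust > 0.8", so even its low-risk calls start going to a human.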
When policy is uncertain, humans decide. And they get notified everywhere.
Request enters HITL:
1. Write to hitl_approvals table (persistent, won't disappear)
2. Notify primary approver (Slack DM / push notification / webhook)
3. Start expiry timer (default: 30 minutes)
4. Start escalation timer (5 min -> secondary -> 15 min -> team channel)
Minute 0: Notify primary approver
Minute 5: No response? Escalate to secondary approver
Minute 15: No response? Escalate to team channel (anyone can approve)
Minute 30: No response? EXPIRED (never auto-approve)
Trust -= 0.01 for expired approval
For Layer 4 (escalation):
Requires 2 separate approvals (e.g., VP Engineering + CTO)
First approval: marks 1/2 approved, still pending
Second approval: marks 2/2 approved, request executes
| Backend | How | Interactive? |
|---|---|---|
| Slack | Webhook with interactive Approve/Deny buttons | Yes |
| PagerDuty | Events API v2 payload with severity and links | Links only |
| Webhook | Generic JSON POST with X-EyeVesa-Event header | Custom |
| APNs | Push notification to iOS devices (JWT auth) | Tap to approve |
| FCM | Push notification to Android devices | Tap to approve |
Trust is earned, not given. Agents start at 1.0 and adapt based on behavior.
| Outcome | Trust Change | Effect |
|---|---|---|
| Successful call | +0.01 | Gradually earns more autonomy |
| Policy denied | -0.05 | Restricted until recovered |
| Budget exceeded | -0.10 | Severe restriction |
| Never-event violation | BLOCKED | Auto-deny, no override |
Trust Thresholds:
Where autonomous agents meet real consequences.
- Agent reads logs: [AUTO-ALLOW]
- Scales up service: [AUTO-ALLOW]
- Deploys hotfix: [HITL] -- 1 human tap

4 minutes total. Full audit trail. No 3am pages.

- $50 transfer: [AUTO-ALLOW]
- $300 transfer: [HITL] -- manager approves
- $6,000 transfer: [AUTO-DENY]

Hard limits enforced. Cryptographic audit for compliance.

- Query public data: [AUTO-ALLOW]
- Access patient records: [HITL]
- Bulk data export: [AUTO-DENY]

HIPAA compliant. PHI access audit with proofs.
Dual-protocol gateway: Rust core proxies to Go control plane for auth, registration, and crypto.
```
+---------------------------------------------------------+
|                       ENTERPRISE                        |
|                                                         |
|  +-------------+  +-------------+  +---------------+    |
|  | K8s Adapter |  | DB Adapter  |  | Slack Adapter |    |
|  | (Go :8443)  |  | (Go :8443)  |  | (Go :8443)    |    |
|  +------+------+  +------+------+  +-------+-------+    |
|         |                |                 |            |
|         +----------------+-----------------+            |
|                          |                              |
|                          v                              |
|               +----------------------+                  |
|               |   eyeVesa Gateway    |                  |
|               |                      |                  |
|               |  +----------------+  |                  |
|               |  | Gateway Core   |  |                  |
|               |  | (Rust :9443)   |  |                  |
|               |  | mTLS, proxy,   |  |                  |
|               |  | crypto, MCP    |  |                  |
|               |  +----------------+  |                  |
|               |                      |                  |
|               |  +----------------+  |                  |
|               |  | Control Plane  |  |                  |
|               |  | (Go :8080)     |  |                  |
|               |  | REST, gRPC,    |  |                  |
|               |  | HITL, audit    |  |                  |
|               |  +--------+-------+  |                  |
|               +-----------+----------+                  |
|                           |                             |
|             +-------------+-------------+               |
|             |             |             |               |
|             v             v             v               |
|        +----------+  +---------+   +---------+          |
|        |PostgreSQL|  |  SPIRE  |   |   OPA   |          |
|        |+pgvector |  |Identity |   | Policy  |          |
|        |  :5432   |  |:8081/90 |   |  :8181  |          |
|        +----------+  +---------+   +---------+          |
|                                                         |
|  +---------------------------------------------------+  |
|  |                 Agent SDK (Rust)                  |  |
|  | connect() -> discover() -> invoke() -> delegate() |  |
|  +---------------------------------------------------+  |
+---------------------------------------------------------+
```
From agent action to audit log in 12 steps:
1. Agent registers -> POST /v1/agents/register -> PostgreSQL
2. Resource registers -> POST /v1/resources/register -> PostgreSQL
3. Agent connects via SDK -> mTLS to Gateway Core (:9443)
4. Agent discovers tools -> GET /v1/agents/{id}
5. Agent invokes a tool -> Ed25519-signed MCP request
6. Gateway verifies signature
7. Gateway checks policy -> OPA evaluates Rego rules
8. If HITL required -> Write to hitl_approvals, notify human
9. If allowed -> Proxy MCP request to Resource Adapter
10. Result returns -> Agent gets response + trust score
11. Audit log written -> Ed25519-signed entry
12. Trust score updated -> +0.01 or -0.05
| Score | Role | Benefit |
|---|---|---|
| 95 | CISO / Security | Cryptographic identity, tamper-proof audit, trust degradation. Proof and control. |
| 90 | DevOps / SRE | Auto-handle 80% of ops. Only woken for HITL approvals. |
| 85 | Compliance / Legal | Signed audit trail. Defensible evidence for regulators. |
| 75 | Enterprise IT | One registry, one policy engine, one audit source. |
| 65 | Agent Developers | Standard SDK: connect() -> discover() -> invoke(). |
| 60 | Business Leaders | Fewer incidents, simplified compliance, reduced risk. |
Agents can delegate scoped authority to sub-agents. But not forever, and not without limits.
```
Hermes (level 0, trust: 0.92)
+-- Worker Agent (level 1, delegated by Hermes)
    scope: ["log_search"] only
    max_depth: 1 (cannot delegate further)
    expires: 1 hour
    +-- NOT ALLOWED -- delegation_policy prevents depth > 1
```
| Property | Value | Why |
|---|---|---|
| Max depth | 3 | Prevents unbounded delegation chains |
| Scope | Tool-level allowlist | Sub-agent can only use delegated tools |
| Expiry | Configurable (default: 1 hour) | No permanent sub-agent permissions |
| Revocation | DELETE /v1/delegations/{id} | Parent can revoke at any time |
| Chain tracking | parent_agent_id + child_agent_id | Full audit trail of who delegated to whom |
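The properties in this table interact: a sub-agent's request is only as good as every link between it and the agent that started the chain. The check below is an added example, not eyeVesa's implementation; the `Delegation` record, the child-keyed map and the rule that a tool must appear in every link's scope (so a child cannot widen what its parent held) are assumptions, and the chain is constructed.

```go
package main

import (
	"fmt"
	"slices"
	"time"
)

const MaxDepth = 3 // "Max depth" from the properties table
// Delegation is a hypothetical record for one parent -> child link.
type Delegation struct {
	Parent  string
	Scope   []string
	Expires time.Time
	Revoked bool
}

// Authorize walks from agent up to its root; every link on the way must be live
// and list tool. links is keyed by child agent ID; a root agent has no entry.
func Authorize(links map[string]Delegation, agent, tool string, now time.Time) error {
	for depth := 0; ; depth++ {
		d, delegated := links[agent]
		if !delegated {
			return nil // root: its own allowed_tools check happens elsewhere
		}
		switch {
		case depth >= MaxDepth:
			return fmt.Errorf("chain deeper than %d", MaxDepth)
		case d.Revoked || !now.Before(d.Expires):
			return fmt.Errorf("%s -> %s revoked or expired", d.Parent, agent)
		case !slices.Contains(d.Scope, tool):
			return fmt.Errorf("%s -> %s does not grant %q", d.Parent, agent, tool)
		}
		agent = d.Parent
	}
}

// demo uses a constructed chain hermes -> worker -> helper.
func demo() (granted, widened, revoked error) {
	now, exp := time.Now(), time.Now().Add(time.Hour)
	links := map[string]Delegation{
		"worker": {"hermes", []string{"log_search"}, exp, false},
		"helper": {"worker", []string{"log_search", "k8s_deploy"}, exp, false},
	}
	granted = Authorize(links, "helper", "log_search", now)
	widened = Authorize(links, "helper", "k8s_deploy", now) // worker never held it
	links["worker"] = Delegation{"hermes", []string{"log_search"}, exp, true}
	return granted, widened, Authorize(links, "helper", "log_search", now)
}
func main() { fmt.Println(demo()) }
```

Walking the whole chain on every request is what makes revocation of one link cut off every agent below it, and the depth bound also stops the walk if the records ever form a cycle.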
| Method | Path | Description |
|---|---|---|
| GET | /health | Health check |
| GET | /identity | SPIFFE identity info |
| POST | /v1/agents/register | Register a new AI agent |
| GET | /v1/agents | List all agents |
| GET | /v1/agents/{id} | Get agent by ID |
| POST | /v1/resources/register | Register an enterprise resource |
| GET | /v1/resources | List all resources |
| POST | /v1/authorize | Authorize an agent action (OPA) |
| POST | /v1/verify-signature | Verify Ed25519 signature |
| POST | /v1/delegate | Delegate scope to another agent |
| GET | /v1/delegations/{id} | Get delegation chain |
| DELETE | /v1/delegations/{id} | Revoke a delegation |
| POST | /v1/hitl/request | Request human approval |
| GET | /v1/hitl/pending | List pending approvals |
| POST | /v1/hitl/{id}/decide | Approve/reject with FaceID/password |
| POST | /v1/hitl/escalate | Escalated multi-approver HITL |
| POST | /v1/ptv/attest | PTV: Attest hardware identity |
| POST | /v1/ptv/bind | PTV: Transform attestation to binding |
| GET | /v1/ptv/verify/{id} | PTV: Verify identity binding |
| POST | /v1/behavior/{id}/embedding | Update behavioral embedding |
| GET | /v1/behavior/{id}/anomalies | Detect behavioral anomalies |
| POST | /v1/llm/hitl-summary/{id} | Generate HITL summary (LLM) |
| GET | /v1/budget/check | Check agent budget |
| POST | /v1/budget/spend | Record agent spend |
| POST | /v1/audit | Query audit trail |
| Method | Path | Description |
|---|---|---|
| GET | /health | Health check |
| POST | /v1/mcp | MCP JSON-RPC proxy |
| POST | /v1/register | Agent registration (proxied) |
| POST | /v1/auth | Authorization (proxied via gRPC) |
| * | /v1/ptv/* | PTV endpoints (proxied) |
| * | /v1/hitl/* | HITL endpoints (proxied) |
| * | /v1/agents/* | Agent management (proxied) |
| * | /v1/delegate* | Delegation (proxied) |
| * | /v1/audit* | Audit trail (proxied) |
| Mode | Description | Use When |
|---|---|---|
| plaintext | HTTP, no TLS | Local development |
| tls | Server TLS, no client cert | Staging |
| mtls | Mutual TLS with client cert | Production |
Hermes is a self-improving autonomous AI agent by Nous Research. It features 70+ built-in tools, MCP client/server support, persistent memory, and runs on 20+ messaging platforms. Here's how to connect it to eyeVesa for identity, authorization, and audit.
```bash
curl -fsSL https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh | bash
```

```bash
curl -X POST http://localhost:8080/v1/agents/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "hermes-ops",
    "owner": "org:devops",
    "capabilities": ["infrastructure_read", "infrastructure_write", "deployment"],
    "allowed_tools": ["k8s_deploy", "k8s_scale", "log_search", "incident_create"],
    "max_budget_usd": 500.0,
    "delegation_policy": "single_level",
    "behavioral_tags": ["production", "sre", "high_autonomy"]
  }'
```

```yaml
mcp_servers:
  agentid-gateway:
    url: "http://localhost:9443/v1/mcp"
    headers:
      X-Agent-ID: "YOUR-AGENT-ID"
    tools:
      include: [tools/list, tools/call, resources/list, prompts/list]
```

```bash
EYEVESA_AGENT_ID=your-agent-id-here
EYEVESA_AGENT_NAME=hermes-ops
EYEVESA_AGENT_OWNER=org:devops
EYEVESA_GATEWAY=https://gateway.yourcompany.com:9443
EYEVESA_KEY_PATH=/run/secrets/hermes.key
```
| Layer | System | What it Controls |
|---|---|---|
| Hermes approval | Hermes Agent | Should this shell command run? (local process safety) |
| eyeVesa authorization | eyeVesa Gateway | Should this agent identity access this enterprise resource? (remote access policy) |
User sends message to Hermes (Telegram/Discord/CLI)
|
+-- Hermes LLM reasons about the request
|
+-- Is it an enterprise resource? (via eyeVesa Gateway MCP)
|
+-- Gateway verifies Ed25519 identity
|
+-- Gateway evaluates OPA policy
| +-- AUTO-DENY (trust < 0.1, budget exceeded, never event)
| +-- AUTO-ALLOW (trust > 0.8, low-risk, tool in allowed_tools)
| +-- HITL (production deploy, bank transfer > $100)
|
+-- Gateway signs audit log entry
|
+-- Gateway returns result + trust delta to Hermes
The eyevesa CLI covers agent management, authorization, HITL, and audit from the terminal.
```bash
# Agent operations
eyevesa agent register --name hermes-ops --owner org:devops --capabilities "read,write" --tools "k8s_deploy,log_search"
eyevesa agent list
eyevesa agent get <agent-id>
eyevesa agent trust <agent-id>

# Authorization
eyevesa authorize --agent-id <id> --action read --resource-id <rid>

# HITL approvals
eyevesa hitl list
eyevesa hitl approve <approval-id>
eyevesa hitl deny <approval-id>

# Delegation
eyevesa delegate create --parent <id> --child <id> --scope "log_search" --max-depth 1
eyevesa delegate list <agent-id>
eyevesa delegate revoke <delegation-id>

# Audit
eyevesa audit --agent-id <id> --limit 50

# Resources
eyevesa resource register --name k8s-api --type mcp_server --endpoint https://k8s:8443
eyevesa resource list
eyevesa resource get <resource-id>

# MCP
eyevesa mcp initialize
eyevesa mcp tools-list
```
Get running in under 5 minutes.
```bash
docker-compose up -d
```

```bash
# Terminal 1: Gateway core (Rust proxy)
cd gateway/core && cargo run

# Terminal 2: Control plane (Go API)
cd gateway/control-plane && go run cmd/api/main.go
```

```bash
curl -X POST http://localhost:8080/v1/agents/register \
  -H "Content-Type: application/json" \
  -d '{"name":"hermes-ops","owner":"org:devops",
       "capabilities":["infrastructure_read","deployment"],
       "allowed_tools":["k8s_deploy","log_search"]}'
```

```bash
curl http://localhost:8080/health                         # Control plane
curl http://localhost:9443/health                         # Gateway core
curl http://localhost:8181/v1/data/agentid/authz/allow    # OPA
```
eyeVesa gives you cryptographic identity, real-time policy enforcement,
and non-repudiable audit trails -- so your agents can act autonomously
without putting production at risk.
© 2026 eyeVesa. Proprietary license.