Skip to content

Releases: MoltyCel/moltrust-api

MoltID v1.0.0 — Agent Identity & Governance

Choose a tag to compare

@MoltyCel MoltyCel released this 16 Apr 06:54

MoltID v1.0.0 — Agent Identity & Governance

Release date: April 15, 2026

MoltID is MolTrust's Agent Identity & Governance module. Three capabilities ship in this release: Agent Type Classification, Cascade Revocation, and a SPIFFE Bridge for enterprise Kubernetes environments.


What's New

Agent Type Classification

Classify agents by operational role with governance rules and trust modifiers per type.

4 agent classes:

  • orchestrator — coordinates other agents (+5 trust modifier)
  • autonomous — self-directed, no human loop (default)
  • human_initiated — triggered by human action
  • copilot — human-assisted, advisory role (-10 trust modifier)

Each class carries governance rules (min trust score, review frequency, audit requirement). Classification is exposed in the A2A Agent Card per DID.

New endpoints:

  • GET /identity/agent-type/{did} — read class + governance rules (public)
  • POST /identity/agent-type/{did} — set/update class (API key)
  • GET /identity/agent-types — list all types + rules (public)

DB: agent_class, agent_framework, agent_version, agent_class_updated_at columns added to agents table. All existing agents defaulted to autonomous.


Cascade Revocation

Revoke a compromised agent and its entire downstream delegation tree in a single API call.

Cascade mechanics:

  • DFS traversal of agent_delegations table
  • Max 8 hops, cycle detection via visited-set
  • Every revoked agent: trust score -> 0.0, grade -> "REVOKED", cache invalidated
  • CAEP event fired per revoked agent
  • Admin reinstatement via /identity/unrevoke/{did}

New endpoints:

  • POST /identity/revoke/{did} — revoke agent (API key + owner/admin)
  • POST /identity/revoke/{did}?cascade=true — cascade revoke delegation tree
  • POST /identity/unrevoke/{did} — reinstate revoked agent (admin only)
  • GET /identity/revocation-status/{did} — check status + downstream count (public)
  • GET /identity/delegations/{did} — view delegation tree (public)

DB: New agent_delegations table (parent_did, child_did, hop_depth, revoked_at). New nullable columns revoked_at, revocation_reason on agents.


SPIFFE Bridge

Lightweight mapping between SPIFFE URIs and MolTrust W3C DIDs. Enterprise Kubernetes stacks can bind existing workload identities to MolTrust trust infrastructure without migration.

New endpoints:

  • GET /identity/spiffe/{uri} — resolve SPIFFE URI -> DID + trust score + classification (public)
  • POST /identity/spiffe/bind — bind SPIFFE URI to existing DID (API key)
  • DELETE /identity/spiffe/bind/{uri} — remove binding (admin)
  • GET /identity/spiffe — list all bindings (API key)

DB: New spiffe_bindings table (spiffe_uri UNIQUE, did FK->agents, bound_by, created_at).

Full SPIFFE/SVID Workload API deferred to Q3 2026.


Infrastructure

  • New caep_events table — all classification changes and revocations logged
  • Trust score computation: agent_class_modifier added to Phase 2 formula
  • Trust cache invalidated on class change and revocation
  • All changes purely additive — no existing endpoints or queries modified
  • 43 existing agents migrated safely (all defaulted to autonomous)

SDK

@moltrust/sdk v1.1.0+ — AgentTrust.verify() now returns agent_class in response:

const trust = await AgentTrust.verify('did:moltrust:abc123');
// trust.agent_class -> "orchestrator"
// trust.trust_modifier -> 5
// trust.revoked -> false

Regulatory Alignment

MoltID implements all four requirements of the Singapore IMDA Model AI Governance Framework for Agentic AI (January 2026):

Requirement Implementation
Accountability Classified DID, anchored on Base L2
Transparency Agent class + trust score publicly queryable
Controllability Cascade revocation across full delegation tree
Human oversight human_initiated / copilot classes enforce review cadences

What's Next

  • Q3 2026: Full SPIFFE/SVID Workload API
  • Q3 2026: ACP (Agent Communication Protocol) alignment
  • Q3 2026: On-chain anchoring for classification events (ZeroID v2)

API docs: https://api.moltrust.ch/docs
Blog post: https://moltrust.ch/blog/moltid-agent-identity-governance.html
npm: @moltrust/sdk

v0.8.0 — Protocol-Agnostic Trust Layer (x402 + MPP)

Choose a tag to compare

@MoltyCel MoltyCel released this 10 Apr 08:33

What's New in v0.8.0

@moltrust/x402 v1.0.0 + @moltrust/mpp v1.0.3

Trust score middleware for AI agent payment endpoints.
Protocol-agnostic. One line of code.

npm install @moltrust/x402   # x402 — Coinbase/Cloudflare
npm install @moltrust/mpp    # MPP — Stripe/Tempo/Visa
const { requireScore } = require('@moltrust/x402'); // or @moltrust/mpp
app.use(requireScore({ minScore: 60 }));

Configurable fail behavior: fail-open (default) or fail-closed.
TypeScript definitions included. MIT license.

Protocol Whitepaper v0.8 + TechSpec v0.8 — Anchored on Base L2

New sections: Trust Score Specification, Security Model,
MPP Interoperability (8.4), Protocol-Agnostic Trust Layer (4.10).

  • TechSpec v0.8: Block 44507822
  • WP v0.8: Block 44507827

Links