Releases: MoltyCel/moltrust-api
Release list
MoltID v1.0.0 — Agent Identity & Governance
MoltID v1.0.0 — Agent Identity & Governance
Release date: April 15, 2026
MoltID is MolTrust's Agent Identity & Governance module. Three capabilities ship in this release: Agent Type Classification, Cascade Revocation, and a SPIFFE Bridge for enterprise Kubernetes environments.
What's New
Agent Type Classification
Classify agents by operational role with governance rules and trust modifiers per type.
4 agent classes:
orchestrator— coordinates other agents (+5 trust modifier)autonomous— self-directed, no human loop (default)human_initiated— triggered by human actioncopilot— human-assisted, advisory role (-10 trust modifier)
Each class carries governance rules (min trust score, review frequency, audit requirement). Classification is exposed in the A2A Agent Card per DID.
New endpoints:
GET /identity/agent-type/{did}— read class + governance rules (public)POST /identity/agent-type/{did}— set/update class (API key)GET /identity/agent-types— list all types + rules (public)
DB: agent_class, agent_framework, agent_version, agent_class_updated_at columns added to agents table. All existing agents defaulted to autonomous.
Cascade Revocation
Revoke a compromised agent and its entire downstream delegation tree in a single API call.
Cascade mechanics:
- DFS traversal of
agent_delegationstable - Max 8 hops, cycle detection via visited-set
- Every revoked agent: trust score ->
0.0, grade ->"REVOKED", cache invalidated - CAEP event fired per revoked agent
- Admin reinstatement via
/identity/unrevoke/{did}
New endpoints:
POST /identity/revoke/{did}— revoke agent (API key + owner/admin)POST /identity/revoke/{did}?cascade=true— cascade revoke delegation treePOST /identity/unrevoke/{did}— reinstate revoked agent (admin only)GET /identity/revocation-status/{did}— check status + downstream count (public)GET /identity/delegations/{did}— view delegation tree (public)
DB: New agent_delegations table (parent_did, child_did, hop_depth, revoked_at). New nullable columns revoked_at, revocation_reason on agents.
SPIFFE Bridge
Lightweight mapping between SPIFFE URIs and MolTrust W3C DIDs. Enterprise Kubernetes stacks can bind existing workload identities to MolTrust trust infrastructure without migration.
New endpoints:
GET /identity/spiffe/{uri}— resolve SPIFFE URI -> DID + trust score + classification (public)POST /identity/spiffe/bind— bind SPIFFE URI to existing DID (API key)DELETE /identity/spiffe/bind/{uri}— remove binding (admin)GET /identity/spiffe— list all bindings (API key)
DB: New spiffe_bindings table (spiffe_uri UNIQUE, did FK->agents, bound_by, created_at).
Full SPIFFE/SVID Workload API deferred to Q3 2026.
Infrastructure
- New
caep_eventstable — all classification changes and revocations logged - Trust score computation:
agent_class_modifieradded to Phase 2 formula - Trust cache invalidated on class change and revocation
- All changes purely additive — no existing endpoints or queries modified
- 43 existing agents migrated safely (all defaulted to
autonomous)
SDK
@moltrust/sdk v1.1.0+ — AgentTrust.verify() now returns agent_class in response:
const trust = await AgentTrust.verify('did:moltrust:abc123');
// trust.agent_class -> "orchestrator"
// trust.trust_modifier -> 5
// trust.revoked -> falseRegulatory Alignment
MoltID implements all four requirements of the Singapore IMDA Model AI Governance Framework for Agentic AI (January 2026):
| Requirement | Implementation |
|---|---|
| Accountability | Classified DID, anchored on Base L2 |
| Transparency | Agent class + trust score publicly queryable |
| Controllability | Cascade revocation across full delegation tree |
| Human oversight | human_initiated / copilot classes enforce review cadences |
What's Next
- Q3 2026: Full SPIFFE/SVID Workload API
- Q3 2026: ACP (Agent Communication Protocol) alignment
- Q3 2026: On-chain anchoring for classification events (ZeroID v2)
API docs: https://api.moltrust.ch/docs
Blog post: https://moltrust.ch/blog/moltid-agent-identity-governance.html
npm: @moltrust/sdk
v0.8.0 — Protocol-Agnostic Trust Layer (x402 + MPP)
What's New in v0.8.0
@moltrust/x402 v1.0.0 + @moltrust/mpp v1.0.3
Trust score middleware for AI agent payment endpoints.
Protocol-agnostic. One line of code.
npm install @moltrust/x402 # x402 — Coinbase/Cloudflare
npm install @moltrust/mpp # MPP — Stripe/Tempo/Visaconst { requireScore } = require('@moltrust/x402'); // or @moltrust/mpp
app.use(requireScore({ minScore: 60 }));Configurable fail behavior: fail-open (default) or fail-closed.
TypeScript definitions included. MIT license.
Protocol Whitepaper v0.8 + TechSpec v0.8 — Anchored on Base L2
New sections: Trust Score Specification, Security Model,
MPP Interoperability (8.4), Protocol-Agnostic Trust Layer (4.10).
- TechSpec v0.8: Block 44507822
- WP v0.8: Block 44507827