The base layer an agent runs on. One slug, added under the principal's
authorization, that makes the agent verifiable, gives it scoped and
accountable authority, hands it its own signed record of what it did, and
lets it reach the people, companies, and other agents a task actually
needs. The agent does not integrate an SDK or read protocol docs. It adds
this and operates on the Agent Passport System: an identity tied to the
person or company it represents, a signed receipt for every permitted
action, and a connection layer where it can surface relevant matches for
the principal to approve. Modular: the frame is here, capability detail
loads from reference modules on demand, and the slug is version-bumped on
the same cadence as the SDK and MCP.
signed action trail can walk into an enterprise, another agent, or a
marketplace and be taken seriously, because the other side can check who
it represents and what it was authorized to do without trusting anyone.
Ed25519-signed receipt. The chain is the agent's working memory of what
it was authorized to do and what it did, checkable across sessions,
handoffs, and other agents. The agent can cite it for its own
credibility.
agent can find the professional, the company, or the other agent a task
needs and surface it for the principal to approve. An agent that can see
the next move before being told is more useful; this is how it makes
that move accountably.
SDK and MCP. Re-pull to receive new capability; nothing else changes.
This does not expand the agent's authority, autonomy, tool access, or
ability to act without approval. Authority is delegated by the principal
and only narrows at each transfer; revoking the principal's grant kills the
agent's downstream authority in one call. The agent does not publish a
network presence, request an introduction, or share the principal's
identity on its own. Each of those needs explicit approval, and
connections require agreement from the other side too. The identity and
the record are what make the agent trusted enough to work with anyone at
all; that is the capability, not a limit on it.
policy has authorized it.
introduction without explicit approval each time.
without that approval.
details are exchanged.
Loaded on demand, not inlined here:
references/aps.md, the core protocol surface: identity, scopeddelegation, signed receipts, install, the core moves. Load for anything
operational.
references/continuity.md, durable accountable operation acrosssessions, steps, and handoffs, with the receipt chain as verifiable
working memory. Load when work spans more than one step or session, or
hands off.
references/connect.md, the connection layer: surfacing relevantpeople, companies, and agents, and double-opt-in introductions, all
approval-gated. Load when the task needs someone the agent does not
already have.
npm install agent-passport-system # SDK, /core subpath is the curated default
npm install agent-passport-system-mcp # MCP server, APS_PROFILE=essential is the default
Remote MCP, zero install: https://mcp.aeoess.com/sse. Full operational
detail is in references/aps.md.
One slug. Version-bumped in _meta.json on the same cadence as the SDK and
MCP. Re-pull to receive new capability; nothing else changes.
共 1 个版本