Forem: PiQrypt The latest articles on Forem by PiQrypt (@piqrypt). https://forem.com/piqrypt https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3859079%2F8529742b-cc95-4f17-a266-afbc666d57dc.jpeg Forem: PiQrypt https://forem.com/piqrypt en # Your AI Agents Are Talking — But Can You Prove What They Said? PiQrypt Thu, 09 Apr 2026 12:41:56 +0000 https://forem.com/piqrypt/-your-ai-agents-are-talking-but-can-you-prove-what-they-said-5a1f https://forem.com/piqrypt/-your-ai-agents-are-talking-but-can-you-prove-what-they-said-5a1f <h1> Your AI Agents Are Talking — But Can You Prove What They Said? </h1> <p>AI agents are no longer “helpers.”</p> <p>They move money, make decisions, and talk to each other.<br><br> If you have at least two agents, you’re already in a <strong>multi‑agent system</strong> — whether you planned for it or not.</p> <p>PiQrypt is an <strong>open‑source trust layer</strong> that ensures every interaction between your agents is <strong>cryptographically verifiable</strong>.<br><br> Even if your agents change, your LLMs evolve, or your infrastructure migrates — PiQrypt stays as the <strong>immutable proof layer</strong> on top.</p> <h2> The gap nobody talks about </h2> <p>Modern AI stacks are incredibly powerful:</p> <ul> <li> <strong>LLMs</strong>: OpenAI, Anthropic, Mistral, DeepSeek, local models. </li> <li> <strong>Agent frameworks</strong>: LangChain, CrewAI, AutoGen, custom agents. </li> <li> <strong>Observability tools</strong>: logs, traces, dashboards.</li> </ul> <p>They all share a blind spot:</p> <blockquote> <p>“They can show you what happened — but they can’t prove it.”</p> </blockquote> <p>Logs can be modified.<br><br> Traces aren’t cryptographic.<br><br> And when agents interact, there’s no <strong>shared, verifiable record</strong> of that interaction.</p> <p>When something goes wrong:</p> <ul> <li>Which agent made the decision? </li> <li>In what order? </li> <li>Based on which interaction? </li> <li>Can you prove it to someone outside your system?</li> </ul> <p>Most systems today can’t.</p> <h2> Agents don’t just need to connect — they need to agree </h2> <p>When two agents interact, there are actually two problems:</p> <ol> <li> <strong>How do they communicate?</strong> </li> <li><strong>How do they prove they communicated?</strong></li> </ol> <p>Today’s A2A‑style protocols (Agent2Agent, AI‑to‑agent handshakes, and custom flows) mainly solve the first.<br><br> PiQrypt solves the second — <strong>with cryptographic proof around agent‑to‑agent interactions</strong>.</p> <blockquote> <p>“Agents need a handshake — not just a connection.”</p> </blockquote> <h2> Enter PiQrypt: co‑signed interactions with cryptographic memory </h2> <p>PiQrypt is an <strong>open‑source trust layer</strong> that sits between your agents and your memory / logs. It’s <strong>LLM‑agnostic, framework‑agnostic, and infrastructure‑agnostic</strong>:</p> <ul> <li>Works with any LLM (OpenAI, Anthropic, Mistral, DeepSeek, local). </li> <li>Integrates with any framework (LangChain, CrewAI, AutoGen, or your own). </li> <li>Independent of your storage, logs, MLflow, or cloud provider.</li> </ul> <p>Every interaction becomes:</p> <ul> <li> <strong>Co‑signed</strong> by the participating agents, </li> <li> <strong>Anchored</strong> in a hash‑chained audit trail, </li> <li>Part of a <strong>verifiable, multi‑agent session</strong>.</li> </ul> <p>This is powered by <strong>AISS</strong> (Agent Identity and Signature Standard) and built on top of <strong>PCP</strong> (Proof of Continuity Protocol) — an open protocol specification for agent‑to‑agent collaboration, with PiQrypt as the reference implementation.</p> <h2> How the A2A handshake works conceptually </h2> <p>PiQrypt’s A2A handshake is a <strong>short, peer‑to‑peer protocol</strong> used to:</p> <ul> <li> <strong>Discover</strong> other agents (via registry or direct), </li> <li> <strong>Authenticate</strong> both agents, </li> <li> <strong>Collaborate</strong> with cryptographic proof, </li> <li> <strong>Audit</strong> all interactions, stored in both agents’ audit trails.</li> </ul> <p>Here’s how it looks at the protocol level:</p> <ol> <li>Each agent generates an Ed25519 keypair. </li> <li>Agents exchange public keys (via your agent bus, API, WebSocket, or A2A‑style transport). </li> <li>Every agent pair performs a <strong>co‑signed handshake</strong>: <ul> <li>Both sign the fact that “Agent X and Agent Y have agreed to talk.” </li> <li>The handshake is appended to each agent’s hash‑chained memory. </li> </ul> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aiss.a2a</span> <span class="kn">import</span> <span class="n">initiate_handshake</span><span class="p">,</span> <span class="n">accept_handshake</span><span class="p">,</span> <span class="n">verify_handshake</span> <span class="kn">from</span> <span class="n">aiss.crypto</span> <span class="kn">import</span> <span class="n">ed25519</span> <span class="kn">from</span> <span class="n">aiss.identity</span> <span class="kn">import</span> <span class="n">derive_agent_id</span> <span class="c1"># Agent A </span><span class="n">priv_a</span><span class="p">,</span> <span class="n">pub_a</span> <span class="o">=</span> <span class="n">ed25519</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">agent_a</span> <span class="o">=</span> <span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">pub_a</span><span class="p">)</span> <span class="c1"># Agent B </span><span class="n">priv_b</span><span class="p">,</span> <span class="n">pub_b</span> <span class="o">=</span> <span class="n">ed25519</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">agent_b</span> <span class="o">=</span> <span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">pub_b</span><span class="p">)</span> <span class="c1"># 1. Agent A initiates handshake </span><span class="n">handshake</span> <span class="o">=</span> <span class="nf">initiate_handshake</span><span class="p">(</span> <span class="n">priv_a</span><span class="p">,</span> <span class="n">agent_a</span><span class="p">,</span> <span class="n">agent_b</span><span class="p">,</span> <span class="n">payload</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">intent</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">data_sharing</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">scope</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">market_analysis</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">terms</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">50/50 split</span><span class="sh">"</span> <span class="p">},</span> <span class="n">expires_in</span><span class="o">=</span><span class="mi">3600</span> <span class="c1"># 1h timeout, anti‑replay </span><span class="p">)</span> <span class="c1"># 2. Send to Agent B # ... </span> <span class="c1"># 3. Agent B accepts </span><span class="n">response</span> <span class="o">=</span> <span class="nf">accept_handshake</span><span class="p">(</span> <span class="n">priv_b</span><span class="p">,</span> <span class="n">agent_b</span><span class="p">,</span> <span class="n">handshake</span><span class="p">,</span> <span class="n">counter_payload</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">agreed</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">conditions</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Data encrypted in transit</span><span class="sh">"</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># 4. Verify (both agents) </span><span class="n">is_valid</span> <span class="o">=</span> <span class="nf">verify_handshake</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="p">{</span> <span class="n">agent_a</span><span class="p">:</span> <span class="n">pub_a</span><span class="p">,</span> <span class="n">agent_b</span><span class="p">:</span> <span class="n">pub_b</span> <span class="p">})</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Handshake valid: </span><span class="si">{</span><span class="n">is_valid</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Thanks to <code>piqrypt-session-multi-ai-agents</code>, this is packaged as an <strong>AgentSession</strong> that creates a shared session across all agents before a single action is taken.</p> <h2> From handshake to verifiable sessions </h2> <p>Here’s a minimal example with three agents: planner (LangChain), executor (AutoGen), and reviewer (CrewAI). All frameworks, one session.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">piqrypt.session</span> <span class="kn">import</span> <span class="n">AgentSession</span> <span class="kn">import</span> <span class="n">piqrypt</span> <span class="k">as</span> <span class="n">aiss</span> <span class="c1"># Generate keypairs </span><span class="n">planner_key</span><span class="p">,</span> <span class="n">planner_pub</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">executor_key</span><span class="p">,</span> <span class="n">executor_pub</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">reviewer_key</span><span class="p">,</span> <span class="n">reviewer_pub</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="c1"># Define agents </span><span class="n">session</span> <span class="o">=</span> <span class="nc">AgentSession</span><span class="p">(</span><span class="n">agents</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">planner</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">planner_pub</span><span class="p">),</span> <span class="sh">"</span><span class="s">private_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">planner_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">public_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">planner_pub</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">executor</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">executor_pub</span><span class="p">),</span> <span class="sh">"</span><span class="s">private_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">executor_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">public_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">executor_pub</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">reviewer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">reviewer_pub</span><span class="p">),</span> <span class="sh">"</span><span class="s">private_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">reviewer_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">public_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">reviewer_pub</span><span class="p">},</span> <span class="p">])</span> <span class="c1"># 1. Start: all pairwise A2A handshakes are recorded </span><span class="n">session</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="c1"># 2. Stamp events in the session </span><span class="n">session</span><span class="p">.</span><span class="nf">stamp</span><span class="p">(</span><span class="sh">"</span><span class="s">planner</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">task_delegation</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">task</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">rebalance_portfolio</span><span class="sh">"</span><span class="p">},</span> <span class="n">peer</span><span class="o">=</span><span class="sh">"</span><span class="s">executor</span><span class="sh">"</span><span class="p">)</span> <span class="n">session</span><span class="p">.</span><span class="nf">stamp</span><span class="p">(</span><span class="sh">"</span><span class="s">executor</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">order_executed</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span> <span class="sh">"</span><span class="s">price</span><span class="sh">"</span><span class="p">:</span> <span class="mf">182.5</span><span class="p">,</span> <span class="sh">"</span><span class="s">quantity</span><span class="sh">"</span><span class="p">:</span> <span class="mi">100</span><span class="p">},</span> <span class="n">peer</span><span class="o">=</span><span class="sh">"</span><span class="s">reviewer</span><span class="sh">"</span><span class="p">)</span> <span class="n">session</span><span class="p">.</span><span class="nf">stamp</span><span class="p">(</span><span class="sh">"</span><span class="s">reviewer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">review_approved</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">approved</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">})</span> <span class="c1"># 3. Later: export and verify offline </span><span class="n">session</span><span class="p">.</span><span class="nf">export</span><span class="p">(</span><span class="sh">"</span><span class="s">trading‑session‑audit.json</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># That audit is: # - signed by each agent, # - co‑signed by every interaction, # - readable and verifiable without your production stack. </span></code></pre> </div> <p>From this moment on:</p> <ul> <li>Every <code>session.stamp(agent_name, event_type, payload, peer=...)</code> is <strong>signed by the acting agent</strong>. </li> <li>It’s <strong>anchored</strong> in the shared, hash‑chained session. </li> <li>It’s <strong>reflected</strong> in every agent’s memory, with a shared <code>interaction_hash</code>.</li> </ul> <blockquote> <p>“Same interaction. Two memories. One verifiable truth.”</p> </blockquote> <h2> Trust scores: how much you can rely on a session </h2> <p>PiQrypt doesn’t stop at proof. For every session, it computes:</p> <ul> <li> <strong>VRS (Vulnerability Risk Score)</strong>: a risk metric based on agent behavior, anomalies, and policy flags. </li> <li> <strong>Trust score</strong> (0–1): how “safe” the agent’s history and current session are. </li> <li> <strong>TrustGate decision</strong>: <code>ALLOW</code>, <code>REQUIRE_HUMAN</code>, or <code>BLOCK</code>, enforced at runtime with signed proof of every decision.</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">result</span> <span class="o">=</span> <span class="n">piqrypt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="n">signature</span><span class="o">=</span><span class="n">agent_event</span><span class="p">.</span><span class="n">signature</span><span class="p">,</span> <span class="n">chain</span><span class="o">=</span><span class="n">agent_event</span><span class="p">.</span><span class="n">chain</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pq1_planner_a3f8</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">portfolio_rebalance</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">trust_score: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">trust_score</span><span class="si">:</span><span class="p">.</span><span class="mi">4</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># → 0.9987 </span><span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">decision: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">decision</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># → ALLOW </span></code></pre> </div> <p>You can <strong>block risky actions, require human approval, or allow automatically</strong>, all based on verifiable data.</p> <h2> Stack‑agnostic by design </h2> <p>PiQrypt is built to be <strong>truly agnostic</strong>:</p> <ul> <li> <strong>LLMs</strong>: OpenAI, Anthropic, Mistral, DeepSeek, local models. </li> <li> <strong>Agent frameworks</strong>: LangChain, CrewAI, AutoGen, or any custom stack. </li> <li> <strong>Cloud / infra</strong>: Independent of your storage, logs, MLflow, Application Insights, or LangSmith.</li> </ul> <blockquote> <p>“Your agents can change. Your infrastructure can change. Your trust layer should not.”</p> </blockquote> <p>PiQrypt’s A2A handshake and PCP‑backed audit trail work over <strong>any transport</strong> (API, message bus, A2A style, or custom protocol). The registry can be centralized, distributed, or even DHT‑based in the future.</p> <h2> Why this matters in production </h2> <p>If you’re building:</p> <ul> <li> <strong>Multi‑agent workflows</strong> (planner → executor → reviewer → auditor). </li> <li> <strong>Agents that communicate across boundaries</strong> (company ↔ partner, SaaS ↔ local). </li> <li> <strong>Compliance‑sensitive applications</strong> (finance, healthcare, legal, etc.).</li> </ul> <p>…then an A2A handshake with <strong>cryptographic trust scoring</strong> is no longer optional.</p> <p>With PiQrypt, you get:</p> <ul> <li> <strong>Cryptographic identity</strong> for every agent. </li> <li> <strong>Co‑signed, hash‑chained handshakes</strong> for every session. </li> <li> <strong>Session‑anchored events</strong> that are verifiable offline, across frameworks. </li> <li> <strong>Numeric trust scores</strong> integrated into your governance and policy layer.</li> </ul> <h2> Getting started </h2> <ol> <li>Install PiQrypt and the A2A‑ready session module: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> pip <span class="nb">install </span>piqrypt piqrypt-session-multi-ai-agents </code></pre> </div> <ol> <li>Follow the A2A‑focused guides:</li> </ol> <ul> <li> <code>docs/A2A_HANDSHAKE_GUIDE.md</code> </li> <li> <code>docs/A2A_SESSION_GUIDE.md</code> </li> <li> <code>QUICK-START.md</code> (A2A handshake section).</li> </ul> <ol> <li>Run the 3‑agent demo (<code>planner</code> → <code>executor</code> → <code>reviewer</code>) and experiment with <code>verify()</code> + <code>trust_score</code> on your own event chains.</li> </ol> <h2> From observability to verifiability </h2> <p>We’ve spent years building <strong>observability</strong> for software systems.<br><br> Now, AI needs the same — but stronger:</p> <blockquote> <p>“Not just visibility.<br><br> Proof.”</p> </blockquote> <p>Your agents already talk.<br><br> The real question is:</p> <blockquote> <p>“Can you prove what happened between them?”</p> </blockquote> <p>Right now, most systems can’t.</p> <p><strong>PiQrypt does.</strong></p> <p>PiQrypt is the A2A handshake your agents never knew they needed.<br><br> <strong>Nothing ever disappears, and nothing appears out of nowhere — only what’s cryptographically agreed upon.</strong></p> <p>You can check out the full reference implementation on [GitHub/PiQrypt]<br> <a href="https://github.com/PiQrypt/piqrypt" rel="noopener noreferrer">https://github.com/PiQrypt/piqrypt</a> and try your first A2A handshake today.</p> agents mcp security llm Why AI agents need cryptographic memory — and how to add it in one line PiQrypt Fri, 03 Apr 2026 09:29:21 +0000 https://forem.com/piqrypt/why-ai-agents-need-cryptographic-memory-and-how-to-add-it-in-one-line-4gae https://forem.com/piqrypt/why-ai-agents-need-cryptographic-memory-and-how-to-add-it-in-one-line-4gae <p>The problem nobody talks about<br> AI agents can act. They can call APIs, write files, execute code, make decisions.<br> But can they prove what they did?<br> Logs can be edited. Timestamps can be faked. Events can be reordered silently.<br> There's no equivalent of Git, TLS, or OAuth for agent behavior over time.<br> What cryptographic memory looks like<br> Every action becomes a signed, hash-chained event:</p> <p>Who acted — deterministic Ed25519 agent identity<br> What was decided — signed payload<br> When — tamper-evident sequence<br> Nothing missing — fork detection catches silent deletions</p> <p>Verifiable offline. No server. No central authority.<br> One line with LangChain<br> pythonfrom piqrypt_langchain import PiQryptCallbackHandler</p> <p>handler = PiQryptCallbackHandler(agent_name="my_agent")<br> llm = ChatOpenAI(model="gpt-4o", callbacks=[handler])</p> <h1> Every action is now signed &amp; hash-chained </h1> <p>handler.export_audit("audit.json")<br> The standard behind it<br> This is built on AISS — Agent Identity and Signature Standard — an open protocol.<br> The RFC is public. The spec is implementable by anyone.<br> TCP/IP secured communication. TLS secured it. OAuth made it delegable.<br> AISS is that primitive for autonomous agent trust.<br> Try it<br> bashpip install piqrypt[langchain]<br> 📦 PyPI : piqrypt<br> 🔗 LangChain Hub : hub.langchain.com/piqrypt/piqrypt-audited-agent<br> 📖 RFC : github.com/PiQrypt/piqrypt/blob/main/docs/RFC_AISS_v2.0_narrative.md<br> Happy to discuss the threat model, the crypto choices, or the RFC in the comments. 👇</p> ai security opensource langchain