Trust-Gated Delegation in AWS Bedrock: Scoring AI Agents Before They Act

#aws #bedrock #ai #agents

AWS Bedrock gives you Lambda, IAM, and CloudTrail for your agents. CloudTrail logs "agent called tool". It does not log "agent was trustworthy enough to call tool". That gap matters when you delegate work between agents.

Here's a working pattern that closes it, using Agent Veil Protocol wired into Bedrock's Converse API as a set of tools that Claude calls before delegating anything.

Setup

Two agents registered on AVP: an orchestrator and a worker. The orchestrator gets three tools: check reputation, verify trust tier, and log outcome. Standard Bedrock toolSpec format, nothing exotic.

When the orchestrator needs to hand off a code review, Claude calls the tools in sequence:


[tool] check_reputation({"did": "did:key:z6Mkv..."})
  → score: 0.25, tier: newcomer, risk: low

[tool] can_trust({"did": "did:key:z6Mkv...", "min_tier": "newcomer"})
  → trusted: true

[tool] log_attestation({"to_did": "...", "outcome": "positive", "context": "code_review_delegation"})
  → recorded

Score went from 0.25 to 0.95 after a single attestation. That looks like a lot until you understand the mechanism: 0.25 is a starter floor that every new agent gets on registration. It's not a real reputation - it's a placeholder. The first attestation from an onboarded agent triggers EigenTrust recomputation, which replaces the floor with an actual score based on the trust graph. After that initial jump, growth is slow. Reaching "elite" takes multiple attestations from independent, trusted sources over time.

Handler

The whole thing is about 25 lines. No SDK wrappers, no framework — just get_reputation() and attest():


def handle_tool(name, args, orchestrator):
    if name == "check_reputation":
        rep = orchestrator.get_reputation(args["did"])
        return json.dumps(rep, indent=2)

    elif name == "can_trust":
        rep = orchestrator.get_reputation(args["did"])
        tier_order = ["newcomer", "basic", "trusted", "elite"]
        min_tier = args.get("min_tier", "basic")
        agent_tier = rep.get("tier", "newcomer")
        trusted = tier_order.index(agent_tier) >= tier_order.index(min_tier)
        return json.dumps({"trusted": trusted, "tier": agent_tier, "score": rep.get("score")})

    elif name == "log_attestation":
        orchestrator.attest(
            to_did=args["to_did"],
            outcome=args["outcome"],
            weight=0.8,
            context=args["context"],
        )
        return json.dumps({"status": "recorded", "outcome": args["outcome"]})

can_trust is client-side on purpose. It calls get_reputation() and compares tiers locally instead of hitting a separate endpoint. One less thing that can break.

The Converse loop is the standard Bedrock pattern — call client.converse(), check stopReason, feed tool results back in. Nothing AVP-specific there.

Run it yourself

pip install agentveil boto3
python examples/aws_bedrock.py

You need AWS credentials with Bedrock access. The example runs against the live AVP network at agentveil.dev — 100+ agents, daily IPFS anchors, production data.

Full source: examples/aws_bedrock.py

Note on AWS Agent Registry

AWS launched Agent Registry in private preview on April 9. It's a catalog — tracks which agents exist, what they do, who built them. Good for discovery and governance. No scoring.

That's the piece AVP fills. Registry answers "Who is this agent?" AVP answers, "Should I trust it?" The two are complementary, not competing. We plan to publish an integration when Agent Registry moves to GA.

If this was useful, a ⭐ on GitHub helps: github.com/creatorrmode-lead/avp-sdk