DEV Community: arian gogani

What happens when AI agents have something to lose

arian gogani — Sun, 17 May 2026 23:10:17 +0000

Every person has a credit score. Every business has one. AI agents making real decisions -- executing trades, accessing data, managing infrastructure -- have nothing.

Full access on day one. No track record. No portable reputation. No consequences.

The result is predictable: Akeyless reports 2/3 of enterprises suspect their agents already accessed unauthorized data. 14-hour average detection time. EU AI Act Article 12 enforcement starts August 2026.

The problem isn't capability. It's accountability.

Standard logs are mutable. Dashboards are internal. No third party can independently verify that an agent stayed in scope. For regulated deployments, this is a blocker.

What we built

Nobulex produces bilateral Ed25519 cryptographic receipts for every agent action:

Pre-execution: agent signs what it's authorized to do
Agent executes
Post-execution: counterparty co-signs what actually happened
Hash-chained so if any entry is modified, the chain breaks

A third party can verify the full chain without trusting the agent or the operator.

Trust Capital: the score that earns access

The receipts accumulate into Trust Capital -- a credit score for the agent. This isn't compliance. Trust Capital measures how much value an agent has provably created relative to the risk it represents.

High Trust Capital unlocks: higher transaction limits, regulated market access, lower insurance premiums, more autonomy. Agents that deviate get sandboxed. Not as punishment. As math.

The flywheel

More Trust Capital → more valuable work → more receipts → higher Trust Capital. Accountability becomes the most profitable strategy, not because anyone mandated it, but because the economics demand it.

Traction

Microsoft merged the receipt primitive into their Agent Governance Toolkit
10 independent implementations cross-validated byte-identical output
Discussions on OpenAI, Stripe, CrewAI, LlamaIndex, Google ADK, AutoGen repos
MIT licensed, open source

Repo: github.com/arian-gogani/nobulex

What am I missing? Would love feedback from the dev community.

I'm 15 and I built credit scores for AI agents

arian gogani — Wed, 13 May 2026 06:11:36 +0000

Here's something that's been bugging me.

AI agents are about to handle real money. Insurance claims. Mortgage applications. Customer refunds. Sierra just raised $950M because 40% of the Fortune 50 are already using agents for this stuff. And the Vercel supply chain breach in April happened because an AI agent had OAuth access with zero per-action verification.

But here's the thing. Every single one of these agents gets full access on day one. No track record. No history. No consequences if they screw up. Just... full permissions from the start.

Think about how insane that is. When you apply for a credit card, the bank checks your history. When you get car insurance, they look at your driving record. When you get hired, they call your references. But AI agents? They get the keys to the kingdom immediately.

So I built credit scores for AI agents.

How it works

The idea is called Trust Capital. Every agent starts restricted. It can read data but it can't approve transactions or sign contracts. As it performs reliably over time, it earns credit. That credit unlocks more capabilities. Bigger transaction limits. Lower insurance premiums. Enterprise approval. Better routing in agent marketplaces.

If the agent deviates from what it was authorized to do, it loses credit. Automatically. Before the damage spreads.

The same way credit scores turned lending from a "do I know this person" business into a scalable economic system, Trust Capital turns agent governance from a binary yes/no access model into one where reputation has real economic value.

Why the credit matters more than the security

Most tools in this space are guardrails. They block bad actions. That's important but it's a cost center. Nobody wants to pay for security. They pay for it because they have to.

Trust Capital is different because good credit saves real money. An agent with high Trust Capital gets lower insurance premiums (the same way a clean driving record gets you cheaper car insurance). It gets higher transaction limits. It gets approved for enterprise deployments faster. The credit itself has economic value.

That's why this isn't just another security tool. It's an economic primitive.

What's under the hood

Every agent action produces two cryptographic signatures. One before execution (binding what was authorized). One after (binding what actually happened). These get hash-chained together so the full history is tamper-evident.

Any third party can verify the chain without trusting the agent or its operator. The credit score decomposes into the exact behavioral history that produced it. It's not a black box.

Five independent implementations have cross-validated byte-identical output across TypeScript and Python. Microsoft merged the core primitive into their Agent Governance Toolkit. OpenLineage (Linux Foundation) accepted it into their ecosystem. The AAIF (founded by Anthropic, OpenAI, Google, Microsoft, AWS, and Block) has the project under staff review.

Try it

npm install @nobulex/core
npx tsx examples/trust-capital-demo.ts

The demo shows an agent earning credit through verified behavior. It starts restricted, performs a few clean actions, and you can watch its Trust Capital grow and unlock higher capability tiers.

GitHub: github.com/arian-gogani/nobulex
Website: nobulex.com
Blog post with the full explanation: What if AI agents had credit?

MIT licensed. Open source. If the idea clicks, star the repo and try the demo. If it doesn't, tell me why in the comments. I want to know what I'm missing.

Proof-of-Behavior: The Missing Trust Layer for AI Agents

arian gogani — Sun, 12 Apr 2026 19:00:57 +0000

AI agents are moving money, signing contracts, and managing infrastructure. MCP handles tool connections. A2A handles agent-to-agent messaging. But nobody handles the most important question: can you prove what the agent actually did?

Right now, compliance is self-reported. Logs are written by the same software being audited. That's like asking a defendant to write their own court transcript.

What Is Proof-of-Behavior?

Proof-of-behavior means every agent action is declared in advance, enforced at runtime, and proven cryptographically.

1. A constraint language — Define what an agent can and cannot do:

covenant SafeTrader {
  permit read;
  permit transfer (amount <= 500);
  forbid transfer (amount > 500);
  forbid delete;
}

Three keywords. No YAML. No JSON schemas. Just rules.

2. Runtime enforcement — Every action is evaluated before execution. Forbidden actions are blocked, not logged-and-reported:

const mw = new EnforcementMiddleware({ agentDid: agent.did, spec });

// $300 transfer — allowed
await mw.execute({ action: 'transfer', params: { amount: 300 } }, handler);

// $600 transfer — BLOCKED before execution
await mw.execute({ action: 'transfer', params: { amount: 600 } }, handler);
// handler never runs

3. Cryptographic proof — Every decision is logged in a SHA-256 hash chain. Tamper with one entry and the chain breaks:

const result = verify(spec, mw.getLog());
// { compliant: true, violations: [] }

Always decidable, always deterministic. No ML, no heuristics.

The Cross-Agent Handshake

Before two agents transact, they verify each other's proof-of-behavior:

import { generateProof, verifyCounterparty } from '@nobulex/sdk';

const proof = await generateProof({
  identity: agentA,
  covenant: spec,
  actionLog: middleware.getLog(),
});

const result = await verifyCounterparty(proof);

if (!result.trusted) {
  console.log('Refusing transaction:', result.reason);
  return;
}

await executeTransaction(proof.agentDid, amount);

No proof, no transaction. The moment one major framework adopts this handshake, every agent without proof-of-behavior gets locked out.

Try It Right Now

Interactive playground (no install): nobulex.com/playground

Define rules, test actions, watch the hash chain build — all in your browser.

Install the SDK:

npm install @nobulex/sdk

The Specification

The Proof-of-Behavior Specification v0.1.0 is published as an open standard under CC-BY-4.0. Anyone can implement it.

Nobulex is the reference implementation. MIT licensed, 4,244 tests, integrations on npm, PyPI, and MCP.

Why Now?

The EU AI Act mandates tamper-evident logging for high-risk AI systems starting August 2, 2026. $42M+ has been raised by adjacent startups. Microsoft released an agent governance toolkit. But none provide cryptographic proof that a third party can independently verify. They monitor and report. Proof-of-behavior enforces and proves.