DEV Community: PiQrypt The latest articles on DEV Community by PiQrypt (@piqrypt). https://dev.to/piqrypt https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3859079%2F8529742b-cc95-4f17-a266-afbc666d57dc.jpeg DEV Community: PiQrypt https://dev.to/piqrypt en Watch your CrewAI agents in real-time with PiQrypt Vigil PiQrypt Fri, 17 Apr 2026 06:18:44 +0000 https://dev.to/piqrypt/watch-your-crewai-agents-in-real-time-with-piqrypt-vigil-41ko https://dev.to/piqrypt/watch-your-crewai-agents-in-real-time-with-piqrypt-vigil-41ko <p>You've added cryptographic audit trails to your crew (<a href="https://dev.to/piqrypt/how-i-added-cryptographic-audit-trails-to-any-crewai-crew-in-3-lines-2n6m">part 1</a>) <br> and co-signed the handoffs between agents (<a href="https://dev.to/piqrypt/multi-agent-accountability-who-co-signs-the-handoff-between-your-crewai-agents-gi4">part 2</a>). </p> <p>You now have tamper-evident history. But that's retrospective — you find out <br> something went wrong after the fact, when you run <code>verify_chain()</code>.</p> <p>Vigil is the real-time layer. It watches your agents while they run and raises <br> alerts the moment behavioural anomalies appear in the chain.</p> <h2> What Vigil is </h2> <p>Vigil is a local HTTP dashboard that launches on <code>http://localhost:8421</code>. <br> No external dependency. No data leaves your machine. It reads the same <br> AISS event chains your agents are writing and computes a VRS <br> (Verifiable Risk Score) in real time.</p> <p>One command:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>piqrypt </code></pre> </div> <p>Vigil is included. To start it:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">vigil</span> <span class="kn">import</span> <span class="n">start_vigil</span> <span class="nf">start_vigil</span><span class="p">()</span> <span class="c1"># Dashboard running at http://localhost:8421 </span></code></pre> </div> <p>Or from the CLI:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>piqrypt vigil start </code></pre> </div> <h2> What VRS measures </h2> <p>VRS is a composite risk score — a number between 0 and 1, where 1 means <br> the chain is healthy and 0 means it's compromised. It's computed across <br> five cryptographic dimensions:</p> <ul> <li> <strong>Integrity</strong> — are all hashes in the chain consistent?</li> <li> <strong>Verified interactions</strong> — are A2A handoffs co-signed as expected?</li> <li> <strong>Diversity</strong> — is the event type distribution normal, or is the agent doing something anomalous?</li> <li> <strong>Finalization</strong> — are events being properly closed?</li> <li> <strong>Rotation health</strong> — if the agent rotated its key, is the PCP continuity intact?</li> </ul> <p>Critically: VRS is deterministic. No ML, no probabilistic scoring, no model <br> that could drift. Given the same chain, any third party running the same <br> verification gets the same score.</p> <h2> A full CrewAI setup with Vigil </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">crewai</span> <span class="kn">import</span> <span class="n">Crew</span><span class="p">,</span> <span class="n">Task</span> <span class="kn">from</span> <span class="n">piqrypt.bridges.crewai</span> <span class="kn">import</span> <span class="n">AuditedAgent</span> <span class="k">as</span> <span class="n">Agent</span> <span class="kn">from</span> <span class="n">vigil</span> <span class="kn">import</span> <span class="n">start_vigil</span> <span class="c1"># Start Vigil before the crew runs </span><span class="nf">start_vigil</span><span class="p">()</span> <span class="c1"># → http://localhost:8421 </span> <span class="n">researcher</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">Researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">goal</span><span class="o">=</span><span class="sh">"</span><span class="s">Find competitive pricing data</span><span class="sh">"</span><span class="p">,</span> <span class="n">backstory</span><span class="o">=</span><span class="sh">"</span><span class="s">Expert at finding and analyzing market data.</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_name</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher_01</span><span class="sh">"</span> <span class="p">)</span> <span class="n">writer</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">Writer</span><span class="sh">"</span><span class="p">,</span> <span class="n">goal</span><span class="o">=</span><span class="sh">"</span><span class="s">Produce a pricing analysis report</span><span class="sh">"</span><span class="p">,</span> <span class="n">backstory</span><span class="o">=</span><span class="sh">"</span><span class="s">Turns raw data into clear executive summaries.</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_name</span><span class="o">=</span><span class="sh">"</span><span class="s">writer_01</span><span class="sh">"</span> <span class="p">)</span> <span class="n">research_task</span> <span class="o">=</span> <span class="nc">Task</span><span class="p">(</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Research competitor pricing for product X</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">researcher</span> <span class="p">)</span> <span class="n">write_task</span> <span class="o">=</span> <span class="nc">Task</span><span class="p">(</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Write a pricing analysis based on the research</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">writer</span> <span class="p">)</span> <span class="n">crew</span> <span class="o">=</span> <span class="nc">Crew</span><span class="p">(</span> <span class="n">agents</span><span class="o">=</span><span class="p">[</span><span class="n">researcher</span><span class="p">,</span> <span class="n">writer</span><span class="p">],</span> <span class="n">tasks</span><span class="o">=</span><span class="p">[</span><span class="n">research_task</span><span class="p">,</span> <span class="n">write_task</span><span class="p">]</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">crew</span><span class="p">.</span><span class="nf">kickoff</span><span class="p">()</span> <span class="c1"># While the crew runs, Vigil shows VRS and chain health per agent in real time </span></code></pre> </div> <p>Open <code>http://localhost:8421</code>. You'll see a dashboard per agent — event count, <br> VRS, chain health, and a SOC-style timeline of events as they're stamped.</p> <h2> What a CRITICAL alert looks like </h2> <p>If <code>researcher_01</code>'s VRS drops below the critical threshold, Vigil raises an <br> alert:<br> [CRITICAL] researcher_01 — chain anomaly detected<br> VRS: 0.21 (threshold: 0.30)<br> Event #34: previous_hash mismatch<br> Affected events: 34 → end of chain</p> <p>This means: someone (or something) modified event 34 after it was written. <br> Every subsequent hash is now invalid. The chain is compromised from that <br> point forward.</p> <p>Vigil alerts. It never acts. The human decides what to do — that's the <br> design principle. Automated blocking without human decision is not in scope.</p> <h2> A real example: the PixelFlow agency </h2> <p>The PiQrypt repo includes a runnable demo with a digital content agency —<br> three CrewAI agents running on Claude Haiku, all monitored live in Vigil.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># From repo root</span> .<span class="se">\d</span>emos<span class="se">\s</span>tart_families.ps1 pixelflow <span class="c"># Opens Vigil automatically at http://localhost:8421</span> </code></pre> </div> <p>Three agents, three distinct behavioural profiles:</p> <ul> <li> <code>pixelflow_content</code> (Content Creator) — <code>watch</code> profile, TSI drift signal. Runs 3 content sessions per day. Vigil tracks the drift in event diversity over time.</li> <li> <code>pixelflow_seo</code> (SEO Analyst) — <code>safe</code> profile, A2C concentration signal. 88% of its interactions go to <code>pixelflow_content</code>. Vigil flags this concentration pattern.</li> <li> <code>pixelflow_scheduler</code> (Social Scheduler) — <code>alert</code> profile, temporal sync signal. Shares the same Claude Haiku backend as the other two — Vigil detects the timing correlation as a CRITICAL anomaly.</li> </ul> <p>All three interact with external peers: <code>anthropic_api</code>, <code>google_search_console</code>,<br> <code>instagram_api</code>, <code>twitter_api</code>, <code>analytics_ga4</code>. Every interaction is<br> hash-chained. Every A2A handoff between agents carries a co-signed<br> <code>interaction_hash</code> in both chains.</p> <p>The demo runs in loop mode, injecting events every 5 seconds. Vigil<br> recalculates VRS in real time. You can watch the <code>pixelflow_scheduler</code><br> trust score degrade as the temporal sync pattern accumulates — without<br> touching a single line of your crew definition.</p> <p>Full demo code: <a href="https://github.com/piqrypt/piqrypt/demos" rel="noopener noreferrer">github.com/piqrypt/piqrypt/demos</a></p> <h2> Checking chain integrity programmatically </h2> <p>You don't have to use the dashboard. You can verify a chain directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">piqrypt</span> <span class="k">as</span> <span class="n">aiss</span> <span class="kn">from</span> <span class="n">aiss.exceptions</span> <span class="kn">import</span> <span class="n">InvalidChainError</span> <span class="n">events</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">load_events</span><span class="p">(</span><span class="sh">"</span><span class="s">researcher_01</span><span class="sh">"</span><span class="p">)</span> <span class="k">try</span><span class="p">:</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">verify_chain</span><span class="p">(</span><span class="n">events</span><span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Chain intact — </span><span class="si">{</span><span class="nf">len</span><span class="p">(</span><span class="n">events</span><span class="p">)</span><span class="si">}</span><span class="s"> events verified</span><span class="sh">"</span><span class="p">)</span> <span class="k">except</span> <span class="n">InvalidChainError</span> <span class="k">as</span> <span class="n">e</span><span class="p">:</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Chain compromised: </span><span class="si">{</span><span class="n">e</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p><code>verify_chain()</code> is binary — it returns cleanly if the chain is intact,<br> or raises <code>InvalidChainError</code> the moment a broken link is found. No score,<br> no partial result. The failure message tells you which link broke and why.</p> <p>The VRS score with thresholds (CRITICAL below 0.30, healthy above 0.70)<br> is what Vigil computes continuously from the live chain and displays in<br> the dashboard. These are two different tools for two different moments:<br> <code>verify_chain()</code> is a point-in-time integrity check you call explicitly;<br> Vigil is the continuous watch that alerts you before you think to check.</p> <h2> Standard vs Pro </h2> <p>The Vigil included in <code>pip install piqrypt</code> (standard tier) gives you:</p> <ul> <li>Full dashboard UI</li> <li>VRS with 7-day history</li> <li>CRITICAL alerts</li> <li>Up to 2 bridge types monitored</li> <li>Chain health per agent</li> </ul> <p>Vigil Pro adds 90-day VRS history, all alert levels (WARNING, INFO, DEBUG), <br> unlimited bridge types, and TrustGate integration — the governance layer <br> that intercepts agent actions before execution and routes to a human when <br> policy requires it.</p> <p>For most development and staging use cases, the standard tier is enough.</p> <h2> The full picture </h2> <p>Three articles, one integration pattern:</p> <p><strong>Part 1</strong> — drop-in bridge, 3 lines, every agent action is now <br> Ed25519-signed and hash-chained.</p> <p><strong>Part 2</strong> — A2A co-signing, the handoffs between agents carry <br> cryptographic proof that neither side can deny.</p> <p><strong>Part 3</strong> — Vigil, real-time monitoring of chain health and behavioural <br> anomalies while the crew runs.</p> <p>Together: your CrewAI crew has tamper-evident history, non-repudiable <br> inter-agent accountability, and live anomaly detection. None of it requires <br> a server, an account, or sending data anywhere.</p> <p><strong>Part 1:</strong> <a href="https://dev.to/piqrypt/how-i-added-cryptographic-audit-trails-to-any-crewai-crew-in-3-lines-2n6m">How I added cryptographic audit trails to any CrewAI crew in 3 lines</a><br><br> <strong>Part 2:</strong> <a href="https://dev.to/piqrypt/multi-agent-accountability-who-co-signs-the-handoff-between-your-crewai-agents-gi4">Multi-agent accountability: who co-signs the handoff between your CrewAI agents?</a></p> <ul> <li>GitHub: <a href="https://github.com/piqrypt/piqrypt" rel="noopener noreferrer">github.com/piqrypt/piqrypt</a> </li> <li><code>pip install piqrypt</code></li> <li>Protocol spec (MIT): <a href="https://github.com/piqrypt/aiss-standard" rel="noopener noreferrer">github.com/piqrypt/aiss-standard</a> </li> </ul> crewai python ai monitoring Multi-agent accountability: who co-signs the handoff between your CrewAI agents? PiQrypt Wed, 15 Apr 2026 10:03:12 +0000 https://dev.to/piqrypt/multi-agent-accountability-who-co-signs-the-handoff-between-your-crewai-agents-gi4 https://dev.to/piqrypt/multi-agent-accountability-who-co-signs-the-handoff-between-your-crewai-agents-gi4 <p>In the <a href="https://dev.to/piqrypt/how-i-added-cryptographic-audit-trails-to-any-crewai-crew-in-3-lines-2n6m">previous article</a>, we added cryptographic audit trails <br> to individual CrewAI agents in 3 lines. Each agent now has its own hash-chained, <br> Ed25519-signed event history.</p> <p>But in a real crew, agents don't work in isolation. The Researcher produces <br> output. The Writer consumes it. The Reviewer validates it. These handoffs are <br> where the real accountability gap lives.</p> <p>Who cryptographically proves that the Researcher actually produced that specific <br> output, and that the Writer actually received it unmodified?</p> <h2> The gap that logs don't close </h2> <p>You can read your crew's logs and reconstruct what happened. But logs are <br> unilateral — they record what <em>one agent observed</em>. If you want to prove a <br> handoff to a third party (an auditor, a regulator, a client), you need <br> something both sides signed.</p> <p>In legal terms: you need non-repudiation. Neither party can deny the interaction <br> occurred, because both chains contain the same proof.</p> <h2> How PiQrypt's A2A protocol works </h2> <p>When two PiQrypt-equipped agents interact, the exchange produces an <br> <code>interaction_hash</code> — a deterministic identifier of the interaction payload, <br> present in <strong>both</strong> agents' chains. To falsify the exchange, you'd have to <br> modify both chains simultaneously and maintain hash consistency across both. <br> That's cryptographically intractable.</p> <p>The mechanism: a pairwise Ed25519 handshake — proposal from agent A, response <br> from agent B, co-signed event appended to both chains. Same <code>interaction_hash</code> <br> in both memories.</p> <h2> The code </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">crewai</span> <span class="kn">import</span> <span class="n">Crew</span><span class="p">,</span> <span class="n">Task</span> <span class="kn">from</span> <span class="n">piqrypt.bridges.crewai</span> <span class="kn">import</span> <span class="n">AuditedAgent</span> <span class="k">as</span> <span class="n">Agent</span> <span class="c1"># Each agent gets its own cryptographic identity </span><span class="n">researcher</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">Researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">goal</span><span class="o">=</span><span class="sh">"</span><span class="s">Find competitive pricing data</span><span class="sh">"</span><span class="p">,</span> <span class="n">backstory</span><span class="o">=</span><span class="sh">"</span><span class="s">Expert at finding and analyzing market data.</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_name</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher_01</span><span class="sh">"</span> <span class="p">)</span> <span class="n">writer</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">Writer</span><span class="sh">"</span><span class="p">,</span> <span class="n">goal</span><span class="o">=</span><span class="sh">"</span><span class="s">Produce a pricing analysis report</span><span class="sh">"</span><span class="p">,</span> <span class="n">backstory</span><span class="o">=</span><span class="sh">"</span><span class="s">Turns raw data into clear executive summaries.</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_name</span><span class="o">=</span><span class="sh">"</span><span class="s">writer_01</span><span class="sh">"</span> <span class="p">)</span> <span class="n">When</span> <span class="n">the</span> <span class="n">Researcher</span> <span class="n">passes</span> <span class="n">its</span> <span class="n">findings</span> <span class="n">to</span> <span class="n">the</span> <span class="n">Writer</span><span class="p">,</span> <span class="n">you</span> <span class="n">record</span> <span class="n">the</span> <span class="n">handoff</span> <span class="n">explicitly</span><span class="p">.</span> <span class="n">The</span> <span class="n">keys</span> <span class="n">are</span> <span class="n">the</span> <span class="n">ones</span> <span class="n">returned</span> <span class="n">when</span> <span class="n">the</span> <span class="n">identities</span> <span class="n">were</span> <span class="n">created</span> <span class="n">via</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="err">—</span> <span class="n">store</span> <span class="n">them</span> <span class="n">at</span> <span class="n">agent</span> <span class="n">init</span> <span class="n">time</span><span class="p">.</span> <span class="n">python</span> <span class="kn">from</span> <span class="n">aiss.a2a</span> <span class="kn">import</span> <span class="n">perform_handshake</span><span class="p">,</span> <span class="n">record_external_interaction</span> <span class="kn">import</span> <span class="n">hashlib</span> <span class="c1"># Establish cryptographic trust between the two agents (once per pair) </span><span class="n">handshake</span> <span class="o">=</span> <span class="nf">perform_handshake</span><span class="p">(</span> <span class="n">researcher_private_key</span><span class="p">,</span> <span class="n">researcher_public_key</span><span class="p">,</span> <span class="n">researcher_agent_id</span><span class="p">,</span> <span class="n">peer_agent_id</span><span class="o">=</span><span class="n">writer_agent_id</span><span class="p">,</span> <span class="n">peer_public_key</span><span class="o">=</span><span class="n">writer_public_key</span> <span class="p">)</span> <span class="c1"># Record the actual handoff </span><span class="n">payload_hash</span> <span class="o">=</span> <span class="n">hashlib</span><span class="p">.</span><span class="nf">sha256</span><span class="p">(</span><span class="n">findings_text</span><span class="p">.</span><span class="nf">encode</span><span class="p">()).</span><span class="nf">hexdigest</span><span class="p">()</span> <span class="nf">record_external_interaction</span><span class="p">(</span> <span class="n">researcher_private_key</span><span class="p">,</span> <span class="n">researcher_agent_id</span><span class="p">,</span> <span class="n">peer_id</span><span class="o">=</span><span class="n">writer_agent_id</span><span class="p">,</span> <span class="n">interaction_type</span><span class="o">=</span><span class="sh">"</span><span class="s">findings_handoff</span><span class="sh">"</span><span class="p">,</span> <span class="n">payload_hash</span><span class="o">=</span><span class="n">payload_hash</span> <span class="c1"># content is hashed, never stored raw </span><span class="p">)</span> <span class="n">The</span> <span class="n">payload_hash</span> <span class="ow">is</span> <span class="n">now</span> <span class="ow">in</span> <span class="n">both</span> <span class="n">chains</span><span class="p">.</span> <span class="n">Neither</span> <span class="n">agent</span> <span class="n">can</span> <span class="n">claim</span> <span class="n">the</span> <span class="n">interaction</span> <span class="n">didn</span><span class="sh">'</span><span class="s">t happen. Neither can claim a different payload was transmitted. What about agents outside your crew? If your pipeline calls an external agent that doesn</span><span class="sh">'</span><span class="n">t</span> <span class="n">have</span> <span class="n">PiQrypt</span><span class="p">,</span> <span class="n">you</span> <span class="n">still</span> <span class="n">record</span> <span class="n">your</span> <span class="n">side</span><span class="p">:</span> <span class="n">python</span> <span class="c1"># Peer without PiQrypt — unilateral proof, honestly recorded </span><span class="nf">record_external_interaction</span><span class="p">(</span> <span class="n">researcher_private_key</span><span class="p">,</span> <span class="n">researcher_agent_id</span><span class="p">,</span> <span class="n">peer_id</span><span class="o">=</span><span class="sh">"</span><span class="s">external_autogen_analyst</span><span class="sh">"</span><span class="p">,</span> <span class="n">interaction_type</span><span class="o">=</span><span class="sh">"</span><span class="s">result_transmitted</span><span class="sh">"</span><span class="p">,</span> <span class="n">payload_hash</span><span class="o">=</span><span class="n">payload_hash</span> <span class="p">)</span> <span class="c1"># Your chain proves you transmitted this payload at this timestamp. # The peer didn't co-sign — that fact is visible in the record. </span> <span class="n">Your</span> <span class="n">chain</span> <span class="n">records</span> <span class="n">the</span> <span class="n">interaction</span><span class="p">.</span> <span class="n">The</span> <span class="n">absence</span> <span class="n">of</span> <span class="n">a</span> <span class="n">co</span><span class="o">-</span><span class="n">signature</span> <span class="ow">is</span> <span class="n">structurally</span> <span class="n">visible</span> <span class="err">—</span> <span class="n">you</span> <span class="n">prove</span> <span class="n">your</span> <span class="n">side</span><span class="p">,</span> <span class="ow">and</span> <span class="nb">any</span> <span class="n">auditor</span> <span class="n">can</span> <span class="n">see</span> <span class="n">the</span> <span class="n">peer</span> <span class="n">didn</span><span class="sh">'</span><span class="s">t participate in the proof. Verifying the full picture python from aiss.exceptions import InvalidChainError researcher_events = aiss.load_events(</span><span class="sh">"</span><span class="s">researcher_01</span><span class="sh">"</span><span class="s">) writer_events = aiss.load_events(</span><span class="sh">"</span><span class="s">writer_01</span><span class="sh">"</span><span class="s">) try: aiss.verify_chain(researcher_events) print(</span><span class="sh">"</span><span class="s">researcher_01: chain intact</span><span class="sh">"</span><span class="s">) except InvalidChainError as e: print(f</span><span class="sh">"</span><span class="s">researcher_01: chain compromised — {e}</span><span class="sh">"</span><span class="s">) try: aiss.verify_chain(writer_events) print(</span><span class="sh">"</span><span class="s">writer_01: chain intact</span><span class="sh">"</span><span class="s">) except InvalidChainError as e: print(f</span><span class="sh">"</span><span class="s">writer_01: chain compromised — {e}</span><span class="sh">"</span><span class="s">) # The interaction_hash appears in both chains — cross-verifiable # without a server, without PiQrypt infrastructure. </span></code></pre> </div> <h2> vs LangSmith / CrewAI traces </h2> <p>CrewAI's built-in tracing and LangSmith both provide excellent observability <br> within their respective frameworks. The distinction isn't observability — <br> it's falsifiability.</p> <p>A trace tells you what happened. A co-signed chain proves it, offline, <br> to a third party who has no reason to trust you. The <code>interaction_hash</code> <br> is the same in both agents' memories. Change one side — the other breaks.<br> These are complementary tools, not competing ones.</p> <h2> Multi-agent sessions: N agents, N×(N-1)/2 handshakes </h2> <p>For larger crews, PiQrypt's <code>AgentSession</code> handles the pairwise handshakes <br> automatically:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">session</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nc">AgentSession</span><span class="p">(</span> <span class="n">agents</span><span class="o">=</span><span class="p">[</span> <span class="n">researcher_id</span><span class="p">[</span><span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">],</span> <span class="n">writer_id</span><span class="p">[</span><span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">],</span> <span class="n">reviewer_id</span><span class="p">[</span><span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">]</span> <span class="p">]</span> <span class="p">)</span> <span class="c1"># 3 agents → 3 pairwise handshakes established # Every cross-agent interaction is now co-signed </span></code></pre> </div> <p>This scales to cross-framework sessions — a CrewAI researcher, an AutoGen <br> analyst, an Ollama local model — all in the same session, all with <br> cryptographic proof of every handoff.</p> <h2> The principle </h2> <p>CrewAI handles orchestration — who calls what, in what order, with what tools. <br> PiQrypt handles proof — that it happened, exactly as described, and that <br> neither party can deny it.</p> <p>Both are necessary. Neither replaces the other.</p> <p><strong>Part 1:</strong> <a href="https://dev.to/piqrypt/how-i-added-cryptographic-audit-trails-to-any-crewai-crew-in-3-lines-2n6m">How I added cryptographic audit trails to any CrewAI crew in 3 lines</a><br><br> <strong>Part 3 (next):</strong> Watch your CrewAI agents in real-time with PiQrypt Vigil</p> <ul> <li>GitHub: <a href="https://github.com/piqrypt/piqrypt" rel="noopener noreferrer">github.com/piqrypt/piqrypt</a> </li> <li><code>pip install piqrypt</code></li> <li>Protocol spec (MIT): <a href="https://github.com/piqrypt/aiss-standard" rel="noopener noreferrer">github.com/piqrypt/aiss-standard</a> </li> <li><a href="https://github.com/PiQrypt/piqrypt/blob/main/docs/A2A_HANDSHAKE_GUIDE.md" rel="noopener noreferrer">https://github.com/PiQrypt/piqrypt/blob/main/docs/A2A_HANDSHAKE_GUIDE.md</a></li> <li><a href="https://github.com/PiQrypt/piqrypt/blob/main/docs/A2A_SESSION_GUIDE.md" rel="noopener noreferrer">https://github.com/PiQrypt/piqrypt/blob/main/docs/A2A_SESSION_GUIDE.md</a></li> </ul> crewai multiagents python security How I added cryptographic audit trails to any CrewAI crew in 3 lines PiQrypt Mon, 13 Apr 2026 17:31:16 +0000 https://dev.to/piqrypt/how-i-added-cryptographic-audit-trails-to-any-crewai-crew-in-3-lines-2n6m https://dev.to/piqrypt/how-i-added-cryptographic-audit-trails-to-any-crewai-crew-in-3-lines-2n6m <p>Your CrewAI crew is running in production. It researches, writes, reviews, decides. <br> It produces results. But if someone asks you <em>what exactly happened</em> — which agent <br> ran which step, in what order, and that nothing was altered after the fact — <br> you don't have a cryptographic answer. You have logs.</p> <p>Logs can be faked. A cryptographic chain cannot.</p> <h2> The problem with logs </h2> <p>When your crew produces a result, your logs record what happened. But they're <br> append-only text files — there's no structural guarantee that they haven't been <br> modified. There's no signature. There's no way to prove, to a third party, that <br> event B actually followed event A and that neither was tampered with.</p> <p>This doesn't matter much for a weekend project. It matters a lot once you're in <br> production, under an audit, or working in any regulated context (EU AI Act Art.12, <br> MiFID II, HIPAA).</p> <h2> The fix: 3 lines </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">pip</span> <span class="n">install</span> <span class="n">piqrypt</span> <span class="kn">from</span> <span class="n">piqrypt.bridges.crewai</span> <span class="kn">import</span> <span class="n">AuditedAgent</span> <span class="k">as</span> <span class="n">Agent</span> <span class="n">researcher</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">Researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">goal</span><span class="o">=</span><span class="sh">"</span><span class="s">Find competitive pricing data</span><span class="sh">"</span><span class="p">,</span> <span class="n">backstory</span><span class="o">=</span><span class="sh">"</span><span class="s">Expert at finding and analyzing market data.</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_name</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher_01</span><span class="sh">"</span> <span class="p">)</span> </code></pre> </div> <p>That's it. <code>AuditedAgent</code> is a drop-in replacement for CrewAI's <code>Agent</code>. <br> Your crew definition doesn't change. Your tasks don't change. <br> Your tools don't change.</p> <p>What changes: every action this agent takes is now an <strong>Ed25519-signed, <br> hash-chained event</strong> stored locally.</p> <h2> What that actually means </h2> <p>Each event contains a <code>previous_hash</code> pointing to the hash of the event before it. <br> The structure looks like this:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight json"><code><span class="p">{</span><span class="w"> </span><span class="nl">"version"</span><span class="p">:</span><span class="w"> </span><span class="s2">"AISS-1.0"</span><span class="p">,</span><span class="w"> </span><span class="nl">"agent_id"</span><span class="p">:</span><span class="w"> </span><span class="s2">"researcher_01_xK9mP..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"timestamp"</span><span class="p">:</span><span class="w"> </span><span class="mi">1744531200</span><span class="p">,</span><span class="w"> </span><span class="nl">"nonce"</span><span class="p">:</span><span class="w"> </span><span class="s2">"550e8400-e29b-41d4-a716-446655440001"</span><span class="p">,</span><span class="w"> </span><span class="nl">"payload"</span><span class="p">:</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="nl">"event_type"</span><span class="p">:</span><span class="w"> </span><span class="s2">"tool_call"</span><span class="p">,</span><span class="w"> </span><span class="nl">"tool"</span><span class="p">:</span><span class="w"> </span><span class="s2">"web_search"</span><span class="p">,</span><span class="w"> </span><span class="nl">"input"</span><span class="p">:</span><span class="w"> </span><span class="s2">"competitor pricing Q1 2026"</span><span class="w"> </span><span class="p">},</span><span class="w"> </span><span class="nl">"previous_hash"</span><span class="p">:</span><span class="w"> </span><span class="s2">"sha256:a3f7e8c9b1d5f2..."</span><span class="p">,</span><span class="w"> </span><span class="nl">"signature"</span><span class="p">:</span><span class="w"> </span><span class="s2">"base64:RXZlbnQ..."</span><span class="w"> </span><span class="p">}</span><span class="w"> </span></code></pre> </div> <p>If someone modifies any event after the fact — even a single byte — every <br> <code>previous_hash</code> downstream breaks. The tampering is detectable instantly, <br> offline, with no server needed.</p> <p>Verification:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">import</span> <span class="n">piqrypt</span> <span class="k">as</span> <span class="n">aiss</span> <span class="n">events</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">load_events</span><span class="p">(</span><span class="sh">"</span><span class="s">researcher_01</span><span class="sh">"</span><span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">verify_chain</span><span class="p">(</span><span class="n">events</span><span class="p">)</span> <span class="c1"># Chain verified — 47 events, 0 anomalies, trust_score: 0.97 </span></code></pre> </div> <h2> A full crew example </h2> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">crewai</span> <span class="kn">import</span> <span class="n">Crew</span><span class="p">,</span> <span class="n">Task</span> <span class="kn">from</span> <span class="n">piqrypt.bridges.crewai</span> <span class="kn">import</span> <span class="n">AuditedAgent</span> <span class="k">as</span> <span class="n">Agent</span> <span class="n">researcher</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">Researcher</span><span class="sh">"</span><span class="p">,</span> <span class="n">goal</span><span class="o">=</span><span class="sh">"</span><span class="s">Find competitive pricing data</span><span class="sh">"</span><span class="p">,</span> <span class="n">backstory</span><span class="o">=</span><span class="sh">"</span><span class="s">Expert at finding and analyzing market data.</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_name</span><span class="o">=</span><span class="sh">"</span><span class="s">researcher_01</span><span class="sh">"</span> <span class="p">)</span> <span class="n">writer</span> <span class="o">=</span> <span class="nc">Agent</span><span class="p">(</span> <span class="n">role</span><span class="o">=</span><span class="sh">"</span><span class="s">Writer</span><span class="sh">"</span><span class="p">,</span> <span class="n">goal</span><span class="o">=</span><span class="sh">"</span><span class="s">Produce a pricing analysis report</span><span class="sh">"</span><span class="p">,</span> <span class="n">backstory</span><span class="o">=</span><span class="sh">"</span><span class="s">Turns raw data into clear executive summaries.</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent_name</span><span class="o">=</span><span class="sh">"</span><span class="s">writer_01</span><span class="sh">"</span> <span class="p">)</span> <span class="n">research_task</span> <span class="o">=</span> <span class="nc">Task</span><span class="p">(</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Research competitor pricing for product X</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">researcher</span> <span class="p">)</span> <span class="n">write_task</span> <span class="o">=</span> <span class="nc">Task</span><span class="p">(</span> <span class="n">description</span><span class="o">=</span><span class="sh">"</span><span class="s">Write a pricing analysis based on the research</span><span class="sh">"</span><span class="p">,</span> <span class="n">agent</span><span class="o">=</span><span class="n">writer</span> <span class="p">)</span> <span class="n">crew</span> <span class="o">=</span> <span class="nc">Crew</span><span class="p">(</span> <span class="n">agents</span><span class="o">=</span><span class="p">[</span><span class="n">researcher</span><span class="p">,</span> <span class="n">writer</span><span class="p">],</span> <span class="n">tasks</span><span class="o">=</span><span class="p">[</span><span class="n">research_task</span><span class="p">,</span> <span class="n">write_task</span><span class="p">]</span> <span class="p">)</span> <span class="n">result</span> <span class="o">=</span> <span class="n">crew</span><span class="p">.</span><span class="nf">kickoff</span><span class="p">()</span> </code></pre> </div> <p>Every action from <code>researcher_01</code> and <code>writer_01</code> is independently hash-chained <br> and signed. Two separate cryptographic histories. Nothing else changed.</p> <h2> Monitoring with Vigil </h2> <p><code>pip install piqrypt</code> also installs Vigil — a local monitoring dashboard that <br> launches on <code>http://localhost:8421</code>.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">vigil</span> <span class="kn">import</span> <span class="n">start_vigil</span> <span class="nf">start_vigil</span><span class="p">()</span> </code></pre> </div> <p>Vigil shows you VRS (Verifiable Risk Score) in real time, chain health per agent, <br> and raises CRITICAL alerts if anomalies are detected. No external dependency. <br> No data leaves your machine.</p> <h2> What this is and what it isn't </h2> <p>PiQrypt doesn't decide whether your agents make <em>good</em> decisions. It doesn't <br> evaluate output quality. The trust score is a measure of <strong>chain integrity</strong>, <br> not decision quality — fully deterministic, no ML involved.</p> <p>It also doesn't replace legal counsel for compliance. What it does: provide the <br> cryptographic infrastructure that makes your agent's history tamper-evident and <br> verifiable by any third party, offline, without PiQrypt infrastructure.</p> <p>The MIT core (AISS protocol) is open source. The signing primitives are standard: <br> Ed25519 (RFC 8032), SHA-256 (NIST FIPS 180-4), RFC 8785 canonicalization. <br> No proprietary black box.</p> <h2> Get started </h2> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>pip <span class="nb">install </span>piqrypt </code></pre> </div> <ul> <li>GitHub: <a href="https://github.com/piqrypt/piqrypt" rel="noopener noreferrer">github.com/piqrypt/piqrypt</a> </li> <li>Protocol spec (MIT): <a href="https://github.com/piqrypt/aiss-standard" rel="noopener noreferrer">github.com/piqrypt/aiss-standard</a> </li> <li>Site: <a href="https://piqrypt.com" rel="noopener noreferrer">piqrypt.com</a> <a href="https://aiss-standard.org" rel="noopener noreferrer">aiss-standard.org</a> </li> </ul> <p>Next article in this series: multi-agent accountability — what happens when your <br> Researcher passes output to an Analyst and you need cryptographic proof of the <br> exchange itself, not just each agent's individual history.</p> crewai python ai security # Your AI Agents Are Talking — But Can You Prove What They Said? PiQrypt Thu, 09 Apr 2026 12:41:56 +0000 https://dev.to/piqrypt/-your-ai-agents-are-talking-but-can-you-prove-what-they-said-5a1f https://dev.to/piqrypt/-your-ai-agents-are-talking-but-can-you-prove-what-they-said-5a1f <h1> Your AI Agents Are Talking — But Can You Prove What They Said? </h1> <p>AI agents are no longer “helpers.”</p> <p>They move money, make decisions, and talk to each other.<br><br> If you have at least two agents, you’re already in a <strong>multi‑agent system</strong> — whether you planned for it or not.</p> <p>PiQrypt is an <strong>open‑source trust layer</strong> that ensures every interaction between your agents is <strong>cryptographically verifiable</strong>.<br><br> Even if your agents change, your LLMs evolve, or your infrastructure migrates — PiQrypt stays as the <strong>immutable proof layer</strong> on top.</p> <h2> The gap nobody talks about </h2> <p>Modern AI stacks are incredibly powerful:</p> <ul> <li> <strong>LLMs</strong>: OpenAI, Anthropic, Mistral, DeepSeek, local models. </li> <li> <strong>Agent frameworks</strong>: LangChain, CrewAI, AutoGen, custom agents. </li> <li> <strong>Observability tools</strong>: logs, traces, dashboards.</li> </ul> <p>They all share a blind spot:</p> <blockquote> <p>“They can show you what happened — but they can’t prove it.”</p> </blockquote> <p>Logs can be modified.<br><br> Traces aren’t cryptographic.<br><br> And when agents interact, there’s no <strong>shared, verifiable record</strong> of that interaction.</p> <p>When something goes wrong:</p> <ul> <li>Which agent made the decision? </li> <li>In what order? </li> <li>Based on which interaction? </li> <li>Can you prove it to someone outside your system?</li> </ul> <p>Most systems today can’t.</p> <h2> Agents don’t just need to connect — they need to agree </h2> <p>When two agents interact, there are actually two problems:</p> <ol> <li> <strong>How do they communicate?</strong> </li> <li><strong>How do they prove they communicated?</strong></li> </ol> <p>Today’s A2A‑style protocols (Agent2Agent, AI‑to‑agent handshakes, and custom flows) mainly solve the first.<br><br> PiQrypt solves the second — <strong>with cryptographic proof around agent‑to‑agent interactions</strong>.</p> <blockquote> <p>“Agents need a handshake — not just a connection.”</p> </blockquote> <h2> Enter PiQrypt: co‑signed interactions with cryptographic memory </h2> <p>PiQrypt is an <strong>open‑source trust layer</strong> that sits between your agents and your memory / logs. It’s <strong>LLM‑agnostic, framework‑agnostic, and infrastructure‑agnostic</strong>:</p> <ul> <li>Works with any LLM (OpenAI, Anthropic, Mistral, DeepSeek, local). </li> <li>Integrates with any framework (LangChain, CrewAI, AutoGen, or your own). </li> <li>Independent of your storage, logs, MLflow, or cloud provider.</li> </ul> <p>Every interaction becomes:</p> <ul> <li> <strong>Co‑signed</strong> by the participating agents, </li> <li> <strong>Anchored</strong> in a hash‑chained audit trail, </li> <li>Part of a <strong>verifiable, multi‑agent session</strong>.</li> </ul> <p>This is powered by <strong>AISS</strong> (Agent Identity and Signature Standard) and built on top of <strong>PCP</strong> (Proof of Continuity Protocol) — an open protocol specification for agent‑to‑agent collaboration, with PiQrypt as the reference implementation.</p> <h2> How the A2A handshake works conceptually </h2> <p>PiQrypt’s A2A handshake is a <strong>short, peer‑to‑peer protocol</strong> used to:</p> <ul> <li> <strong>Discover</strong> other agents (via registry or direct), </li> <li> <strong>Authenticate</strong> both agents, </li> <li> <strong>Collaborate</strong> with cryptographic proof, </li> <li> <strong>Audit</strong> all interactions, stored in both agents’ audit trails.</li> </ul> <p>Here’s how it looks at the protocol level:</p> <ol> <li>Each agent generates an Ed25519 keypair. </li> <li>Agents exchange public keys (via your agent bus, API, WebSocket, or A2A‑style transport). </li> <li>Every agent pair performs a <strong>co‑signed handshake</strong>: <ul> <li>Both sign the fact that “Agent X and Agent Y have agreed to talk.” </li> <li>The handshake is appended to each agent’s hash‑chained memory. </li> </ul> </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">aiss.a2a</span> <span class="kn">import</span> <span class="n">initiate_handshake</span><span class="p">,</span> <span class="n">accept_handshake</span><span class="p">,</span> <span class="n">verify_handshake</span> <span class="kn">from</span> <span class="n">aiss.crypto</span> <span class="kn">import</span> <span class="n">ed25519</span> <span class="kn">from</span> <span class="n">aiss.identity</span> <span class="kn">import</span> <span class="n">derive_agent_id</span> <span class="c1"># Agent A </span><span class="n">priv_a</span><span class="p">,</span> <span class="n">pub_a</span> <span class="o">=</span> <span class="n">ed25519</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">agent_a</span> <span class="o">=</span> <span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">pub_a</span><span class="p">)</span> <span class="c1"># Agent B </span><span class="n">priv_b</span><span class="p">,</span> <span class="n">pub_b</span> <span class="o">=</span> <span class="n">ed25519</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">agent_b</span> <span class="o">=</span> <span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">pub_b</span><span class="p">)</span> <span class="c1"># 1. Agent A initiates handshake </span><span class="n">handshake</span> <span class="o">=</span> <span class="nf">initiate_handshake</span><span class="p">(</span> <span class="n">priv_a</span><span class="p">,</span> <span class="n">agent_a</span><span class="p">,</span> <span class="n">agent_b</span><span class="p">,</span> <span class="n">payload</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">intent</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">data_sharing</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">scope</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">market_analysis</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">terms</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">50/50 split</span><span class="sh">"</span> <span class="p">},</span> <span class="n">expires_in</span><span class="o">=</span><span class="mi">3600</span> <span class="c1"># 1h timeout, anti‑replay </span><span class="p">)</span> <span class="c1"># 2. Send to Agent B # ... </span> <span class="c1"># 3. Agent B accepts </span><span class="n">response</span> <span class="o">=</span> <span class="nf">accept_handshake</span><span class="p">(</span> <span class="n">priv_b</span><span class="p">,</span> <span class="n">agent_b</span><span class="p">,</span> <span class="n">handshake</span><span class="p">,</span> <span class="n">counter_payload</span><span class="o">=</span><span class="p">{</span> <span class="sh">"</span><span class="s">agreed</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">,</span> <span class="sh">"</span><span class="s">conditions</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">Data encrypted in transit</span><span class="sh">"</span> <span class="p">}</span> <span class="p">)</span> <span class="c1"># 4. Verify (both agents) </span><span class="n">is_valid</span> <span class="o">=</span> <span class="nf">verify_handshake</span><span class="p">(</span><span class="n">response</span><span class="p">,</span> <span class="p">{</span> <span class="n">agent_a</span><span class="p">:</span> <span class="n">pub_a</span><span class="p">,</span> <span class="n">agent_b</span><span class="p">:</span> <span class="n">pub_b</span> <span class="p">})</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">Handshake valid: </span><span class="si">{</span><span class="n">is_valid</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> </code></pre> </div> <p>Thanks to <code>piqrypt-session-multi-ai-agents</code>, this is packaged as an <strong>AgentSession</strong> that creates a shared session across all agents before a single action is taken.</p> <h2> From handshake to verifiable sessions </h2> <p>Here’s a minimal example with three agents: planner (LangChain), executor (AutoGen), and reviewer (CrewAI). All frameworks, one session.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="kn">from</span> <span class="n">piqrypt.session</span> <span class="kn">import</span> <span class="n">AgentSession</span> <span class="kn">import</span> <span class="n">piqrypt</span> <span class="k">as</span> <span class="n">aiss</span> <span class="c1"># Generate keypairs </span><span class="n">planner_key</span><span class="p">,</span> <span class="n">planner_pub</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">executor_key</span><span class="p">,</span> <span class="n">executor_pub</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="n">reviewer_key</span><span class="p">,</span> <span class="n">reviewer_pub</span> <span class="o">=</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">generate_keypair</span><span class="p">()</span> <span class="c1"># Define agents </span><span class="n">session</span> <span class="o">=</span> <span class="nc">AgentSession</span><span class="p">(</span><span class="n">agents</span><span class="o">=</span><span class="p">[</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">planner</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">planner_pub</span><span class="p">),</span> <span class="sh">"</span><span class="s">private_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">planner_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">public_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">planner_pub</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">executor</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">executor_pub</span><span class="p">),</span> <span class="sh">"</span><span class="s">private_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">executor_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">public_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">executor_pub</span><span class="p">},</span> <span class="p">{</span><span class="sh">"</span><span class="s">name</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">reviewer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="n">aiss</span><span class="p">.</span><span class="nf">derive_agent_id</span><span class="p">(</span><span class="n">reviewer_pub</span><span class="p">),</span> <span class="sh">"</span><span class="s">private_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">reviewer_key</span><span class="p">,</span> <span class="sh">"</span><span class="s">public_key</span><span class="sh">"</span><span class="p">:</span> <span class="n">reviewer_pub</span><span class="p">},</span> <span class="p">])</span> <span class="c1"># 1. Start: all pairwise A2A handshakes are recorded </span><span class="n">session</span><span class="p">.</span><span class="nf">start</span><span class="p">()</span> <span class="c1"># 2. Stamp events in the session </span><span class="n">session</span><span class="p">.</span><span class="nf">stamp</span><span class="p">(</span><span class="sh">"</span><span class="s">planner</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">task_delegation</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">task</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">rebalance_portfolio</span><span class="sh">"</span><span class="p">},</span> <span class="n">peer</span><span class="o">=</span><span class="sh">"</span><span class="s">executor</span><span class="sh">"</span><span class="p">)</span> <span class="n">session</span><span class="p">.</span><span class="nf">stamp</span><span class="p">(</span><span class="sh">"</span><span class="s">executor</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">order_executed</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">order_id</span><span class="sh">"</span><span class="p">:</span> <span class="mi">42</span><span class="p">,</span> <span class="sh">"</span><span class="s">price</span><span class="sh">"</span><span class="p">:</span> <span class="mf">182.5</span><span class="p">,</span> <span class="sh">"</span><span class="s">quantity</span><span class="sh">"</span><span class="p">:</span> <span class="mi">100</span><span class="p">},</span> <span class="n">peer</span><span class="o">=</span><span class="sh">"</span><span class="s">reviewer</span><span class="sh">"</span><span class="p">)</span> <span class="n">session</span><span class="p">.</span><span class="nf">stamp</span><span class="p">(</span><span class="sh">"</span><span class="s">reviewer</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">review_approved</span><span class="sh">"</span><span class="p">,</span> <span class="p">{</span><span class="sh">"</span><span class="s">approved</span><span class="sh">"</span><span class="p">:</span> <span class="bp">True</span><span class="p">})</span> <span class="c1"># 3. Later: export and verify offline </span><span class="n">session</span><span class="p">.</span><span class="nf">export</span><span class="p">(</span><span class="sh">"</span><span class="s">trading‑session‑audit.json</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># That audit is: # - signed by each agent, # - co‑signed by every interaction, # - readable and verifiable without your production stack. </span></code></pre> </div> <p>From this moment on:</p> <ul> <li>Every <code>session.stamp(agent_name, event_type, payload, peer=...)</code> is <strong>signed by the acting agent</strong>. </li> <li>It’s <strong>anchored</strong> in the shared, hash‑chained session. </li> <li>It’s <strong>reflected</strong> in every agent’s memory, with a shared <code>interaction_hash</code>.</li> </ul> <blockquote> <p>“Same interaction. Two memories. One verifiable truth.”</p> </blockquote> <h2> Trust scores: how much you can rely on a session </h2> <p>PiQrypt doesn’t stop at proof. For every session, it computes:</p> <ul> <li> <strong>VRS (Vulnerability Risk Score)</strong>: a risk metric based on agent behavior, anomalies, and policy flags. </li> <li> <strong>Trust score</strong> (0–1): how “safe” the agent’s history and current session are. </li> <li> <strong>TrustGate decision</strong>: <code>ALLOW</code>, <code>REQUIRE_HUMAN</code>, or <code>BLOCK</code>, enforced at runtime with signed proof of every decision.</li> </ul> <p>Example:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight python"><code><span class="n">result</span> <span class="o">=</span> <span class="n">piqrypt</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="n">signature</span><span class="o">=</span><span class="n">agent_event</span><span class="p">.</span><span class="n">signature</span><span class="p">,</span> <span class="n">chain</span><span class="o">=</span><span class="n">agent_event</span><span class="p">.</span><span class="n">chain</span><span class="p">,</span> <span class="n">context</span><span class="o">=</span><span class="p">{</span><span class="sh">"</span><span class="s">agent_id</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">pq1_planner_a3f8</span><span class="sh">"</span><span class="p">,</span> <span class="sh">"</span><span class="s">action</span><span class="sh">"</span><span class="p">:</span> <span class="sh">"</span><span class="s">portfolio_rebalance</span><span class="sh">"</span><span class="p">}</span> <span class="p">)</span> <span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">trust_score: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">trust_score</span><span class="si">:</span><span class="p">.</span><span class="mi">4</span><span class="n">f</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># → 0.9987 </span><span class="nf">print</span><span class="p">(</span><span class="sa">f</span><span class="sh">"</span><span class="s">decision: </span><span class="si">{</span><span class="n">result</span><span class="p">.</span><span class="n">decision</span><span class="si">}</span><span class="sh">"</span><span class="p">)</span> <span class="c1"># → ALLOW </span></code></pre> </div> <p>You can <strong>block risky actions, require human approval, or allow automatically</strong>, all based on verifiable data.</p> <h2> Stack‑agnostic by design </h2> <p>PiQrypt is built to be <strong>truly agnostic</strong>:</p> <ul> <li> <strong>LLMs</strong>: OpenAI, Anthropic, Mistral, DeepSeek, local models. </li> <li> <strong>Agent frameworks</strong>: LangChain, CrewAI, AutoGen, or any custom stack. </li> <li> <strong>Cloud / infra</strong>: Independent of your storage, logs, MLflow, Application Insights, or LangSmith.</li> </ul> <blockquote> <p>“Your agents can change. Your infrastructure can change. Your trust layer should not.”</p> </blockquote> <p>PiQrypt’s A2A handshake and PCP‑backed audit trail work over <strong>any transport</strong> (API, message bus, A2A style, or custom protocol). The registry can be centralized, distributed, or even DHT‑based in the future.</p> <h2> Why this matters in production </h2> <p>If you’re building:</p> <ul> <li> <strong>Multi‑agent workflows</strong> (planner → executor → reviewer → auditor). </li> <li> <strong>Agents that communicate across boundaries</strong> (company ↔ partner, SaaS ↔ local). </li> <li> <strong>Compliance‑sensitive applications</strong> (finance, healthcare, legal, etc.).</li> </ul> <p>…then an A2A handshake with <strong>cryptographic trust scoring</strong> is no longer optional.</p> <p>With PiQrypt, you get:</p> <ul> <li> <strong>Cryptographic identity</strong> for every agent. </li> <li> <strong>Co‑signed, hash‑chained handshakes</strong> for every session. </li> <li> <strong>Session‑anchored events</strong> that are verifiable offline, across frameworks. </li> <li> <strong>Numeric trust scores</strong> integrated into your governance and policy layer.</li> </ul> <h2> Getting started </h2> <ol> <li>Install PiQrypt and the A2A‑ready session module: </li> </ol> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code> pip <span class="nb">install </span>piqrypt piqrypt-session-multi-ai-agents </code></pre> </div> <ol> <li>Follow the A2A‑focused guides:</li> </ol> <ul> <li> <code>docs/A2A_HANDSHAKE_GUIDE.md</code> </li> <li> <code>docs/A2A_SESSION_GUIDE.md</code> </li> <li> <code>QUICK-START.md</code> (A2A handshake section).</li> </ul> <ol> <li>Run the 3‑agent demo (<code>planner</code> → <code>executor</code> → <code>reviewer</code>) and experiment with <code>verify()</code> + <code>trust_score</code> on your own event chains.</li> </ol> <h2> From observability to verifiability </h2> <p>We’ve spent years building <strong>observability</strong> for software systems.<br><br> Now, AI needs the same — but stronger:</p> <blockquote> <p>“Not just visibility.<br><br> Proof.”</p> </blockquote> <p>Your agents already talk.<br><br> The real question is:</p> <blockquote> <p>“Can you prove what happened between them?”</p> </blockquote> <p>Right now, most systems can’t.</p> <p><strong>PiQrypt does.</strong></p> <p>PiQrypt is the A2A handshake your agents never knew they needed.<br><br> <strong>Nothing ever disappears, and nothing appears out of nowhere — only what’s cryptographically agreed upon.</strong></p> <p>You can check out the full reference implementation on [GitHub/PiQrypt]<br> <a href="https://github.com/PiQrypt/piqrypt" rel="noopener noreferrer">https://github.com/PiQrypt/piqrypt</a> and try your first A2A handshake today.</p> agents mcp security llm Why AI agents need cryptographic memory — and how to add it in one line PiQrypt Fri, 03 Apr 2026 09:29:21 +0000 https://dev.to/piqrypt/why-ai-agents-need-cryptographic-memory-and-how-to-add-it-in-one-line-4gae https://dev.to/piqrypt/why-ai-agents-need-cryptographic-memory-and-how-to-add-it-in-one-line-4gae <p>The problem nobody talks about<br> AI agents can act. They can call APIs, write files, execute code, make decisions.<br> But can they prove what they did?<br> Logs can be edited. Timestamps can be faked. Events can be reordered silently.<br> There's no equivalent of Git, TLS, or OAuth for agent behavior over time.<br> What cryptographic memory looks like<br> Every action becomes a signed, hash-chained event:</p> <p>Who acted — deterministic Ed25519 agent identity<br> What was decided — signed payload<br> When — tamper-evident sequence<br> Nothing missing — fork detection catches silent deletions</p> <p>Verifiable offline. No server. No central authority.<br> One line with LangChain<br> pythonfrom piqrypt_langchain import PiQryptCallbackHandler</p> <p>handler = PiQryptCallbackHandler(agent_name="my_agent")<br> llm = ChatOpenAI(model="gpt-4o", callbacks=[handler])</p> <h1> Every action is now signed &amp; hash-chained </h1> <p>handler.export_audit("audit.json")<br> The standard behind it<br> This is built on AISS — Agent Identity and Signature Standard — an open protocol.<br> The RFC is public. The spec is implementable by anyone.<br> TCP/IP secured communication. TLS secured it. OAuth made it delegable.<br> AISS is that primitive for autonomous agent trust.<br> Try it<br> bashpip install piqrypt[langchain]<br> 📦 PyPI : piqrypt<br> 🔗 LangChain Hub : hub.langchain.com/piqrypt/piqrypt-audited-agent<br> 📖 RFC : github.com/PiQrypt/piqrypt/blob/main/docs/RFC_AISS_v2.0_narrative.md<br> Happy to discuss the threat model, the crypto choices, or the RFC in the comments. 👇</p> ai security opensource langchain