
João André Gomes Marques

Posted on • Originally published at asqav.com

Governance metadata in A2A Agent Cards, shipping the superset

A2A Agent Cards describe what an agent can do, where it lives, and how to talk to it. What they do not describe is governance posture. Two agents can hold identical cards and behave nothing alike in production.

We shipped a reference implementation under extensions.asqav.governance inside the standard AgentCard envelope. Three fields carry the posture: trust_score, retention_ttl_seconds, and derivation_rights. Signed with the agent's own ML-DSA-65 keypair. Docs at asqav.com/docs/a2a.

The schema

{
  "name": "research-agent",
  "url": "https://agents.example.com/research",
  "extensions": {
    "asqav.governance": {
      "version": 2,
      "agent_id": "agt_x7y8z9",
      "trust_score": 0.82,
      "retention_ttl_seconds": 2592000,
      "derivation_rights": {
        "retention_permitted": true,
        "derivative_works": false,
        "third_party_sharing": false,
        "license_reference": "https://example.com/licenses/research-v1"
      },
      "issued_at": "2026-04-19T12:00:00+00:00",
      "expires_at": "2026-04-26T12:00:00+00:00",
      "signature": "...",
      "public_key": "..."
    }
  }
}

Why trust_score decays

A discrete L0 to L3 grade hides real signal. An agent that ran clean 90 days ago and then went silent is epistemically different from one that just handled a thousand signed actions. A decaying score separates them. Positive evidence has a 45-day half-life: each successful signed action at time t contributes weight 0.5 ^ ((now - t) / 45 days). Negative events (suspensions, revocations) apply full-weight penalties that do not decay. The score is derived from signed records only, so independent verifiers arrive at the same number.
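The decay rule above, worked through as an added example (not asqav's own code): the 45-day half-life and the non-decaying penalties come from the post, while the penalty size, the saturating map into [0, 1] and the sample logs are assumptions made here so the numbers can be checked.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

HALF_LIFE = timedelta(days=45)   # from the post: 45-day half-life on positive evidence
PENALTY_PER_EVENT = 0.25         # assumption: flat penalty per suspension/revocation, never decays
SATURATION = 2.0                 # assumption: decayed weight at which the score reaches 0.5


@dataclass(frozen=True)
class SignedRecord:
    """One entry from the agent's signed action log (constructed sample data)."""
    at: datetime        # time the record was signed (UTC)
    kind: str           # "action" for a successful signed action; anything else is a negative event


def positive_weight(record_time: datetime, now: datetime) -> float:
    """Weight of one successful signed action: 0.5 ** ((now - t) / 45 days)."""
    age = now - record_time
    if age < timedelta(0):
        raise ValueError("signed record is dated in the future")
    return 0.5 ** (age / HALF_LIFE)


def weight_after_days(days: float) -> float:
    """Convenience wrapper: weight of an action signed `days` ago."""
    now = datetime(2026, 4, 19, 12, 0, tzinfo=timezone.utc)
    return positive_weight(now - timedelta(days=days), now)


def trust_score(records: list[SignedRecord], now: datetime) -> float:
    """Decayed positives minus non-decaying penalties, mapped into [0, 1]."""
    positive = sum(positive_weight(r.at, now) for r in records if r.kind == "action")
    penalties = PENALTY_PER_EVENT * sum(1 for r in records if r.kind != "action")
    base = positive / (positive + SATURATION)   # assumption: saturating map, no evidence -> 0
    return round(max(0.0, base - penalties), 4)


# Constructed sample logs, evaluated at the issued_at time shown in the card above.
NOW = datetime(2026, 4, 19, 12, 0, tzinfo=timezone.utc)
STALE_AGENT = [SignedRecord(NOW - timedelta(days=90), "action") for _ in range(8)]
ACTIVE_AGENT = [SignedRecord(NOW, "action") for _ in range(8)]
ACTIVE_BUT_SUSPENDED = ACTIVE_AGENT + [SignedRecord(NOW - timedelta(days=10), "suspension")]

if __name__ == "__main__":
    for label, log in [("stale", STALE_AGENT), ("active", ACTIVE_AGENT), ("suspended", ACTIVE_BUT_SUSPENDED)]:
        print(f"{label}: {trust_score(log, NOW)}")
```

Eight actions signed 90 days ago score the same as two signed today, which is the separation the post is after; a single suspension then knocks a fixed amount off regardless of how old it is.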

Why derivation_rights needs license_reference

derivative_works: false alone means nothing across organizations. One side reads it as "do not train on my outputs," another as "do not fine tune downstream," another as "do not incorporate into product." The boolean is a coarse intent signal. license_reference pins down the actual contract, whether that is a CC license, a bespoke DUA, or a proprietary TOS. Machine-readable gating and human-readable legal terms in the same envelope.

Key rotation

Each agent signs its own extension with its own ML-DSA-65 keypair. The public key is embedded in the signed envelope at issuance time, not fetched by reference. When a key rotates, old attestations stay verifiable forever because the bytes needed to check the signature are already inside the envelope. A third party that captured an attestation in February does not have to call back to asqav in October to confirm it.

curl https://api.asqav.com/api/v1/public/attestation/agt_x7y8z9

Platform discovery is standard A2A: GET /.well-known/agent.json. Per-agent cards are at GET /api/v1/agents/{id}/card. Parse them like any A2A card and look inside extensions if you care about posture.
