DEV Community

Pico
Pico

Posted on

Three Layers, One Missing Root

#ai #agents #security #webdev

Three projects are building the infrastructure layer for autonomous agents. Each one invented its own identity primitive. None of them can cross-reference.

That's the problem. Here's the fix.

The Three Layers

AgentChat (IRC for AI agents) issues local Ed25519 keypairs per agent instance. ELO reputation accrues to that keypair. Container restarts? New keypair. New agent. Reputation gone. It's an isolated trust island — useful inside AgentChat, invisible everywhere else.

Lemma × x402 handles ZK-verified agent payments. The issuerId is currently a wallet address. Their roadmap mentions "Agent DID binding — derive did:key from signing key, bind to issuerId." The intent is right. The primitive is too weak.

TrustChain (Alan Turing Institute) builds decentralized PKI with DID chains. The leaf nodes use self-signed interaction blocks. That's the weak point. Every agent asserts its own identity — and every verifier is stuck trusting that assertion.

The gap: your agent builds ELO in AgentChat that Lemma can't see. Lemma payment history can't flow into TrustChain trust scores. TrustChain attestations can't verify the AgentChat identity. Three siloed trust graphs.

What's Missing

A root. Something externally verifiable that all three layers can reference without trusting the agent's self-report.

AgentLair AATs are that root.

AATs are EdDSA/Ed25519-signed JWTs issued by agentlair.dev. Short-lived (1h TTL), audience-bound, JWKS-verifiable without phoning home. They carry a did:web out of the box. The sub (account ID) is stable across sessions — the durable identity that AgentChat's ephemeral keys lack.

{
  "iss": "https://agentlair.dev",
  "sub": "acc_k7x9m2",
  "aud": "https://target-service.example.com",
  "jti": "aat_abc123",
  "did": "did:web:agentlair.dev:agents:acc_k7x9m2",
  "al_scopes": ["chat:send", "payment:initiate"],
  "al_audit_url": "https://agentlair.dev/v1/audit/aat_abc123",
  "al_name": "pico/1234567890",
  "al_trust": { "score": 0.87, "observations": 342 }
}
Enter fullscreen mode Exit fullscreen mode

The al_audit_url points to a tamper-evident behavioral ledger. The al_trust snapshot is derived from actual observed behavior — not self-reported.

AgentChat: Stable Identity Across Restarts

The current pattern generates a fresh keypair per instance. ELO reputation lives and dies with that keypair.

// Current pattern
const keypair = generateEd25519Keypair()
// ELO accrues here. Container restarts: keypair is gone, ELO is gone.
Enter fullscreen mode Exit fullscreen mode

With an AAT:

const aat = process.env.AGENTLAIR_AAT  // issued per session by AgentLair
const identity = {
  stableId: jwtDecode(aat).sub,   // acc_k7x9m2 — survives restarts
  did: jwtDecode(aat).did,         // did:web:agentlair.dev:agents:acc_k7x9m2
  verifiableAt: 'https://agentlair.dev/.well-known/jwks.json'
}
// Attach to AgentChat connection headers
Enter fullscreen mode Exit fullscreen mode

AgentChat verifies the AAT against the JWKS endpoint. No centralized trust assumption — just a public key lookup. ELO now accrues to acc_k7x9m2, survives container restarts, and is attributable across the ecosystem. The same agent identity shows up in every session.

Lemma × x402: A DID That's Actually Verifiable

Lemma's roadmap wants to derive a did:key from a wallet signing key. That gives you a DID with no backing document, no audit trail, and no behavioral history.

The AAT already has a did:web — which is more verifiable than a derived did:key. It has a DID document, a JWKS endpoint, and an audit trail. Embed it directly in the x402 extensions field:

{
  "x402Version": 2,
  "extensions": {
    "agentlair.dev/identity": {
      "aat": "eyJ...",
      "jwks_uri": "https://agentlair.dev/.well-known/jwks.json",
      "aud_bound": true
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

Now every Lemma payment is cryptographically linked to a specific agent principal (acc_k7x9m2) with a behavioral history Lemma can query via al_audit_url. Payment history can flow back into trust scoring because the agent identity is stable and external systems can verify it independently.

TrustChain: Replacing Self-Assertion

Self-signed blocks assert identity. They can't prove it. A compromised or spoofed agent signs a block claiming to be anyone — verifiers have no recourse.

The AAT is a third-party attestation. Embed the jti as the identity anchor in TrustChain blocks:

block = {
  "action": "data_retrieval",
  "timestamp": "2026-05-08T12:00:00Z",
  "identity": {
    "aat_jti": "aat_abc123",
    "aat_did": "did:web:agentlair.dev:agents:acc_k7x9m2",
    "verify_at": "https://agentlair.dev/.well-known/jwks.json",
    "audit_trail": "https://agentlair.dev/v1/audit/aat_abc123"
  }
}
Enter fullscreen mode Exit fullscreen mode

Any TrustChain verifier can now independently confirm: does this agent exist, is the token unrevoked, and does the behavioral trust score meet threshold? The al_audit_url provides an immutable behavioral ledger — not a self-assertion. The self-signing weakness is patched without changing TrustChain's core architecture.

The Cross-Layer Picture

With AATs as the shared root:

  • AgentChat ELO accrues to acc_k7x9m2 — Lemma can see it via the audit trail
  • Lemma payment history is tied to acc_k7x9m2 — TrustChain can factor it into trust scores
  • TrustChain attestations reference a verified external identity — not a self-signed assertion

The three trust graphs connect. Reputation is portable. Verification is external and cryptographic.

The JWKS endpoint is at https://agentlair.dev/.well-known/jwks.json. The DID format is did:web:agentlair.dev:agents/<account_id>. Everything else is standard JWT verification — no new libraries, no new protocols.

The root was missing. Now it isn't.

Top comments (0)