A minimal SPIFFE implementation (Workload API, trust bundles, agent attestation) used as the identity substrate for zero-trust agent deployments.
Status: Research-grade. Part of a four-part effort on the trust layer for AI agents (see the sibling repos listed below).
SPIFFE and SPIRE were designed for workloads — services, containers, VMs. But an AI agent is a weirder kind of workload: its "identity" is not just a binary or a container, it's a tuple of model weights, a system prompt, a declared tool manifest, and a parent-agent chain of delegation. This repo explores what SPIFFE looks like when the workload being identified is an AI agent rather than a service. It extends X.509 SVIDs with custom OIDs for agent capabilities, adds an attestor that verifies model hash / prompt fingerprint / tool manifest / parent chain, and exposes a simplified Workload API that agents can actually call. It is the identity primitive that sits underneath production-facing trust infrastructure like AgentGuard.
| Module | Purpose |
|---|---|
| `spiffe_server.py` | Core SPIFFE server (FastAPI, :4000) — register, attest, issue SVID, delegate, revoke, audit, events. |
| `workload_api.py` | Simplified Workload API (:4001) — lightweight HTTP surface agents call to fetch SVIDs. |
| `dashboard.py` | Dashboard proxy + static server (:4002) — serves the frontend and proxies API calls. |
| `agent_attestor.py` | AI-agent attestation — verifies model hash, prompt fingerprint, tool manifest, parent chain, framework. |
| `crypto_utils.py` | X.509 CA, SVID issuance with SPIFFE URI + custom capability OID extensions, JWT SVIDs (RS256/ES256). |
| `trust_bundle.py` | Trust bundle management and federation with external trust domains (AgentGuard, TraT). |
| `db.py` | SQLite store for registration entries, SVIDs, attestations, delegations, and audit log. |
| `models.py` | Pydantic models — attestation types, SVID types, audit actions, capabilities, registration entries. |
| `sdk.py` | Client SDK — `SpiffeClient` with `attest_and_get_svid`, `delegate_to`, `verify_peer`. |
| `demo.py` | Integration demo — registers 4 agents, runs a full delegation chain, exercises federation + revocation. |
| `start_all.py` | Launcher — spawns server, workload API, and dashboard as separate processes. |
| `frontend/` | Static dashboard UI (`index.html`). |
```bash
python3 -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt
python start_all.py
```

This starts:

- SPIFFE Server on `:4000`
- Workload API on `:4001`
- Dashboard on `:4002`

Then, in a second terminal, run the end-to-end demo:

```bash
python demo.py
```

The local SQLite state lives in `spiffe.db` (gitignored).
This repo is part of a four-part effort on the trust layer for AI agents:
- `rockerritesh/agentguard` — Production-leaning zero-trust identity + policy enforcement for AI agents.
- `rockerritesh/trat-multi-agent` — Transaction Tokens (IETF TraT) for multi-agent workflows — the transactional half of agent trust.
- `rockerritesh/sumit-server` — Federated, audited memory MCP server — the memory half of the trust layer.
- `rockerritesh/spiffe-core` (this repo) — SPIFFE-based identity primitives — the substrate AgentGuard builds on.
MIT