Crate a1


A1 — One Identity. Full Provenance. v2.8.0

The cryptographic identity and authorization layer that turns anonymous AI agents into accountable, verifiable entities.

What it solves

When one AI agent delegates a task to another, the authorization chain breaks down — a liability called the “Recursive Delegation Gap.” A1 closes that gap with a native A1 Passport protocol: every action executed by any agent in a delegation tree carries an irrefutable, cryptographically verified chain proving exactly which human authorized it, with enforced scope boundaries that hold offline.

v2.8.0 additions

  • DyoloPassport — long-lived agent identity with cryptographically enforced capability bounds. Issue once, delegate scoped sub-certs per task. The chain of custody is irrefutable from human principal to executing agent.

  • NarrowingMatrix — a 256-bit O(1) capability bitmask enforcing strict subset delegation at both issuance and guard time. No external registry, no network call, no configuration at verification time. Pure bitwise arithmetic.

  • CapabilityRegistry — collision-free explicit name-to-bit registry for deployments with more than ~100 distinct capability names.

  • ProvableReceipt — an extended authorization receipt carrying the passport namespace and a Blake3 commitment over the enforced capability mask, enabling post-hoc audit without retaining any secrets.

  • W3C DID + Verifiable Credentials (did feature) — every DyoloPassport holder gets a permanent did:a1: identifier. Issue portable VCs for capabilities and receipts that verify offline on any platform.

  • ZK chain commitments (zk feature) — compact, O(1)-verifiable commitments to full delegation chains. Upgrade path to full zkVM proofs (RISC Zero, Jolt, SP1) without changing consumer code.

  • Post-quantum hybrid signatures: HybridMlDsa44Ed25519 and HybridMlDsa65Ed25519 wire formats. Classical Ed25519 by default; activate full ML-DSA verification with the post-quantum feature flag.

  • VaultSigner backends — AWS KMS, GCP Cloud KMS, HashiCorp Vault Transit, and Azure Key Vault signing. Root key material never touches application memory at issuance time. Zero KMS calls at verification time.

  • SIEM exporters — Datadog Logs, Splunk HEC, OpenTelemetry OTLP, and NDJSON file exporters. Fan-out via CompositeExporter.

  • Framework integrations — LangChain, LangGraph, LlamaIndex, AutoGen v0.4, CrewAI, Semantic Kernel, and OpenAI Agents SDK.
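
The NarrowingMatrix and CapabilityRegistry bullets above describe subset-only delegation over a 256-bit mask with explicit name-to-bit assignment. The following is an added sketch of that idea in plain Rust, not the a1 crate's API: `Mask`, `Registry`, `delegate` and `guard` are hypothetical names, the capability names are constructed, and "subset" is assumed to mean equal or narrower.

```rust
use std::collections::HashMap;

/// Hypothetical 256-bit capability mask (not the a1 crate's NarrowingMatrix).
#[derive(Clone, Copy, Debug, Default, PartialEq, Eq)]
pub struct Mask([u64; 4]);
impl Mask {
    pub fn with_bit(mut self, bit: u8) -> Self {
        self.0[(bit / 64) as usize] |= 1u64 << (bit % 64);
        self
    }
    /// True when every bit set in `self` is also set in `parent`.
    pub fn is_subset_of(&self, parent: &Mask) -> bool {
        self.0.iter().zip(parent.0.iter()).all(|(c, p)| (c & !p) == 0)
    }
}

/// Hypothetical explicit name-to-bit registry: one bit per name, no hashing.
#[derive(Default)]
pub struct Registry { bits: HashMap<String, u8> }
impl Registry {
    pub fn register(&mut self, name: &str) -> Result<u8, String> {
        if self.bits.contains_key(name) { return Err(format!("duplicate capability: {}", name)); }
        if self.bits.len() >= 256 { return Err("all 256 bits assigned".to_string()); }
        let bit = self.bits.len() as u8;
        self.bits.insert(name.to_string(), bit);
        Ok(bit)
    }
    pub fn mask(&self, names: &[&str]) -> Result<Mask, String> {
        names.iter().try_fold(Mask::default(), |m, n| {
            self.bits.get(*n).map(|b| m.with_bit(*b)).ok_or_else(|| format!("unknown capability: {}", n))
        })
    }
}

/// Issuance-time check: a delegated mask may keep or drop parent bits, never add.
pub fn delegate(parent: &Mask, requested: &Mask) -> Result<Mask, &'static str> {
    if requested.is_subset_of(parent) { Ok(*requested) } else { Err("capability escalation") }
}

/// Guard-time check: every hop narrows its parent and the leaf covers the action.
pub fn guard(chain: &[Mask], action: &Mask) -> bool {
    chain.windows(2).all(|w| w[1].is_subset_of(&w[0]))
        && chain.last().map_or(false, |leaf| action.is_subset_of(leaf))
}

fn main() {
    let mut reg = Registry::default();
    for n in ["files.read", "files.write"] { reg.register(n).unwrap(); }
    let leaf = reg.mask(&["files.read"]).unwrap();
    println!("write allowed: {}", guard(&[leaf], &reg.mask(&["files.write"]).unwrap()));
}
```

Re-checking the whole chain in `guard` means a leaf mask widened after issuance is rejected even if each certificate's signature were valid in isolation.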

Feature flags

| Flag | Description |
|------|-------------|
| serde | Serialization for all core types. Required for most integrations. |
| async | AsyncNonceStore, AsyncRevocationStore, AsyncA1Context. |
| wire | SignedChain, VerifiedToken, CertExtensions (requires serde). |
| did | W3C DID Documents and Verifiable Credentials (requires wire). |
| zk | ZkChainCommitment — compact chain attestation with zkVM upgrade path. |
| anchor | AnchoredReceipt — on-chain provenance for Ethereum, Polygon, Base, Solana. |
| negotiate | Agent-to-agent delegation negotiation protocol (AIP). |
| tracing | Structured tracing spans during authorization. |
| ffi | C ABI for Python, Go, Java, and Node.js (requires wire). |
| policy-yaml | Parse delegation policies from YAML files. |
| post-quantum | Activate ML-DSA signature verification (hybrid certs, requires wire). |
| schema | JSON Schema export for SignedChain. |
| full | All of the above except ffi and post-quantum. |

Re-exports

pub use audit::AuditEvent;
pub use audit::AuditOutcome;
pub use audit::AuditSink;
pub use audit::CompositeAuditSink;
pub use audit::LogAuditSink;
pub use audit::NoopAuditSink;
pub use cert::CertBuilder;
pub use cert::CertBundle;
pub use cert::DelegationCert;
pub use cert::CERT_VERSION;
pub use chain::AuthorizedAction;
pub use chain::BatchAuthorizeResult;
pub use chain::Clock;
pub use chain::DyoloChain;
pub use chain::SystemClock;
pub use chain::VerificationReceipt;
pub use context::A1Context;
pub use error::A1Error;
pub use error::A1StorageError;
pub use error::StorageErrorKind;
pub use hybrid::negotiate_algorithm;
pub use hybrid::ChainAlgorithmCompatibility;
pub use hybrid::ClassicalHybridAdapter;
pub use hybrid::HybridPublicKey;
pub use hybrid::HybridSignature;
pub use hybrid::HybridSigner;
pub use hybrid::SignatureAlgorithm;
pub use identity::narrowing::CapabilityRegistry;
pub use identity::narrowing::NarrowingMatrix;
pub use identity::receipt::ProvableReceipt;
pub use identity::DyoloIdentity;
pub use identity::SharedIdentity;
pub use identity::Signer;
pub use intent::intent_hash; // deprecated
pub use intent::Intent;
pub use intent::IntentHash;
pub use intent::IntentTree;
pub use intent::MerkleProof;
pub use intent::SiblingNode;
pub use intent::SubScopeProof;
pub use passport::DyoloPassport;
pub use policy::CapabilitySet;
pub use policy::DelegationPolicy;
pub use policy::PolicySet;
pub use provenance::ProvenanceRoot;
pub use provenance::ProvenanceStepProof;
pub use provenance::ReasoningStep;
pub use provenance::ReasoningStepKind;
pub use provenance::ReasoningTrace;
pub use registry::fresh_nonce;
pub use registry::MemoryNonceStore;
pub use registry::MemoryRateLimitStore;
pub use registry::MemoryRevocationStore;
pub use registry::NonceStore;
pub use registry::RateLimitStore;
pub use registry::RevocationStore;
pub use cert_extensions::CertExtensions; // feature: wire
pub use cert_extensions::ExtValue; // feature: wire
pub use did::AgentDid; // feature: did
pub use did::CredentialSubject; // feature: did
pub use did::DidDocument; // feature: did
pub use did::VcProof; // feature: did
pub use did::VerifiableCredential; // feature: did
pub use did::VerificationMethod; // feature: did
pub use zk::anchor_hash; // feature: zk
pub use zk::ZkChainCommitment; // feature: zk
pub use zk::ZkProofMode; // feature: zk
pub use zk::ZkTraceProof; // feature: zk
pub use anchor::AnchorNetwork; // feature: anchor
pub use anchor::AnchoredReceipt; // feature: anchor
pub use negotiate::CapabilityRequest; // feature: negotiate
pub use negotiate::DelegationAcceptance; // feature: negotiate
pub use negotiate::DelegationOffer; // feature: negotiate
pub use negotiate::NegotiationResult; // feature: negotiate
pub use swarm::SwarmMember; // feature: swarm
pub use swarm::SwarmPassport; // feature: swarm
pub use swarm::SwarmRole; // feature: swarm
pub use governance::ApprovalGate; // feature: governance
pub use governance::ApprovalToken; // feature: governance
pub use governance::AuditReport; // feature: governance
pub use governance::GovernancePolicy; // feature: governance
pub use governance::KeyRotationPolicy; // feature: governance
pub use context::AsyncA1Context; // feature: async
pub use registry::async::AsyncNonceStore; // feature: async
pub use registry::async::AsyncRateLimitStore; // feature: async
pub use registry::async::AsyncRevocationStore; // feature: async
pub use registry::async::SyncNonceAdapter; // feature: async
pub use registry::async::SyncRevocationAdapter; // feature: async
pub use audit::async::AsyncAuditSink; // feature: async
pub use audit::async::SyncAuditAdapter; // feature: async
pub use identity::AsyncSigner; // feature: async

Modules

anchor (feature: anchor)
audit
cert
cert_extensions (feature: wire)
chain
context
did (feature: did)
error
ffi (feature: ffi): C ABI exports for a1.
governance (feature: governance)
hybrid
identity
intent
negotiate (feature: negotiate)
passport
policy
provenance
registry
swarm (feature: swarm)
wire (feature: wire): Portable wire formats for cross-service authorization transport.
zk (feature: zk)