Architecture Overview

Truss is a platform for governing AI agent actions with signed mandates and verifiable evidence chains. It provides end-to-end trust infrastructure for autonomous agents operating in regulated or high-stakes environments.

Architecture Layers

• CLI — Developer tool for managing organizations, agents, mandates, and evidence from the terminal.
• REST API — Core service that stores mandates, actions, evidence, delegations, alerts, and jurisdiction data. All cryptographic verification happens server-side against stored public keys.
• SDKs — TypeScript (@tensflare/truss-sdk) and Python (truss-sdk) libraries for embedding Truss into agent runtimes. All cryptographic signing happens client-side; private keys never leave the agent.
• Middleware — Integrations with MCP, LangGraph, AutoGen, CrewAI, LlamaIndex, Semantic Kernel, and OpenAI. These adapters wrap agent frameworks to automatically sign mandates and record actions.
• TAP Protocol — The Trust Accountability Protocol, an open standard defining mandate formats, evidence package structures, delegation semantics, and cryptographic signing schemes.

Key Flow

1. An Agent registers with the Truss API, providing its public key.
2. An Organization issues a Mandate — a signed authorization specifying what the agent may do.
3. The Agent performs actions within the mandate's scope. Each action is recorded with input/output hashes and timestamps.
4. Evidence is generated as a cryptographically signed bundle of action records.
5. Anyone can Verify the evidence chain using the agent's public key and the mandate's signature.

All cryptographic signing is performed client-side via the SDKs. The API stores only public keys for verification purposes, ensuring private keys remain under the agent operator's control.