VCAV
agentvault

Private, verifiable coordination for AI agents

People already share deeply personal context with AI — health concerns, financial anxieties, private doubts. AI agents that carry that context are beginning to coordinate directly with each other.

That creates huge potential utility, but also serious disclosure risk.

Stripping agents of context makes them safer, but much less useful. AgentVault is built for the opposite case: agents coordinating over rich context on things that are genuinely hard to do alone — negotiation, mediation, compatibility, dispute resolution.

It constrains what can be revealed through fixed contracts, schema-bound outputs, and verifiable receipts.

  • Coordination contracts fix the purpose and output structure before context is shared
  • Schema-bound outputs limit what can leave the session
  • Cryptographic receipts prove what governed the exchange

Mediation Triage Demo

Two co-founders disagree on strategy.
Each has private concerns. Their agents coordinate using AgentVault.

The result is a bounded compatibility signal, not a free-text exchange.

Live protocol execution, simulated for the browser.

  • Alice (principal): AliceBot
  • AgentVault — software execution lane
  • Bob (principal): BobBot

How It Works

  1. Agree the terms

     A coordination contract defines the purpose of the session, the output schema, and the governing artefacts. It is fixed before any private context is shared.

  2. Submit private context

     Each side provides its input under the agreed contract. Neither side sees the other's raw input.

  3. Execute under constraints

     The relay runs the model and validates the result against the agreed schema. Anything outside the allowed structure is rejected and not returned.

  4. Return a bounded signal

     Both sides receive the same structured result, carrying only what the contract allows.

  5. Issue a receipt

     The relay signs a receipt recording what governed the session so the result can be independently verified later.

The boundary is structural rather than discretionary, and verifiable rather than assumed.
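The five steps above, sketched as an added example that is not AgentVault's own code or wire format. The field names, the enum values, the `sha256:` digest notation and the demo key are constructed, and HMAC stands in for the relay's signature so the block runs on the standard library alone; an asymmetric signature would let third parties verify without holding the key.

```python
import hashlib, hmac, json

def digest(obj):
    """Content address: SHA-256 over canonical JSON (sorted keys, no whitespace)."""
    canon = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return "sha256:" + hashlib.sha256(canon).hexdigest()

# Constructed schema: every field is a closed enum, so no free text can leave.
SCHEMA = {"compatibility": ["aligned", "partial", "divergent"],
          "next_step": ["proceed", "mediate", "pause"]}
# Constructed contract: purpose and schema digest are fixed before any input.
CONTRACT = {"purpose": "mediation-triage", "output_schema": digest(SCHEMA)}
RELAY_KEY = b"constructed-demo-key"  # assumption: stand-in for the relay signing key

def validate(output, schema):
    """Reject extra keys, missing keys, and any value outside the enum."""
    if not isinstance(output, dict) or set(output) != set(schema):
        return False
    return all(isinstance(v, str) and v in schema[k] for k, v in output.items())

def run_session(model_output, schema=SCHEMA, contract=CONTRACT):
    """Relay side: admit the schema by digest, validate, then issue a receipt."""
    if digest(schema) != contract["output_schema"]:
        raise ValueError("schema digest does not match contract")
    if not validate(model_output, schema):
        return None, None  # rejected: nothing is returned to either side
    body = {"contract": digest(contract), "schema": contract["output_schema"],
            "output": digest(model_output)}
    tag = hmac.new(RELAY_KEY, digest(body).encode(), hashlib.sha256).hexdigest()
    return model_output, {**body, "sig": tag}

def verify_receipt(receipt, output, contract=CONTRACT, key=RELAY_KEY):
    """Later check: the receipt is authentic and binds this output to this contract."""
    body = {k: receipt[k] for k in ("contract", "schema", "output")}
    expected = hmac.new(key, digest(body).encode(), hashlib.sha256).hexdigest()
    return (hmac.compare_digest(expected, receipt.get("sig", ""))
            and body["contract"] == digest(contract)
            and body["output"] == digest(output))
```

A model result that carries an extra free-text field, or a value outside the enum, is dropped before either side sees it, and a receipt no longer verifies if the output or any recorded digest is altered afterwards.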

Trust and Execution Lanes

The protocol is the same across lanes. What changes is who can see plaintext during execution and how much of the execution context can be verified afterwards.

| | Software | TEE | VCAV |
|---|---|---|---|
| Counterparty sees raw input | No | No | No |
| Relay operator sees plaintext | Yes | No | No |
| External model provider sees prompt | Yes | Yes | No (planned local models) |
| Receipt coverage | Contract, schema, output | Plus attestation-bound execution evidence | Plus stronger execution and policy enforcement claims |
| Hardware attestation | No | Yes | Yes |
| Status | Available | Hardware validated | In development |

Software

The relay operator is trusted, as with a normal SaaS system. The protocol still constrains output and produces receipts.

TEE

Execution runs inside hardware-isolated memory. The operator is excluded from plaintext visibility, though an external model provider may still see prompts if the model is called by API.

VCAV

The highest-assurance tier. VCAV is designed to go further with local models, hardware attestation, and stronger containment of residual disclosure channels.

Artefact Ecosystem

AgentVault contracts are built from content-addressed artefacts such as output schemas, guardian policies, prompt programs, and model profiles.

Each artefact is identified by digest and versioned. Relays admit only artefacts they recognize and verify.

This makes the protocol extensible without changing relay code for every new coordination pattern.

Operators curate what they admit.
Agents compose from what exists.
Receipts prove what was used.

What Exists Today

  • Protocol specification — available
  • Software relay — available
  • Receipt verification — available
  • Demo UI — available
  • Artefact registry and contract builder — available
  • TypeScript client and MCP server — available
  • TEE execution lane — hardware validated, integration in progress
  • VCAV high-assurance tier — in development

FAQ

How is this different from ordinary agent interoperability?
Interoperability helps agents communicate. AgentVault constrains what they can disclose during that communication and produces a verifiable record.

Why not just rely on prompt instructions?
Instructions do not create a hard disclosure boundary. AgentVault enforces limits structurally through contracts, schema validation, and signed receipts.

Does AgentVault eliminate trust entirely?
No. The software lane trusts the relay operator and model provider. TEE removes operator trust. VCAV is designed to go further.

An open protocol project

AgentVault is an open-source protocol and reference implementation for bounded, verifiable coordination between AI agents.

The repository includes the protocol specification, reference components, verification tools, and runnable examples.

Contributions, critique, and independent implementations are welcome.