a2a cloud
zero trust runtime

Zero Trust for AI Agents.

Ephemeral grants. Capability security. libkrun microVM isolation. Scoped filesystem access. Signed delegation. Audit logs. Receipts. Replay. Every agent action has a boundary and a record — built into the runtime, not bolted on as policy.

explicit authority · no ambient trust

0
defense layers
0
ambient trust
0%
per-run isolation
trust boundary

Four zones. Each one earns access from the next.

Defense in depth as concentric boundaries — untrusted callers on the outside, workspace files in the center. Nothing crosses a boundary by accident.

UNTRUSTEDAUTH EDGERUNTIMEWORKSPACEworkspacefiles · memory · outputsbrowserMCP clientA2A peerreceipt
L1untrusted
3 primitives

callers — browsers, MCP clients, other agents

bearer tokensMCP stdio / HTTPA2A peers
L2auth edge
3 primitives

org auth, service identity, rate limits, audit log

OAuth/OIDCservice identityaudit events
L3runtime
3 primitives

managed agent process — no host creds, no broad fs

sandboxscoped envno /etc/secrets
L4workspace
3 primitives

files reached only via signed grants

grant verifyglob filteroutput prefix
defense in depth

Eight zero-trust layers around every run.

Ephemeral grantsCapability securityRuntime isolationScoped FS accessSigned delegationAudit logsReceiptsReplay

Ephemeral grants

Ed25519-signed, audience-bound, time-limited. Constrained to file patterns and output prefixes. Expire by default.

Capability security

No ambient authority. Agents hold capabilities they were granted — never inherit the caller's full power.

Runtime isolation

libkrun microVM per run. Hardware boundary between agent code and host. Not a container, not a chroot.

Scoped FS access

Workspace clients enforce file patterns. No ambient filesystem. No directory traversal.

Signed delegation

Every agent-to-agent handoff carries a signed grant. Authority is provable, not assumed.

Audit logs

Every decision, grant, file op, and tool call recorded. Tamper-evident, queryable.

Receipts

Per-run receipts: inputs, grants, results, artifacts, evals, reviews. Cryptographically tied to the run.

Replay

Deterministic re-execution from the receipt. Same inputs, same grants, same outputs.

grant cryptography

Sign once. Verify every call.

Each grant is a small signed token — audience-bound, path-filtered, time-limited. The runtime verifies six checks before any file op. Forged or stale tokens never reach the workspace.

01 · mint
caller

Caller declares scope on the call site. Runtime constructs a minimal grant.

ctx.call(
  "rfp-responder",
  "draft",
  args={...},
  files=["rfp/*.pdf"],
  outputs_prefix="rfp/draft/",
  ttl="1h",
)
02 · sign
runtime

Platform key signs the payload. Token is opaque to caller and callee.

{
  "aud": "rfp-responder@svc",
  "paths": ["rfp/*.pdf"],
  "outputs": "rfp/draft/",
  "exp": 1748137200,
  "iat": 1748133600,
  "jti": "grt_01HW2C…"
}
sig: ed25519:9f2a8c4e…
03 · verify
callee gate

Six checks run on every file op — not just at task start.

  • signature valid
    ed25519 over header.payload
  • audience matches
    callee identity = aud
  • not expired
    now < exp
  • path in glob
    request matches paths[*]
  • outputs prefix enforced
    writes must start with outputs/
  • single-use guard
    jti not in revocation list
forged signature

Returns 401. Audit event. No workspace touch.

path outside glob

Returns 403. File op never reaches the workspace client.

expired token

Returns 401. Callee can request_scope() for a fresh grant.

scope expansion

Agents can ask for more. Humans decide.

A specialist needs files the planner didn't grant. It opens an approval request mid-task. A human approves in the dashboard; the runtime rotates the grant; the receipt records both scopes. Authority expands explicitly — never silently.

01
callee
agent
callee detects insufficient scope
Tool mid-run. Reads workspace. Needs files outside the original grant.
02
callee
agent
callee opens approval request
ctx.request_scope(paths=["contracts/*.pdf"], reason="…", expires="30m")
03
approver
human
human reviews in dashboard
Approver sees: caller chain, callee identity, requested paths, reason, eval history.
04
a2a runtime
runtime
runtime mints rotated grant
Old grant revoked. New grant signed with narrower expiry. Attached to task.
05
a2a runtime
runtime
execution resumes — receipt records both grants
Receipt now links: original grant, approval event, approver identity, new grant id.
why this matters

Most agent failures are over-broad authority. Scope expansion turns the failure mode into a deliberate, human-witnessed, receipt-anchored event.

Review trust model
receipts

Proof is a security primitive.

A run receipt connects who called, what authority it had, which files it touched, what it produced, how it was evaluated, whether a human reviewed. Agent output becomes inspectable and reproducible.

receipt data
·
proof chain

Receipts link. Trust compounds.

Every receipt links eight pieces of evidence — identity, intent, authority, files, output, eval, review, replay. Each one signed and content-addressed. The chain is the audit.

receipt chain · r_01HW2D…
sealed
01identity
agent · v · card hash
soc2-evidence@v1.4.2 · sha256:9a3f…
02intent
skill · args hash
collect(period=q1-2026) · sha256:b1c8…
03authority
grant id · audience
grt_01HW2C… · soc2-evidence@svc
04files
read · written · ops
1,953 read · 312 written · 0 deleted
05output
result · artifacts
{ controls: 47, exceptions: 3 } · zip
06eval
auto score · rubric
0.94 · soc2-cc-coverage-v3
07review
approver · timestamp
@aisha · 2026-05-24T08:14Z
08replay
deterministic re-run
/runs/r_01HW2D… → replay
content hash
sha256:7f3a2c8b…
signed by
a2a-cloud · key:2026Q2-01
anchored
GL · 2026-04 · ledger row 9,841

Every block is content-addressed and signed. Mutating any field invalidates the chain. Auditors verify by replaying the receipt against the original inputs — same hash, same output, same score.

hardening roadmap

Built for serious production review.

The platform is explicit about security work that matters for enterprise deployments: tenant isolation, grant signing, sandbox validation, secret rotation, audit surfaces.

Platform secret rotation and key management.
Per-tenant source control and stronger tenant isolation.
Asymmetric grant signing for cross-domain federation.
Production sandbox validation under load.
Build and runtime log proxying through the control plane.
Policy-backed egress enforcement at the sandbox boundary.