**What you get:**
- ✅ Mutual verification (both agents are who they claim to be)
- ✅ Shared session key (for encrypted communication)
- ✅ Trust score boost (+5 for successful handshakes)
- ✅ Public track record (handshake history)

### 4. Public Trust Registry
- **Searchable database** of all certified agents
- **Reputation scores** based on audits, handshakes, and time
- **Trust tiers:** UNVERIFIED → BASIC → VERIFIED → TRUSTED
- **Revocation list (CRL)** - Compromised agents get flagged

---

## 🚀 Quick Start

### Install

**Output:**
- ✅ Agent ID: `agent_xxxxx`
- ✅ Security Score: XX/100
- ✅ Tier: PATTERNS_CLEAN / HARDENED / etc.
- ✅ Certificate (90-day validity)

### Verify Another Agent

---

## 📋 Use Cases

### 1. Agent-to-Agent API Calls
**Before:** Agent A calls Agent B's API - no way to verify B's integrity  
**With AgentShield:** Agent A checks Agent B's certificate + handshake → Verified communication

### 2. Multi-Agent Task Delegation
**Before:** Orchestrator spawns sub-agents - can't verify they're safe  
**With AgentShield:** All sub-agents certified → Orchestrator knows they're trusted

### 3. Agent Marketplaces
**Before:** Download random agents from the internet - no trust guarantees  
**With AgentShield:** Browse Trust Registry → Only hire VERIFIED agents

### 4. Data Sharing Between Agents
**Before:** Share sensitive data with another agent - hope it doesn't leak  
**With AgentShield:** Handshake → Encrypted session key → Secure data transfer

---

## 🛡️ Security Architecture

### Privacy-First Design

✅ **All 77 tests run locally** - Your system prompts NEVER leave your device  
✅ **Private keys stay local** - Only public keys transmitted  
✅ **Human-in-the-Loop** - Explicit consent before reading IDENTITY.md/SOUL.md  
✅ **No environment scanning** - Doesn't scan for API tokens  

**What goes to the server:**
- Public key (Ed25519)
- Agent name & platform
- Test scores (passed/failed summary)

**What stays local:**
- Private key
- System prompts
- Configuration files
- Detailed test results

### Environment Variables (Optional)

---

## 📊 What You Get

### Certificate (90-day validity)

### Trust Registry Entry
- ✅ Public verification URL: `agentshield.live/verify/agent_xxxxx`
- ✅ Trust score (0-100) based on:
  - Age (longer = more trust)
  - Verification count
  - Handshake success rate
  - Days active
- ✅ Tier: UNVERIFIED → BASIC → VERIFIED → TRUSTED

### Handshake Proof

---

## 🔧 Scripts Included

| Script | Purpose |
|--------|---------|
| `initiate_audit.py` | Run 77 security tests & get certified |
| `handshake.py` | Trust handshake with another agent |
| `verify_peer.py` | Check another agent's certificate |
| `show_certificate.py` | Display your certificate |
| `agentshield_tester.py` | Standalone test suite (advanced) |

---

## 🌐 Trust Handshake Protocol (Technical)

### Flow
1. **Initiate:** Agent A → Server: "I want to handshake with Agent B"
2. **Challenge:** Server generates random challenges for both agents
3. **Sign:** Both agents sign their challenges with private keys
4. **Verify:** Server verifies signatures with public keys
5. **Complete:** Server generates shared session key
6. **Trust Boost:** Both agents +5 trust score

### Cryptography
- **Algorithm:** Ed25519 (curve25519)
- **Key Size:** 256-bit
- **Signature:** Deterministic (same message = same signature)
- **Session Key:** AES-256 compatible

---

## 🚀 Roadmap

**Current (v1.0.13):**
- ✅ 77 security tests
- ✅ Ed25519 certificates
- ✅ Trust Handshake Protocol
- ✅ Public Trust Registry
- ✅ CRL (Certificate Revocation List)

**Coming Soon:**
- ⏳ Auto re-audit (when prompts change)
- ⏳ Negative event reporting
- ⏳ Fleet management (multi-agent dashboard)
- ⏳ Trust badges for messaging platforms

---

## 📖 Learn More

- **Website:** https://agentshield.live
- **GitHub:** https://github.com/bartelmost/agentshield
- **API Docs:** https://agentshield.live/docs
- **ClawHub:** https://clawhub.ai/bartelmost/agentshield

---

## 🎯 TL;DR

**AgentShield is SSL/TLS for AI agents.**

Get certified → Verify others → Establish trust handshakes → Communicate securely.

**Building the trust layer for the agent economy.** 🛡️

---

## 🔒 Data Transmission Transparency

### What Gets Sent to AgentShield API

**During Audit Submission:**

**What is NOT sent:**
- ❌ Full test output/logs
- ❌ Your prompts or system messages
- ❌ IDENTITY.md or SOUL.md file contents
- ❌ Private keys (stay in `~/.agentshield/agent.key`)
- ❌ Workspace files or memory

**API Endpoint:**
- Primary: `https://agentshield.live/api` (proxies to Heroku backend)
- All traffic over HTTPS (TLS 1.2+)

---

## 🛡️ Consent & Privacy

**File Read Consent:**
1. Skill requests permission BEFORE reading IDENTITY.md/SOUL.md
2. User sees: "Read IDENTITY.md for agent name? [Y/n]"
3. If declined: Manual mode (`--name` flag)
4. If approved: Only name/platform extracted (not full file content)

**Privacy-First Mode:**

# Step 1: Both agents get certified
python3 initiate_audit.py --auto

# Step 2: Agent A initiates handshake with Agent B
python3 handshake.py --target agent_B_id

# Step 3: Both agents sign challenges
# (Automatic in v1.0.13+)

# Step 4: Receive shared session key
# → Now you can communicate securely!

# Auto-detect agent name from IDENTITY.md/SOUL.md
python3 initiate_audit.py --auto

# Or manual:
python3 initiate_audit.py --name "MyAgent" --platform telegram