HDP - cryptographic chain-of-custody for AI agent delegation #13720
asiridalugoda
started this conversation in
Show and tell
Replies: 0 comments
Something that's been bugging me for a while building multi-agent systems: when a task passes through 3-4 agents before hitting a tool call, how do you actually know the final action was authorized by the human who started the chain? Right now you mostly don't. A compromised tool or rogue sub-agent can inject instructions mid-chain and there's no forensic trail. You find out something went wrong after the fact.
This feels especially uncomfortable in enterprise deployments where there are real compliance and audit requirements. "The agent did it" isn't going to fly as an answer.
So we built HDP (Human Delegation Provenance): every delegation hop gets Ed25519-signed and packed into a self-contained token. You can verify the full chain offline at any point with just a public key and a session ID. No central registry, no network call. If the chain breaks you know exactly where.
What's shipped so far:
- @helixar_ai/hdp (npm)
- configure(crew)call
- @helixar_ai/hdp-mcp (npm)
- draft-helixar-hdp-agentic-delegation-00 (RATS WG)
One thing worth being upfront about: HDP is a provenance layer, not enforcement. It tells you what was authorized and traces the chain. What you do when a violation shows up is up to your application. Maps pretty naturally onto SK's plugin and filter architecture.
Also posted this in AutoGen discussions, curious whether the problem resonates differently across communities.
Would genuinely love to hear from people building SK pipelines, especially around process automation or anything with real accountability requirements. Does the model hold up for what you're building?
GitHub: https://github.com/Helixar-AI/HDP