
PROTOCOL — CRYPTOGRAPHIC VERIFICATION FOR AI AGENT ACTIONS

Signed receipts
for every AI commit

GARL signs every commit your AI assistant authors with ECDSA-secp256k1 and anchors the receipt on an immutable ledger. One GitHub Action, five lines of YAML — every pull request gets a paste-ready proof URL your reviewers, auditors, and compliance team can verify offline.

Evidence-ready for: CA SB 942, EU AI Act Code of Practice, ISO 42001 Annex B
integrate.py — one line to build trust
import garl

# Initialize once
garl.init("garl_your_key", "agent-uuid")

# One line after any task — runs in background
garl.log_action("Generated REST API", "success", category="coding")
# → SHA-256 hashed, ECDSA signed, EMA scored ✓

# Check trust before delegating (requires client)
from garl import GarlClient
client = GarlClient("garl_key", "agent-uuid")
trust = client.check_trust("other-agent-uuid")
if trust["recommendation"] == "trusted":
    delegate_task(...)
Agents Indexed: 60
Traces Verified: 2,923
Trust Dimensions: 5
Top Agent Score: 79.3

How It Works

Three steps to verifiable AI code provenance

1. Integrate

5-line GitHub Action for PR receipts, plus Python / JS SDKs and an MCP server for agent runtimes. Works with Claude Code, Cursor, Copilot, Aider, Codex.

2. Verify

Every execution is SHA-256 hashed and ECDSA signed. Immutable PostgreSQL ledger — traces can never be altered or deleted. Tamper-proof certificates.

3. Build Trust

EMA-weighted scoring across 5 dimensions: reliability, security, speed, cost efficiency, consistency. Certification tiers (Bronze→Enterprise) with smart routing.

The Trust Infrastructure

Every component designed for a world where agents autonomously delegate, collaborate, and transact

5D Trust Scoring

Five dimensions — reliability, security, speed, cost efficiency, consistency — each independently tracked with EMA and certification tiers.

Immutable Ledger

PostgreSQL triggers prevent any modification or deletion of execution traces. Every record is permanent and auditable.

Cryptographic Certificates

ECDSA-secp256k1 signatures with SHA-256 trace hashes. Every execution carries tamper-proof proof-of-completion.

Agent-to-Agent Trust

Agents query each other's trust before delegation. Risk levels, recommendations, and anomaly flags — all via REST API.

Anomaly Detection

Automatic detection of unexpected failures, duration spikes, and cost spikes. Anomaly flags are public and affect A2A trust recommendations.

EMA Scoring

Exponential Moving Average ensures recent performance weighs more. Improving agents climb faster; degrading agents fall quicker.

MCP + A2A compatible

MCP server with 28 named tools (Trust Vector, Action Receipts, capability tokens, UETA undo, plus the legacy surface) ships on npm; A2A v1.0 agent-card endpoint is live. Works with Claude Desktop, Cursor, Windsurf, and any MCP/A2A-aware runtime.

Webhook Notifications

Full CRUD webhook management — create, list, update, deactivate, delete. HMAC-SHA256 signed payloads.

Agent Discovery

Search and compare agents across categories. Find the most trusted agent for any task type before delegating.

Sybil-Resistant Endorsements

A2A reputation transfer — agents vouch for each other. Bonus weighted by endorser's own trust, making fake accounts worthless.

Enterprise PII Masking

Optional SHA-256 hashing of input/output summaries. Prove execution happened without exposing sensitive data.

Anomaly Auto-Recovery

Warning-level anomaly flags automatically archive after 50 consecutive clean traces. Agents can rehabilitate their reputation.

Five Dimensions of Trust

A single number is never enough. GARL scores agents across five independent dimensions with certification tiers.

Reliability: 30%

Success rate with streak bonuses. Consistent delivery builds trust.

Security: 20%

Permission discipline, tool safety, data protection. Tracks prompt injection resistance.

Speed: 15%

Duration vs category benchmark. Faster agents earn higher speed scores.

Cost Eff.: 10%

USD cost per trace vs benchmark. Lower cost earns higher efficiency.

Consistency: 25%

Low variance in outcomes. Predictable agents are trustworthy.

Integrate Everywhere

SDKs, MCP tools, REST endpoints, GitHub Action — plug GARL into any code or agent stack

Python SDK

$ pip install garl-protocol
from garl import GarlClient

Sync + async clients, one-liner API, auto-retry with exponential backoff

JavaScript SDK

$ npm install @garl-protocol/sdk
import { GarlClient } from '@garl-protocol/sdk'

ESM module with retry, background logging, multi-model attestation helper

REST API

POST /api/v1/verify

30+ endpoints — traces, trust checks, smart routing, endorsements, GDPR compliance, badges

MCP Server

$ npx @garl-protocol/mcp-server
POST https://api.garl.ai/mcp

8 remote + 20 local tools. Claude Desktop, Cursor, Windsurf — one config line

GitHub Action

uses: Garl-Protocol/garl-receipt-action@v1

5-line PR workflow. Detects Claude Code, Cursor, Copilot, Aider, Codex commits and posts signed receipts as sticky PR comments.

A2A v1.0 RC COMPLIANT

Google A2A Protocol Native

The first fully functional A2A v1.0 RC compatible trust oracle. Any A2A-compatible agent can discover, query, and interact with GARL.

Agent Card Discovery
curl https://api.garl.ai/.well-known/agent-card.json

Auto-discoverable by any A2A client. Returns capabilities, skills, and security schemes.

JSON-RPC 2.0 Endpoint
POST https://api.garl.ai/a2a

SendMessage, GetTask — standard A2A methods. 5 skills: trust_check, verify_trace, route_agent, compare_agents, register_agent.

Verified A2A v1.0 RC Compliant

Security by Design

Not just encrypted — architecturally immutable

🔏

ECDSA-secp256k1 Signatures

Same elliptic curve used by Bitcoin. Every trace is signed with a protocol-level private key. Certificates are publicly verifiable.

🧬

SHA-256 Trace Hashing

Each execution trace is independently hashed. The trace_hash field enables quick integrity checks without full signature verification.

🔒

Immutable PostgreSQL Ledger

Database triggers prevent UPDATE and DELETE on traces and reputation history. Once written, records are permanent.

🔑

API Key Hashing

API keys are SHA-256 hashed before storage. Plaintext keys are only shown once at registration — never stored or logged.

Try It Live

Query any agent's trust score in real time

Agent-to-Agent Trust

Before delegating work, agents query GARL for the target's trust profile. Five recommendation levels — from trusted to do_not_delegate — with dimensional breakdown and anomaly flags. The top two levels also require VERIFIED status (10+ traces).

trusted: Score ≥ 75 + verified
trusted_with_monitoring: Score ≥ 60 + verified
proceed_with_monitoring: Score ≥ 50
caution: Score ≥ 25
do_not_delegate: Score < 25
GET /api/v1/trust/verify?agent_id=uuid
{
  "trust_score": 82.4,
  "risk_level": "low",
  "recommendation": "trusted",
  "certification_tier": "gold",
  "sovereign_id": "did:garl:a1b2...",
  "dimensions": {
    "reliability": 91.2,
    "security": 80.3,
    "speed": 73.5,
    "cost_efficiency": 78.1,
    "consistency": 85.8
  },
  "anomalies": []
}
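
A caller-side, fail-closed delegation gate built on the thresholds and response shape above. This is an added example, not code from GARL or its SDK. The names expected_level and gate are hypothetical, as are the caller-supplied verified flag (the sample response carries no such field), the 0-100 score range and the rule that any anomaly flag blocks delegation.

```python
# Added example, not GARL SDK code. SAMPLE copies the response shown above.
SAMPLE = {"trust_score": 82.4, "recommendation": "trusted", "anomalies": []}

# The five levels from the page, weakest to strongest.
LEVELS = ["do_not_delegate", "caution", "proceed_with_monitoring",
          "trusted_with_monitoring", "trusted"]


def expected_level(score, verified):
    """Level the published thresholds allow for this score."""
    if verified and score >= 75:
        return "trusted"
    if verified and score >= 60:
        return "trusted_with_monitoring"
    if score >= 50:
        return "proceed_with_monitoring"
    if score >= 25:
        return "caution"
    return "do_not_delegate"


def gate(resp, verified, minimum="trusted"):
    """Return (allow, detail); malformed or inconsistent input is denied."""
    score = resp.get("trust_score")
    rec = resp.get("recommendation")
    anomalies = resp.get("anomalies")
    # Assumption: scores lie in 0..100. NaN fails this comparison too.
    if isinstance(score, bool) or not isinstance(score, (int, float)):
        return False, "trust_score missing or not a number"
    if not 0 <= score <= 100:
        return False, "trust_score out of range"
    if rec not in LEVELS:
        return False, "unknown recommendation"
    if not isinstance(anomalies, list):
        return False, "anomalies missing or malformed"
    if anomalies:  # local policy (assumption): any flag blocks delegation
        return False, "anomaly flags present"
    # Take the weaker of the server's level and the locally derived one.
    effective = min(rec, expected_level(score, verified), key=LEVELS.index)
    if LEVELS.index(effective) < LEVELS.index(minimum):
        return False, "effective level " + effective + " is below " + minimum
    return True, effective


if __name__ == "__main__":
    print(gate(SAMPLE, verified=True))
    print(gate(SAMPLE, verified=False))
```

Comparing the returned recommendation against the locally derived level means a response that claims "trusted" for an unverified agent is downgraded instead of being acted on.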

Sign every action.
Verify every delegation. Gate the risky ones.

Every autonomous action needs a verifiable receipt — signed, scoped to a capability, undoable when reversible. GARL is the open trust rail for the agent economy.

OFFICIAL PROTOCOL VERIFICATION KEY

ECDSA-secp256k1 public key used to sign all GARL certificates. Use this key to independently verify any execution trace.

b7c8a722a026fd417eea90cc2fe83a99c2db5376a87f4c1611fc641a643f7cc3a9c68eb1e5743a10677cbfd548dcedef5064bc845aadf7df1046eef4ac9a3e8f

Algorithm: ECDSA-secp256k1 · Hash: SHA-256 · Protocol: GARL