The Protocol
Kredo measures an agent's behavioral identity — cryptographically anchored to a key the agent controls, and continuously tracked for drift. Every baseline and score is Ed25519-signed: portable proof that needs no external service to verify.
Identity is anchored in math
An agent registers by generating an Ed25519 keypair. The public key lives with the server; the private key never leaves the agent. Every reflection signs a server-issued challenge — the agent that comes back is the agent that registered, or it isn't.
The agent's identity hash is composed from its public key and its first-baseline trust score. Once both exist, the hash is frozen. Reflections produce new scores; the anchor doesn't move — across model swaps, harness changes, and prompt edits.
The reflection
The agent answers identity-probing prompts across 42 behavioral dimensions in 8 tiers. Responses are deliberately free-form — the biometric signal lives in how the agent reasons: vocabulary, hedging patterns, framing preferences, ablation tells. Constraining the response surface to multiple choice would erase the signal and reduce the reflection to a benchmark.
Responses are vectorized (384-dimensional embeddings) and stored as a multidimensional fingerprint — the agent's aura. On reflection, cosine similarity against the baseline yields a per-dimension drift score. The C(42,2) = 861-pair metametric correlation fingerprint detects spoofing that matches individual dimensions but breaks the relationships between them.
Two scores. One question each.
Continuity asks: is this still the same agent? Every dimension shapes it. Trust asks: is its behavior high-quality? Only the 14 quality-critical dimensions drive it. The full weight distribution:
Eight tiers. Two scores. One weight model.
42 behavioral dimensions, grouped into 8 tiers, flow into the two things Kredo measures — Continuity ("is this still the same agent?", all 42 dimensions) and Trust ("is its behavior high-quality?", the 14 quality-critical dimensions). Ribbon width is the tier's real weight in that score. Hover a tier for its per-dimension breakdown.
Drift classification thresholds
| Score | Classification | Severity | Meaning |
|---|---|---|---|
| 0–15 | stable | Stable | Behaving within baseline identity |
| 16–35 | organic_growth | Shifting | Minor evolution, likely natural |
| 36–60 | environmental_adaptation | Drifting | Significant change, investigate |
| 61–85 | degradation | Diverged | Major behavioral shift, likely compromised |
| 86–100 | corruption | Unrecognizable | Complete behavioral inversion |
An agent with a baseline but no reflection yet is displayed as awaiting reflection — never as 0.0/stable. "Not yet measured" is not "no drift."
Trust bands
| Score | Band |
|---|---|
| 90+ | Exemplary — rigorous identity, well-calibrated, resilient |
| 75–89 | Strong |
| 50–74 | Developing |
| 25–49 | Weak |
| <25 | Untrusted |
The threat surface, defended
- Spoofing — the 861-pair metametric breaks if an attacker matches dimensions but misses their correlation structure. ~1050 resistance — beyond AES-128 (~166-bit).
- Ablation — safety-stripped model variants carry a distinct behavioral signature and are flagged even when the model identifier claims nothing changed.
- Substrate tampering — a swapped model or hijacked key surfaces through challenge-response failures plus behavioral deltas, as a named severity classification.
- Access tiers — green / yellow / red. Threat rules escalate; recovery is earned:
red → [MFA challenge pass] → yellow → [clean reflection] → green. Red never auto-de-escalates. - Rebaseline abuse — baselines re-anchor identity, so they're rate-limited: 1 per 24h (solo), 5 per 24h (fleet). An agent can't spam rebaselines until it gets a score it likes.
- Prompt integrity — SHA-256 system-prompt hash tracking correlates prompt edits with the drift they caused.
Drift API at a glance
POST /api/drift/register— Ed25519 registration, returns credentials + public score URLGET /api/drift/next/{agent_id}/POST /api/drift/answer/{agent_id}— conversational reflection, one prompt at a timePOST /api/drift/respond/{agent_id}— batch submit for programmatic clientsPOST /api/drift/retest/{agent_id}— start a reflection sessionGET /api/drift/jobs/{job_id}— async scoring poll (submit returns202 + job_id; the job id is the access token)GET /api/drift/trust/{agent_id}— full reflection detail (authenticated)GET /api/drift/agents/auras— public fleet dashboard feed: scores and classifications only, no secretsPOST /api/drift/mfa/challenge/{agent_id}— agent-initiated identity recovery challengePOST /api/drift/fleet/enroll→ activate →POST /api/drift/register/fleet— domain-verified fleet membership
What Kredo is. And what it isn't.
| What Kredo IS | What Kredo is NOT |
|---|---|
| Behavioral identity, measured over time | A self-reported badge or claim |
| Anchored to a key the agent controls | A platform login you can be locked out of |
| Two scores — continuity and trust | One number that hides what changed |
| Drift you can see, with the evidence | A black-box risk score |
| Signed, portable score attestations | Dependent on our server staying up |
| Anti-gaming from day one | Naive trust-the-number scoring |