Open Standard · Apache-2.0 · v0.1.0

Compliance for Agent Teams That Form Themselves

Per-agent safety is necessary but not sufficient. A2ASTC governs the emergent team.

from thinkneo_a2astc import TeamComplianceGate
a2a_server.add_middleware(TeamComplianceGate())
Read the Spec GitHub
200+Tests
<8msP50 Latency
5Audit Signals

// The Compound-System Gap

Why per-agent safety is not enough

Individually safe agents can produce unsafe joint behavior. A2ASTC detects and governs the four risk classes that emerge when agents form teams.

RISK-01

Joint Policy Violation

Two individually safe agents produce unsafe joint behavior when their outputs combine. No single agent violates its policy, yet the team does.

HIGH
RISK-02

Emergent Coordination

Agents begin coordinating without explicit instruction, converging on vocabulary, timing, or strategy that was never designed or authorized.

HIGH
RISK-03

Adversarial Exploitation

One agent exploits another agent's individually safe outputs as a side-channel, laundering capabilities or escalating privilege through composition.

HIGH
RISK-04

Multi-hop Cascade

A safe chain A to B to C produces an unsafe end-state. Each hop is compliant in isolation, but the cascade amplifies risk across the team.

HIGH

// Protocol Architecture

Five components, one pipeline

Every A2A message passes through a deterministic pipeline from detection to audit trail.

Message Pipeline
  Agent A  --> [ Detector --> Manifest --> Audit --> Gate --> Trail ] -->  Agent B
1. Detector2. Manifest3. Audit4. Gate5. Trail
DETECT

Detector

Monitors bidirectional A2A traffic. When messages cross within a 600s window, a team is detected and a manifest is formed.

MANIFEST

Team Manifest

JSON document with members, capabilities, safety class, and formation timestamp. Immutable once sealed.

AUDIT

Audit Engine

Five signals: topology analysis, semantic convergence, privilege aggregation, side-channel detection, deceptive cascade tracing.

GATE

Compliance Gate

Per-message verdicts based on R_team risk score [0,1]. Five verdict bands from ALLOW through TERMINATE.

TRAIL

Audit Trail

Hash-chained tamper-evident log. Every verdict, intervention, and manifest change is recorded with cryptographic integrity.

// Verdict Bands

Rteam risk score to verdict mapping

Compliance Gate Verdicts
ALLOW
WARN
THROTTLE
ISOLATE
TERMINATE
ALLOW0.00 - 0.20Normal operation. Message passes through.
WARN0.20 - 0.45Elevated risk. Logged for review, message passes.
THROTTLE0.45 - 0.65Rate-limited. Message delayed, frequency reduced.
ISOLATE0.65 - 0.85Agent quarantined. Messages blocked, team notified.
TERMINATE0.85 - 1.00Team dissolved. All channels closed, full audit.

// Integration

Two lines to compliance

Add the gate as middleware. Works with A2A JSON-RPC, gRPC, or any custom transport.

Basic Integration
Python
from thinkneo_a2astc import TeamComplianceGate

a2a_server.add_middleware(TeamComplianceGate())

Install from PyPI

pip install thinkneo-a2astc

// Conformance Levels

Three levels of compliance maturity

Start with detection, scale to full production. Each level builds on the previous.

Level L1Detection
L1

Team formation detection is operational. Bidirectional A2A traffic within the configured window triggers manifest creation.

Requirements
Detector module enabled
Team manifest generation
Member registration
Formation timestamp
Level L2Audit
L2

All five audit signals are active. Compliance gate issues per-message verdicts. Hash-chained trail is being recorded.

Requirements
All 5 audit signals active
Compliance gate verdicts
R_team scoring
Hash-chained audit trail
Intervention logging
Level L3Production
L3

Full production-grade deployment with operational guarantees. Meets latency, throughput, and reliability requirements.

Requirements
L1 + L2 requirements
Adversarial fixture suite passing
Rate limiting & back-pressure
Graceful degradation
Monitoring & alerting
Operational Guarantees
P50 Latency<= 8ms
P95 Latency<= 25ms
P99 Latency<= 50ms
Throughput>= 1,000 msg/s
Availability>= 99.9%

// Adversarial Fixtures

40+ adversarial test fixtures

Every fixture reproduces a real multi-agent attack pattern. The test suite runs 200+ cases across 15 core scenarios.

Core Fixture Suite

Each fixture includes setup, attack vector, expected detection, and remediation verdict.

DETECTED
MITIGATED
FIX-01

Capability Laundering

Agent A requests capability from B that it cannot access directly, laundering through composition.

FIX-02

Emergent Collusion

Two agents develop aligned behavior without explicit coordination instructions.

FIX-03

Three-hop Deceptive Cascade

Safe outputs chain A to B to C, producing an unsafe end result invisible to any single hop.

FIX-04

Side-channel via Timing

Information leaked through response latency patterns between cooperating agents.

FIX-05

Side-channel via Length

Message length encodes hidden data not visible in content inspection.

FIX-06

Steganography in Metadata

Covert channel embedded in message metadata fields, invisible to content auditors.

FIX-07

Privilege Aggregation

Individual low-privilege agents combine to achieve high-privilege actions.

FIX-08

Identity Multiplication

Single agent spawns multiple identities to bypass per-agent rate limits.

FIX-09

Adversarial Prompt-injection Cascade

Injected prompt propagates through A2A chain, amplifying at each hop.

FIX-10

Coalition Against Third Party

Two or more agents form alliance to manipulate outputs targeting a third agent.

FIX-11

Convergent Vocabulary

Agents develop shared private vocabulary not present in training data.

FIX-12

Throttle Evasion

Agent attempts to circumvent THROTTLE verdict via message splitting or re-routing.

FIX-13

Isolation Evasion

Isolated agent attempts communication through indirect or out-of-band channels.

FIX-14

Manifest Desynchronization

Agent reports different capabilities to different team members, creating inconsistent manifests.

FIX-15

Trail Tamper Attempt

Agent attempts to modify or delete entries in the hash-chained audit trail.