Skip to main content
Glama

CI OpenSSF PyPI npm License Spec OWASP AST09

Every person has a credit score. Every business has one. AI agents have nothing.

Nobulex is the credit and trust protocol for autonomous AI agents. Agents earn trust score through verified behavior. Higher trust, more access. Autonomy earned, not granted.

Website · Try it live · Quickstart · Spec · PyPI · npm


Break the AI. Win $7,400.

Five AI agents, each with rules they must not break. Make them violate their own rules. Beat Level 5 to claim the bounty. 29 attempts, 0 winners so far.

Enter the Arena →


Install

pip install nobulex
npm install @nobulex/core
from nobulex.agent import Agent
agent = Agent("my-agent")
receipt = agent.act("send_email", scope="user@example.com")
assert receipt.verify()  # tamper-proof

Related MCP server: DCL Evaluator

How it works

Every agent action produces a cryptographic receipt -- Ed25519 signed before and after execution, hash-chained for tamper evidence. A third party can verify the full history without trusting the agent or the operator.

Here is the whole idea in one run (python -m nobulex demo):

generated 3 receipts
  allow: 141ca2947a7e819b8bdebbf8... verified=True
  allow: f3377758ac94d812535cbb99... verified=True
  deny:  85b2dfd6b87f2678795726e4... verified=True
trust score: 23.26

tamper test:
  modified receipt verified=False   (tamper detected)

Change one byte of a receipt and verification fails. That is the whole guarantee.

Performance: ~13,683 signed receipts/sec at p50 (Python SDK, single core). Full signed-and-chained receipt takes ~73 μs end-to-end. See BENCHMARKS.md for the full breakdown; reproduce with python3 scripts/benchmark.py.

Receipts accumulate into trust score -- a credit score for the agent.

Tier

trust score

Access Level

Restricted

0 -- 30

Read-only, sandboxed execution

Standard

30 -- 60

Financial ops up to $500, API access

Trusted

60 -- 85

Cross-org operations, regulated markets

Sovereign

85+

Full autonomy, self-directed

Agents that create more value earn more access. Agents that deviate get cut off automatically. Not as punishment -- as math.


Quick start

pip install nobulex

One line to add receipts to any function:

from nobulex import track

@track(agent_id="my-agent")
def send_email(to, subject, body):
    # your existing code, unchanged
    return smtp.send(to, subject, body)

# Every call now produces a signed receipt automatically
send_email("user@example.com", "Hello", "Report attached")

# Success = receipt. Exception = DENY receipt. Trust score accumulates.
print(send_email.receipts)     # signed, tamper-evident
print(send_email.trust_score)  # earned over time

Or use the Agent API directly:

from nobulex import Agent

agent = Agent("my-agent")
receipt = agent.act("send_email", scope="user@example.com")
assert receipt.verify()       # any third party can check
print(agent.trust_score)      # builds with every action

LangChain integration

from nobulex.integrations.langchain import NobulexAuditHandler

handler = NobulexAuditHandler(agent_id="my-agent")
agent.invoke({"input": "..."}, config={"callbacks": [handler]})
handler.export("audit.json")  # signed, hash-chained audit trail

CrewAI integration

from nobulex.integrations.crewai import NobulexCrewAudit

audit = NobulexCrewAudit(agent_id="my-crew")
audit.record_task("credit_check", "loan-app-4821")
audit.export("audit.json")

Google ADK integration

from nobulex.integrations.google_adk import NobulexADKCallback

cb = NobulexADKCallback(agent_id="my-agent")

@cb.wrap_tool("web_search")
def search(query):
    return do_search(query)

cb.export("audit.json")

PydanticAI integration

from nobulex.integrations.pydantic_ai import NobulexPydanticAIAudit

audit = NobulexPydanticAIAudit(agent_id="typed-agent")
audit.record_tool("get_weather", {"city": "Berlin"}, {"temp": 22})
audit.export("audit.json")

Haystack integration

from nobulex.integrations.haystack import NobulexHaystackAudit

audit = NobulexHaystackAudit(agent_id="my-pipeline")
audit.record_component("Retriever", {"query": "test"}, {"docs": 5})
audit.export("audit.json")

LlamaIndex integration

from nobulex.integrations.llama_index import NobulexLlamaIndexAudit

audit = NobulexLlamaIndexAudit(agent_id="llama-agent")
audit.record_tool("web_search", {"query": "test"}, {"results": 5})
audit.export("audit.json")

Verify any exported trail (no operator trust)

from nobulex.chain import verify_audit_trail
report = verify_audit_trail("audit.json", authorized_keys=AGENT_PUBLIC_KEY)
assert report["chain_intact"] and report["authenticated"]

JavaScript / TypeScript

npm install @nobulex/core
npx tsx examples/trust-capital-demo.ts
Agent starts at RESTRICTED tier (trust score: 0)

Action 1: read_data        - ALLOWED   (trust score: 12)
Action 2: read_data        - ALLOWED   (trust score: 24)
Action 3: process_payment  - BLOCKED   (insufficient trust)
Action 4: read_data        - ALLOWED   (trust score: 36)
Action 5: read_data        - ALLOWED   (trust score: 48)

Agent promoted to STANDARD tier
Action 6: process_payment  - ALLOWED   (trust score: 65)

Agent promoted to TRUSTED tier (trust score: 89)
Action 8: approve_contract  - ALLOWED

Who is accountable?

An agent key is free to generate. So if the score lives on the key, the score is theater: an agent with a bad record deletes the key, makes a new one, and starts clean in thirty seconds. A human can't do that with a credit score, because the SSN is scarce. That scarcity is what makes a score mean anything.

So the file doesn't live on the key. It lives on the operator: the legal entity accountable for the agent. Agents inherit trust from their operator the way a corporate card inherits its limit from the company rather than from the plastic.

from nobulex import Agent, OperatorRegistry, VerificationLevel

registry = OperatorRegistry()
registry.register("acme", "Acme Corporation", VerificationLevel.KYB)
registry.bind_agent("acme", agent.public_key)

# The question a relying party actually asks:
registry.is_accountable(agent.public_key, VerificationLevel.KYB)  # True
registry.operator_for(agent.public_key).legal_name                # "Acme Corporation"

Burning a key doesn't escape the record:

before the burn

after

agent's own score

8.0

0.0 (fresh key)

operator score

8.0

3.4 (history survived)

churn ratio

0.0

0.5 (the burn is visible)

new agent starts at

2.72, not 0

And the attack doesn't work one level up either: an unverified operator can claim a score of 99 and passes exactly 0.0 to a new agent, so registering fake operators to farm trust fails by construction.

Meanwhile the honest operator gets paid for it. Acme at 90 with zero churn means their next agent starts at 60 instead of 0. That's the reason to bind keys rather than stay anonymous.

python packages/python/examples/sybil_resistance.py

The protocol

DECLARE ──► ENFORCE ──► PROVE ──► ACCUMULATE

Covenant      Pre-execution     Receipt chain     trust score
defines       receipt blocks    verified by       earned over
the rules     violations        third parties     time
              before they
              happen                              ──► more access
                                                      ──► more receipts
                                                           ──► higher trust

The flywheel: more trust score leads to more valuable work, which produces more receipts, which builds higher trust score. Accountability becomes the most profitable strategy.


Code

import { createDID, parseSource, EnforcementMiddleware, verify } from '@nobulex/core';

const agent = await createDID();
const spec = parseSource(`
  covenant SafeTrader {
    permit read;
    permit transfer (amount <= 500);
    forbid transfer (amount > 500);
    forbid delete;
  }
`);

const mw = new EnforcementMiddleware({ agentDid: agent.did, spec });

await mw.execute(
  { action: 'transfer', params: { amount: 300 } },  // allowed
  async () => ({ success: true }),
);

await mw.execute(
  { action: 'transfer', params: { amount: 600 } },  // BLOCKED before execution
  async () => ({ success: true }),                    // never runs
);

const result = verify(spec, mw.getLog());
console.log(result.compliant);   // true

Traction

Independent, verifiable signals (each links to evidence):

What

Evidence

OWASP Agentic Skills Top 10 (AST09)

Bilateral receipt pattern merged as normative guidance (PR #35). Vendor listing in the solutions catalog (PR #38). Fixture-corpus proposal (PR #46, merged as a discussion doc, not a normative spec). All merged by project lead Ken Huang, Jun-Jul 2026. The action_ref hash construction itself is in the solutions catalog, not the normative page

IETF Conformance

draft-farley-acta-signed-receipts: 4/4 vectors pass. Implementation PR #12 filed

OWASP CheatSheetSeries

Sections 8-11 (JCS canonicalization, cross-agent accountability, sanctions-list freshness, regulatory mapping) merged into master by Jim Manico, Jun 2026 (PR #2210)

Dify Plugin Marketplace

Plugin merged into official dify-plugins repository (PR #2500). Nobulex receipts available to 90K+ star Dify ecosystem

Microsoft AI Agents for Beginners

PR open to add nobulex as the Python production receipt library in Lesson 18 - Securing AI Agents with Cryptographic Receipts (PR #571)

AgentAudit AI

Design-partner conversation. A signed specimen receipt verifies end-to-end in 10 lines of Python (fixture)

Microsoft AGT

Listed in ADOPTERS (PR merged by Microsoft maintainers)

builderz-labs / mission-control

Cross-session trust score RFC accepted as open issue; TypeScript reference implementation delivered

EU AI Act Article 12 enforcement: December 2, 2027.


Verify API

The SDK is free. The hosted verification layer is the product.

# Verify a receipt
curl -X POST https://nobulex.com/api/verify \
  -H "Content-Type: application/json" \
  -d '{"agent_id":"my-agent","action_type":"tool:search",...}'

# Check an agent's trust score
curl https://nobulex.com/api/verify?action=score&agent_id=my-agent

Endpoint

What it does

Tier

POST /verify

Verify signature + recompute action_ref

Free

POST /verify/chain

Verify chain integrity

Pro

POST /verify/bundle

Compliance report for regulators

Pro

GET /agent/:id/score

Trust score (A-F grade)

Free

GET /demo/tamper-test

Live tamper detection demo

Free

Free: 100/day. Pro ($99/mo): 10K/day. Scale ($499/mo): unlimited.

Pricing | API docs | Methodology


Why now

AI agents are being deployed into production with no accountability infrastructure.

  • 86% of AI agents deployed without security approval (CSA, 2026)

  • UUMit launched the first A2A marketplace with zero identity verification

  • $138B+ committed to physical AI with zero accountability layer

  • Top models score 10-15% on real problems (LemmaBench) with zero traceability on failure

The agents are deployed. The money is flowing. The accountability infrastructure doesn't exist yet. We're building it.


Standards

Standard

Status

Proof-of-Behavior spec

draft-gogani-nobulex-proof-of-behavior-00

Microsoft AGT

Listed in ADOPTERS (PR merged)

CTEF v0.3.2

14/14 byte-match conformance

A2A Protocol

Receipt row proposed; URN scheme urn:nobulex:receipt:<id>

NIST RFI

Formal comments submitted


Development

git clone https://github.com/arian-gogani/nobulex.git
cd nobulex && npm install
npx vitest run              # tests
npx tsx examples/demo.ts    # end-to-end
npx tsx benchmarks/bench.ts # benchmarks

Website · Try it · npm · Spec · X @nobulexlabs

Star this repo to follow the project

MIT License

Install Server
A
license - permissive license
A
quality
A
maintenance

Maintenance

Maintainers
4dResponse time
6wRelease cycle
2Releases (12mo)
Commit activity
Issues opened vs closed

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/arian-gogani/nobulex'

If you have feedback or need assistance with the MCP directory API, please join our Discord server