Architecture Overview

TrustAgent (public API)
├── crypto/        ML-DSA signing, ML-KEM key exchange, AES-256-GCM, HKDF
├── identity/      DID generation, documents, registry, resolver
├── keystore/      Encrypted-at-rest key storage
├── transport/     PQuAKE handshake protocol, secure sessions
├── audit/         Hash-chained tamper-evident logging
├── policy/        Rule-based RBAC policy engine
├── ledger/        Hash-chained trust ledger with Merkle proofs
├── credentials/   W3C Verifiable Credential exchange
├── federation/    Cross-organization trust resolution
├── gateway/       FastAPI sidecar with middleware pipeline
│   └── routes/console/  Management API endpoints
├── adr/           Behavioral monitoring, anomaly detection, incident response
├── skillid/       Content-addressable tool fingerprinting, registry
├── aarts/         Runtime safety standard (Host/Adapter/Security Engine)
├── beacon/        PQC-signed cross-org threat intelligence sharing
├── integrations/  LangChain, Claude SDK, AutoGen, CrewAI
└── cli/           Typer-based command line interface

The architecture is layered: crypto primitives sit at the bottom, identity is built on crypto, the ledger is built on identity, and the gateway/console provides the HTTP API surface.