TRUSTCHAIN is a dashboard where multiple AI agents collaborate — and audit each other in real time. Every action (generate, test, deploy) is signed with an Auth0 identity, logged, and revocable.
Maker Agent writes code/artifacts.
Tester Agent validates outputs, security, and policy.
Deployer Agent pushes changes — only after Auth0-guarded approvals.
The result: a verifiable chain of responsibility (“who did what, when, and why”).
Demo
Live (prototype): https://trustchain-demo.vercel.app
Repo: https://github.com/sageworks-ai/trustchain
Test user: demo@trustchain.ai / Auth0Demo@123
Demo flow: Login → assign a task → Maker proposes → Tester signs/pass → hum…
TRUSTCHAIN is a dashboard where multiple AI agents collaborate — and audit each other in real time. Every action (generate, test, deploy) is signed with an Auth0 identity, logged, and revocable.
Maker Agent writes code/artifacts.
Tester Agent validates outputs, security, and policy.
Deployer Agent pushes changes — only after Auth0-guarded approvals.
The result: a verifiable chain of responsibility (“who did what, when, and why”).
Demo
Live (prototype): https://trustchain-demo.vercel.app
Repo: https://github.com/sageworks-ai/trustchain
Test user: demo@trustchain.ai / Auth0Demo@123
Demo flow: Login → assign a task → Maker proposes → Tester signs/pass → human approves via CIBA → Deployer executes → Audit trail appears with JWT metadata.
How I Used Auth0 for AI Agents
Per-agent identities: Each bot (maker/tester/deployer) authenticates to the platform with its own Auth0 client/credentials.
Token Vault: Per-agent secrets (only Deployer can call CI/CD; Maker can’t).
Asynchronous Authorization (CIBA): human-in-the-loop for risky actions (prod deploys, key rotations).
FGA (optional): grant a specific Tester read access to specific repos or datasets.
Architecture
Auth: Auth0 OIDC (agent + human), Token Vault, CIBA
LLM Orchestration: LangChain agent executor
Audit Bus: append-only log (Kafka/Redis stream) → signed digests → optional on-chain anchor
UI: Next.js + audit timeline, JWT viewers
Signed Action Envelope (example)
{ “actor”: “agent:tester-42”, “action”: “validate_security”, “resource”: “repo:org/app@commit:abc123”, “timestamp”: 1730056200, “jwt_claims”: { “sub”:“auth0|agent_tester_42”, “scope”:“repo:read audit:write” }, “hash”:“0xdeadbeef...”, “signature”:“0x…” }
Guarded Deploy (pseudo)
if (riskScore > 7) { const ok = await auth0.cibaRequest({ userId, message:“Approve PROD deploy?”, ttl:300 }); if(!ok) throw new Error(“Human denied”); } await tokenVault.with(“ci_cd”, (token)=>{ return ciClient.deploy({env:“prod”, token}); }); audit.log(“deploy”, actor, resource, digest);
Lessons Learned
separating identity (Auth0) from intelligence (LLM) = clarity + safety.
auditability flips “black-box AI” into accountable automation.
human approvals (CIBA) are the right speed bump for real-world risk.
which one should you ship?
If you want emotional, human-first → MINDKEY will resonate hard.
If you want enterprise/security-first (and likely judge appeal) → TRUSTCHAIN has “this could run in a Fortune 500 on Monday” energy.
Honestly? You could post both (different repos), but if you can only polish one before deadline, go TRUSTCHAIN.
ultra-lean demo plan (both fit this)
Auth0: create tenant → app → Universal Login; enable email/password + Google.
Roles/Scopes:
mindkey: mem:read, mem:write, mem:share
trustchain: repo:read, ci:deploy, audit:write
Token Vault: add one external API key (e.g., GitHub PAT) to prove scoped tools.
CIBA: set up a push/email approval for “export memories” (MINDKEY) or “deploy prod” (TRUSTCHAIN).
Frontend: Next.js page with Login, an action button, and an audit timeline component.
Proof: record a 30–60s Loom showing login → action → approval → result.
minimal Next.js server stubs (drop-in) // /lib/auth.ts import { auth } from ‘@auth0/nextjs-auth0’; export const requireScope = (req, scope:string) => { const s = auth.getSession(req); if(!s || !s.user) throw new Error(‘unauthorized’); if(!s.user.permissions?.includes(scope)) throw new Error(‘forbidden’); return s.user; };
// /pages/api/mindkey/read.ts
import { requireScope } from ‘@/lib/auth’;
import { fga } from ‘@/lib/fga’;
export default async function handler(req,res){
const user = requireScope(req,‘mem:read’);
const { agentId, memoryId } = req.body;
const ok = await fga.check({subject:agent:${agentId}, relation:‘viewer’, object:memory:${memoryId}, userId:user.sub});
if(!ok) return res.status(403).end();
const data = await vault.readEncrypted(memoryId, user.sub);
res.json({data});
}
// /pages/api/trustchain/deploy.ts import { requireScope } from ‘@/lib/auth’; import { ciba, tokenVault, audit } from ‘@/lib/controls’; export default async function handler(req,res){ const user = requireScope(req,‘ci:deploy’); const risk = Number(req.body.risk ?? 0); if(risk > 7){ const approved = await ciba.request({ userId:user.sub, message:‘Approve PROD deploy?’, ttl:300 }); if(!approved) return res.status(401).json({error:‘denied’}); } const token = await tokenVault.get(‘ci_cd’); const result = await ci.deploy({ env:‘prod’, token }); await audit.append({ actor:user.sub, action:‘deploy’, resource:‘prod’, result }); res.json({ ok:true, result }); }