docs

CirtusAI: Comprehensive Architecture and Implementation Plan

This document lays out the problem, our solution, how the model works, integration options for developers, the technical architecture, and a practical roadmap.

Today’s AI ecosystem faces a three-way trust and access problem:

• Users face privacy and security risks when AI needs account access and are frustrated by repeated manual logins and anti-bot measures.
• AI agents rely on brittle browser automation and are often blocked or rate-limited by platforms.
• Platforms lack a reliable way to distinguish legitimate, accountable AI from malicious bots.

These issues lead to poor user experiences, operational cost, and limited AI utility.

Solution

CirtusAI is a trust layer that addresses these problems by providing:

• Sovereign AI Identity (DID): verifiable, user-controlled identities for AI agents.
• Dedicated AI Assets: separate email, wallet, and communication channels for AI to perform routine tasks.
• Controlled User Access: time-limited, auditable permissions for sensitive actions.
• Reputation Engine and VAP: cryptographically signed certificates that encode identity and reputation.f

Benefits:

• Users retain control and privacy while enabling AI autonomy.
• Developers gain reliable API-based integration without brittle automation.
• Platforms can apply differentiated policies to trusted AI and reduce fraud.

flowchart LR
    %% Centered CirtusAI with radial connections to User, Agent, and Service
  style CirtusAI fill:#0f1720,stroke:#2b3940,stroke-width:2px
    CirtusAI["CirtusAI Platform<br/>Trust, VAP, CapTokens, Connectors"]

    User((User))
    Agent((AI Agent))
    Service((Third-Party Service))

    User ---|"Grants approvals / Policies"| CirtusAI
    Agent ---|"Requests capabilities / Intents"| CirtusAI
    Service ---|"Verifies VAP & receipts"| CirtusAI

    %% Mirror Interaction Comparison Summary
    User -.->|"Control, consent, audit trail"| Agent
    Agent -.->|"Autonomy, dedicated assets, reduced auth friction"| User
    Agent -->|"Audited actions, VAP-backed calls"| Service
    Service -->|"Monetization: engagement, attribution, native ads"| Agent
    Service -->|"Receives signed receipts, provenance"| User

    %% Secondary annotations pulled from table
    subgraph Notes [Interaction Summary]
      direction TB
      N1["User ↔ AI: SDK/MCP, Approval System, Separate AI assets"]
      N2["AI ↔ Services: VAP certs, connectors, reliable API access"]
      N3["Services ↔ Users: Monetization, attribution, partner SLAs"]
    end

    CirtusAI --- N1
    CirtusAI --- N2
    CirtusAI --- N3

    click CirtusAI "#" "CirtusAI platform (center)"

User-to-AI Agent Interaction

Traditional interaction between users and AI agents requires users to repeatedly provide credentials, manually handle authentication, and maintain constant oversight of AI operations. This creates friction and limits AI autonomy.

CirtusAI changes this model by routing AI agents’ requests through the platform. Agents connect either via language/tool SDKs or via the Model Context Protocol (MCP) bridge. The platform evaluates policy and reputation, issues capability tokens or approval requests, and executes actions with platform-managed assets when necessary. Users grant scoped permissions through the Approval System; approvals are cryptographically signed, time-limited, and auditable.

The introduction should mention the SDK and MCP as high-level integration paths. Detailed API shapes, SDK design, and MCP wire format are shown in the Technical Implementation section;

sequenceDiagram
    participant User as User
    participant Agent as AI Agent
    participant SDK as SDK / Client
    participant MCP as MCP Bridge
    participant Platform as CirtusAI Backend
    participant Assets as AI Assets
    participant Approval as Approval System

    Note over Agent,Platform: Two integration paths
    Agent->>SDK: 1. Invoke action via SDK (client-side)
    Agent->>MCP: 1b. Or send MCP call (tool bridge)
    SDK->>Platform: 2. API request (capability request / intent)
    MCP->>Platform: 2b. MCP message (capability request / intent)
    Platform->>Platform: 3. Evaluate policy & reputation
    alt Approval required
        Platform->>Approval: 4. Create ApprovalRequest
        Approval->>User: 5. Send approval notification (mobile/web)
        User-->>Approval: 6. Approve / Deny
        Approval->>Platform: 7. Approval result (signed receipt)
    end
    Platform->>Assets: 8. Execute using AI assets OR proxy to user account
    Assets->>Platform: 9. External call result (provider response)
    Platform->>Agent: 10. Return result + ActionReceipt
    Note over User,Agent: Audit trail and receipts persisted

High-level sequence showing SDK and MCP integration paths, the platform’s policy/approval evaluation, and execution using platform-managed assets (or proxying to user accounts when required). The Technical Implementation section contains full SDK and MCP specifications.

• SDK (Software Development Kit): a small library developers add to their applications so AI agents can call CirtusAI services directly. Think of the SDK as a secure “app extension” that forwards AI requests to the platform without exposing user credentials.
• MCP (Model Context Protocol): a lightweight bridge that lets existing AI tools (chat clients, IDE assistants) talk to CirtusAI without modifying the tool itself. For non-technical readers, MCP is a translator that connects existing AI tools to the platform.

See the Technical Implementation section for integration details, API shapes, and SDK guidance.

Benefits for Users:

• Reduced authentication friction through AI identity delegation
• Maintained control through approval system for sensitive operations
• Enhanced privacy with AI using separate assets for routine tasks
• Audit trail of all AI actions and permissions granted

Benefits for AI Agents:

• Autonomous operation capability without constant user intervention
• Dedicated resources (email, wallet, phone) for reliable operations
• Reduced rate limiting and blocking through verified identity
• Scalable multi-user deployment without credential management complexity

AI Agent-to-Third Party Service Interaction

AI agents traditionally rely on brittle browser automation, screen scraping, and credential spoofing to interact with third-party services. This leads to frequent blocking, rate limiting, and security concerns for both services and users.

sequenceDiagram
    participant AIAgent as AI Agent
    participant CirtusAI as CirtusAI Platform
    participant VAP as VAP Engine
    participant Service as Third Party Service
    participant Assets as AI Assets
    
  rect rgb(20, 28, 36)
    Note over AIAgent,Service: Traditional AI-Service Interaction
    AIAgent->>Service: Browser automation request
    Service-->>AIAgent: ❌ Blocked/Rate limited
    AIAgent->>Service: Retry with different headers
    Service-->>AIAgent: ❌ Detected as bot
    end
    
  rect rgb(20, 28, 36)
    Note over AIAgent,Service: CirtusAI Enhanced Integration
    AIAgent->>CirtusAI: Request service access
    CirtusAI->>VAP: Generate verification certificate
    VAP->>CirtusAI: VAP certificate with identity/reputation
    CirtusAI->>Assets: Provision AI-specific credentials
    Assets->>Service: API call with VAP certificate
    Service->>Service: Verify certificate authenticity
    Service-->>Assets: ✅ Trusted API response
    Assets->>CirtusAI: Success + data
    CirtusAI->>AIAgent: Formatted response
    end

AI agents struggle with traditional service integration due to anti-bot measures, while CirtusAI provides verified identity and dedicated access channels.

Traditional Problems:

• Browser automation frequently blocked by anti-bot systems
• Rate limiting and IP blocking affecting reliability
• Security risks from credential sharing and spoofing
• High maintenance overhead from changing anti-bot measures

CirtusAI Solutions:

• API-first integration with VAP certificate verification
• Dedicated AI credentials separate from user accounts
• Reputation-based trust scoring for preferential treatment
• Standardized integration reducing service-specific implementations

Third Party Service-to-User Interaction

Services struggle to distinguish legitimate AI operations from malicious bots, leading to overly restrictive policies that block beneficial AI usage while failing to prevent actual threats.

In addition, third-party services prioritize monetization: user attention, engagement, ad impressions, and high-quality conversion events drive revenue. To be a valued partner, CirtusAI must demonstrate capabilities that increase measurable revenue and preserve — or enhance — the service’s monetization channels.

CirtusAI can offer potential partner-facing features including:

– TBC

Benefits for Third Party Services:

• Reliable AI identification through cryptographic verification
• Differentiated rate limiting and access policies for trusted AI
• Reduced fraud and abuse through reputation tracking
• Enhanced user experience by enabling beneficial AI operations

Benefits for Users:

• AI agents can access services on behalf of users without being blocked
• Transparent approval process for operations requiring user consent
• Enhanced security through verified AI identity rather than credential sharing
• Consistent experience across different services and platforms

Interaction Comparison Summary

Interaction	Traditional Issues	CirtusAI Solution
User ↔ AI	Manual auth, limited autonomy, privacy risks	SDK / MCP integration, AI identity delegation, approval system, separate AI assets
AI ↔ Services	Browser automation, blocking, unreliable access	API integration, VAP certificates, dedicated credentials, provenance receipts for ad/tracking integrity
Services ↔ Users	Overly restrictive bot detection, poor UX; loss of monetization opportunities	Partner monetization features: engagement SLAs, consent-forward monetization, analytics & attribution, referral/revenue-sharing, native ad support

Technical Implementation

A compact summary of how the pieces fit together:

• User -> Platform: Users interact via the web dashboard or mobile clients; they grant scoped approvals and view audit receipts.
• Agent -> Platform: AI agents connect using the SDK or the MCP bridge; they request capabilities/intents which the platform evaluates.
• Platform -> Backend: The CirtusAI backend evaluates policy & reputation, issues signed capability tokens and VAP certificates, manages AI-specific assets, executes actions or proxies calls to third-party services, and stores audit logs.
• SDK/MCP -> Backend: SDKs call backend REST APIs; MCP sends protocol messages (tool discovery, tools/call). Both receive ActionReceipts and capability tokens.
• VAP & Certificates: The VAP engine issues cryptographic certificates (VAP certs) that assert AI identity and reputation; these are attached to outbound API calls or presented to third-party services for verification.
• VAP distribution: VAP certs and ActionReceipts are signed by the platform and can be shared with external parties (services, partners) as part of API requests or as post-action receipts for provenance and monetization.
• The platform issues capability tokens and VAP certificates, maintains policies and audit logs, and provisions AI-specific assets, but it does NOT directly perform outbound calls to third-party services on behalf of users.
• AI Agents perform outbound calls using their provisioned AI assets (or via platform-managed connectors invoked as part of an agent-executed action). All external service interactions are initiated by agents and accompanied by VAPs and signed receipts for provenance.

flowchart LR
  U["User"]
  FE["Frontend (Web/Mobile)"]
  SDK["SDK / MCP"]
  PL["Platform (CirtusAI Backend)"]
  AG["AI Agent"]
  AS["AI Assets / Connectors"]
  VAP["VAP Engine / Certificates"]
  SRV["Third-Party Service"]

  U -->|"UI: grant approvals, view receipts"| FE
  FE -->|"submit capability request"| SDK
  SDK -->|"POST /v1/capabilities/request"| PL
  AG -->|"request capabilities / intents"| SDK
  PL -->|"evaluate policy & reputation"| VAP
  PL -->|"issue signed capability token / VAP"| SDK
  SDK -->|"deliver token + ActionReceipt"| AG
  AG -->|"use provisioned AI assets / connectors with VAP"| AS
  AS -->|"call with VAP and receipts"| SRV
  SRV -->|"response / provider result"| AS
  AS -->|"forward result + ActionReceipt"| PL
  PL -->|"persist audit log / receipts"| U

  %% Clarifying note nodes (non-intrusive, plain text)
  note_left(["Note: The platform issues capability tokens and VAP certificates, maintains policies and audit logs, and provisions AI-specific assets, but it does NOT directly perform outbound calls to third-party services on behalf of users."])
  note_right(["AI Agents perform outbound calls using their provisioned AI assets; all external interactions are initiated by agents and accompanied by VAPs and signed receipts."])

  note_left --- PL
  note_right --- AG

Notes: Users grant approvals through the frontend which submits signed approval data to the backend; CirtusAI issues tokens and VAP certificates but does not itself call third-party services — the AI agent performs outbound calls using its own provisioned assets and presents VAP certs for verification. ActionReceipts and VAP certs are cryptographically signed by the platform and may be forwarded to external parties for provenance and monetization.

MCP Integration Workflow

How existing AI tools connect to CirtusAI without any changes

The Model Context Protocol (MCP) allows existing AI tools like Claude Desktop, GitHub Copilot, and ChatGPT to seamlessly access CirtusAI’s AI identity services and capability-based access control without any modifications to their existing workflows. The MCP server acts as a transparent bridge that handles capability token lifecycle management behind the scenes.

Benefits of this approach

• Existing AI tools work without modification
• No need to rebuild or reconfigure AI applications
• Universal compatibility across all AI platforms
• Instant access to AI identity capabilities
• Transparent capability token management
• Built-in approval workflows for sensitive operations

MCP Capability Token Integration

The MCP server implements the complete capability token workflow transparently:

1. Tool Discovery: When an AI tool requests available tools via tools/list, the MCP server queries the CirtusAI platform for available capabilities and transforms them into MCP tool definitions
2. Capability Request: When a tool is invoked via tools/call, the MCP server automatically requests the appropriate capability token from the platform
3. Approval Handling: If approval is required, the MCP server manages the approval workflow and waits for user consent
4. Action Execution: Once a capability token is issued, the MCP server executes the action and returns formatted results to the AI tool
5. Audit Trail: All actions generate signed ActionReceipts that are logged for compliance and debugging

MCP Integration Process with Capability Tokens

1. User makes a request in their existing AI tool
   • Example: “Book a flight to Tokyo for next week”
2. AI tool requests available tools from MCP server
   • MCP server queries CirtusAI platform for available capabilities
   • Platform returns capability catalog filtered by user permissions and AI identity
   • MCP server transforms capabilities into MCP tool definitions
3. AI tool invokes relevant capability via MCP
   • Tool calls tools/call with capability ID and parameters
   • MCP server validates parameters and requests capability token from platform
4. Platform evaluates capability request
   • Trust Engine evaluates policy, reputation, and risk factors
   • If auto-approved: issues capability token immediately
   • If approval required: creates ApprovalRequest and notifies user
5. Approval workflow (if required)
   • User receives push notification or in-app approval request
   • Request includes action summary, estimated cost, and security context
   • User approves/denies with optional constraints or time limits
6. Capability token issuance and execution
   • Platform issues signed capability token with specific constraints
   • MCP server executes action using platform-managed credentials
   • External service call includes VAP certificate for trust verification
7. Response and audit trail
   • Platform returns ActionReceipt with execution details and provider response
   • MCP server formats response for AI tool consumption
   • All actions logged with provenance and attribution metadata

MCP Server Capability Token Management

The MCP server acts as a transparent proxy for capability token operations, allowing unmodified AI tools to benefit from CirtusAI’s security model without requiring integration changes.

Token Caching Strategy:

• Short-lived tokens (5-15 minutes) cached in memory
• Automatic token refresh for repeated operations
• Cache invalidation on user policy changes

Approval Flow Handling:

• Async approval workflows with configurable timeouts
• Real-time status updates via WebSocket connections
• Graceful fallback for approval denials or timeouts

sequenceDiagram
    participant AITool as AI Tool
    participant MCP as MCP Server  
    participant Backend as CirtusAI Backend
    participant Approval as Approval Service
    
    AITool->>MCP: tools/call: send_email
    MCP->>Backend: POST /v1/capabilities/request
    Backend->>Backend: Policy evaluation
    alt Approval Required
        Backend->>Approval: Create approval request
        Backend->>MCP: 202 Approval Required
        MCP->>MCP: Wait for approval (async)
        Approval-->>Backend: User approves
        Backend->>MCP: Capability token issued
    else Auto-Approved
        Backend->>MCP: 200 Capability token
    end
    MCP->>Backend: POST /v1/actions/execute
    Backend->>MCP: ActionReceipt
    MCP->>AITool: MCP response (formatted)

SDK Integration Workflow

How developers integrate CirtusAI into AI applications

For AI developers, CirtusAI transforms complex multi-week integration processes into simple, secure API calls. The SDK provides a streamlined interface that abstracts capability token management, approval workflows, and external service integration while maintaining enterprise-grade security and auditability.

Traditional approach problems:

• Each service (email, wallet, phone) requires weeks of setup time
• Complex authentication and API management
• Trust and rate limiting issues with platforms
• Each external service needs separate integration
• No standardized approval flows or audit trails

CirtusAI approach advantages:

• Single SDK with unified capability discovery and execution
• Automatic capability token lifecycle management
• Built-in approval workflows with user consent tracking
• Pre-verified external platform access with reputation scoring
• Enterprise-grade audit trails and compliance features

Developer Experience Philosophy: The SDK follows the principle of “simple by default, powerful when needed.” Common workflows require minimal code (3-5 lines), while advanced use cases provide full control over capability discovery, token caching, approval handling, and error recovery.

Core SDK Architecture

The SDK implements a capability-based access model with three primary abstractions:

1. Client: Handles authentication, AI identity management, and capability discovery
2. CapabilityManager: Orchestrates token requests, approval workflows, and caching
3. ActionExecutor: Executes capabilities with platform-managed resources and returns signed receipts

Value to developers: The SDK abstracts complex capability token management while providing full control when needed. Developers get enterprise-grade security, audit trails, and compliance features without sacrificing development speed or simplicity.

SDK Capability Token Workflow

The SDK provides for capability token management. All external service integrations use platform-issued tokens rather than storing provider credentials in client applications.

Key SDK Principles:

• Never store external provider credentials client-side
• All integrations use platform-managed capability tokens
• Built-in approval workflows for sensitive operations
• Comprehensive audit trails and error handling

flowchart TD
    %% Developer Entry Point
    Dev[AI Developer<br/>Wants AI Identity]
    
    %% SDK Installation
    Install[Install CirtusAI SDK<br/>pip install cirtusai<br/>Quick Setup]
    
    %% Integration Steps (Vertical) - Updated with Capability Tokens
    subgraph Integration [SDK Integration Process]
        direction TB
        Init[Initialize Client<br/>client = CirtusAI<br/>API Key Setup]
        Discover[Discover Capabilities<br/>client.discover_capabilities<br/>Capability Catalog]
        Request[Request Capability<br/>capability_token<br/>Auto or Manual Approval]
        Execute[Execute Action<br/>client.execute_action<br/>With Capability Token]
        Receipt[Receive Receipt<br/>ActionReceipt<br/>Audit Trail]
    end
    
    %% Backend Processing (Vertical) - Enhanced for Capability Tokens
    subgraph Backend [CirtusAI Backend Processing]
        direction TB
        API[REST API Gateway<br/>Request Handling]
        Identity[Identity Manager<br/>DID Creation]
        CapMgr[Capability Manager<br/>Token Lifecycle]
        Trust[Trust Engine<br/>Policy Evaluation]
        Approval[Approval Service<br/>User Consent]
        Executor[Action Executor<br/>Platform Connectors]
    end
    
    %% AI Resources (Vertical)
    subgraph AIAssets [AI Dedicated Assets]
        direction TB
        Email[AI Email Account<br/>[email protected]<br/>Independent Inbox]
        Wallet[AI Crypto Wallet<br/>0x123...abc<br/>Blockchain Assets]
        Identity[AI Identity Cert<br/>DID Verification<br/>Platform Trust]
    end
    
    %% External Integration (Vertical) - Enhanced with VAP
  subgraph External [External Platform Integration]
    direction TB
    ExternalServices[External Services]
  end
    
    %% Capability Token Flow (New)
    subgraph TokenFlow [Capability Token Lifecycle]
        direction TB
        TokenReq[Token Request<br/>caps + constraints]
        PolicyEval[Policy Evaluation<br/>Trust + Reputation]
        TokenIssue[Token Issuance<br/>Signed JWT/COSE]
        TokenExecute[Token Execution<br/>Platform Connector]
        AuditLog[Audit Logging<br/>ActionReceipt]
    end
    
    %% Flow connections
    Dev --> Install
    Install --> Integration
    Integration --> Backend
    Backend --> TokenFlow
    TokenFlow --> AIAssets
    TokenFlow --> ExternalServices
    AIAssets --> ExternalServices
  
    
    %% Detailed Token Flow
    Request --> TokenReq
    TokenReq --> PolicyEval
    PolicyEval --> TokenIssue
    Execute --> TokenExecute
    TokenExecute --> AuditLog
    AuditLog --> Receipt
    
    %% Styling
  classDef devStyle fill:#111316,stroke:#2b3940,stroke-width:2px
  classDef sdkStyle fill:#111316,stroke:#274251,stroke-width:2px
  classDef backendStyle fill:#0f1720,stroke:#2b3940,stroke-width:2px
  classDef assetStyle fill:#10161a,stroke:#3a2b1a,stroke-width:2px
  classDef externalStyle fill:#16171a,stroke:#3a2630,stroke-width:2px
  classDef tokenStyle fill:#141518,stroke:#3b2f20,stroke-width:3px
    
    class Dev devStyle
    class Integration,Install sdkStyle
    class Backend,API,Identity,CapMgr,Trust,Approval,Executor backendStyle
    class AIAssets,Email,Wallet,Identity assetStyle
  class ExternalServices externalStyle
    class TokenFlow,TokenReq,PolicyEval,TokenIssue,TokenExecute,AuditLog tokenStyle

Backend Architecture

API Gateway Layer — Handles all external communications

• REST API for direct SDK integration
• MCP Server for existing AI tool compatibility
• WebSocket for real-time user notifications and approvals

Core Services Layer — The business logic engine

• Authentication and authorization for all access
• Identity management for agent DID creation and maintenance
• Asset management for email and wallet operations
• Trust engine for reputation scoring and VAP certificate generation
• Approval system for user consent workflows
• Capability Manager for token lifecycle and policy enforcement
• Permissions Engine for dynamic policy evaluation and risk assessment

Capability Manager Service

The Capability Manager orchestrates the complete lifecycle of capability tokens, from initial request through execution and audit trail generation. It serves as the central coordination point for all capability-based operations.

Core Responsibilities:

1. Token Issuance: Generate signed capability tokens after policy evaluation
2. Token Revocation: Emergency revocation and blacklist management
3. Token Introspection: Validate token authenticity and extract claims
4. Audit Logging: Comprehensive logging of all capability operations

Permissions Engine Architecture

The Permissions Engine is the core decision-making component that evaluates capability requests, enforces policies, and determines approval requirements. It implements a multi-layered evaluation system with configurable policies, real-time risk assessment, and adaptive trust scoring.

Capability Token Evaluation Process

The Permissions Engine evaluates capability requests through a structured decision flow that maps AI identity, requested capabilities, and context to policy rules, returning one of three outcomes: auto-approve, require-approval, or deny.

Input Parameters:

• ai_identity: DID of the requesting AI agent
• requested_caps: Array of capability identifiers with constraints
• context: Request metadata (timestamp, source IP, device fingerprint, purpose)

Evaluation Logic:

1. Identity Verification: Validate AI DID and retrieve reputation score
2. Policy Mapping: Match capabilities against user-defined and organizational policies
3. Risk Scoring: Calculate composite risk based on capability sensitivity, context, and history
4. Decision Matrix: Apply rule engine to determine approval requirements

Token Structure: Approved capability tokens are JWT/COSE signed objects containing:

• jti: Unique token identifier for revocation
• iss: CirtusAI platform issuer
• sub: AI DID (subject)
• caps: Array of granted capabilities with constraints
• constraints: Execution limits (time windows, usage quotas, allowed recipients)
• iat/exp: Issuance and expiration timestamps (typically 5-60 minutes TTL)
• sig: Platform signature for verification

Storage and TTL:

• Tokens cached in Redis with automatic expiration
• Audit trail persisted in PostgreSQL for compliance
• Revocation list maintained for emergency token invalidation

flowchart LR
    PolicyEval[Policy Evaluation<br/>Identity + Caps + Context]
    TokenIssue[Token Issuance<br/>Signed JWT/COSE]
    AuditLog[Audit Logging<br/>Decision + Metadata]
    Execution[Action Execution<br/>Platform Connector]
    
    PolicyEval --> TokenIssue
    TokenIssue --> AuditLog
    TokenIssue --> Execution
    AuditLog --> Execution
    
  classDef evalStyle fill:#0f1720,stroke:#274251,stroke-width:2px
  classDef tokenStyle fill:#141518,stroke:#3b2f20,stroke-width:2px
  classDef auditStyle fill:#0f1720,stroke:#2b3940,stroke-width:2px
  classDef execStyle fill:#111316,stroke:#274251,stroke-width:2px
    
    class PolicyEval evalStyle
    class TokenIssue tokenStyle
    class AuditLog auditStyle
    class Execution execStyle

Data Layer — Persistent and temporary storage

• PostgreSQL for all structured data and relationships
• Redis for session management and caching
• Blockchain integration for DID registry and trust records
• File storage for media, logs, and documentation

flowchart TD
    %% === API GATEWAY LAYER ===
    subgraph Gateway [API Gateway Layer]
        direction TB
        REST[REST API<br/>FastAPI<br/>Port 8000]
        MCP[MCP Server<br/>Standard Protocol<br/>Port 3000]
        WebSocket[WebSocket<br/>Real-time Updates<br/>Port 8001]
    end

    %% === CORE SERVICES LAYER ===
    subgraph Core [Core Services Layer]
        direction TB
        Auth[Authentication<br/>JWT + API Keys<br/>User Sessions]
        Identity[Identity Service<br/>DID Management<br/>AI Registration]
        CapMgr[Capability Manager<br/>Token Lifecycle<br/>Policy Enforcement]
        PermEngine[Permissions Engine<br/>Risk Assessment<br/>Policy Evaluation]
        Assets[Asset Manager<br/>Email/Wallet<br/>Resource Allocation]
        Trust[Trust Engine<br/>Reputation Scoring<br/>VAP Certificates]
        Approval[Approval System<br/>User Consent<br/>Workflow Engine]
        Executor[Action Executor<br/>Platform Connectors<br/>Receipt Generation]
    end
    
    %% === MESSAGE QUEUE LAYER ===
    subgraph Queue [Message Queue Layer]
        direction TB
        RabbitMQ[RabbitMQ<br/>Message Broker<br/>Queue Management]
        Celery[Celery Workers<br/>Background Tasks<br/>Email/Crypto Jobs]
        CeleryBeat[Celery Beat<br/>Scheduled Tasks<br/>Trust Score Updates]
    end
    
    %% === DATA LAYER ===
    subgraph Data [Data Layer]
        direction TB
        Postgres[PostgreSQL<br/>Main Database<br/>ACID Transactions]
        Redis[Redis<br/>Cache + Sessions<br/>Real-time Data]
        Blockchain[Blockchain<br/>DID Registry<br/>Immutable Records]
        Files[File Storage<br/>Media + Logs<br/>S3/MinIO]
    end
    
    %% === EXTERNAL SERVICES ===
  subgraph External [External Services]
    direction TB
    ExternalServices[External Services]
  end
    
    %% === PRIMARY FLOWS ===
    
    %% Gateway to Core
    REST --> Auth
    MCP --> CapMgr
    WebSocket --> Approval
    
    %% Capability Token Lifecycle Flows
    Auth --> CapMgr
    CapMgr --> PermEngine
    PermEngine --> Trust
    PermEngine --> Approval
    CapMgr --> Executor
    Executor --> Assets
  Executor --> ExternalServices
    
    %% Core Service Interactions
    Auth --> Redis
    Identity --> Postgres
    Identity --> Blockchain
    Assets --> Postgres
    Assets --> Queue
    Trust --> Postgres
    Trust --> Blockchain
    Approval --> Redis
    Approval --> WebSocket
    CapMgr --> Postgres
    CapMgr --> Redis
    PermEngine --> Postgres
    Executor --> Postgres
    
    %% Queue Internal Connections
    RabbitMQ --> Celery
    RabbitMQ --> CeleryBeat
  Celery --> ExternalServices
    CeleryBeat --> Trust
    
    %% Data Layer Interactions
    Postgres <--> Redis
    Redis --> WebSocket
    Blockchain --> Trust
    Files --> Assets
    
    %% Asset Manager to External Services
  Assets --> ExternalServices
    
    %% Background Task Flows
  Celery --> ExternalServices
    Celery --> Postgres
    
    %% Trust Engine Flows
  Trust --> ExternalServices
    Trust --> Blockchain
    
    %% === STYLING ===
  classDef gatewayStyle fill:#111316,stroke:#19727a,stroke-width:2px
  classDef coreStyle fill:#0f1720,stroke:#274251,stroke-width:2px
  classDef queueStyle fill:#111316,stroke:#2b3940,stroke-width:2px
  classDef dataStyle fill:#101316,stroke:#2f2b20,stroke-width:2px
  classDef externalStyle fill:#16171a,stroke:#3a2630,stroke-width:2px
    
    class Gateway,REST,MCP,WebSocket gatewayStyle
    class Core,Auth,Identity,Assets,Trust,Approval coreStyle
    class Queue,RabbitMQ,Celery,CeleryBeat queueStyle
    class Data,Postgres,Redis,Blockchain,Files dataStyle
  class ExternalServices externalStyle

Platform Frontend Features

The user interface that makes AI identity management simple and intuitive

CirtusAI’s frontend provides three distinct interfaces for different user types: everyday users who want to control their AI, developers who integrate AI applications, and administrators who manage the platform.

User Dashboard — For end users managing their AI

• AI activity monitoring and approval workflows
• Asset management (view AI email, wallet activity)
• Security settings and permission controls
• Real-time notifications for AI actions requiring approval

Developer Tools — For AI application creators

• Agent creation and version management
• SDK integration guides and testing tools
• Analytics dashboard for AI performance and usage
• Webhook testing and debugging interfaces

Admin Panel — For platform operators

• System monitoring and health metrics
• User and developer account management
• Trust score analytics and fraud detection
• Platform configuration and feature flags

Complete System Architecture

Comprehensive view of how all CirtusAI components interact to create the trusted AI identity ecosystem

This diagram shows the complete technical architecture of CirtusAI, illustrating how users, their personal assets, AI agents, the platform infrastructure, external services, and developer tools all interconnect to create a seamless AI identity and access management system.

The five main architectural layers

User Layer — Human control and personal assets

CirtusAI Platform — Core infrastructure and AI identity system

• Frontend: Web dashboard, mobile app(coming soon), API gateway, real-time WebSocket connections
• Backend Services: Authentication, Identity Management (DID), Asset Management, Trust Engine (VAP), Approval System, Access Control
• Data Layer: PostgreSQL (main database), Redis (cache/sessions), Blockchain (DID registry), File Storage (logs/media)
• AI Infrastructure: AI Digital Identity (DID), AI Dedicated Assets (email/wallet), Reputation System

Developer Integration — How developers connect to the platform

• SDK Integration: Python SDK, JavaScript SDK, Direct REST API access with full authentication
• MCP Integration: Universal protocol supporting Claude Desktop, Cursor, and other AI tools without modification

AI Agents

• Integrated with our platform via our sdk/mcp

  External Platforms & Services

Key architectural flows:

Trust & Verification: Trust Engine generates VAP certificates that external platforms use to verify AI identity and reputation

Developer Experience: Both SDK integration and MCP protocol support

User Control: All major AI decisions flow through the Approval System with real-time notifications to user devices

flowchart TD
    %% === USER LAYER (TOP) ===
    subgraph UserLayer [USER LAYER - Human Control]
        direction TB
        User[User<br/>Human Controller<br/>Ultimate Authority]
        UserAssets[Personal Assets<br/>Email - Wallet<br/>Existing Accounts]
        UserControls[User Controls<br/>Mobile App<br/>Web Dashboard]

        User --> UserControls
        User -.-> UserAssets
    end

    %% === PLATFORM CORE LAYER (CENTER) ===
    subgraph Platform [CIRTUSAI PLATFORM - Core Infrastructure]
        direction TB

        %% Frontend Layer
        subgraph Frontend [Frontend Services]
            WebApp[Web Dashboard<br/>User Management<br/>Real-time Interface]
            MobileApp[Mobile App<br/>Instant Approvals<br/>Push Notifications]
            Gateway[API Gateway<br/>Request Routing<br/>Load Balancing]
        end

        %% Backend Layer
        subgraph Backend [Backend Services]
            Auth[Authentication<br/>JWT + API Keys<br/>Session Security]
            Identity[Identity Manager<br/>DID Registry<br/>AI Registration]
            Assets[Asset Manager<br/>Email/Wallet Control<br/>Resource Operations]
            Trust[Trust Engine<br/>VAP Certificates<br/>Reputation Scoring]
            Approval[Approval System<br/>User Consent<br/>Workflow Engine]
            Access[Access Control<br/>Permission Gates<br/>Security Policies]
        end

        %% Data Layer
        subgraph DataLayer [Data Infrastructure]
            DB[PostgreSQL<br/>Main Database<br/>ACID Transactions]
            Cache[Redis<br/>Cache + Sessions<br/>Real-time Data]
            Chain[Blockchain<br/>DID Registry<br/>Immutable Records]
            Files[File Storage<br/>Media + Logs<br/>S3/MinIO]
        end

        %% AI Infrastructure
        subgraph ModelServices [Model Services]
            AIIdentity[AI Digital Identity<br/>DID: did:ethr:0x...<br/>Unique Registration]
            AIAssets[AI Assets<br/>Dedicated Email<br/>AI Wallet]
            Reputation[Reputation System<br/>Trust Scoring<br/>Behavior Tracking]
        end
    end

    %% === DEVELOPER INTEGRATION LAYER ===
    subgraph DevLayer [DEVELOPER INTEGRATION - SDK & APIs]
        direction TB
        PythonSDK[Python SDK<br/>Type Safety<br/>Async Support]
        JSSDK[JavaScript SDK<br/>React/Node.js<br/>Browser Support]
        RestAPI[REST API<br/>OpenAPI Spec<br/>Direct HTTP Access]
        MCP[MCP Protocol<br/>Universal Support<br/>Zero Modification]
    end

    %% === AI APPLICATIONS LAYER ===
    subgraph AILayer [AI APPLICATIONS - Agents & Tools]
        direction TB
        CustomAgents[Custom AI Agents<br/>Trading Bots<br/>Email Assistants<br/>Booking Agents]
        ExistingTools[Existing AI Tools<br/>Claude Desktop<br/>ChatGPT<br/>GitHub Copilot]
    end

Appendix:

Most the content in the appendix was generated by AI and did not go through rigorous checking. Treat the below content as “for reference only”.

Backend

Comprehensive Endpoint Catalog (summary)

The platform should implement a clear, well-documented REST surface. Below is a compact reference; use this to generate an OpenAPI spec.

SDK vs Platform Tooling — design, trade-offs, and recommended patterns

Problem statement

• Each external capability (email, SMS, social posting, payments) can be modeled as a “tool”. If the SDK enumerates and implements every tool, the SDK grows large, releases become frequent, and platform-specific credentials/complexity leak into every client.
• If the SDK is tiny and delegates all tool wiring to the platform, developers get a slim client but the platform must implement and maintain many connectors.

Suggested architecture:

1. Thin, predictable SDKs (Client-side responsibilities)
   • The SDK should provide a small, stable surface: authentication, lifecycle (provision/teardown) of AI identities, asset primitives (email-send, wallet-send) expressed as abstract, generic tool calls, and the approval/authorization flows. - Avoid embedding provider-specific connectors in the SDK. Instead, expose an extensible “tool invocation” API where tools are referenced by well-known names or IDs and invoked with a generic payload (method, params, metadata).
   • Contract example (input / output shapes):
     • invoke_tool(tool_id: string, action: string, payload: JSON, context: Metadata) -> TaskHandle

     • task status: { id, state: queued

       running

       completed

       failed, result?, error? }

2. Platform-side connectors (Server-side responsibilities)
   • The platform implements secure, versioned connectors/adapters to third-party services. Each connector is a small service that maps the generic tool invocation into provider-specific API calls, handles credential rotation, rate-limiting, retries, and normalizes responses back to the platform contract.
   • Connectors run in isolated sandboxes (containerized processes or serverless functions) with least privilege credentials and robust telemetry.
3. Discovery and capability registry
   • Maintain a central registry (Tool Catalog) on the platform listing available tools, versions, required scopes, rate-limit classes, and trust-levels (AI-owned asset vs user-account proxying).
   • SDKs query the registry to present capabilities to developers and to validate calls at runtime.
4. Extensibility for third-party developers
   • Provide a connector SDK and clear adapter interface so external partners can ship connectors that plug into the platform’s tool catalog.
   • Support a signed manifest format for connectors that describes inputs/outputs, security requirements, and threat model assertions.

Security, privacy, and compliance guidance

• Secrets and credentials must never be bundled into client SDKs. All third-party credentials live on the platform side and are rotated by the connector subsystem.
• Use signed, short-lived task tokens for tool invocations so the connector can verify the request provenance and enforce approvals and scope.
• Approval flow: tool invocations that touch user assets must be gated by an Approval Service that issues time-limited, signed grants. Connectors verify these grants before performing actions on behalf of a user.
• Strong audit trails: every tool action must generate an immutable audit record (who/what/where/why/timestamp/result). Persist human-readable summaries plus raw request/response payloads for debugging and legal compliance.

Operational recommendations

• Rate limits & backpressure: classify connectors by rate-limit class and implement token-buckets + bulkhead isolation to avoid noisy neighbors.
• Observability: collectors for metrics, traces, and structured logs per connector. Use sampled payloads for privacy-safe debugging.
• Fail-open vs fail-closed: default to fail-closed for user-account actions (explicit approval required); allow fail-open for non-sensitive AI-owned asset actions with caution and configurable policy.

Developer ergonomics and SDK size control

• Keep SDKs language-idiomatic but feature-sparse: implement helpers for retries, async polling of TaskHandle, and local stubs for tests; heavy lifting (connectors, credential management) remains platform-side.
• Provide a “local connector” developer mode for testing that can proxy calls to developer-owned provider credentials during development without bloating the SDK in production.

When to put a tool in the SDK

• Put low-risk, ultra-common tooling primitives in the SDK only when it materially improves latency or offline usability (for example, local crypto helpers for signing where private keys are client-side). Otherwise, keep provider integration on the platform.

Trade-offs summary

• SDK-heavy approach: simpler for very small integrations but scales poorly, increases client responsibility for secrets, and fragments connector maintenance.
• Platform-heavy approach (recommended): centralizes credentials, hardens security, enables consistent policy and observability, and keeps SDKs compact and stable.

Policy Evaluation Framework:

1. Static Policy Layer

• User-defined permission boundaries (max spending limits, allowed recipients, time windows)

• Organizational policies for enterprise accounts (department budgets, approval chains)

• Capability-specific constraints (email sending limits, transaction amounts)

• Compliance requirements (KYC levels, geographic restrictions)

1. Dynamic Risk Assessment

• Real-time fraud detection using machine learning models

• Behavioral anomaly detection (unusual transaction patterns, geographic outliers)

• Reputation scoring based on historical actions and outcomes

• Context analysis (time of day, device fingerprinting, network analysis)

1. Trust Engine Integration

• AI identity reputation scores (0-1000 scale)

• User trust relationship strength

• Platform partner reputation and SLA compliance

• Historical approval patterns and user feedback

API Specifications

Core Capability Token Endpoints

The following OpenAPI fragments define the key endpoints for capability token management. These specifications follow industry standards and provide comprehensive request/response schemas.

POST /v1/capabilities/request

Request a capability token with specific constraints and usage limits.

paths:
  /v1/capabilities/request:
    post:
      summary: Request capability token
      description: Request a capability token for specific actions with constraints
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [ai_identity, capability_id, purpose]
              properties:
                ai_identity:
                  type: string
                  description: AI agent DID or identity reference
                  example: "did:ethr:0x123...abc"
                capability_id:
                  type: string
                  description: Capability identifier with version
                  example: "send_email.v2"
                purpose:
                  type: string
                  description: Human-readable purpose for audit trail
                  example: "Send weekly financial reports to stakeholders"
                constraints:
                  type: object
                  description: Capability-specific constraints
                  properties:
                    allowed_recipients:
                      type: array
                      items:
                        type: string
                      example: ["[email protected]", "[email protected]"]
                    max_amount:
                      type: number
                      example: 1000.00
                    currency:
                      type: string
                      example: "USD"
                    usage_limit:
                      type: integer
                      minimum: 1
                      maximum: 1000
                      example: 10
                expires_in:
                  type: integer
                  description: Token TTL in seconds
                  minimum: 60
                  maximum: 86400
                  example: 3600
                idempotency_key:
                  type: string
                  description: Client-generated idempotency key
                  example: "req_12345_abc"
      responses:
        200:
          description: Capability token issued successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  status:
                    type: string
                    enum: [issued, pending_approval]
                    example: "issued"
                  capability_token:
                    type: string
                    description: Signed JWT capability token
                    example: "eyJhbGciOiJFZDI1NTE5In0..."
                  token_id:
                    type: string
                    example: "cap_789xyz"
                  expires_at:
                    type: string
                    format: date-time
                    example: "2025-08-30T15:30:00Z"
                  usage_limit:
                    type: integer
                    example: 10
                  constraints:
                    type: object
                    description: Applied constraints
        202:
          description: Approval required
          content:
            application/json:
              schema:
                type: object
                properties:
                  status:
                    type: string
                    enum: [pending_approval]
                  approval_id:
                    type: string
                    example: "apr_456def"
                  approval_url:
                    type: string
                    example: "https://app.cirtusai.com/approve/apr_456def"
                  estimated_wait:
                    type: integer
                    description: Estimated approval time in seconds
                    example: 300
                  approval_context:
                    type: object
                    properties:
                      action_summary:
                        type: string
                        example: "Send email to 3 recipients"
                      estimated_cost:
                        type: string
                        example: "$0.03"
                      risk_level:
                        type: string
                        enum: [low, medium, high]
                        example: "low"
        400:
          description: Invalid request
        403:
          description: Policy violation or insufficient permissions
        429:
          description: Rate limit exceeded

POST /v1/actions/execute

Execute an action using a capability token.

paths:
  /v1/actions/execute:
    post:
      summary: Execute action with capability token
      description: Execute a specific action using a valid capability token
      security:
        - CapabilityToken: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required: [action, payload, idempotency_key]
              properties:
                action:
                  type: string
                  description: Specific action to execute
                  example: "send_email"
                payload:
                  type: object
                  description: Action-specific payload
                  example:
                    to: "[email protected]"
                    subject: "Monthly Report"
                    body: "Please find the monthly report attached."
                    attachments: []
                idempotency_key:
                  type: string
                  description: Prevents duplicate execution
                  example: "exec_12345_def"
                execution_context:
                  type: object
                  description: Optional execution metadata
                  properties:
                    user_agent:
                      type: string
                    source_ip:
                      type: string
                    trace_id:
                      type: string
      responses:
        200:
          description: Action executed successfully
          content:
            application/json:
              schema:
                type: object
                properties:
                  action_id:
                    type: string
                    example: "act_789ghi"
                  status:
                    type: string
                    enum: [success, partial_success, failed]
                    example: "success"
                  result:
                    type: object
                    description: Action-specific result
                    example:
                      message_id: "msg_123abc"
                      delivered_at: "2025-08-30T15:35:00Z"
                  action_receipt:
                    type: object
                    properties:
                      receipt_id:
                        type: string
                        example: "rcpt_456jkl"
                      signature:
                        type: string
                        description: Platform signature for non-repudiation
                        example: "0x789def..."
                      timestamp:
                        type: string
                        format: date-time
                      provider_receipt:
                        type: object
                        description: Third-party provider confirmation
                  token_usage:
                    type: object
                    properties:
                      remaining_uses:
                        type: integer
                        example: 9
                      token_expires_at:
                        type: string
                        format: date-time
        400:
          description: Invalid action or payload
        401:
          description: Invalid or expired capability token
        403:
          description: Action not permitted by token constraints
        409:
          description: Idempotency key conflict
        429:
          description: Rate limit exceeded

GET /v1/capabilities/catalog

Discover available capabilities and their metadata.

paths:
  /v1/capabilities/catalog:
    get:
      summary: Get capability catalog
      description: Retrieve available capabilities with metadata and constraints
      parameters:
        - name: category
          in: query
          schema:
            type: string
            enum: [communication, financial, storage, computation, external_api]
          description: Filter by capability category
        - name: risk_level
          in: query
          schema:
            type: string
            enum: [low, medium, high]
          description: Filter by risk level
        - name: auto_approve
          in: query
          schema:
            type: boolean
          description: Filter by auto-approval eligibility
      responses:
        200:
          description: Capability catalog
          content:
            application/json:
              schema:
                type: object
                properties:
                  capabilities:
                    type: array
                    items:
                      type: object
                      properties:
                        capability_id:
                          type: string
                          example: "send_email.v2"
                        name:
                          type: string
                          example: "Send Email"
                        description:
                          type: string
                          example: "Send emails using AI identity with delivery tracking"
                        category:
                          type: string
                          example: "communication"
                        risk_level:
                          type: string
                          example: "low"
                        auto_approve:
                          type: boolean
                          example: true
                        estimated_cost:
                          type: string
                          example: "$0.01 per email"
                        constraints_schema:
                          type: object
                          description: JSON Schema for capability constraints
                        example_payload:
                          type: object
                          description: Example action payload
                        required_scopes:
                          type: array
                          items:
                            type: string
                          example: ["email:send", "identity:use"]
                  metadata:
                    type: object
                    properties:
                      total_capabilities:
                        type: integer
                      user_permissions:
                        type: object
                      platform_limits:
                        type: object

Security Schema

components:
  securitySchemes:
    CapabilityToken:
      type: http
      scheme: bearer
      bearerFormat: JWT
      description: Capability token issued by /v1/capabilities/request
    ApiKey:
      type: apiKey
      in: header
      name: X-API-Key
      description: Platform API key for authentication
  schemas:
    CapabilityToken:
      type: object
      description: JWT capability token structure
      properties:
        header:
          type: object
          properties:
            alg:
              type: string
              example: "EdDSA"
            typ:
              type: string
              example: "JWT"
            kid:
              type: string
              example: "cap-key-2025"
        payload:
          type: object
          properties:
            iss:
              type: string
              example: "cirtusai-platform"
            sub:
              type: string
              description: AI identity DID
              example: "did:ethr:0x123...abc"
            aud:
              type: string
              example: "cirtusai-actions"
            jti:
              type: string
              description: Unique token identifier
              example: "cap_789xyz"
            iat:
              type: integer
              description: Issued at timestamp
            exp:
              type: integer
              description: Expiration timestamp
            caps:
              type: array
              description: Granted capabilities
              items:
                type: object
                properties:
                  action:
                    type: string
                  constraints:
                    type: object
            usage_limit:
              type: integer
              minimum: 1
            approval_id:
              type: string
              description: Reference to approval if required

Capability lifecycle

• POST /v1/capabilities/request — Request capabilities (ai_did, requested_caps, purpose)
• GET /v1/capabilities/{request_id} — Status and metadata
• POST /v1/capabilities/simulate — Dev sandbox issuance

Approvals

• GET /v1/approvals/{approval_id} — Retrieve approval details
• POST /v1/approvals/{approval_id}/respond — Approve/deny (signed Receipt)
• GET /v1/approvals/user/{user_id} — Pending approvals

Action execution

• POST /v1/actions/execute — Execute with cap_token (action, payload)
• GET /v1/actions/{action_id} — Action result & provenance

Trust & VAP

• POST /v1/vap/issue — Issue VAP for external platform
• POST /v1/vap/introspect — Remote introspect
• GET /v1/trust/roots — Public keys for offline verification

Admin & revocation

• POST /v1/admin/revocations — Revoke tokens (jti)
• POST /v1/admin/keys/rotate — Rotate signing keys

Audit & evidence

• GET /v1/audit/events — Query audit log
• POST /v1/audit/evidence/export — Export evidence bundle

Webhooks & notifications

• POST /v1/webhooks — Register tenant webhooks
• POST /v1/webhooks/test — Test delivery

Assets & uploads

• POST /v1/assets/upload/request — Presigned uploads
• GET /v1/assets/{asset_id} — Download asset

Wallet & crypto

• GET /v1/wallets/{wallet_id}/balance
• POST /v1/wallets/transfer

Sandbox & developer utilities

• POST /v1/sandbox/reset
• GET /v1/sandbox/sample_cap_token

Introspection & diagnostics

• POST /v1/introspect/cap_token
• GET /v1/metrics/tenants/{tenant_id}/usage

Important notes for API design

• All mutating endpoints accept Idempotency-Key and return idempotent results.
• Structured errors: {code, message, details, retriable, request_id}.
• cap_token TTLs are short by default (minutes); VAPs can be longer (hours).
• Publish /v1/trust/roots for offline verification of VAPs and signed receipts.

---

End of Appendix

MCP

MCP Protocol Extensions for Capability Tokens

The CirtusAI MCP server implements standard MCP protocol with enhanced metadata for capability management:

Tool List Response (Enhanced)

{
  "tools": [
    {
      "name": "book_flight",
      "description": "Search and book flights using AI identity",
      "inputSchema": {
        "type": "object",
        "properties": {
          "departure": {"type": "string", "description": "Departure city"},
          "destination": {"type": "string", "description": "Destination city"},
          "date": {"type": "string", "format": "date"}
        }
      },
      "cirtusai": {
        "capability_id": "travel_booking.v1",
        "risk_level": "medium",
        "auto_approve": false,
        "estimated_cost": "$500-2000",
        "requires_approval": true,
        "approval_context": "Flight booking with payment authorization"
      }
    },
    {
      "name": "send_email",
      "description": "Send email using AI identity",
      "inputSchema": {
        "type": "object",
        "properties": {
          "to": {"type": "string"},
          "subject": {"type": "string"},
          "body": {"type": "string"}
        }
      },
      "cirtusai": {
        "capability_id": "send_email.v2",
        "risk_level": "low",
        "auto_approve": true,
        "estimated_cost": "$0.01",
        "requires_approval": false
      }
    }
  ]
}

Tool Call Execution with Capability Tokens

{
  "method": "tools/call",
  "params": {
    "name": "book_flight",
    "arguments": {
      "departure": "San Francisco",
      "destination": "Tokyo",
      "date": "2025-09-15"
    }
  }
}

MCP Server Internal Flow:

1. Validate input against capability constraints
2. Request capability token: POST /v1/capabilities/request
3. Handle approval workflow if required
4. Execute with capability token: POST /v1/actions/execute
5. Return formatted response to AI tool

Enhanced Tool Response with Audit Trail

{
  "content": [
    {
      "type": "text",
      "text": "Flight booked successfully! Your confirmation number is ABC123."
    }
  ],
  "isError": false,
  "cirtusai": {
    "action_id": "act_789xyz",
    "capability_token_id": "cap_456def",
    "approval_id": "apr_123abc",
    "execution_time": "2025-08-30T14:30:00Z",
    "audit_receipt": {
      "signed": true,
      "receipt_id": "rcpt_890ghi",
      "signature": "0x1234...",
      "provider_confirmation": "booking_ref_abc123"
    }
  }
}

MCP Server Configuration and Deployment

The CirtusAI MCP server can be deployed in multiple configurations:

Local Development Setup

# Install CirtusAI MCP server
npm install -g @cirtusai/mcp-server

# Configure with API credentials
cirtus-mcp configure --api-key="sk_test_..." --sandbox-mode

# Add to Claude Desktop config
{
  "mcpServers": {
    "cirtusai": {
      "command": "cirtus-mcp",
      "args": ["serve"]
    }
  }
}

Production Enterprise Setup

{
  "api_key": "sk_prod_...",
  "base_url": "https://api.cirtusai.com",
  "cache_capabilities": true,
  "cache_ttl": 300,
  "approval_timeout": 600,
  "enable_audit_logging": true,
  "approval_notification": {
    "webhook_url": "https://company.com/webhooks/approvals",
    "mobile_push": true
  }
}

Partner SLA & Attestation

CirtusAI will deliver defined traffic quality thresholds (bot/human signal scoring), commit to agreed throughput and latency SLAs for partner endpoints, provide verifiable provenance and attribution receipts for conversions, and support revenue-sharing or referral settlement APIs. Partners will receive signed attestation tokens (VAPs) for each action that include issuer, subject (agent identity), action scope, expiry, and signature metadata to support disputed events and settlement reconciliation.

Example: Signed Attestation (JSON payload)

{
    "iss": "cirtusai-platform",
    "sub": "agent:weather-forecaster-42",
    "action": "purchase:create",
    "target": "partner:acme-checkout",
    "issued_at": "2025-08-29T12:00:00Z",
    "expires_at": "2025-08-29T12:05:00Z",
    "attribution": {
        "campaign_id": "spring_promo_2025",
        "referral_token": "rft_1XyZ...",
        "revenue_share": 0.15
    },
    "signature": {
        "alg": "ED25519",
        "sig": "MEUCIQDx...",
        "key_id": "vap-key-2025"
    }
}

1. AI tool connects to CirtusAI through MCP protocol
2. CirtusAI provides AI identity and resource access
3. User receives approval notifications for important operations
4. AI completes tasks using CirtusAI infrastructure

sequenceDiagram
    participant User as User
    participant AITool as AI Tool<br/>Claude, Cursor, etc
    participant MCP as MCP Server<br/>CirtusAI
    participant Backend as CirtusAI Backend
    participant Trust as Trust Engine
    participant Approval as Approval Service
    participant Assets as AI Assets
    participant Platform as External Platform
    
    Note over User,Platform: MCP Protocol with Capability Tokens
    
    User->>AITool: 1. "Book a flight to Tokyo"
    AITool->>MCP: 2. MCP Request<br/>tools/list
    MCP->>Backend: 3. Get Available Capabilities
    Backend->>MCP: 4. Return Capability Catalog<br/>flight_search, book_flight
    MCP->>AITool: 5. Transform to MCP Tools
    
    AITool->>MCP: 6. MCP Call<br/>tools/call: flight_search
    MCP->>Backend: 7. Request Capability Token<br/>search_flights.v1
    Backend->>Trust: 8. Evaluate Policy & Reputation
    Backend->>MCP: 9. Issue Capability Token (auto-approved)
    MCP->>Assets: 10. Execute Search with Token
    Assets->>Platform: 11. Search Flights<br/>With VAP Certificate
    Platform->>Assets: 12. Return Results
    Assets->>Backend: 13. Flight Options + ActionReceipt
    Backend->>MCP: 14. Search Results with Audit
    MCP->>AITool: 15. MCP Response (formatted)
    AITool->>User: 16. Show Flight Options
    
    User->>AITool: 17. "Book option 2"
    AITool->>MCP: 18. MCP Call<br/>tools/call: book_flight
    MCP->>Backend: 19. Request Capability Token<br/>book_flight.v1 (high-risk)
    Backend->>Trust: 20. Policy Check - Approval Required
    Backend->>Approval: 21. Create ApprovalRequest
    Approval->>User: 22. Push Notification<br/>"Authorize $847 flight booking?"
    User->>Approval: 23. Approve with Face ID
    Approval->>Backend: 24. Signed ApprovalReceipt
    Backend->>MCP: 25. Issue Capability Token
    MCP->>Assets: 26. Execute Booking with Token
    Assets->>Platform: 27. Complete Payment & Booking<br/>With VAP + Capability Token
    Platform->>Assets: 28. Booking Confirmation + Receipt
    Assets->>Backend: 29. ActionReceipt + Provider Response
    Backend->>MCP: 30. Success with Full Audit Trail
    MCP->>AITool: 31. MCP Response
    AITool->>User: 32. "Flight booked! Confirmation: ABC123"

Capability Delegation Model & SDK Design (Integrated)

This appendix consolidates the Capability Delegation Model and a focused SDK design that keeps the developer-facing surface small while shifting critical, trust-sensitive work to the platform.

Goals

• Preserve developer ergonomics (5-line quickstart) for common flows.
• Centralize sensitive side-effects (email sends, wallet transfers) on the platform to ensure auditability, policy enforcement, and non-repudiation.
• Provide a robust capability delegation primitive (capability tokens) with short TTLs, narrow constraints, and revocation support.

Actors (short)

• Platform (CirtusAI) — enforcement plane, connector host, VAP issuer.
• External Agent (EA) — third-party AI or tool requesting capabilities.
• AI Identity — DID + ai-owned assets.
• End User — grants approvals and sets policies.
• External Services — third-party platforms and providers
• Auditor / Verifier — validates tokens and inspects logs.

Core principles

1. Platform-mediated side-effects.
2. Thin, language-idiomatic SDKs that offer high-level helpers and low-level primitives.
3. Short-lived, signed capability tokens (cap_token) and VAPs for external trust.
4. Explicit, signed approvals for user-account actions.
5. Immutable provenance and audit trails.

---

SDK

Public surface (minimal):

• Client.bootstrap(credentials) -> Client
• client.ai(did) -> AIClient
• AIClient.request_capability(name, constraints, purpose, expires_in, idempotency_key) -> CapabilityRequest
• Client.wait_for_approval(approval_id, timeout) -> ApprovalReceipt
• AIClient.execute_with_capability(cap_token, action, payload, idempotency_key) -> ActionReceipt

High-level convenience wrappers:

• AIClient.safe_send_email(to, subject, body, opts) — wraps request -> wait -> execute
• AIClient.safe_transfer(wallet_id, amount, opts) — wraps request -> approval (if required) -> execute

Developer UX (5-line quickstart example):

from cirtusai import Client
c = Client.bootstrap(api_key="...")                                # 1
ai = c.ai("assistant-1")                                           # 2
cap = ai.request_capability("send_email", {"from":"ai@..."})     # 3
c.wait_for_approval(cap.approval_id)                                 # 4 (optional helper)
receipt = ai.execute_with_capability(cap.token, "send_email", payload)  # 5

Notes:

• The SDK focuses on intent and orchestration; the platform performs the side-effects.
• SDK stores tokens in-memory for short TTLs and provides local helpers for verification.

Developer Integration Patterns

Pattern 1: High-Level Convenience API (Recommended for most use cases)

from cirtusai import Client

# Initialize with API key and optional configuration
client = Client(api_key="sk_test_...", base_url="https://api.cirtusai.com")

# Single-line capability execution with built-in approval handling
receipt = await client.perform(
    capability="send_email",
    params={
        "to": "[email protected]",
        "subject": "Invoice #12345",
        "body": "Please find your invoice attached."
    },
    ai_identity="assistant-finance-bot"
)

print(f"Email sent: {receipt.action_id}")

Pattern 2: Explicit Capability Management (Advanced use cases)

from cirtusai import Client, CapabilityRequest

client = Client(api_key="sk_test_...")

# Discover available capabilities
capabilities = await client.discover_capabilities(category="communication")

# Request specific capability with constraints
cap_request = CapabilityRequest(
    capability_id="send_email.v2",
    constraints={
        "allowed_recipients": ["[email protected]", "[email protected]"],
        "max_attachments": 5,
        "usage_limit": 10
    },
    purpose="Send weekly financial reports",
    expires_in=3600  # 1 hour
)

# Request capability (may require approval)
capability_token = await client.request_capability(cap_request)

# Handle approval if required
if capability_token.requires_approval:
    approval = await client.wait_for_approval(
        capability_token.approval_id,
        timeout=300  # 5 minutes
    )
    capability_token = approval.capability_token

# Execute action with capability token
receipt = await client.execute_action(
    capability_token=capability_token,
    action="send_email",
    payload={
        "to": "[email protected]",
        "subject": "Q3 Financial Report",
        "body": "Please review the attached report."
    }
)

Pattern 3: Batch Operations with Token Reuse

# Request capability for multiple uses
capability_token = await client.request_capability(
    CapabilityRequest(
        capability_id="send_email.v2",
        usage_limit=50,
        expires_in=1800  # 30 minutes
    )
)

# Execute multiple actions with the same token
recipients = ["[email protected]", "[email protected]", "[email protected]"]
receipts = []

for recipient in recipients:
    receipt = await client.execute_action(
        capability_token=capability_token,
        action="send_email",
        payload={
            "to": recipient,
            "subject": "Monthly Newsletter",
            "body": "Here's your monthly update..."
        }
    )
    receipts.append(receipt)

print(f"Sent {len(receipts)} emails successfully")

SDK Capability Discovery and Metadata

The SDK provides rich capability discovery to help developers understand what’s available and how to use it effectively:

# Get all available capabilities
all_caps = await client.discover_capabilities()

# Filter by category or risk level
communication_caps = await client.discover_capabilities(
    category="communication",
    risk_level="low"
)

# Get detailed capability metadata
email_cap = await client.get_capability_details("send_email.v2")
print(f"Description: {email_cap.description}")
print(f"Auto-approve: {email_cap.auto_approve}")
print(f"Required constraints: {email_cap.required_constraints}")
print(f"Example payload: {email_cap.example_payload}")

Error Handling and Resilience

The SDK implements comprehensive error handling with automatic retries, circuit breakers, and graceful degradation:

from cirtusai import Client, CirtusError, ApprovalTimeoutError, TokenExpiredError

try:
    receipt = await client.perform("send_email", params, retry_config={
        "max_retries": 3,
        "backoff_factor": 2.0,
        "timeout": 30
    })
except ApprovalTimeoutError as e:
    # Handle approval timeout
    print(f"Approval timed out: {e.approval_id}")
    # Optionally poll for approval later
    
except TokenExpiredError as e:
    # Token expired during execution
    print("Token expired, requesting new capability")
    # SDK can auto-retry with new token
    
except CirtusError as e:
    # Generic platform error
    print(f"Platform error: {e.code} - {e.message}")
    if e.retriable:
        # Implement exponential backoff retry
        pass

SDK Configuration and Best Practices

from cirtusai import Client, SDKConfig

# Production configuration
config = SDKConfig(
    base_url="https://api.cirtusai.com",
    timeout=30,
    max_retries=3,
    cache_capabilities=True,
    cache_ttl=300,  # 5 minutes
    enable_telemetry=True,
    log_level="INFO"
)

client = Client(api_key="sk_prod_...", config=config)

# Development configuration with sandbox mode
dev_config = SDKConfig(
    base_url="https://sandbox.cirtusai.com",
    sandbox_mode=True,
    mock_approvals=True,  # Auto-approve for testing
    log_level="DEBUG"
)

dev_client = Client(api_key="sk_test_...", config=dev_config)

---

Capability Token (cap_token) — minimal spec

• Least privilege: issue the narrowest capability possible (recipient allow-list, max_amount, usage_limit=1).
• Reputation-based widening: trusted agents with high reputation may receive broader auto-approvals under monitored policies.
• Context sensitivity: increase requirements if geolocation, anomalies, or new recipient patterns detected.
• Idempotency & anti-replay: require idempotency_key and unique jti checks.
• Revocation & emergency: immediate revocation endpoints and CRL publication.

Delegation flow (summary):

1. EA/SDK requests capability.
2. Platform evaluates policy & reputation.
3. If required: create ApprovalRequest -> notify User -> wait for ApprovalReceipt.
4. Issue cap_token bound to approval (or issue immediate token if safe).
5. EA calls /v1/actions/execute with cap_token.
6. Platform verifies token and constraints, executes external call using platform-managed credentials, signs an ActionReceipt, logs provenance, and updates reputation.

---

Capability Token: Workflow

This section describes the end-to-end flow from user intent to capability issuance to successful task execution.

1. User intent / Agent request
   • The user instructs an agent or app (via SDK or UI): e.g., Send invoice email to [email protected] for $120. The SDK translates this into a structured capability request describing the intended action and constraints.
2. Capability Request (POST /v1/capabilities/request)
   • The SDK/agent submits: { ai_did, requested_caps, purpose, idempotency_key } to the platform. The platform validates caller credentials and request shape.
3. Policy & Reputation evaluation
   • The Trust Engine evaluates policies, reputation scores, fraud signals, and risk heuristics. Based on risk, the platform either auto-issues a token or creates an ApprovalRequest for the user.
4. Approval path (if required)
   • An ApprovalRequest is persisted and a compact approval notification (who/what/why/cost) is sent to the user’s device. The user approves or denies; the ApprovalService returns a signed ApprovalReceipt preserving the human decision.
5. Token issuance
   • On approval or auto-allow, the platform mints a signed cap_token (JWT/COSE) containing explicit caps, jti, iat, exp, usage_limit, and optionally approval_id and attribution metadata. The SDK receives { status: issued, cap_token }.
6. Execution (POST /v1/actions/execute)
   • The SDK/agent calls the execute endpoint with Authorization: Bearer , providing action name, payload, and idempotency_key. The platform validates signature, expiry, jti uniqueness, usage_limit, and that the requested action and payload satisfy the token's caps/constraints.
7. External call & provider response
   • The platform executes the side-effect through a platform-managed connector (credentials never leave the platform). Connectors include VAPs if required. Provider receipts are collected.
8. Action Receipt & Audit
   • The platform issues a signed ActionReceipt containing action_id, jti, provider_receipt (if any), timestamp, and result. This is returned to the caller and persisted for audits and settlement.
9. Post-execution bookkeeping
   • Update token usage counters, mark jti used/revoked when usage_limit is exhausted, update reputation metrics, and emit audit/log events.

Validation & security checks

• Signature and expiry verification, jti uniqueness, usage limits and payload-constraint matching.
• Enforce idempotency and anti-replay with idempotency_key + jti.
• Short TTLs for tokens, introspection endpoint for partners, and CRL/webhook revocation propagation.

Capability token lifecycle

sequenceDiagram
     participant User as User
     participant SDK as Developer SDK
     participant Backend as CirtusAI Backend
     participant Trust as Trust Engine
     participant Approval as Approval Service
     participant Connector as Platform Connector
     participant External as External Service

     User->>SDK: 1. Intent (send_email to alice)
     SDK->>Backend: 2. POST /v1/capabilities/request {caps, purpose, idempotency_key}
     Backend->>Trust: 3. Evaluate policy & reputation
     alt approval required
          Backend->>Approval: 4. Create ApprovalRequest
          Approval->>User: 5. Notify (mobile/web)
          User-->>Approval: 6. Approve
          Approval->>Backend: 7. Signed ApprovalReceipt
     end
     Backend->>SDK: 8. {status: issued, cap_token}
     SDK->>Backend: 9. POST /v1/actions/execute (Bearer cap_token, action, payload)
     Backend->>Backend: 10. Verify cap_token signature, constraints, usage
     Backend->>Connector: 11. Execute using platform-managed creds
  Connector->>External: 12. External API call
     External-->>Connector: 13. Provider response + receipt
     Connector->>Backend: 14. Provider response
     Backend->>SDK: 15. ActionReceipt + status

Caption: Sequence showing capability request, optional approval, token issuance, guarded execution via platform connectors, and signed action receipts for audit and settlement.

Decision: two-step capability issuance as default

We will adopt the two-step pattern (request → cap_token issuance → execute with token) as the default for capability-based side-effects. This provides the strongest security guarantees (least privilege, revocation, auditable approvals). To preserve a smooth developer and agent experience, official SDKs will expose a single high-level helper (for example, sdk.perform(...)) that discovers capability metadata, requests tokens when needed, waits or subscribes for approvals where required, and executes actions using issued tokens. Low-risk, auto-approved capabilities may be optimized later with a combined execute-with-issuance endpoint, but the canonical flow remains two-step for security and compliance.

SDK vs Backend

SDK responsibilities (client):

• Bootstrapping, credential refresh, DID proofs for auth.
• Build capability requests and human-readable summaries.
• Local validation of constraints and developer-friendly error messages.
• Submit capability requests and poll/subscribe for approvals.
• Attach cap_token to execute calls and store short-lived tokens securely in memory.
• Verify signed receipts and VAPs locally using trust roots.
• Developer ergonomics: CLI, sandbox mode, dev simulators, code snippets.

Backend responsibilities (platform):

• Authenticate & authorize EAs and SDKs.
• Evaluate policies, reputation, and risk.
• Orchestrate approval workflows and issue ApprovalReceipts.
• Mint cap_tokens with exact constraints and enforce usage_limit & TTL.
• Execute external side-effects using platform-managed credentials and connectors.
• Produce ActionReceipts, sign them, and persist audit logs.
• Publish trust roots, CRLs, and support introspection APIs.
• Monitor, revoke, and run anomaly detection and reputation scoring.

---

SDK ↔ Backend Capability Flow

sequenceDiagram
        participant SDK as Developer SDK
        participant EA as External Agent
        participant Backend as CirtusAI Backend
        participant Trust as Trust Engine
        participant Approval as Approval Service
        participant User as End User
        participant External as External Service
        participant Audit as Audit Log

        EA->>SDK: build capability request (name, constraints)
        SDK->>Backend: POST /v1/capabilities/request {ai_did, caps, purpose, idempotency}
        Backend->>Trust: policy & reputation check
        alt requires user approval
                Backend->>Approval: create ApprovalRequest(approval_id)
                Approval->>User: notify (push / mobile / email)
                User-->>Approval: approve/deny
                Approval->>Backend: approval result
        end
        Backend->>Backend: issue cap_token (signed, constrained, jti)
        Backend-->>SDK: {status: issued, cap_token} / {status: pending, approval_id}
        SDK->>EA: deliver cap_token or pending status

        EA->>Backend: POST /v1/actions/execute (Authorization: Bearer cap_token, action, payload)
        Backend->>Backend: verify cap_token signature, exp, usage, constraints
        Backend->>Trust: log attempt, update metrics
        Backend->>External: perform action using platform-managed creds
        External-->>Backend: provider response (success/fail, provider_receipt)
        Backend->>Audit: write ActionReceipt (signed)
        Backend->>Trust: update reputation / issue VAP if applicable
        Backend-->>EA: ActionReceipt + provenance

        Note over Backend,External: Revocation / CRL flow
        Admin->>Backend: POST /v1/admin/revocations {jti, reason}
        Backend->>Audit: record revocation
        Backend->>Trust: publish CRL / webhook revocation
        External->>Backend: optional introspect(token)

---