Description
Is your feature request related to a specific problem?
When deploying ADK agents to production, there is no built-in mechanism to cryptographically verify which agent is executing an action, to enforce hard boundaries (allowed/denied actions, monetary limits per transaction), or to instantly revoke a compromised agent's access in real time.
Currently, agent security relies on API key scoping and prompt-level guardrails — both are insufficient. A prompt injection can trick an agent into calling any tool with any parameters, and there is no protocol-level barrier to stop it.
Describe the Solution You'd Like
Cryptographic agent identity, intent verification, and a kill switch for ADK agents.
Each agent should have:
- Ed25519 cryptographic identity — a unique keypair that mathematically proves which agent is acting
- Signed intent envelopes — before every action, the agent signs: "I am agent X, doing action Y, at time T, with parameters Z"
- Boundary enforcement — allowed/denied action lists and monetary limits enforced deterministically, not via prompts
- Kill switch — instant revocation that blocks all future actions from a compromised agent, sub-millisecond, zero network calls
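A minimal, self-contained sketch of these four mechanisms, added here as an illustration and not taken from the AIP project: Ed25519 keys from the `cryptography` package (an assumed dependency), a canonically encoded envelope, deterministic boundary checks, and a revocation set acting as the kill switch. The error labels, agent id, actions, amounts and clock value are constructed for the example and are not AIP's own error codes.

```python
import json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

def canonical(envelope: dict) -> bytes:
    # Deterministic encoding so signer and verifier operate on identical bytes.
    return json.dumps(envelope, sort_keys=True, separators=(",", ":")).encode()

def sign_envelope(private_key, envelope: dict) -> bytes:
    return private_key.sign(canonical(envelope))

def verify_intent(envelope, signature, public_key, passport, revoked, now):
    if envelope["agent_id"] in revoked:
        return ["REVOKED"]  # kill switch: a local set lookup, no network call
    try:
        public_key.verify(signature, canonical(envelope))
    except InvalidSignature:
        return ["BAD_SIGNATURE"]  # identity not proven, so policy is not even consulted
    errors = []  # constructed error labels; an empty list means the action may run
    if not (now - 300 <= envelope["timestamp"] <= now + 5):  # 300 s replay window (constructed)
        errors.append("STALE_OR_FUTURE_TIMESTAMP")
    action = envelope["action"]
    if action in passport["denied_actions"] or action not in passport["allowed_actions"]:
        errors.append("ACTION_NOT_ALLOWED")
    if envelope["parameters"].get("amount", 0) > passport["monetary_limit_per_txn"]:
        errors.append("OVER_MONETARY_LIMIT")
    return errors

def demo() -> dict:
    key, revoked, now = Ed25519PrivateKey.generate(), set(), 1_700_000_000.0  # constructed clock
    pub = key.public_key()
    passport = {"agent_id": "enterprise.com/data-agent", "allowed_actions": ["query_db", "pay"],
                "denied_actions": ["delete_data"], "monetary_limit_per_txn": 1000}
    def envelope(action, params):  # "I am agent X, doing action Y, at time T, with parameters Z"
        return {"agent_id": passport["agent_id"], "action": action, "target": "production-db",
                "parameters": params, "timestamp": now}
    good = envelope("query_db", {"query": "SELECT 1"})
    denied, big = envelope("delete_data", {}), envelope("pay", {"amount": 5000})
    sig = sign_envelope(key, good)
    results = {
        "valid": verify_intent(good, sig, pub, passport, revoked, now),
        "tampered": verify_intent(dict(good, action="delete_data"), sig, pub, passport, revoked, now),  # edited after signing
        "denied": verify_intent(denied, sign_envelope(key, denied), pub, passport, revoked, now),  # signed, but denied
        "over_limit": verify_intent(big, sign_envelope(key, big), pub, passport, revoked, now),  # signed, over limit
    }
    revoked.add(passport["agent_id"])  # kill switch flipped: the same valid envelope is now blocked
    results["revoked"] = verify_intent(good, sig, pub, passport, revoked, now)
    return results
```

Note that the tampered case fails on the signature before any policy is consulted, while the denied and over-limit cases are correctly signed by the agent and are stopped by the deterministic boundary checks alone.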
Input/Output for the API:
```python
from aip_protocol import AgentPassport, create_envelope, sign_envelope, verify_intent

# Input: Create agent with cryptographic identity + boundaries
passport = AgentPassport.create(
    domain="enterprise.com",
    agent_name="data-agent",
    allowed_actions=["query_db", "generate_report"],
    denied_actions=["delete_data", "modify_schema"],
    monetary_limit_per_txn=1000,
)

# Input: Agent declares intent before acting
envelope = create_envelope(
    passport=passport,
    action="query_db",
    target="production-db",
    parameters={"query": "SELECT * FROM users"},
)
signed = sign_envelope(envelope, passport.private_key)

# Output: Deterministic verification result
# `store` is the revocation store instance (its construction is not shown here)
result = verify_intent(
    envelope=signed,
    public_key=passport.public_key,
    revocation_store=store,
)
# result.valid = True/False
# result.tier_used = Tier.STANDARD
# result.errors = [AIP-E200, AIP-E202, ...] (machine-readable)
```
Impact on your work
This is critical for anyone deploying ADK agents in enterprise environments where agents handle financial transactions, access sensitive data, or operate autonomously. Without cryptographic identity and boundaries, a single prompt injection can cause an agent to execute unauthorized actions with no way to stop it in real time.
I'm building production agent infrastructure and need this capability now — I've already implemented it as an open-source protocol (AIP) and would love to see native ADK support.
Willingness to contribute
Yes — I can submit a PR. I have a working implementation and can build an ADK-native integration that adds AIP verification to the tool execution pipeline.
Describe Alternatives You've Considered
- API key scoping — Limits which APIs an agent can call, but doesn't verify intent or enforce per-action monetary limits. Doesn't distinguish between agents sharing the same key.
- Prompt-level guardrails — System prompts saying "don't transfer more than $500" are easily bypassed by prompt injection.
- LLM-as-judge — Using a second LLM to validate actions adds ~500ms latency and is probabilistic, not deterministic. Cannot guarantee safety.
AIP is deterministic, sub-millisecond, and operates outside the LLM context — it cannot be bypassed by prompt engineering.
Proposed API / Implementation
Integration at ADK's tool execution layer using a decorator pattern:
```python
from aip_protocol import AgentPassport, shield

passport = AgentPassport.create(
    domain="enterprise.com",
    agent_name="data-agent",
    allowed_actions=["query_db", "generate_report"],
    denied_actions=["delete_data"],
    monetary_limit_per_txn=1000,
)

# Decorator wraps any ADK tool function with AIP verification
@shield(passport, allowed_actions=["query_db"], monetary_limit=1000.0)
def query_database(sql: str):
    return db.execute(sql)  # `db` is the application's database handle (not shown here)

# Every call → signed envelope → verified → execute or block
# Unauthorized actions are blocked before execution
# Kill switch: store.revoke(agent_id=passport.agent_id) → all tools dead
```
Additional Context
- Repo: github.com/theaniketgiri/aip
- Install: pip install aip-protocol