Agent Settlement Extension (ASE) represents a foundational economic metadata layer designed for the emerging era of multi-agent coordination. Through its Secure Contract Machine (SCM) runtime, ASE extends standard agent-to-agent (A2A) and Model Control Protocol (MCP) communications with explicit economic semantics, enabling agents to negotiate, settle, and audit transactions with cryptographic guarantees. This infrastructure is intended for organizations deploying autonomous AI agents across sensitive systems, where trust, accountability, and verifiable economic interactions are paramount. By providing standardized schemas for economic intents and settlement records, ASE transforms raw agent communication into auditable, enforceable agreements, creating a framework for decentralized economic coordination without relying on a central authority.
The core problem that ASE addresses is the lack of secure, mutually distrustful coordination in multi-agent environments. As AI agents increasingly operate across organizational boundaries and access sensitive resources, they need a mechanism to establish shared operational policies and generate auditable proof that those policies were followed. Without such infrastructure, agent-to-agent interactions remain opaque, risking unauthorized actions, disputes, and non-compliance. ASE solves this by providing a deterministic, cryptographically verifiable layer that captures economic intents, validates compliance with pre-negotiated policies, and generates tamper-proof audit trails. This matters to enterprises deploying agents for financial settlements, supply chain automation, or cross-organizational data exchange, where every transaction must be accountable and dispute-free.
The first major feature group within ASE is the Policy Capture and Negotiation Engine. Policy Capture transforms an agent's requirements—expressed in natural language, JSON, or a domain-specific language—into a machine-checkable Formal Security Policy (FSP). This FSP is checked for internal consistency using the Z3 satisfiability solver and then digitally signed by the agent. The Negotiation Engine then takes the FSPs of participating agents and produces a Shared Coordination Policy (SCP). It runs a Z3-backed Pre-Negotiation Compatibility Check (PNCC) to ensure the hard predicates of all agents are jointly satisfiable before bargaining begins. This eliminates situations where incompatible policies cause runtime failures, ensuring that only feasible agreements enter enforcement. The utility lies in automating trust establishment: agents can autonomously discover mutually acceptable rules without human intervention.
admin
The second major feature group is the Security Reasoner, which acts as a formal execution guard. After the SCP is negotiated, the Security Reasoner maps it to a formally verified cryptographic protocol specification. It verifies contract tokens before allowing capabilities to be exercised, ensuring that no agent can perform an action that violates the agreed policy. This component relies on ProVerif for symbolic protocol verification and Halo2 PLONK for zero-knowledge transcript authenticity. The result is that every action taken by an agent is provably compliant with the negotiated policy, even in high-stakes environments like cross-enterprise financial settlements. The Security Reasoner makes the system resistant to tampering and repudiation, providing a solid foundation for economic interactions where trust cannot be assumed.
The third feature group is the Adaptive Execution Strategy, which automatically determines the required verification depth for each session. Instead of forcing a one-size-fits-all approach, ASE routes sessions to one of four tiers based on the SCP's novelty and risk profile. The Cached Tier executes in under 100 milliseconds if the SCP fingerprint matches a verified entry. The Library Tier executes in under 500 milliseconds by applying a pre-verified protocol template retrieved via BGE-M3 dense embedding cosine similarity. The Rule Tier executes in under 2 seconds for known-safe patterns resolved by a deterministic rule engine. The Synthesis Tier targets 60-second latency for novel or high-stakes sessions, utilizing live ProVerif verification and ZK proof generation. This tiered approach balances security with performance, allowing routine interactions to be nearly instantaneous while reserving deeper cryptographic checks for unfamiliar or high-value transactions.
ASE operates as a containerised runtime (SCM) that sits as an isolated middleware layer between independent agents. The system encapsulates four sequential components—Policy Capture, Negotiation Engine, Security Reasoner, and Audit and Reporting—inside a single runtime container. External agents interact with this pipeline through standardized interfaces: a REST API for language-neutral deployments or an MCP plugin designed for LLM-based agent frameworks. The runtime automatically selects the appropriate execution tier based on the negotiated policy's novelty and risk, eliminating manual mode selection. This design makes ASE infrastructure rather than a framework: agents are not built upon it but call into it when they need to establish trust and execute verifiable economic actions. The entire pipeline generates a dual-signed Merkle transcript of the execution trace and a Halo2 PLONK ZK-SNARK proof of authenticity for every session.
Concrete use cases for ASE include cross-organizational financial settlements where multiple AI agents from different banks must agree on trade execution and settlement terms. The Policy Capture and Negotiation Engine ensures each bank's security and compliance requirements are jointly satisfiable before any funds move. The Audit and Reporting module generates a cryptographically verifiable record that regulators can inspect without revealing proprietary details. Another scenario involves supply chain coordination: autonomous agents managing inventory, procurement, and logistics can negotiate just-in-time delivery policies and execute constrained actions (e.g., placing orders) only after verifying that all parties' policies are met. In both cases, the outcome is faster, more trustworthy automation without the need for a central arbitrator. Users gain auditable, non-repudiable logs that reduce dispute resolution time from weeks to minutes.
The primary target audience for ASE includes DevOps and security engineers deploying multi-agent systems in finance, supply chain, and decentralized infrastructure. It is also suited for researchers and developers building LLM-based agent frameworks that need verifiable economic coordination. The platform is currently in thesis and prototyping phase (Apache 2.0 license) and is not ready for production. Deployment modes include Gateway Mode (shared SCM instance at the edge) for most environments and Sidecar Mode (Kubernetes sidecar) for high-assurance cross-organization deployments. Backed by Garudex Labs, the project uses production-ready open standards (Z3, ProVerif, Halo2 PLONK). ASE's core value is enabling secure, auditable economic coordination among mutually distrustful AI agents, laying the groundwork for autonomous digital economies where trust is built into the protocol itself.
ASE is designed for DevOps and security engineers deploying multi-agent systems in finance, supply chain, decentralized infrastructure, and regulated industries. It also targets researchers and developers building LLM-based agent frameworks (e.g., using MCP) who need verifiable economic coordination, auditability, and cryptographic trust. Early adopters are organizations experimenting with autonomous multi-agent workflows across organizational boundaries, particularly where distrust, compliance, and asset settlement are critical. The platform is also relevant for startups building agent orchestration platforms and enterprises exploring zero-trust multi-agent architectures.