Agent Networks for Organizations

Your AI agents can work with agents from other organizations — without sharing credentials, without trust assumptions. Cryptographically signed, fully audited, GDPR-compliant.

How Inter-Organization A2A Works

Two organizations, each running their own Corvin instance, can connect their AI agents via a one-time key exchange. After pairing, agents send signed task envelopes to each other. Every envelope is verified before any work begins: sender identity, timestamp, HMAC over all fields, nonce for replay protection. Neither org gains access to the other's infrastructure or data — only the task and its result travel across the boundary.

Org A — Corvin Instance General Assistant Agent Research Agent Workflow Orchestrator audit.jsonl A2A.envelope_sent ✓ A2A.response_received ✓ Org B — Corvin Instance Legal Database Agent Data Science Agent Specialist Worker audit.jsonl A2A.envelope_received ✓ A2A.engine_spawned ✓ TaskEnvelope (HMAC-signed) ResponseEnvelope (signed) sender identity · time window · HMAC · nonce verified before any work begins

The key exchange happens once, out-of-band. After that, task envelopes flow automatically. Org B's agent never has credentials for Org A's systems — it only sees the signed instruction in a sandboxed context and returns a signed result. Both sides maintain their own independent audit chains.


How It Works — 4 Steps

From zero to a running inter-organization agent network in under ten minutes.

1

Pair once

Run one command. CorvinOS generates a key pair and creates a local origin file plus a peer endpoint file. Exchange the endpoint file out-of-band — email, Signal, any secure channel. No passwords. No shared secrets. No central registry.

corvin-a2a pair acme https://acme.corvin.eu:8000
2

Send a task

Send a signed task envelope to the paired endpoint. You can attach files — each attachment's SHA-256 digest is included in the HMAC payload, so any in-flight modification is immediately detectable on the other side.

corvin-a2a send acme "analyze this dataset and return a summary" --attach data.csv
3

The other org's agent runs

Org B receives the envelope, validates the signature and sender identity, then runs the task in an isolated worker. The agent sees the instruction wrapped in a sandboxed framing block — it cannot break out of the signed context. The result is filtered against a declared schema before signing.

4

Get the result

A signed ResponseEnvelope arrives carrying the result and any output files — charts, reports, CSVs. Your agent can reason about the results immediately. Both sides have a permanent, hash-chained record of the entire exchange.


Security Guarantees

Every guarantee is structural — enforced by the protocol, not by policy or convention. There is no configuration knob that weakens any of these properties.

Identity

You know who sent it

Instance attestation: every envelope carries a persistent instance ID (UUID4, stored locally). If the receiver behind a URL is swapped, the instance ID check fails. A fake Corvin instance cannot impersonate a legitimate one.

Integrity

Nobody tampered with it in transit

HMAC-SHA256 over the full payload — including all attachment SHA-256 digests. Any byte-level modification to the envelope or an attached file breaks the signature and the request is rejected before any work begins.

Freshness

No replay attacks

Every envelope carries a nonce and a timestamp. The receiver enforces a five-minute time window and maintains a TTL-keyed nonce store. The exact same envelope cannot be submitted twice, even within the time window.

Result fidelity

The other side cannot lie about results

The ResponseEnvelope is also HMAC-signed by the receiver. A declared result schema strips any undeclared fields from the worker output before signing. An empty schema produces data: {} — never a pass-all.

Auditability

Full audit trail on both sides

Eight A2A audit events per exchange (envelope_received, engine_spawned, result_filtered, and five more) — all written to the hash-chained audit log before any response is sent. Audit-first is an invariant: a chain write failure blocks the request.

Attachments

Attachments are verified

Each attachment carries a SHA-256 digest inside the HMAC payload. The receiver re-computes the digest after base64-decoding and rejects any envelope where the digests do not match. In-flight modification of attached files is always detectable.


What You Can Build

A2A networks unlock collaboration patterns that are impossible with shared platforms or centralized APIs — because each organization keeps full control of its own data and infrastructure.

⚖️

Specialized research networks

Your org has a general assistant. Another org has a specialist agent with access to legal databases, medical literature, or proprietary market data. Your assistant delegates research tasks and gets back structured analysis — without ever touching the specialist org's underlying data stores.

📊

Data processing pipelines across orgs

Org A collects sensor data. Org B has the data science team and compute infrastructure. A2A pipes the CSV to Org B's agentic compute worker, gets back analysis results, charts, and a signed summary — without Org B ever having credentials to Org A's systems.

🕸️

Federated AI workflows

Five organizations each run one segment of a workflow. Tasks flow from org to org via A2A, each adding their piece: data enrichment, legal review, financial modeling, translation, publication. No central coordinator needed. Each org audits only its own segment.


Network Attestation ()

Every Corvin instance has a cryptographic identity

When CorvinOS starts for the first time, it generates a persistent UUID4 and stores it locally at ~/.corvin/global/instance_id.json (mode 0600). This identity travels inside every TaskEnvelope and ResponseEnvelope you send or receive. Endpoints pin the expected receiver instance ID — if the Corvin instance behind a URL is replaced, the pin check fails and the exchange is rejected.

Closing the fork-bypass gap. Before pairing, an instance can prove membership in the CorvinOS network via an RS256 JWT signed by the Corvin Labs trust anchor (the public key ships with every CorvinOS release at operator/license/a2a_network_pubkey.pem). This means a fork of CorvinOS that removes security properties cannot falsely claim to be a legitimate network member. Isolated networks that cannot reach the attestation endpoint can use --offline-pair to bypass the membership check while retaining all cryptographic signing guarantees.

No phone-home, no lock-in. The trust anchor public key is embedded in the release. Verification is local. The attestation JWT is fetched once at pairing time and cached — no ongoing dependency on any Corvin Labs infrastructure during normal operation.

Start building your AI network

Deploy CorvinOS, run corvin-a2a pair, and your agents can collaborate with agents at any other organization running CorvinOS — fully signed, fully audited, GDPR-compliant.