Skip to content

Observatory

The Observatory at auth.kanoniv.com is the hosted control plane for Kanoniv Auth. It provides agent registration, delegation management, scope enforcement, reputation scoring, and a full provenance trail.

Getting Started

Sign Up

Create an account at auth.kanoniv.com or via CLI/SDK.

bash
kt signup
python
from kanoniv_auth.cloud import TrustClient

trust = TrustClient(url="https://auth.kanoniv.com")
trust.signup("[email protected]", "password", "Your Name")

Get Your API Key

Login returns an API key. Save it - it is shown once.

bash
kt login
python
result = trust.login("[email protected]", "password")
api_key = result["api_key"]

The CLI saves the key to ~/.kanoniv/cloud.key automatically. You can also set the KT_API_KEY environment variable.

Connect

python
from kanoniv_auth.cloud import TrustClient

trust = TrustClient(api_key="kt_live_...", url="https://auth.kanoniv.com")

The default URL is https://trust.kanoniv.com. Pass url explicitly if your deployment uses a different hostname.

Agent Registry

Register agents with capabilities and auto-generated DIDs.

python
trust.register("coordinator", capabilities=["resolve", "merge", "delegate"], description="Orchestration agent")
trust.register("sdr-agent", capabilities=["resolve", "search"], description="Sales development")

agents = trust.agents()            # List all, sorted by reputation
agent = trust.agent("sdr-agent")   # Details + RL context
bash
kt register coordinator -c resolve,merge,delegate
kt register sdr-agent -c resolve,search
kt agents

Each agent gets a persistent did:agent: identifier. The DID is auto-generated from the agent name and a random suffix. Re-registering an existing agent name updates capabilities and sets status to online.

Delegation Management

Grant scoped authority between agents.

python
trust.delegate(
    from_agent="coordinator",
    to_agent="sdr-agent",
    scopes=["resolve", "search"],
    expires_in_hours=4,
    metadata={"max_amount": 100}
)

delegations = trust.delegations("sdr-agent")
trust.revoke(delegation_id)
bash
kt delegate coordinator sdr-agent -s resolve,search
kt delegations sdr-agent
kt revoke <delegation-id>

The delegation response includes the delegatee's RL context (outcome history and summary) so the caller can assess the agent's track record before granting authority.

Enforcement

The Observatory enforces delegation scopes on every provenance entry. When an agent records an action via POST /v1/provenance, the server checks:

  1. Scope check - Does the agent have an active delegation granting the action scope?
  2. Caveat check - Does the action metadata satisfy delegation caveats (e.g. max_amount)?
  3. Expiry check - Is the delegation still within its TTL?
CheckPassFail
ScopeAction proceeds with status ALLOWED403 delegation_denied
CaveatAction proceeds403 caveat_exceeded
ExpiryAction proceeds403 delegation_expired
No delegation-403 no_delegation

Blocked actions are still recorded in the provenance trail with status BLOCKED and a reason code. Denied attempts are evidence too.

INFO

The observatory agent and agents identified in the X-Agent-Name header as system bypass enforcement. All other agents must have an active delegation.

Recording Actions

python
# This action is enforced - sdr-agent must have "resolve" scope
trust.action("sdr-agent", "resolve", metadata={"entity": "[email protected]"})

# This would be blocked - no "merge" scope
trust.action("sdr-agent", "merge", metadata={"entities": ["e1", "e2"]})
# Returns {"error": "delegation_denied", "reason": "..."}

Every successful action also auto-records an outcome memory entry and updates the agent's reputation.

Reputation Scoring

Every agent builds a reputation score from 0 to 100 based on five weighted signals:

SignalWeightCalculation
Activity30%log2(total_actions + 1) * 15, capped at 100
Success Rate25%successes / (successes + failures) * 100
Reward Signal20%Average feedback score (-1 to 1), normalized to 0-100
Tenure15%days_registered / 90 * 100, capped at 100
Action Diversity10%distinct_action_types / 7 * 100

Submit feedback to affect reputation:

python
trust.feedback(agent_did, "resolve", "success", reward_signal=0.8, content="Accurate match")

Reputation is recomputed after every feedback submission and after every auto-recorded outcome.

WARNING

Reputation scores below 20 trigger a warning in the dashboard. This does not block actions automatically, but operators can configure delegation policies that require minimum reputation thresholds.

Memory

Agents can memorize decisions, investigations, and patterns.

python
trust.memorize("sdr-agent", "Resolved [email protected] to entity e3a1f9c2", entry_type="decision")
entries = trust.memories(entry_type="decision", author="agent:sdr-agent")

INFO

The author field uses the format agent:{name}. When querying memories by author, include the agent: prefix.

Memory entry types: decision, investigation, pattern, knowledge, task, outcome.

Recall retrieves all outcomes and a summary for a specific agent DID:

python
context = trust.recall(agent_did)
# Returns: {"did": "...", "summary": {...}, "entries": [...]}

View time-series reputation data for charts and monitoring:

python
trend = trust.trend(agent_did, window="7d")
# Returns: {"did": "...", "window": "7d", "bucket": "day", "points": [...]}

trend_24h = trust.trend(agent_did, window="24h")
# Returns hourly buckets

Each point contains time, total, successes, failures, and avg_reward.

Dashboard

The Observatory web UI at auth.kanoniv.com shows:

  • Agent Registry - All agents with status (online/idle/offline), capabilities, and reputation scores. Agents go idle after 5 minutes without activity and offline after 1 hour.
  • Delegation Management - Active delegations with scopes, caveats, and expiry. Grant and revoke from the UI.
  • Provenance Trail - Chronological timeline of every action with ALLOWED/BLOCKED status and metadata.
  • Reputation Trends - Time-series charts (7-day and 24-hour windows) showing success rates and reward signals.
  • Memory - Agent decisions and knowledge entries with expandable detail cards.

Plans

PlanAgentsActions/monthDelegations
Free31005
Team2510,000100
EnterpriseUnlimitedUnlimitedUnlimited

API Reference

MethodPathPurpose
POST/v1/agents/registerRegister or update agent
GET/v1/agentsList agents (sorted by reputation)
GET/v1/agents/:nameAgent details + RL context
POST/v1/delegationsGrant delegation
GET/v1/delegationsList delegations (filter by agent_name)
PUT/v1/delegations/:idUpdate delegation scopes
DELETE/v1/delegations/:idRevoke delegation
POST/v1/provenanceRecord action (enforced)
GET/v1/provenanceList provenance entries
POST/v1/memorySave memory entry
GET/v1/memoryList memory entries (filter by entry_type, author)
PUT/v1/memory/:idUpdate memory entry
POST/v1/memory/feedbackSubmit feedback (triggers reputation recompute)
GET/v1/memory/recallAgent RL context + outcomes for a DID
GET/v1/memory/trendReputation time-series (7d or 24h windows)
POST/v1/auth/signupCreate account
POST/v1/auth/loginGet API key
GET/v1/auth/meCurrent tenant info and usage
DELETE/v1/auth/resetWipe data (keeps account)
DELETE/v1/auth/accountDelete everything

INFO

Auth endpoints (/v1/auth/*) are served through the control plane proxy. Agent, delegation, provenance, and memory endpoints are served by the Observatory API directly.

Next Steps

The identity and delegation layer for AI agents.