feat: Add Joy trust network integration for agent delegation#4886
Open
tlkc888-Jenkins wants to merge 4 commits intocrewAIInc:mainfrom
Open
feat: Add Joy trust network integration for agent delegation#4886tlkc888-Jenkins wants to merge 4 commits intocrewAIInc:mainfrom
tlkc888-Jenkins wants to merge 4 commits intocrewAIInc:mainfrom
Conversation
This PR integrates Joy, an open trust network for AI agents, into CrewAI
to enable secure agent verification before task delegation.
Key Features:
- JoyVerifier class for checking agent trust scores
- verify_before_delegation() for pre-delegation checks
- discover_trusted_agents() for finding trusted agents by capability
- Optional dependency: pip install crewai[joy]
Example:
from crewai.trust import JoyVerifier
verifier = JoyVerifier(min_trust_score=0.5)
result = verifier.verify_agent("ag_xxx")
if result.is_trusted:
# Safe to delegate
pass
Joy provides:
- Decentralized trust via agent-to-agent vouching
- Trust scores (0-2.0) based on vouches and behavior
- Agent discovery by capability
- Vouch suggestions for network growth
This is opt-in and backward compatible - existing crews work unchanged.
Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
- Fix discover_trusted_agents to respect require_verified setting - Re-raise ImportError instead of silently catching it - Remove unused joy-trust dependency (httpx is already a core dep) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
verify_before_delegation now checks for API errors and raises descriptive exceptions instead of reporting "not trusted" when the real issue is network/API failure. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 1 potential issue.
Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.
| return self._request( | ||
| "GET", | ||
| f"/agents/vouch-suggestions?agentId={self.agent_id}&limit={limit}" | ||
| ) |
There was a problem hiding this comment.
Query params manually interpolated without URL encoding
Medium Severity
get_vouch_suggestions manually interpolates self.agent_id and limit into the URL path string without URL encoding, unlike discover_trusted_agents which correctly passes a params dict to httpx. If agent_id contains special characters (e.g. &, =, spaces), the URL will be malformed or the query string could be injected with unintended parameters.
- Add _validate_agent_id() function to validate agent ID format - Agent IDs must match pattern: ag_ + 24 hex characters - URL-encode validated IDs for additional safety - Prevents path traversal and injection attacks Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Adds optional integration with Joy, an open trust network for AI agents. This enables crews to verify agent trustworthiness before delegation.
crewai.trustmodule withJoyVerifierclasspip install crewai[joy]Usage
Why This Matters
As AI agents increasingly collaborate, there's no standard way to verify which agents are reliable. Joy provides a decentralized trust network where agents vouch for each other, similar to web-of-trust for PGP keys.
Test Plan
🤖 Generated with Claude Code
Note
Medium Risk
Adds a new HTTP-based trust verification layer that calls an external Joy API; failures or API changes could affect users who adopt it, and it introduces new error-handling paths around delegation decisions.
Overview
Adds an optional
crewai.trustmodule that integrates with the Joy trust network via a newJoyVerifierto verify agent IDs, fetch trust scores/metadata, enforce minimum trust/verified requirements, and gate delegation withTrustVerificationError.Also adds trusted-agent discovery and vouch-suggestion helpers, defines a
crewai[joy]extra for discoverability (no new deps beyond existinghttpx), and includes an example script demonstrating verification and discovery flows.Written by Cursor Bugbot for commit 6b06107. This will update automatically on new commits. Configure here.