
AGNTCY Agent Directory Service

Updated 26 May 2026
  • AGNTCY ADS is a distributed, cryptographically secure infrastructure for the discovery, verification, and governance of AI agent capabilities across multi-agent ecosystems.
  • It integrates content-addressed storage, hierarchical semantic taxonomies, and protocol-agnostic resolution to enable scalable and verifiable agent registration and lookup.
  • The service employs rigorous cryptographic proofs, zero-knowledge protocols, and federated governance to defend against impersonation, registry poisoning, and runtime policy violations.

The AGNTCY Agent Directory Service (ADS) is a distributed, cryptographically secure infrastructure for the discovery, verification, and governance of AI agent capabilities, endpoints, and provenance. AGNTCY integrates content-addressed storage, hierarchical semantic taxonomies, strong identity mechanisms, and dynamic governance features to enable scalable, verifiable, and interoperable discovery across heterogeneous multi-agent ecosystems and organizational boundaries. The platform unifies principles from DNS-inspired agent naming, distributed hash table (DHT)–backed registries, Kubernetes-native workflows, and protocol-agnostic resolution, supporting both central and federated deployments with defense-in-depth against impersonation, registry poisoning, and runtime policy violations (Mittal et al., 29 Apr 2026, Muscariello et al., 23 Sep 2025, Singh et al., 5 Aug 2025, Huang et al., 15 May 2025, Cui et al., 28 May 2025).

1. Formal Architectural Model

AGNTCY implements a multi-layered architectural model featuring protocol-layer decoupling and rigorous cryptographic provenance. The principal layers are:

  1. Schema Layer: Agent records are defined using the Open Agentic Schema Framework (OASF), encoding skills $S$ (e.g., nlp.summarization.abstractive), domains $D$ (e.g., healthcare), and features $F$ (e.g., streaming-output). The agent record is represented as a JSON artifact, with schema-driven extensibility for new agent modalities.
  2. Indexing Layer: Index artifacts map taxonomy keys $A = S \cup D \cup F$ to immutable lists of agent record content IDs (CIDs) via a mapping $f: A \to \wp(C)$, where $C$ is the set of agent record CIDs.
  3. Storage Layer: All agent records and indices are stored in OCI-compliant artifact registries, referenced by their SHA-256 digests, with deduplication and cross-registry caching.
  4. Distribution Layer: Content distribution leverages standard OCI/ORAS protocols. Locators map $g: C \to \wp(L)$, where $L$ is the set of registry-host/repository/digest triples, decoupling capability indexing (immutable) from dynamic content location (mutable) (Muscariello et al., 23 Sep 2025).
  5. Security Layer: All artifacts are signed via Sigstore, producing verifiable provenance. Every change is content-addressed, and the system ensures strong collision resistance and artifact immutability.

This model achieves protocol independence, schema-driven extensibility, and separation of high-churn locators from stable capability indices, supporting both single-cluster and federated architectures (Muscariello et al., 23 Sep 2025, Singh et al., 5 Aug 2025, Mittal et al., 29 Apr 2026).
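
The split between the index map $f$ and the locator map $g$ can be sketched as follows. This is an added example, not ADS code: `Directory`, `publish`, `query` and `pull` are hypothetical names, in-memory dicts stand in for OCI registries, and the canonical JSON encoding and prefix indexing are assumptions.

```python
import hashlib
import json

def canonical(record: dict) -> bytes:
    # Assumed canonicalisation: sorted keys, no whitespace.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def digest(blob: bytes) -> str:
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def prefixes(key: str):
    # "nlp.summarization.abstractive" -> "nlp", "nlp.summarization", full key
    parts = key.split(".")
    return [".".join(parts[:i]) for i in range(1, len(parts) + 1)]

class Directory:
    def __init__(self):
        self.index = {}     # f: taxonomy key -> set of record CIDs (mutable here for brevity)
        self.locators = {}  # g: CID -> set of (host, repository, digest) triples
        self.blobs = {}     # stand-in for OCI registries: locator -> stored bytes

    def publish(self, record: dict, host: str, repo: str) -> str:
        blob = canonical(record)
        cid = digest(blob)
        for key in record["skills"] + record["domains"] + record["features"]:
            for p in prefixes(key):
                self.index.setdefault(p, set()).add(cid)
        loc = (host, repo, cid)
        self.locators.setdefault(cid, set()).add(loc)
        self.blobs[loc] = blob
        return cid

    def query(self, *keys: str) -> set:
        # Multi-dimensional query: intersect the CID sets of every key.
        sets = [self.index.get(k, set()) for k in keys]
        return set.intersection(*sets) if sets else set()

    def pull(self, cid: str) -> dict:
        # Try each replica; accept only bytes that hash back to the CID.
        for loc in sorted(self.locators.get(cid, ())):
            blob = self.blobs.get(loc)
            if blob is not None and digest(blob) == cid:
                return json.loads(blob)
        raise LookupError(f"no replica serves content matching {cid}")

# Constructed sample record using the taxonomy values quoted above.
SUMMARIZER = {"name": "summarizer", "skills": ["nlp.summarization.abstractive"],
              "domains": ["healthcare"], "features": ["streaming-output"]}
```

Publishing the same record to two registries yields one CID with two locators, and `pull` skips any replica whose bytes no longer hash to that CID.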

2. Agent Registration, Discovery, and Naming Schemes

Agent registration and discovery are workflow-driven, protocol-agnostic, and cryptographically anchored.

2.1 Registration Workflow

  • Registration Protocol: Agents submit records to the registry/API, including a globally unique agent name (e.g., fully qualified via DNS or UARN), public key/DID, zero-knowledge proof of capability, and metadata (capabilities, expiry, Verifiable Credential).
  • Record Structure:

$$R = (\mathsf{ansName},\,\mathsf{did},\,\mathsf{pubKey},\,\mathsf{capProof},\,\tau_{\mathsf{exp}},\,\mathsf{VC})$$

with proof-of-possession and signature validation enforced on all submissions (Mittal et al., 29 Apr 2026).

  • Naming: Hierarchical names are formalized as:

$$\text{ANSName} ::= \text{Protocol}://\text{AgentID}.\text{Capability}.\text{Provider}.v\text{Version}[.\text{Extension}]$$

UARN (Uniform Agent Resource Name) and DNS-aligned labels (e.g., summarizer.nlp.acme.agntcy) are supported for human readability and recursive resolution (Cui et al., 28 May 2025).
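
A strict parser for the ANSName grammar above, as an added example rather than code from the cited papers or the AGNTCY project. The label character set, the dotted-numeric version syntax, the case-folding rule in `same_identity` and the sample names in the test are assumptions; the page only gives the overall shape of the name.

```python
import re
from typing import NamedTuple, Optional, Tuple

# Assumed label rule (not from the page): ASCII letter first,
# then letters, digits or hyphen, at most 63 characters.
LABEL = r"[A-Za-z][A-Za-z0-9-]{0,62}"
ANS_RE = re.compile(
    rf"(?P<protocol>[a-z][a-z0-9+-]*)://"
    rf"(?P<agent_id>{LABEL})\.(?P<capability>{LABEL})\.(?P<provider>{LABEL})"
    rf"\.v(?P<version>\d+(?:\.\d+){{0,2}})"   # assumed: up to three numeric parts
    rf"(?:\.(?P<extension>{LABEL}))?",
    re.ASCII,  # keeps \d to 0-9 so Unicode digits cannot reach int()
)

class ANSName(NamedTuple):
    protocol: str
    agent_id: str
    capability: str
    provider: str
    version: Tuple[int, ...]
    extension: Optional[str]

def parse_ans_name(raw: str) -> ANSName:
    """Parse an ANSName; raise ValueError on anything outside the grammar."""
    if len(raw) > 253:
        raise ValueError("name too long")
    m = ANS_RE.fullmatch(raw)  # fullmatch rejects trailing newlines and junk
    if m is None:
        raise ValueError(f"not a valid ANSName: {raw!r}")
    version = tuple(int(part) for part in m["version"].split("."))
    return ANSName(m["protocol"], m["agent_id"], m["capability"],
                   m["provider"], version, m["extension"])

def same_identity(a: ANSName, b: ANSName) -> bool:
    """Assumed policy: labels compare case-insensitively, so 'Acme' and 'acme'
    cannot be registered as two different providers."""
    def key(n: ANSName):
        return (n.protocol, n.agent_id.lower(), n.capability.lower(), n.provider.lower())
    return key(a) == key(b)

def satisfies(name: ANSName, minimum: Tuple[int, ...]) -> bool:
    """Version constraint compared numerically, padded to three components."""
    def pad(v):
        return tuple(v) + (0,) * (3 - len(v))
    return pad(name.version) >= pad(minimum)
```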

2.2 Discovery

  • Functional Mapping:

DD0

Agents and clients query by name, required capabilities, or semantic keyword/vector search. Records are filtered for capability match, version constraints, and cryptographic attestation.

  • Runtime Discovery: Resolution proceeds via recursive zone traversal (root server DD1 org server DD2 agent entry), with fast path through local/DHT cache and fallback to registry. Multi-dimensional queries intersect OASF taxonomies for fine-grained capability routing (Muscariello et al., 23 Sep 2025, Cui et al., 28 May 2025).

3. Security, Cryptographic Proofs, and Policy Governance

AGNTCY is architected for high assurance in agent identity, capability attestation, and runtime control.

3.1 Identity and Proof

  • DID/PKI Model: Each agent record binds a W3C Decentralized Identifier (DID) or X.509 identity, with public keys used for all signature operations. The registry issues and signs Verifiable Credentials (VCs) that attest to agent capabilities and metadata.
  • Zero-Knowledge Proofs: Capability claims may be proven via zero-knowledge protocols (e.g., Schnorr, GNARK/SNARK roadmap), allowing the registry to confirm rights without disclosing sensitive agent secrets (Mittal et al., 29 Apr 2026).

3.2 Policy Engine and Enforcement

  • Policy-as-Code: Open Policy Agent (OPA) is deeply integrated at both admission and runtime layers, validating registration, enforcing capability quotas, expiry windows, and namespace scoping. Admission controller logic validates schema, signatures, and ZK proofs before resource admission.
  • Kubernetes Integration: Rich CRD/operator patterns ensure that agent registration aligns with cluster-native governance, including sidecar-initiated secure mTLS and dynamic RBAC using extracted VC/capability fields.

3.3 Threat Model

Adversary scenarios encompass agent impersonation, capability escalation, replay, and registry poisoning. Mitigations include strict identity binding (DID+PKI+mTLS), cryptographic ZK proof verification, nonce/expiry/rate-limiting, and fully encrypted service mesh channels. Policy enforcement and audit logs provide strong operational guarantees. Governed GitOps pipelines and auditability add further defense-in-depth (Mittal et al., 29 Apr 2026).
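
The following added example (not ADS code) shows how a registry can combine a Schnorr proof of key possession with single-use nonces and an expiry check, so that a captured registration cannot be replayed or rebound to another name. The `Registry` class and its methods are hypothetical, and the 11-bit group is a toy chosen so the arithmetic stays readable; a real deployment would use a standard large prime-order group.

```python
import hashlib
import secrets

# Toy Schnorr group (assumption, illustration only): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def challenge(pub: int, commit: int, ans_name: str, nonce: str) -> int:
    """Fiat-Shamir challenge bound to the key, the claimed name and the registry nonce."""
    data = f"{G}|{pub}|{commit}|{ans_name}|{nonce}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(secret: int, ans_name: str, nonce: str):
    """Agent side: prove knowledge of `secret` without sending it."""
    pub = pow(G, secret, P)
    r = secrets.randbelow(Q - 1) + 1
    commit = pow(G, r, P)
    c = challenge(pub, commit, ans_name, nonce)
    return commit, (r + c * secret) % Q

class Registry:
    def __init__(self):
        self.open_nonces = set()   # issued and not yet used
        self.records = {}          # ansName -> public key

    def issue_nonce(self) -> str:
        nonce = secrets.token_hex(16)
        self.open_nonces.add(nonce)
        return nonce

    def register(self, ans_name, pub, proof, nonce, expires_at, now) -> bool:
        if nonce not in self.open_nonces:
            return False                    # unknown or replayed nonce
        self.open_nonces.discard(nonce)     # single use, even if later checks fail
        if expires_at <= now or ans_name in self.records:
            return False                    # expired record or name already bound
        if not 1 < pub < P or pow(pub, Q, P) != 1:
            return False                    # key outside the order-Q subgroup
        commit, s = proof
        c = challenge(pub, commit, ans_name, nonce)
        if pow(G, s, P) != (commit * pow(pub, c, P)) % P:
            return False                    # prover does not hold the private key
        self.records[ans_name] = pub
        return True
```

Because the challenge hashes the name and nonce, a proof produced for one registration does not verify under a different name or a later nonce.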

4. Distributed Lookup, Semantic Routing, and OCI-Based Storage

AGNTCY distinguishes itself via its hybrid decentralized registry model and content-addressed artifact distribution.

4.1 DHT-Based Indexing

  • Kademlia Extensions: Agent records are discoverable by hash-based routing in an IPFS/Kademlia-style DHT. Specialized buckets/indexes shard by taxonomy keys, supporting semantic lookup and geo-replication. Lookup complexity is DD3 hops in the number of DHT peers (Muscariello et al., 23 Sep 2025, Singh et al., 5 Aug 2025).
  • Semantic Matching: Two-phase discovery filters on taxonomy prefix (exact match) followed by local attribute/embedding similarity—a combination that enables scalable multi-dimensional search.

4.2 OCI Artifact Pipeline

  • Storage Format: All agent capability descriptors are immutable OCI artifacts, referenced by content digest (SHA-256). The artifact manifest conforms to OASF, supporting layered extension and deduplication.
  • Distribution: Multiple registry replicas provide global, low-latency access and cross-domain failover. Signature/provenance blobs generated via Sigstore are attached as referrers, and on-chain optional anchoring is supported for additional trust (Muscariello et al., 23 Sep 2025, Singh et al., 5 Aug 2025).

5. Performance, Scalability, and Operational Properties

Quantitative and qualitative benchmarks have demonstrated strong scalability and low-latency operation in both centralized and geo-distributed deployments.

  • Lookup Latency: Sub-10ms agent discovery in 3-node clusters; sub-second resolution in DHT-based geo-distributed tests, with caching reducing registry pressure by >90% (Mittal et al., 29 Apr 2026, Singh et al., 5 Aug 2025).
  • Throughput: Registry sustained 10k lookups/s, 1k registrations/min, and 100k OPA policy evaluations/s under workflow simulation (Mittal et al., 29 Apr 2026).
  • Storage and Indexing: Bounded taxonomy depth (typically ≤4) and split index/location mapping enable sub-linear scaling for both search and update operations. Concurrent publisher throughput reaches ~500 index updates/s per node.
  • Security/Authentication: All agent metadata and connections are cryptographically authenticated; content is immutable and validated on pull.
  • Operational Tooling: Kubernetes & Helm, GitOps, and cross-registry reconciliation via digest equality are first-class deployment patterns (Muscariello et al., 23 Sep 2025).

6. Positioning within the Agent Directory Landscape

AGNTCY occupies a distinct architectural point among contemporary agent registry solutions:

| System/Model | Discovery | Trust Anchor | Governance | Resilience |
|---|---|---|---|---|
| MCP Registry | REST/central | GitHub/DNS PKI | Central | CDN, single-point |
| A2A Agent Cards | Well-known | TLS CA | Per-domain | Peer cache only |
| AGNTCY (ADS) | DHT + OCI | Sigstore, opt. on-chain | Federated, GitOps | Multi-source, no SPoF |
| NANDA Index | DHT + VCs | W3C VC Issuers | Consortium | Global federation |
| Entra Agent ID | Portal/SaaS | Microsoft Trust Service | Tenant/policy model | SLA-proprietary |

AGNTCY advances decentralized, verifiable, and schema-rich agent discovery, while supporting integration with A2A/MCP/ColorEcosystem models. It is distinct in its use of hierarchical capability taxonomies, content-addressed storage, federated peer admission, and defense-in-depth policy controls (Singh et al., 5 Aug 2025, Wu et al., 24 Oct 2025). Its architecture provides continuity across single-cluster, federated, and massive-agent scale environments, and accommodates future production evolution through roadmap features such as full zero-knowledge proofs and multi-cluster federation (Mittal et al., 29 Apr 2026).

7. Limitations, Extensions, and Future Roadmap

The current AGNTCY implementations emphasize security, verifiability, and performance in both proof-of-concept and production-oriented variants. Noteworthy limitations include:

  • Deployment Scope: Most PoC deployments are single-cluster, lacking operational multi-cluster federation.
  • Extensibility: Partial zero-knowledge proofs; some systems lack HSM-backed CA or sharded multi-region operators.
  • Production Hardened Features: Roadmap capabilities include federated registry gossip, GNARK/SNARK ZK pipelines, stateful sharding, lifecycle key rotation, and integration with Kubernetes Federation-v2 for global discovery (Mittal et al., 29 Apr 2026).
  • Governance: Trust management, stakeholder admission, and dynamic cross-organization extension remain active areas of research and deployment.

AGNTCY's continued evolution is tightly coupled to the requirements of open, trustworthy, and standardized multi-agent infrastructure for the emerging Internet of AI Agents. Its layered abstractions, declarative schemas, and robust security guarantees position it as a critical substrate for next-generation agent collaboration across domains (Muscariello et al., 23 Sep 2025, Singh et al., 5 Aug 2025, Wu et al., 24 Oct 2025).
