QHermes 26
Documentation
QHermes is a cryptographic authorization kernel. It handles identity derivation, credential issuance, delegation chain verification, and encrypted transport. It does not assume a network protocol, a message format, or a deployment topology.
The credential chain is a byte string. It can be carried in an HTTP header, a message queue payload, a BLE advertisement, a CAN frame, or any other channel. The verifier requires only the root public key and the wire bytes. No server, no database, no network access.
The A2A extension (qhermes-a2a) is one integration built on top of the kernel. Other protocols follow the same pattern.
Where to start
To understand the model before reading any API: Credentials.
To run working code immediately: Quickstart.
Packages
- qhermes-kernel: core Rust crate. Identity derivation, credential issuance, chain verification, wire format. #![no_std].
- qhermes-channels: encrypted channels. ML-KEM-768 key encapsulation, ChaCha20-Poly1305 AEAD. #![no_std].
- qhermes-a2a: A2A extension layer. Agent Card signing, authorization metadata, KEM session handshake.
- qhermes-kernel-py: Python bindings for the kernel.
- qhermes-a2a-py: Python bindings for the A2A extension.
Cryptography
- Signatures: ML-DSA-65 (FIPS 204)
- Key encapsulation: ML-KEM-768 (FIPS 203)
- Authenticated encryption: ChaCha20-Poly1305
- Key derivation: HKDF-SHA3-512
No elliptic curve cryptography is used. All primitives are post-quantum.
License
Copertino Source License 1.0. Change Date: 2036-01-01. Change License: Apache-2.0. Free for non-production use. Contact hello@copertino.world for commercial licensing.