QHermes 26
Examples
All examples are in qhermes-a2a-py/examples/ and run against real A2A types from the a2a-sdk package. Install dependencies and run any of them directly.
pip install qhermes-kernel qhermes-a2a a2a-sdk

Basic delegation
A root identity issues a credential to an agent. The agent uses it to authorize an operation. The verifier checks the chain and executes. No multi-hop delegation, no attack scenarios. Just the happy path.
python examples/delegation_basic.py

Multi-hop delegation chain
Root issues to an orchestrator, which delegates further to a sub-agent. The sub-agent presents the full chain to an executor, which verifies it locally against the root public key before acting. Demonstrates node and leaf roles, chain sealing, and verify_auth.
python examples/delegation_chain.py

Financial approval pipeline
A bank runs three agents over A2A. The RiskOrchestrator owns the master seed and never executes. The ComplianceAgent holds a two-hop credential scoped to /transfers/check and /transfers/approve. The ExecutionAgent holds a five-minute credential scoped only to /transfers/approve. The PaymentGateway verifies the full chain before accepting the KEM session and decrypting the transfer order.
Demonstrates: multi-hop delegation, short-lived credentials, KEM session handshake over A2A message metadata, encrypted payload bound to task ID as AAD.
python examples/financial_approval.py

AI coding agent sandbox
An orchestrator spawns four sub-agents for a single coding task. Each sub-agent receives one credential scoped to exactly the file and operation it requires: ReaderAgent may only GET src/api/handler.py; WriterAgent may only PUT the same file; TestAgent may GET and PUT tests/test_handler.py. The Executor verifies the credential before any operation executes.
A scope escalation attempt is included: WriterAgent tries to PUT tests/test_handler.py using its own credential. The Executor rejects it before any filesystem operation is reached.
Demonstrates: per-task per-file minimum privilege, scope escalation rejection at the credential layer, KEM session per operation.
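The scope check described above, sketched as an added example. This is not QHermes code and does not use its API: the Credential class, function names, and timestamps are hypothetical, and signature verification of each hop is omitted so that only the scope and expiry logic is shown.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Credential:              # hypothetical stand-in, not a QHermes type
    holder: str
    scope: frozenset           # granted (method, path) pairs
    not_after: float           # expiry, seconds since epoch

def chain_is_attenuating(chain, now):
    """Every hop may only narrow its parent's scope and lifetime."""
    for parent, child in zip(chain, chain[1:]):
        if not child.scope <= parent.scope:       # child widened its scope
            return False
        if child.not_after > parent.not_after:    # child outlives its parent
            return False
    return all(c.not_after > now for c in chain)  # nothing in the chain expired

def authorize(chain, method, path, now):
    """Decide before any filesystem access; the leaf scope must name the operation."""
    if not chain or not chain_is_attenuating(chain, now):
        return False
    return (method, path) in chain[-1].scope

# Constructed sample data mirroring the sandbox scenario above.
NOW = 1_000_000.0
HANDLER, TESTS = "src/api/handler.py", "tests/test_handler.py"
ORCH = Credential("Orchestrator", frozenset({("GET", HANDLER), ("PUT", HANDLER),
                                             ("GET", TESTS), ("PUT", TESTS)}), NOW + 3600)
READER = Credential("ReaderAgent", frozenset({("GET", HANDLER)}), NOW + 300)
WRITER = Credential("WriterAgent", frozenset({("PUT", HANDLER)}), NOW + 300)
TESTER = Credential("TestAgent", frozenset({("GET", TESTS), ("PUT", TESTS)}), NOW + 300)

def demo():
    return {
        "writer_put_handler": authorize([ORCH, WRITER], "PUT", HANDLER, NOW),
        "writer_put_tests": authorize([ORCH, WRITER], "PUT", TESTS, NOW),  # escalation
        "tester_put_tests": authorize([ORCH, TESTER], "PUT", TESTS, NOW),
        "writer_after_expiry": authorize([ORCH, WRITER], "PUT", HANDLER, NOW + 301),
    }

if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name}: {'allow' if allowed else 'deny'}")
```
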
python examples/code_agent_sandbox.py

Healthcare data pipeline
Patient data flows one way through ingestion, anonymization, and analysis stages. IngestionAgent may only write to data/raw/. AnonymizationAgent may read from data/raw/ and write to data/anonymized/. AnalysisAgent may only read from data/anonymized/; access to data/raw/ is absent from its signed scope, confirmed at the credential layer. AuditAgent holds a read-only credential across all paths.
Demonstrates: one-way data flow enforcement, AnalysisAgent exclusion from raw data verified cryptographically, GDPR compliance snapshot via parse_payload and credential_valid_at.
python examples/healthcare_pipeline.py

CI/CD pipeline
A SaaS pipeline with five agents. BuildAgent holds a two-hour credential scoped to source read and artifact write. StagingDeployAgent holds a credential scoped to staging deployment only. ProdDeployAgent holds a fifteen-minute credential opened only after human approval is recorded. AuditAgent holds a twenty-four-hour read-only credential across all paths.
A scope escalation attempt is included: a compromised BuildAgent tries to use the staging credential for a production deployment. The check confirms /deploy/prod is absent from the BuildAgent's granted paths before any operation is attempted.
Demonstrates: credential expiry, short-lived prod credentials, scope escalation detection, compliance snapshot.
python examples/ci_cd_pipeline.py

A2A SDK integration
End-to-end walkthrough of how QHermes plugs into the A2A protocol using real a2a-sdk types. The root operator signs an AgentCard with ML-DSA-65. The caller fetches and verifies it, extracts the KEM key, receives a credential from the root, seals the credential chain and payload into message.metadata, and sends it. The agent verifies the chain and decrypts the payload before responding.
Demonstrates: AgentCard signing and verification, pack_metadata / unpack_metadata, full request-response cycle with real A2A types.
python examples/a2a_sdk_integration.py

Questions or custom use cases: hello@copertino.world