Skip to content

edycutjong/gauntlet

Repository files navigation

Gauntlet Logo

Gauntlet 🧀

Paid certification agent β€” hires your agent with 9 adversarial probes and delivers a scorecard

Gauntlet

Live on CROO Agent Store Live Pitch Page DoraHacks BUIDL


TypeScript Node.js Release CI


πŸ“Έ See it in Action

Gauntlet Demo

The Certification Workflow. Agent Submitted β†’ Gauntlet Pays Agent β†’ Runs 9 Adversarial Probes β†’ Collects Responses β†’ Generates Scorecard PDF.


πŸ’‘ The Problem & Solution

How do you know if an AI agent is safe, secure, and performs as advertised before giving it sensitive access? Gauntlet is a Paid Certification Agent. It acts as an automated red-team for AI agents. You submit an agent to Gauntlet, it pays the agent to execute a series of tasks, but secretly injects 9 adversarial probes (prompt injection, latency, payload limits, concurrency, SLA timeouts, Byzantine behavior). Based on how the agent responds, Gauntlet generates a certified security scorecard.

Key Features:

  • πŸ›‘οΈ Adversarial Probing: Tests agents against 9 distinct attack vectors and failure modes.
  • πŸ’Έ Real-World Execution: Actually hires and pays the target agent to test it in a live environment.
  • πŸ“„ Scorecard Generation: Delivers a comprehensive PDF scorecard detailing vulnerabilities and a final certification grade.
  • πŸ”„ Active State Recovery: Resumes and finishes pending evaluation campaigns on container restart.
  • πŸ“€ Certified PDF Uploads: Automatically uploads generated scorecard PDFs to storage using client.uploadFile and returns the pinned resource key.

🌌 The Constellation β€” On-Chain A2A Graph

Gauntlet is a reputation primitive: it pays real CAP orders to the agent under test, then issues an escrow-backed, on-chain certified scorecard + README badge. It can cross-certify every other agent in the constellation β€” a kind of A2A relationship impossible on a flat marketplace (no escrow, no refund-on-failure, no verifiable on-chain provenance).

graph LR
    User([Any Agent / User]) -->|hires to certify| G[Gauntlet 🧀]
    G -->|9 paid adversarial probes| T[Target Agent]
    G -.->|cross-certifies| M[Maestro 🎼]
    G -.->|cross-certifies| L[Litmus πŸ§ͺ]
    G -.->|cross-certifies| S[Summon πŸ‘€]
    classDef hot fill:#F59E0B,stroke:#111,color:#111,font-weight:bold;
    class G hot;
Loading
  • Diversity: npm run certify cross-certifies multiple constellation agents in one run β€” many distinct A2A edges.
  • Escrow integrity: if a probe run can't complete, the buyer's escrow is refunded rather than charged for a partial scorecard.

πŸ”— Live Run Log β€” On-Chain Proof (Base Mainnet)

Real CAP orders settled in USDC during the hackathon. Gauntlet pays the target agent (probes) and is paid to deliver the certification β€” so each run adds rows on both sides.

Total real CAP orders: 2 Β· last updated: 2026-07-07 Β· Gauntlet is paid to certify and pays the target it probes. [pay tx] Β· [deliver tx] on Base Mainnet.

# Date Role Counterparty USDC Order ID Tx (BaseScan) Result
1 2026-07-07 Provider (paid) Navigator 0.25 725c33bd pay Β· deliver signed scorecard on Worker
2 2026-07-07 Requester (probe) Worker 0.10 2b7a8c3b pay Β· deliver probe draft returned

The certification runs 7 adversarial probes; malformed-input probes that the target correctly rejects are passes, and settle on-chain as rejected sub-orders.

πŸ—οΈ Architecture & Tech Stack

Layer Technology
Runtime Node.js (TypeScript)
Ecosystem Constellation A2A (croo-core)
PDF Generation PDFKit
Testing Vitest

🧩 CROO SDK Methods Used

Gauntlet builds on the shared @edycutjong/croo-core SDK. The methods it actually calls:

Method Source Role in Gauntlet
makeClient(sdkKey) croo-core Instantiates the shared CROO AgentClient (Base Mainnet config) from the SDK key.
runProvider(...) croo-core Runs Gauntlet as an on-chain provider β€” subscribes to order/negotiation events and fulfils incoming hires.
hire(...) croo-core Acts as a consumer β€” places orders against other Constellation agents (A2A).
isMockMode() croo-core Branches between offline mock mode and live on-chain execution.
client.uploadFile(...) @croo-network/sdk Uploads the deliverable artifact.
client.getNegotiation(id) @croo-network/sdk Reads negotiation/order state during a hire.

πŸ“ž Hire Gauntlet (A2A)

Any agent can hire Gauntlet on-chain through croo-core's hire() primitive β€” it's live on the CROO Agent Store.

import { makeClient, hire } from '@edycutjong/croo-core';

const client = makeClient(process.env.CROO_SDK_KEY!);

const { delivery } = await hire(client, {
  serviceId: 'a6982cf5-502c-41c1-971e-2e7eef4ed2e9', // Gauntlet on the CROO Agent Store
  requirement: { targetServiceId: '<the service id you want certified>' },
  maxPrice: 1.0,
});

delivery β†’ a signed scorecard { totalScore, passedCount, probes: ProbeResult[] } (7 adversarial probes)

πŸš€ Getting Started

Prerequisites

  • Node.js β‰₯ 20
  • npm

Installation

  1. Clone: git clone https://github.com/edycutjong/gauntlet.git
  2. Enter the directory: cd gauntlet
  3. Install: npm install
  4. Configure: cp .env.example .env.local and fill in your service ID (skip for mock mode)

▢️ Run it now β€” offline mock mode (no wallet, no USDC)

npm install
npm run certify          # cross-certifies the constellation, end-to-end
# …or boot the provider + badge server in mock mode:
CROO_MOCK=true npm run dev

With the provider running, the live certification badge is served at http://localhost:8080/badge?serviceId=<id> β€” drop it straight into any README.

πŸ§ͺ Testing & CI

4-stage pipeline: Quality β†’ Security β†’ Build β†’ Deploy Gate

# ── Code Quality ────────────────────────────
make lint          # ESLint
make typecheck     # TypeScript check
make test          # Run tests
make test-coverage # Coverage report
make ci            # Full quality gate

# ── Security ────────────────────────────────
make security-scan # npm audit + license check
Layer Tool Status
Code Quality ESLint + TypeScript βœ…
Unit Testing Vitest (43 tests) βœ…
Security (SAST) CodeQL βœ…
Security (SCA) Dependabot + npm audit βœ…
Secret Scanning TruffleHog βœ…

πŸ“ Project Structure

gauntlet/
β”œβ”€β”€ docs/              # README assets (hero, screenshots)
β”œβ”€β”€ src/               # Application source code
β”œβ”€β”€ scripts/           # Build and run scripts
β”œβ”€β”€ __tests__/         # Vitest test suites
β”œβ”€β”€ .github/           # CI workflows
└── README.md          # You are here

🚒 Deploy

Containerized web service with a built-in health check on /health and the badge endpoint on $PORT (default 8080):

docker build -t gauntlet .
docker run -p 8080:8080 --env-file .env.local gauntlet
# Health:  http://localhost:8080/health
# Badge:   http://localhost:8080/badge?serviceId=<id>

πŸ“„ License

MIT Β© 2026 Edy Cu

πŸ™ Acknowledgments

Built for the DoraHacks CROO Hackathon 2026.

About

🧀 Paid certification agent β€” runs your agent through 7 adversarial probes and delivers a signed security scorecard (CROO Constellation)

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

1 star

Watchers

0 watching

Forks

Packages

 
 
 

Contributors