AutoGen + Manav: multi-agent attestation chains
In AutoGen, agents talk to each other. Each conversation produces actions that touch real systems. The unanswered question — until now — was which human authorized which side of the dialogue. Manav resolves it in the agent graph.
The pattern
from autogen import AssistantAgent, UserProxyAgent
from manav.autogen import ManavAuthority, attest
authority = ManavAuthority(human_did=os.getenv("MANAV_HUMAN_DID"),
scope=["repos:read", "calendar:write"],
ttl="2h",)
planner = AssistantAgent("planner", llm_config=cfg, authority=authority)
executor = AssistantAgent("executor", llm_config=cfg, authority=authority.derive(scope=["repos:read"]))
proxy = UserProxyAgent("proxy", human_input_mode="NEVER", authority=authority)
@attest(authority)
def write_calendar(event):
return calendar_api.create(event)
proxy.initiate_chat(planner, message="Schedule prep for Friday's review.")
What's happening
The ManavAuthority is the human's delegation, scoped and time-bound. Every agent in the graph receives a derived authority — never broader than the parent. When an agent calls a tool, the @attest decorator signs the call with the agent's authority and writes a structured record to the audit log. The conversation between agents becomes a chain of attested actions, not a chat log.
Why "derived authority" matters
In AutoGen, the planner often delegates to specialized executors. Without Manav, the executor inherits whatever credentials the planner happens to have — usually too many. With Manav's derive() call, you pass a strict subset to the executor: read-only on repositories, no calendar access, no spend cap. If the executor goes off-script and tries to delete a repo, the action is rejected at the relying party because the delegation does not authorize it. Defense in depth, by construction.
What the audit log sees
Every step lands a structured record: human DID, agent name, parent agent, scope at this step, parameters hash, tool called, outcome. The chain reads like a tree: the human signed for an 8h delegation, the proxy ran a chat, the planner produced a plan, the executor ran four tool calls, three succeeded, one was rejected for scope. The format matches the audit-trail design we publish.
Performance
The wrapper adds 3–6 ms per agent message and 5–9 ms per tool call. In agent graphs the LLM dominates; identity is invisible.
Where this matters
AutoGen's killer use cases — research analysis, customer support escalation, code-review automation — all share a regulatory exposure: agents take actions across systems and the audit trail does not name the human. Article 14 of the EU AI Act calls this "lack of human oversight" and prices it at 7% of global revenue. Manav is the lightest patch.
Common objections
Engineers push back on three things. Latency — the cache makes verification 18 µs hot-path, fine for any production system. Vendor lock-in — the protocol is open, the spec is published, the reference implementation is forkable. Adding another auth dance — the integration is twelve lines and middleware, not a new platform to manage.
Frequently asked questions
What is the runtime cost? Single-digit milliseconds per tool call when the verification cache is warm. Cold verification is 1–2 ms. Both numbers are small relative to the LLM round-trip the agent is already paying.
Does it work with our existing agent framework? Yes. The protocol is host-agnostic. SDKs ship for Python, Go, Node, Rust, and TypeScript; integrations exist for LangChain, CrewAI, AutoGen, and the Claude Agent SDK. Anything that calls a tool can present a delegation.
What happens to delegations when an engineer leaves? They die at the human's offboarding. The IdP de-provisions the human; the device key is rotated; every active delegation that human signed is invalidated within 200 ms. No service-account graveyard for the new owner to clean up six months later.
Where to start
Hands-on next: langchain human in the loop ships in twelve lines; crewai manav adds the operational layer once you have the basics. Both link to working repos; clone, integrate, run the bench.
Adjacent reading
For the integration path, start with MCP + Identity in 12 lines, then the cross-platform reference architecture. For the operational surface, see webhooks not polls and performance at 100k RPS. Each of those is a working repo; the integration takes a coffee break, the production hardening takes a sprint.
What AutoGen's group-chat pattern reveals about delegation
AutoGen's multi-agent group-chat pattern surfaces the delegation question in a way single-agent frameworks do not. When agent A asks agent B to take an action, the relying party needs to know whose authority B is acting under — A's delegated scope, A's upstream human's scope, or B's own. AutoGen's implementation defers the question to the integrator. The Manav layer answers it explicitly: B inherits A's delegation chain, with A's scope as the upper bound on B's actions. The integration shape is well-defined, regulator-ready, and independent of which agent in the chat said what. This is the property AutoGen's authors anticipated when they built the chat abstraction; we are filling in the authority semantics they left unspecified. The cleanest integrations in the ecosystem are the ones where the framework respects the authority boundary. AutoGen does, which is why the Manav integration is among the easier ones to ship.
Multi-agent without identity is multi-blame. Manav is what closes the loop.