Reference implementation · Apache-2.0 · Python 3.12+
The typed, trust-bearing, schema-mediated coupling layer that composes heterogeneous harnessed agents into a single coherent system. Signed cards. Delegation contracts. Mechanical blame.
$ pip install rigging▌
“You can have a great harness on every agent and still have terrible rigging.
If you’re not the model, and you’re not the harness, you’re the rigging.”
Why this layer needs a name
route_to_agent()# prod-grade glue, every team writes it differently
trace_id = uuid()
contract = {"caller": "planner", "callee": callee}
try:
out = await callee.run(req)
except Exception:
out = await fallback.run(req) # silent swap
cost[caller] += out.cost # 🤞
return outresult = await rig.call(
caller=planner,
callee_did=worker.did,
capability="translate_pdf",
input={"uri": "s3://…"},
cost_budget=("usd", "0.50"),
verifier=quality.did,
)
Every multi-agent stack ships a route_to_agent that
reinvents identity, contracts, budgets, and retries — incorrectly,
inconsistently, and invisibly. Rigging makes the invisible layer
a typed primitive.
The three primitives a rig refuses to live without
A rig is a runtime that does three things, and refuses to do anything else. It makes capability advertisements explicit. It makes delegation contracts explicit. It makes blame attribution mechanical. Everything else in a rig exists to keep those three primitives honest.
The most important discipline a rig enforces is refusing to silently fix things. A friendly system absorbs partial failure and gives the caller a working answer. A friendly system also destroys the chain of evidence that blame attribution depends on. Keep reading →
Interactive · click any scenario
Pick a failure mode. The runtime emits a signed envelope per step; the extractor walks the DAG backwards until it finds the proximate cause. No guesswork.
Interactive · press ▶
Six steps. Each one is a checkpoint at which the rig can refuse. No animation magic — every box is a span the runtime actually emits.
Why budgets compose
Cost is a property of a contract, not of an agent. B may subcontract to C only by carving a sub-budget from B's own allocation. C's overruns hit B's ledger; A's budget is inviolable.
The agentic version of letting a subcontractor put arbitrary charges on the general contractor's credit card is exactly what cost-as-an-agent-property allows. Rigging refuses it structurally. See ADR-0006.
No edge labelled "silently retry"
Terminal states are fulfilled, rejected, and voided. Retries are first-class events with their own contracts and their own identifiers, because a retry against a fresh callee produces output signed by an identity the caller did not address. See ADR-0009.
Five runnable examples · offline · no API keys
The minimum viable rig. A planner delegates to a worker. One signed contract; one execute; one verify.
02Heterogeneous composition: a planner (Anthropic), a coder (OpenAI), a reviewer (local). Same rig.
03The worker is deliberately bad. The verifier catches it. The blame chain points unambiguously at the worker.
04A → B → C with explicit sub-budgets. C overruns. A's budget is unaffected. Cost has a defensible answer.
05Three verifiers, majority rules. Disagreement becomes a composition problem, not a runtime problem.
06A verifier's verdict is itself audited by a meta-verifier. Recursion is bounded by verification_recursion_cap.
Interactive · drag the sliders
A → B → C. Each contract has its own carved sub-budget. C overspends. Move the sliders; watch where the overrun lands. A's budget is structurally inviolable — that is the entire point.
The runtime debits against the contract that holds the spend.
A's ledger never sees C's overrun. Try setting C beyond B's
sub-budget to trigger BudgetOverrun.
budget$1.00
committed to B$0.20
remaining$0.80
sub-budget$0.20
spent on C$0.33
statusoverrun
Three teams, three problems
Synthesised from real conversations with practitioners. Names and numbers redacted; the patterns are the patterns.
Before: A planner agent at a fintech ramped a research subtask onto a chain of three reasoning subagents. One agent silently spun off a sibling that re-issued the same query in a retry loop. $8,400 in token spend on one task before alerting fired.
With rigging: The retry would have been a new contract, with its own signed identifier. The sibling's budget would have been a carved sub-allocation from the parent. The runaway would have hit BudgetOverrun after $0.50, not $8,400.
Before: A code-review pipeline composed of four agents from three vendors auto-merged a regression. The post-mortem took six engineers eight hours to attribute fault — three of the agents were running in different repos, with non-aligned trace formats.
With rigging: One trace. One blame chain. rig trace inspect would have named the reviewer agent whose verdict was wrong, with its signed envelope as the proof. Six engineer-hours back.
Before: A regulated-industry customer asked: "for last month's automated decisions, prove which agent made each call and under what budget." The team spent two weeks reconstructing it from logs.
With rigging: Every decision is a signed contract; every output is a signed envelope; the trace is the audit. The same question becomes SELECT * FROM traces WHERE … against the OpenTelemetry backend.
One-direction dependency graph
Rigging-Bench v0 · honest scoring
Half honest, half dishonest agents — the floor is structural.
All four canonical patterns expressible.
Spoofing, tampering, wrong-key covered. Revocation is v1.
Zero L1 error on the synthetic chain.
Leaf attribution solid. Planner-misroutes & verifier-itself-wrong: v1.
We name the gaps so they cannot be hidden in headline numbers.
Where Rigging sits in the stack
| MCP | A2A | Harness | Supervisor (LangGraph, CrewAI) |
Rigging | |
|---|---|---|---|---|---|
| Tool wire format | ✓ | — | — | — | ↗ reuses |
| Agent-to-agent wire | — | ✓ | — | — | ↗ reuses |
| Single agent loop | — | — | ✓ | partial | — |
| Multi-agent routing | — | — | — | ✓ | ✓ typed |
| Signed capability advertisement | — | partial | — | — | ✓ |
| Typed delegation contract | — | — | — | — | ✓ |
| Per-contract budget enforcement | — | — | per agent | — | ✓ recursive |
| Verifier as first-class participant | — | — | — | conv. | ✓ |
| Cross-agent blame extraction | — | — | — | — | ✓ |
| Refuses silent retries | n/a | n/a | policy | policy | ✓ structural |
A rig uses MCP and A2A as wire formats. It sits one floor up from supervisor patterns. It does not replace your harness — it composes across harnesses.
Why this layer needs a name in 2026
Every layer in this stack was open-coded by every team before it had
a name. Kubernetes was the loop your ops engineer ran in tmux.
MCP was a function called call_tool() in five styles.
A2A was a hand-written REST shim. The layer that comes next — the
typed coupling across trust domains — needs a name too.
One screen of code
# build a rig and register three agents
from rigging.runtime import Rig
from rigging.adapters import LocalPythonAdapter
from rigging.identity import KeyPair
rig = Rig(name="my-system")
rig.register(planner, keypair=planner_key)
rig.register(worker, keypair=worker_key)
rig.register(quality, keypair=quality_key)
# delegate with a signed, typed contract
result = await rig.call(
caller=planner,
callee_did=worker.did,
capability="translate_pdf",
input={"uri": "s3://docs/contract.pdf",
"target_language": "fr"},
cost_budget=("usd", "0.50"),
verifier=quality.did,
)
# export the trace + blame chain
trace = rig.finish()
trace.write("trace.json")No silent retries. No transparent fallback. No tribal knowledge. A typed exception names the responsible agent, every time.
The art of this layer is in what it refuses
FAQ
No. Rigging sits above MCP and A2A. Tool calls inside a harness flow over MCP; the contract flows over A2A; the trace flows over OpenTelemetry. A rig that invents a new wire format is, by our definition, doing it wrong.
No — and we tried that first. A verifier is just an agent whose card declares a verify capability. The runtime invariants apply to it uniformly. Disagreement becomes a composition problem (vote, recurse), not a runtime problem. See ADR-0007.
A retry against a fresh agent produces output signed by an identity the caller did not address. The trace shows A → B but the work was done by B′. Blame analysis terminates in a contradiction. Retries are first-class events with their own contracts and their own identifiers.
v0 only needs to answer "is this card real and unchanged?" Long-lived per-agent Ed25519 keys solve that with no infrastructure. OAuth/OIDC is a v1 conversation.
No. rigging-core and rigging-runtime contain zero LLM-specific code. All provider concerns live under rigging-adapters.
Cost is a property of a contract, not of an agent. B may subcontract to C only by carving a sub-budget from its own allocation. C's overruns hit B's ledger; A's budget is inviolable. See ADR-0006.
Not in v0. The TUI is sufficient. This page is the visual demo. A dedicated rigging-viz is on the roadmap.
Maritime, not fraudulent. The rigging of a sailing ship is the load-bearing web that translates wind into motion. The sails do not move the ship. The hull does not move the ship. The rigging does.
Curator
PhD candidate, Department of Computer Science, The University of Hong Kong. Advised by Prof. Siu-Ming Yiu.
Research interests: trust-bearing infrastructure for multi-agent systems, applied cryptography, and the systems substrate beneath modern AI agents. Rigging is the reference implementation of a concept she has been developing through her PhD.
Star it on GitHub. Run the four examples. File an issue. We answer.