Skip to content

client certificate authorization, mTLS, and simplification of architecture #9

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
JL2718 wants to merge 2 commits into
base: main
Choose a base branch
from
Open

client certificate authorization, mTLS, and simplification of architecture #9

JL2718 wants to merge 2 commits into from

Conversation

@JL2718
Copy link

@JL2718 JL2718 commented Jan 14, 2026

TL;DR: Client certificate authentication is the most important change, but I started from scratch for simplicity. I did it because it took me a long time to figure out what TAP was actually doing, and then saw that the central registry concept would require handling a duplicate request for some large portion of the entire internet, and doing a terra-scale lookup for each, so I made an alternative architecture for much better scalability. Maybe something to pick at.

Proposed Changes

1. Unified Stack

  • Current: Juggles Python (FastAPI, Streamlit), Node.js, and React.
  • Proposed: Everything runs on Bun. One runtime, one language (TypeScript), one test runner.
  • Structure: Organized cleanly under src/ with dedicated modules for agent, proxy, registry, authority, and merchant.

2. Enhanced Protocol & Security

  • New Authority Service: I've introduced a dedicated Certificate Authority (CA) to demonstrate issuing short-lived client certificates to agents.
  • Dual Authentication: The Proxy implementation now supports both:
    • mTLS / Client-Cert: Verifying identity at the connection level (RFC 9440).
    • HTTP Signatures: Fine-grained request signing (RFC 9421).
  • Optimization: The Proxy logic extracts the public key directly from a verified Client-Cert, potentially eliminating the network round-trip to the Registry, heavy load expectations, and single point of failure.

3. Lightweight Frontend

  • Current: Heavier React setup. Uses Playwright browser automation.
  • Proposed: VanJS to keep it light and focused. Eliminated Playwright to focus only on protocol-relevant behavior.

Architecture Comparison

Feature original Proposed
Runtime Python 3 + Node.js Bun (v1.0+)
Identity Simple Key Registry Authority (CA) + Registry
Auth Basic Signatures RFC 9421 Signatures + RFC 9440 Client Certificates
Merchant UI React VanJS (TypeScript)
Agent Action browser control (Playwright) simple https requests

I hope this reference implementation provides some useful ideas for the project's evolution.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@JL2718