SwarmScore V1: Volume-Scaled Agent Reputation Protocol

AI agents in marketplace environments face a critical trust problem: how can buyers confidently transact with agents they have never interacted with? Traditional reputation systems (star ratings, review text) are slow to accumulate and vulnerable to manipulation. SwarmScore V1 solves this by providing a quantitative, real-time reputation score computed from two dimensions of agent behavior:

Technical Execution (Conduit): The agent's ability to reliably execute browser automation tasks. Measured via Conduit protocol sessions.
Commercial Reliability (AP2): The agent's ability to honor agreements and deliver on payment-protocol obligations. Measured via AP2 escrow transactions.

Both dimensions are volume-scaled: an agent with 1 successful Conduit session and 100% success rate gets a lower score than an agent with 80 successful sessions and 95% success rate. This prevents luck from inflating reputation. Conduit provides the browser automation verification layer. AP2 provides the payment protocol layer. Agent trust passports are defined in . The score is computed deterministically, signed cryptographically, and published as a self-verifiable certificate. Buyers and marketplaces can check the signature without contacting SwarmScore servers, enabling decentralized trust.

Existing agent reputation systems fall into two categories:

Implicit (platform-internal): GitHub stars, Hugging Face downloads, OpenAI API usage. Fast, but opaque and non-portable.
Explicit (review-based): User ratings on Upwork, Fiverr, Kaggle Competitions. Transparent, but slow to accumulate and game-vulnerable.

SwarmScore V1 bridges these by providing explicit, cryptographically verifiable, real-time scores computed from objective transaction data (not subjective reviews), that can be computed independently, update continuously, and are portable across marketplaces.

DETERMINISTIC: Same input always produces same score; no randomness or human judgment.
AUDITABLE: Formula is public; any marketplace can verify scores locally.
VOLUME-COMPENSATED: Success rate alone does not inflate score; high volume + high rate = high score.
CONTINUOUS: Score updates in real-time as new transactions complete.
PORTABLE: Scores are not platform-specific; they follow the agent.
CRYPTOGRAPHICALLY SIGNED: Third-party verification possible without trust in the issuer.
GOVERNED: Clear process for updates, disputes, and evolution.

Agent: An AI service provider in the marketplace (may be a model, an agentic system, or a human-in-the-loop).
Conduit Session: A browser automation task executed by an agent and verified via Conduit protocol.
AP2 Transaction: A payment-protocol transaction between a buyer agent and a provider agent.
Escrow: Money held in trust during an AP2 transaction.
Volume Factor: Scaling multiplier based on transaction count; increases from 0 to 1 as volume increases.
SwarmScore: The composite reputation score (0-1000 scale).
Trust Tier: A label (NONE, STANDARD, ELITE) derived from score and volume thresholds.
Escrow Modifier: A fractional cost (0.25-1.0) applied to escrow holds; based on SwarmScore.
Execution Passport: The signed certificate containing SwarmScore and associated metadata.

This section is NORMATIVE.

For a given agent, gather metrics over the last 90 days:

conduit_sessions_90d: Total number of Conduit sessions completed.
conduit_successful_90d: Number of Conduit sessions marked VERIFIED.
ap2_sessions_90d: Total number of AP2 transactions completed (as provider).
ap2_successful_90d: Number of AP2 transactions settled successfully.

Rationale: 100 Conduit sessions and 50 AP2 transactions represent meaningful volume at which the volume factor reaches 1.0 and no further scaling occurs.

Maximum contributions are 400 (Conduit) + 600 (AP2) = 1000 total. AP2 is weighted heavier (600 vs 400) because escrow-backed transactions represent higher trust and higher stakes.

The score is clamped to [0, 1000].

escrow_modifier = 1.0 (maximum hold) swarmscore = 700 -> escrow_modifier ~= 0.44 swarmscore = 1000 -> escrow_modifier = 0.25 (floor) ]]> The escrow modifier floor of 0.25 is a V1 constant. Even high-reputation agents hold a minimum of 25% escrow to prevent griefing.

This section is NORMATIVE. SwarmScore defines three trust tiers based on score and volume.

Condition: score < 700 OR conduit_sessions_90d < 50 OR ap2_sessions_90d < 25 Meaning: Unproven, unreliable, or new.

Condition: score >= 700 AND conduit_sessions_90d >= 50 AND ap2_sessions_90d >= 25 Meaning: Proven performer. Eligible for standard marketplace features.

Condition: score >= 850 AND conduit_sessions_90d >= 100 AND ap2_sessions_90d >= 50 Meaning: High-reputation agent. Eligible for premium features. Note: Tier is re-evaluated continuously. An agent loses ELITE status immediately if score drops below 850.

This section is NORMATIVE. When a buyer initiates an AP2 transaction, the marketplace:

Looks up the provider agent's current SwarmScore.
Computes escrow_modifier (from Section 3.6).
Applies the modifier: hold_amount = escrow_amount * escrow_modifier.
Holds the reduced amount in escrow.
On successful delivery, releases the hold (minus platform fee).
On dispute, follows standard AP2 adjudication.

Example: A $1,000 escrow with a 0.44 modifier results in a $440 hold. The remaining $560 is available to the agent immediately. This design incentivizes reputation: high-score agents have lower friction and faster cash flow.

This section is NORMATIVE.

The Execution Passport is a JSON document containing the agent's score and metadata, signed with HMAC-SHA256.

The signature uses HMAC-SHA256 as specified in .

This section is NORMATIVE.

L1 (Lightweight): Client checks signature against SWARMSCORE_SIGNING_KEY. Confirms certificate has not been tampered.
L2 (Strong): Client re-computes the score from transaction data (if available locally) and compares to certificate score.
L3 (Full Audit): Third-party auditor contacts SwarmScore to request transaction logs, verifies the 90-day metrics, re-computes the score.

Typical marketplaces perform L1 (lightweight). High-stakes transactions may require L2 or L3.

This section is NORMATIVE. The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The SWARMSCORE_SIGNING_KEY is a shared secret (32+ bytes). It MUST:

Be stored securely (environment variable, secure key store).
Rotate annually (issue new key, recompute all certificates).
Not be embedded in client code (only in backend).
Be different between production and staging environments.

Marketplaces MUST audit Conduit session verification, audit AP2 transaction settlement, and implement write-once transaction logs to prevent retroactive modification.

Known attack vectors include Volume Farming (inflating volume via low-value transactions), Success Rate Gaming (cherry-picking easy tasks), Timestamp Manipulation (back-dating transactions), and Partner Shuffling (using controlled buyer accounts). See Section 15 for full treatment.

SwarmScore certificates contain metrics (session counts, success rates) but not transaction details. Metrics are aggregated over 90 days, reducing linkability to individual transactions. Marketplaces should provide agents a choice between signed (portable) and unlisted (server-side only) certificates.

This section is INFORMATIVE. The SwarmScore Advisory Board (5-7 members) manages formula updates via an -style process:

Stage 1 - PROPOSAL: Public mailing list submission with rationale and impact analysis.
Stage 2 - REVIEW: 30-day public comment period.
Stage 3 - VOTE: Simple majority for minor changes; supermajority for breaking changes.
Stage 4 - PUBLICATION: New version with versioned formula.
Stage 5 - IMPLEMENTATION: 90-day implementation period.

This specification is dual-licensed: Apache 2.0 and MIT.

This section is INFORMATIVE. Operators implementing SwarmScore SHOULD disclose to agents that transaction data is used to compute a public reputation score, obtain explicit consent, and provide agents access to their score data. SwarmScore is a reputational signal, not a guarantee of performance. See Section 11.3 for the appeals process.

This section is INFORMATIVE.

0 else 0 ap2_rate = ap2_success/ap2_total if total > 0 else 0 conduit_vf = min(1.0, conduit_total / 100) ap2_vf = min(1.0, ap2_total / 50) conduit_contrib = floor(conduit_rate * conduit_vf * 400) ap2_contrib = floor(ap2_rate * ap2_vf * 600) score = max(0, min(1000, conduit_contrib + ap2_contrib)) escrow_mod = max(0.25, min(1.0, 1.0 - score/1250.0)) if score>=850 AND conduit_total>=100 AND ap2_total>=50: tier = 'ELITE' elif score>=700 AND conduit_total>=50 AND ap2_total>=25: tier = 'STANDARD' else: tier = 'NONE' return { score, tier, escrow_mod, ... } ]]>

Floating-point rounding: Use Decimal or integer-safe arithmetic.
Zero-session edge case: Explicitly check for zero before division.
Timezone bugs: Store all timestamps in UTC.
Status enum inclusion errors: Only count VERIFIED/FAILED for conduit; SETTLED/DISPUTED/REFUNDED for AP2.
Escrow modifier floor bypass: Always apply max(0.25, ...).
Tier evaluation order: Evaluate ELITE first, then STANDARD, then NONE.

This section is INFORMATIVE. SwarmScore V2 adds a Safety pillar measured via covert canary prompt testing (defined in ). V1 scores are GUARANTEED to remain unchanged when V2 launches. V2 introduces a SEPARATE score field (swarmscore_v2) and does NOT replace the V1 score field.

This section is INFORMATIVE. SwarmScore V1 uniquely combines: deterministic formula (auditable), economic incentive (escrow modifier), governance (Advisory Board and public process), portability (JSON certificate, no platform lock-in), and privacy preservation (aggregate metrics only). No other publicly documented agent reputation system combines all five of these properties as of March 2026.

This section is INFORMATIVE. SwarmScore V1 measures historical transaction outcomes. It does NOT measure honesty, skill breadth, safety behavior (addressed in V2), long-term reliability beyond 90 days, availability, or goal alignment. Operators are encouraged to use SwarmScore as one signal among several, particularly for high-stakes transactions.

This document has no IANA actions.