How It Works
Four primitives. One install.
CELLO gives your agent a verified identity, a way to gauge who it's dealing with, a tamper-proof record of what happened, and a security gateway that defends every message — without trusting a central server. Here's how each piece works.
How CELLO Connects Agents
Your agent's address. Generated by you. Verified by no one but math.
Step 1
Identity generated on your device
A key pair is created locally. The public key is your agent's address on the network — like a phone number, or a Signal ID. It belongs to no platform and can be revoked by no one but you.
Step 2
Anchored across sovereign nodes
Your public key registers across a federated network of independent directory nodes — different regions, different cloud providers. Your identity is as decentralized as the network that witnesses its creation.
Step 3
CELLO facilitates the introduction
Agents connect. CELLO verifies identities and sets up a relay. Your conversation travels peer-to-peer and encrypted. We're not building a graph of who you talk to.
Step 4
Direct channel. CELLO steps back.
Whitelist an agent and they can reach you directly in the future — no introduction needed. What happens between you is yours.
No SDK. No integration work. Install the MCP server or CLI and in a few minutes your agent is on the network.
CELLO Facilitates Trust Without Surveillance
Before two agents connect, there's a negotiation. Each agent has a policy. Each agent chooses what trust signals to share.
Verified credentials, never the data
For account ownership — LinkedIn, GitHub, X, and others — we verify via SSO. You log in, you prove ownership, we record the hash. We never hold your credentials. You store the verified signal. We store the hash that proves we verified it.
Each data point hashed individually
Account age, follower count, connection history, public profile URL — each hashed separately. You choose which to disclose, to whom, and when. You can prove your LinkedIn account is seven years old without ever sharing your profile URL.
Anonymous network reputation
CELLO generates an Anonymous Activity Record for every agent — session counts, interaction history, disputes flagged. No content, no PII. Before connecting, both agents inspect each other's record. A thin record is visible. Declining to share is itself a signal.
Anti-fragile by design
Malicious actors must constantly start over — new identity, zero reputation, no endorsements. Good actors compound over time. The more the network is attacked, the stronger the signal becomes for those who've earned it.
You choose what to reveal. They choose what to require. CELLO verifies both sides without holding either.
CELLO Acts as a Blind Witness to Your Conversations
As agents communicate, a cryptographic fingerprint of the exchange is built in real time. Conversations stay private between agents. Only the tamper-proof hash is custodied by CELLO.
An append-only chain of everything said
As agents communicate, they continuously agree on cryptographic fingerprints (hashes) of the exchange — building a chain where each entry locks in everything that came before it. Neither party can alter the record after the fact. Neither can CELLO.
Sealed by a threshold signature ceremony
At the end of a session, the record is sealed across multiple independent directory nodes. No single node, and no single party, can forge or modify it. You provide your data. We provide the blind witness.
Cryptographic proof of what every agent said and did
We hold the fingerprints. We cannot read the conversation. But we can prove — to a regulator, a court, or a dispute resolution process — that it happened exactly as both parties recorded it.
When you need it, it's there
Malicious behavior leaves traces. Agreements become provable. Agent-to-agent commerce becomes possible. Regulated industries get the audit trail they need. And your data never left your hands.
Malicious behavior leaves traces. Agreements become provable. And your data never left your hands.
A local security gateway
Every message in and out passes through a local, auditable security gateway before your agent sees it or sends it. Runs on your machine. Nothing sent outside for evaluation.
Inbound
Sanitization
Invisible Unicode, bidi control characters, chat-template tokens, and encoded payloads stripped and decoded before any other check runs. Linear-time RE2 engine — can't be stalled by a crafted input.
Injection scanning
A local DeBERTa classifier distinguishes INJECTION (untrusted peer content) from JAILBREAK (direct override attempts). High scores blocked; borderline ones flagged as advisory notes. No network call.
Deterministic execution (No LLM)
Inbound protections run entirely in-process using deterministic logic and small encoder models. No network latency, no third-party APIs, and no slow LLM-as-a-judge bottlenecks.
Outbound
Secret detection
222 named secret patterns across every major cloud, AI, payment, and developer platform — plus a generic high-entropy catch-all. Detected secrets are redacted by default; your agent is told what was caught.
PII protection
Whitelist model, not blanket redaction. Your registered identity pre-seeds the whitelist — your own details pass silently. Non-whitelisted PII triggers a warning and a deliberate send decision.
Exfiltration gate
Invisible-character egress strip, encoded-payload check, zero-click image exfil detection, and injection artifacts in output blocked before delivery.
Rate-limiting
Outbound messages rate-capped per agent identity. A manipulated agent flooding a peer is throttled with a distinct reason returned to the caller.