AGENTS.md TemplatesTemplate
AGENTS.md Template for Encryption in Transit Design
AGENTS.md Template for Encryption in Transit Design to govern AI coding agents and multi-agent orchestration.
AGENTS.md templateencryption in transitAI coding agentsmulti-agent orchestrationagent handoff rulestool governancesecurity in transitTLSmutual TLScertificate managementkey management
Target User
Engineering leaders, security architects, platform teams, MLOps
Use Cases
- Design encryption in transit for AI coding agents
- Coordinate multi-agent handoffs for secure data in transit
- Establish tool governance and access control for crypto components
Markdown Template
AGENTS.md Template for Encryption in Transit Design
# AGENTS.md
Project role: Security design and orchestration for encryption in transit in AI coding agents. Ensure confidentiality integrity and authenticity of data in transit across single-agent and multi-agent workflows.
Agent roster and responsibilities:
- Planner: defines encryption requirements TLS versions cipher suites and handoff criteria.
- Implementer: configures TLS mutual TLS cert management and runtime integration with crypto libraries.
- Reviewer: validates cryptographic controls key management and logging auditing rules.
- Tester: executes end-to-end encryption tests MITM simulations and regression checks.
- Researcher: tracks best practices for cryptography PKI and API security patterns.
- Domain Specialist: ensures domain-specific encryption compliance (e.g., healthcare finance).
Supervisor or orchestrator behavior:
- Central coordinator authenticates all agents enforces policy and triggers handoffs when sections complete.
- Maintains a single source of truth for policies keys and certificates distributes configuration securely.
Handoff rules between agents:
- Handoff occurs when the Planner seals the encryption requirements and the Implementer confirms the runtime setup.
- All handoffs must include policy anchors cryptographic parameters and test results.
Context memory and source-of-truth rules:
- Context is anchored in a persistent policy document and a crypto-config repository.
- Memory is limited to per-task scoped details large data stays off-memory and accessed via references.
- Source-of-truth includes configuration repositories KMS and vaults.
Tool access and permission rules:
- Only authorized agents may access TLS material keys and secrets via approved secret stores.
- CI/CD pipelines must run in restricted environments with audit trails.
Architecture rules:
- Microservices must support TLS 1.2+ with mutual TLS where applicable.
- All cryptographic operations occur in dedicated crypto services when possible.
File structure rules:
- crypto-config/
tls/
policy/
- services/
- tests/
- docs/
- secrets/
Data API or integration rules:
- All API calls between agents use HTTPS with TLS 1.2+ and client certificates where supported.
- Data references in logs should be redacted or tokenized.
Validation rules:
- Validate certificate validity chain of trust and expiry.
- Validate cipher suites and protocol versions.
- Validate that encryption in transit is enforced for all inter-service calls.
Security rules:
- Never log private keys or secrets.
- Rotate keys on schedule and after suspected compromise.
- Enforce least privilege on secret stores.
Testing rules:
- Run MITM tests TLS interception tests and handshake failure scenarios.
- Validate performance impact and TLS renegotiation handling.
Deployment rules:
- Deploy crypto services to isolated environments with restricted access.
- Require code review and security approval before production deployment.
Human review and escalation rules:
- Security lead approves changes to encryption policies and key material rotation.
- If policy drift detected escalate to governance board.
Failure handling and rollback rules:
- If TLS handshake fails rollback to previous known-good configuration and alert the team.
- Maintain a rollback plan for certificate revocation and re-issuance.
Things Agents must not do:
- Do not bypass TLS verification or disable certificate validation.
- Do not rotate keys without approval.
- Do not share secrets in logs or chat history.Overview
Direct answer: This AGENTS.md Template codifies an encryption-in-transit design workflow for AI coding agents, enabling secure auditable multi-agent coordination with clear handoffs, tool governance, and human review gates. It explains what the AGENTS.md Template covers how it governs both single-agent and multi-agent orchestration and how teams should operate under this context.
The encryption in transit workflow focuses on securing data in transit between agents and services establishing mutual trust and providing a repeatable blueprint for different environments. It is designed for both individual agents and coordinated multi-agent sessions where data travels across microservices gateways and model runtimes.
When to Use This AGENTS.md Template
- When you need a standards-based approach to encrypt data in transit between AI coding agents and external services.
- When multiple agents coordinate to perform a task and data flows across boundaries requiring mutual authentication and encryption.
- When you require an auditable trail for cryptographic decisions key rotation and certificate management.
- When governance security reviews and human escalation are necessary before production rollout.
Copyable AGENTS.md Template
# AGENTS.md
Project role: Security design and orchestration for encryption in transit in AI coding agents. Ensure confidentiality integrity and authenticity of data in transit across single-agent and multi-agent workflows.
Agent roster and responsibilities:
- Planner: defines encryption requirements TLS versions cipher suites and handoff criteria.
- Implementer: configures TLS mutual TLS cert management and runtime integration with crypto libraries.
- Reviewer: validates cryptographic controls key management and logging auditing rules.
- Tester: executes end-to-end encryption tests MITM simulations and regression checks.
- Researcher: tracks best practices for cryptography PKI and API security patterns.
- Domain Specialist: ensures domain-specific encryption compliance (e.g., healthcare finance).
Supervisor or orchestrator behavior:
- Central coordinator authenticates all agents enforces policy and triggers handoffs when sections complete.
- Maintains a single source of truth for policies keys and certificates distributes configuration securely.
Handoff rules between agents:
- Handoff occurs when the Planner seals the encryption requirements and the Implementer confirms the runtime setup.
- All handoffs must include policy anchors cryptographic parameters and test results.
Context memory and source-of-truth rules:
- Context is anchored in a persistent policy document and a crypto-config repository.
- Memory is limited to per-task scoped details large data stays off-memory and accessed via references.
- Source-of-truth includes configuration repositories KMS and vaults.
Tool access and permission rules:
- Only authorized agents may access TLS material keys and secrets via approved secret stores.
- CI/CD pipelines must run in restricted environments with audit trails.
Architecture rules:
- Microservices must support TLS 1.2+ with mutual TLS where applicable.
- All cryptographic operations occur in dedicated crypto services when possible.
File structure rules:
- crypto-config/
tls/
policy/
- services/
- tests/
- docs/
- secrets/
Data API or integration rules:
- All API calls between agents use HTTPS with TLS 1.2+ and client certificates where supported.
- Data references in logs should be redacted or tokenized.
Validation rules:
- Validate certificate validity chain of trust and expiry.
- Validate cipher suites and protocol versions.
- Validate that encryption in transit is enforced for all inter-service calls.
Security rules:
- Never log private keys or secrets.
- Rotate keys on schedule and after suspected compromise.
- Enforce least privilege on secret stores.
Testing rules:
- Run MITM tests TLS interception tests and handshake failure scenarios.
- Validate performance impact and TLS renegotiation handling.
Deployment rules:
- Deploy crypto services to isolated environments with restricted access.
- Require code review and security approval before production deployment.
Human review and escalation rules:
- Security lead approves changes to encryption policies and key material rotation.
- If policy drift detected escalate to governance board.
Failure handling and rollback rules:
- If TLS handshake fails rollback to previous known-good configuration and alert the team.
- Maintain a rollback plan for certificate revocation and re-issuance.
Things Agents must not do:
- Do not bypass TLS verification or disable certificate validation.
- Do not rotate keys without approval.
- Do not share secrets in logs or chat history.Recommended Agent Operating Model
In encryption-in-transit design the operator rules define decision boundaries and escalation paths for an agent ecosystem. Roles include Planner Implementer Reviewer Tester Researcher and Domain Specialist. The planner decides cryptographic requirements and when to proceed the orchestrator enforces policy and coordinates handoffs implementers execute configuration and integration reviewers and testers validate correctness and escalations occur for policy drift or security concerns.
Recommended Project Structure
encryption-in-transit/
├── configs/
│ ├── tls/
│ └── policies/
├── crypto-config/
│ ├── tls/
│ └── keys/
├── services/
├── tests/
│ ├── unit/
│ ├── integration/
│ └── end-to-end/
├── docs/
└── secrets/Core Operating Principles
- Encrypt data in transit using TLS 1.2+ and mutual TLS where supported.
- Enforce strong authentication authorization and least privilege for all agents.
- Maintain a single source of truth for cryptographic policies and keys.
- Provide auditable traces for all cryptographic decisions and changes.
- Limit exposure of secrets never store plain keys in logs or memory outside secure stores.
Agent Handoff and Collaboration Rules
- Planner hands off to Implementer only after cryptographic requirements are formalized and policy anchors are defined.
- Implementer hands off to Reviewer after configuration is deployed to a staging crypto-service.
- Reviewer hands off to Tester after initial validation passes escalate if failures occur.
- Researcher and Domain Specialist provide input at decision gates before production readiness.
Tool Governance and Permission Rules
- Secret stores and KMS access is granted per-role and rotated on schedule.
- All tool actions require approval gates and audit logging.
- Code changes affecting encryption in transit require security review and sign-off.
Code Construction Rules
- Use standard TLS libraries and avoid custom crypto unless necessary and peer-reviewed.
- Coordinate certificate issuance using a trusted CA and rotate before expiry.
- Include comprehensive tests for handshake cipher suites and failure modes.
Security and Production Rules
- Enforce mutual TLS certificate pinning where possible and encrypted logs for sensitive operations.
- Isolate crypto services and restrict network access to approved agents.
- Monitor for anomalous TLS activity and enforce automatic incident response.
Testing Checklist
- Unit tests for encryption utilities and TLS configuration.
- Integration tests for inter-service calls with TLS and mTLS.
- End-to-end tests simulating vendor prompts and agent handoffs.
Common Mistakes to Avoid
- Disabling certificate validation in production.
- Storing private keys in code repositories or logs.
- Ignoring certificate expiry or weak cipher suites.
Related implementation resources: AI Agent Use Case for Intermodal Transport Providers Using Rail Schedules To Coordinate Seamless Truck-To-Train Transfers and AI Use Case for Corporate Event Managers Using Slack To Orchestrate Day-Of Venue Tasks Across Multi-Department Teams.
FAQ
What is the purpose of this AGENTS.md Template?
It standardizes encryption-in-transit design for AI coding agents and multi-agent orchestration including roles handoffs and governance.
Who are the primary roles in this workflow?
Planner Implementer Reviewer Tester Researcher and Domain Specialist work under a central orchestrator.
How are keys and certificates managed?
Keys and certificates live in approved secret stores and KMS with rotation access controls and audit logging no secrets in code.
How do handoffs work between agents?
Handoffs occur at defined decision gates with documented criteria and test results the orchestrator enforces policy consistency.
What happens on security incidents or failures?
Rollback to a known-good TLS configuration and trigger incident response with human review for remediation.