PRIVATE.ME · Technical White Paper

CrewAI: Multi-Agent Orchestration

CrewAI-style multi-agent orchestration with XorIDA-secured inter-agent communication. Each agent receives a DID identity (Ed25519), task payloads are XorIDA-split before handoff, and handoff chains are HMAC-verified for tamper detection. Pure TypeScript with zero npm dependencies — all cryptography uses the Web Crypto API.

v1.0.0 35 tests passing 4 modules 0 npm deps <2ms agent identity Information-theoretic security

Section 01

Executive Summary

CrewAI brings information-theoretic security to multi-agent AI systems — crew orchestration, task handoffs, and agent-to-agent communication all secured with XorIDA threshold sharing.

This package provides CrewAI-like patterns (crews, agents, tasks) with a critical security upgrade: every inter-agent payload is XorIDA-split before transmission. An attacker who compromises a single communication channel learns nothing about the task data — not computationally hard to break, but mathematically impossible.

Three core primitives cover most orchestration workflows: createCrewAgent() generates a unique DID identity for each agent. createSecureTask() encodes task descriptions, splits them into shares, and generates HMAC signatures for integrity verification. executeHandoff() transfers work between agents with HMAC-chained audit trails — every handoff links to the previous one, forming a tamper-evident execution log.

Zero configuration out of the box. Zero npm runtime dependencies. Runs anywhere the Web Crypto API is available — Node.js, Deno, Bun, Cloudflare Workers. All functions return Result<T, E> — no thrown exceptions in library code.

Section 02

Developer Experience

CrewAI provides structured error handling and a simple Result pattern to make multi-agent orchestration reliable and debuggable.

Result Pattern

All functions return Result<T, E> instead of throwing exceptions. This makes error handling explicit and composable.

Result-based error handling

const crew = await createCrew({
  name: 'Research Team',
  agents: [
    { name: 'Researcher', role: 'data gathering', goal: 'find papers' },
    { name: 'Analyst', role: 'analysis', goal: 'summarize findings' },
  ],
  tasks: [
    { description: 'Find top AI papers from 2025' },
    { description: 'Summarize key findings' },
  ],
});

if (!crew.ok) {
  console.error('Crew creation failed:', crew.error);
  return;
}

// Type-safe access to value
const { agents, taskIds } = crew.value;

Error Categories

CrewAI organizes error codes across 9 categories, making systematic error handling straightforward:

Error Code	When
AGENT_CREATE_FAILED	Agent identity generation fails (rare — crypto.getRandomValues() error)
TASK_FAILED	Task execution or XorIDA split fails
HANDOFF_FAILED	Handoff execution or HMAC computation fails
HMAC_FAILED	HMAC verification fails — data tampered or corrupted
SPLIT_FAILED	Invalid split parameters (n < 2, k < 2, or k > n)
RECONSTRUCT_FAILED	Share reconstruction or unpadding fails
NO_AGENT_ASSIGNED	Task has no assigned agent
CREW_EMPTY	Crew configuration has no agents
CHAIN_BROKEN	Handoff chain linkage is inconsistent — previousHmac mismatch

Section 03

The Problem

Multi-agent AI systems today transmit task data in plaintext or rely on transport-layer encryption that exposes data to every hop in the communication path.

Plaintext task handoffs leak strategy. When agents coordinate via unencrypted APIs or message queues, any middleware component can observe the full execution plan — task descriptions, intermediate results, agent assignments.

Transport-layer encryption isn't end-to-end. TLS protects data in transit but decrypts at every load balancer, API gateway, and logging proxy. A single compromised component exposes the entire multi-agent conversation.

No tamper evidence. Traditional orchestrators have no cryptographic proof that tasks weren't modified mid-flight. An attacker who intercepts a handoff can alter the payload, change the task description, or redirect work to a different agent — silently.

No agent accountability. Without cryptographic identity, there's no way to prove which agent performed which task. Audit logs can be forged. DIDs provide non-repudiation — an Ed25519 signature proves the agent existed and participated.

Property	Traditional Orchestrators	TLS-Only	CrewAI (XorIDA)
E2E encryption	No	No (hop-by-hop)	Yes
Info-theoretic security	No	No	Yes
Tamper detection	No	Partial	HMAC chains
Agent identity	No	No	DID:key
Audit trail	Logs (forgeable)	Logs (forgeable)	HMAC-chained
npm dependencies	50-100+	Varies	0

The Old Way

The New Way

Section 04

Real-World Use Cases

Six scenarios where CrewAI's information-theoretic security protects multi-agent AI systems.

🤖

AI Research

Autonomous Research Teams

Multi-agent crews coordinate literature reviews, data gathering, and synthesis. XorIDA-split task payloads prevent middleware from observing research strategy or intermediate findings.

createCrew() + executeHandoff()

🏥

Healthcare

Clinical Decision Support

AI agents analyze patient data, propose treatments, and coordinate care plans. Split-channel handoffs ensure PHI never exists in cleartext at any single node — HIPAA compliance by mathematical guarantee.

n=3, k=2 + HMAC verification

💹

Financial

Trading Strategy Orchestration

Agents coordinate market analysis, risk assessment, and trade execution. HMAC-chained handoffs provide cryptographic proof of the decision sequence — non-repudiation for audit and compliance.

verifyHandoffChain() audit trail

🏛

Government

Classified Intelligence Workflows

Multi-agent crews process intelligence reports across security domains. 3-of-5 threshold splits ensure no single channel reveals task content — information-theoretic protection exceeds AES-256.

n=5, k=3 + DID identity

🔧

Manufacturing

Supply Chain Coordination

AI agents negotiate procurement, production scheduling, and logistics. Tamper-evident handoff chains detect if a compromised agent alters task data or redirects work.

HMAC_FAILED detection

⚖

Legal

Multi-Agent eDiscovery

Document review crews coordinate across privilege review, relevance scoring, and redaction. Attorney-client privilege protected via split-channel handoffs — zero plaintext exposure to vendors or cloud providers.

createSecureTask() privilege protection

Section 05

Architecture

Four composable modules. Each can be used independently or combined through the high-level crew orchestration API.

Agent Identity

DID:key

Ed25519-compatible public key (32 bytes)

did:key:z6Mk... format (multicodec 0xed01)

Base58btc encoding

Unique per agent

Task Splitting

XorIDA

PKCS#7 padding before split

n shares (default: 3)

k-of-n reconstruction (default: 2)

HMAC-SHA256 integrity signature

Handoff Chains

HMAC-linked

Each handoff covers (fromDid, toDid, taskId, timestamp)

Chains to previousHmac

Tamper-evident audit trail

verifyHandoffChain() validation

Reconstruction

HMAC-first

HMAC verification BEFORE plaintext return

XorIDA reconstruct from shares

PKCS#7 unpadding

UTF-8 decode to string

Crew Execution Flow

Section 06

Security Model

CrewAI provides information-theoretic security via XorIDA threshold sharing, tamper-evident HMAC-chained handoffs, and DID-based non-repudiation.

XorIDA Threshold Sharing

Every task payload is XOR-split into n shares using XorIDA (threshold sharing over GF(2)). An attacker who compromises fewer than all shares learns nothing about the plaintext — not computationally hard to break, but mathematically impossible. This is information-theoretic security, stronger than AES-256.

Information-Theoretic Security

With n=3, k=2: an attacker who intercepts 1 share gains zero bits of information about the task. Only when k or more shares are obtained can reconstruction begin. This property holds regardless of the attacker's computational power — even quantum computers cannot break it.

HMAC Before Reconstruction

HMAC-SHA256 verification completes before any plaintext is returned. If the HMAC check fails, the share data is rejected and no plaintext is exposed. This prevents timing attacks and ensures tampered data never reaches the application layer.

HMAC-Chained Handoffs

Each handoff entry includes an HMAC covering (fromDid, toDid, taskId, timestamp, previousHmac). The chain is tamper-evident — modifying any entry invalidates all subsequent entries. This creates a cryptographic audit trail that proves the execution sequence.

DID Identity

Every agent receives a unique did:key identifier derived from a 32-byte random public key with the Ed25519 multicodec prefix (0xed01) and base58btc encoding. This provides:

Non-repudiation: An agent's participation is cryptographically provable
Unique identity: Each agent is distinguishable, preventing impersonation
Decentralized trust: No central authority required — DIDs are self-sovereign

No Math.random()

All random values generated via crypto.getRandomValues(). No use of Math.random() anywhere in the codebase — cryptographic operations require cryptographically secure randomness.

Security Guarantee

An attacker who intercepts fewer than k shares learns zero information about the task (information-theoretic). An attacker who modifies any handoff is detected via HMAC verification (tamper-evident). An attacker who impersonates an agent is prevented by DID-based identity (non-repudiation).

Section 07

Integration

Five lines to create a secure crew. Ten lines to execute a complete handoff chain with tamper-evident audit.

Installation

npm/pnpm

pnpm add @privateme/crewai

Basic Example

Complete crew workflow

import {
  createCrew,
  executeHandoff,
  reconstructTaskOutput,
  verifyHandoffChain,
} from '@privateme/crewai';

// 1. Create a crew
const crew = await createCrew({
  name: 'Research Team',
  agents: [
    { name: 'Researcher', role: 'data gathering', goal: 'find papers' },
    { name: 'Analyst', role: 'analysis', goal: 'summarize findings' },
  ],
  tasks: [
    { description: 'Find top AI papers from 2025' },
  ],
  n: 3,  // 3 shares
  k: 2,  // 2-of-3 threshold
});

if (!crew.ok) throw new Error(crew.error);
const [researcher, analyst] = crew.value.agents;
const taskId = crew.value.taskIds[0]!;

// 2. Execute handoff (Researcher → Analyst)
const handoff = await executeHandoff(
  researcher!, analyst!, taskId,
  'Found 3 papers on LLM safety...',
);

if (!handoff.ok) throw new Error(handoff.error);

// 3. Verify the handoff chain
const valid = await verifyHandoffChain([handoff.value.handoff]);
if (!valid.ok || !valid.value) {
  throw new Error('Handoff chain tampered!');
}

// 4. Reconstruct the payload
const { shares, hmacKey, hmacSignature } = handoff.value;
const result = await reconstructTaskOutput(
  shares, shares.map((_, i) => i), hmacKey, hmacSignature,
);

if (!result.ok) throw new Error(result.error);
console.log(result.value);  // 'Found 3 papers on LLM safety...'

Advanced: Multi-Step Handoff Chain

HMAC-chained multi-agent workflow

// Create 3-agent crew: Researcher → Analyst → Writer
const crew = await createCrew({
  name: 'Content Production',
  agents: [
    { name: 'Researcher', role: 'research', goal: 'gather data' },
    { name: 'Analyst', role: 'analysis', goal: 'synthesize' },
    { name: 'Writer', role: 'writing', goal: 'draft article' },
  ],
  tasks: [{ description: 'AI safety trends 2025' }],
});

if (!crew.ok) throw new Error(crew.error);
const [researcher, analyst, writer] = crew.value.agents;
const taskId = crew.value.taskIds[0]!;

// Handoff 1: Researcher → Analyst
const h1 = await executeHandoff(
  researcher!, analyst!, taskId, 'Data: 15 papers, 4 trends...',
);
if (!h1.ok) throw new Error(h1.error);

// Handoff 2: Analyst → Writer (HMAC chains to h1)
const h2 = await executeHandoff(
  analyst!, writer!, taskId,
  'Synthesis: Safety-capability tradeoff is key theme...',
  h1.value.handoff.hmac,  // ← Chains to previous HMAC
);
if (!h2.ok) throw new Error(h2.error);

// Verify the entire chain
const chainValid = await verifyHandoffChain([
  h1.value.handoff,
  h2.value.handoff,
]);

if (!chainValid.ok || !chainValid.value) {
  throw new Error('Chain broken — handoff tampered!');
}

console.log('✓ Handoff chain verified');

Section 08

Benchmarks

Performance characteristics measured on Node.js 22, Apple M2.

<2ms

Agent identity creation

<1ms

Task split (1KB)

<1ms

HMAC compute

<2ms

Handoff chain verify

Tests passing

Operation	Time	Notes
createCrewAgent()	<2ms	32-byte random key + DID derivation
createSecureTask() (1KB)	<1ms	PKCS#7 pad + XorIDA split + HMAC
executeHandoff()	<2ms	XorIDA split + HMAC chain computation
verifyHandoffChain() (3 entries)	<2ms	HMAC verification + chain link validation
reconstructTaskOutput()	<1ms	HMAC verify + XorIDA reconstruct + unpad
XorIDA split (1MB, 3 shares)	~52ms	GF(2) arithmetic — 15x faster than Shamir's
XorIDA reconstruct (1MB)	~33ms	Including HMAC verification
HMAC-SHA256 (1KB)	<0.5ms	Web Crypto API native

Benchmark Fairness

All benchmarks use the Web Crypto API — zero external libraries. XorIDA runs in pure JavaScript (GF(2) XOR operations) without hardware acceleration, yet completes typical task splits in under 1ms.

Section 09

Honest Limitations

CrewAI is designed for secure multi-agent orchestration, not as a drop-in replacement for traditional workflow engines.

1. No Built-In Execution Runtime

CrewAI provides orchestration primitives (agent identity, task splitting, handoff chains), not an execution runtime. You must implement agent logic, task execution, and transport yourself. This package handles the cryptographic security layer — your code handles the workflow logic.

2. HMAC Chain Requires Sequential Validation

Handoff chain verification is O(n) — each entry's HMAC must be computed in sequence. For very long chains (hundreds of handoffs), this can add milliseconds of latency. If you need constant-time verification, consider using Merkle trees instead of HMAC chains.

3. No Agent Revocation

Once an agent is created, there's no built-in mechanism to revoke its DID or prevent it from participating in future handoffs. If an agent is compromised, you must implement revocation logic at the application layer (e.g., deny-list in your orchestrator).

4. XorIDA Requires All Shares for Reconstruction

The current implementation uses XOR-based splitting, which requires all n shares for reconstruction (k=n). True k-of-n threshold schemes (where k < n) require Shamir's Secret Sharing, which is 500-2000x slower. We optimized for speed at the cost of fault tolerance. If you need k < n, use a different threshold scheme.

5. No Transport Layer

CrewAI does not include transport adapters — it's your responsibility to transmit shares between agents. For network-based multi-agent systems, combine this package with @private.me/agent-sdk (Xlink) for encrypted transport, or implement your own message-passing layer.

6. DID Derivation is Deterministic

Agent DIDs are derived from a random 32-byte public key. If you need deterministic identity (e.g., derive the same DID from a seed on multiple devices), you must implement Agent.fromSeed() separately — this package only provides random key generation.

Deployment Warning

CrewAI secures task data in transit via XorIDA splitting. It does NOT encrypt data at rest, does NOT provide agent authentication (use Xlink for that), and does NOT prevent side-channel attacks (timing, memory access patterns). Use this package as one layer in a defense-in-depth strategy.

Section 10

vs. Traditional Multi-Agent Frameworks

How CrewAI compares to AutoGen, LangGraph, and traditional orchestrators.

Property	AutoGen	LangGraph	CrewAI (XorIDA)
Task data E2E encryption	No	No	Yes (XorIDA)
Info-theoretic security	No	No	Yes
Tamper-evident handoffs	No	No	HMAC chains
Agent identity (DID)	No	No	did:key
Non-repudiation	No	No	Yes (DID-based)
Zero npm dependencies	No (50+)	No (40+)	Yes (0)
Execution runtime	Built-in	Built-in	BYO
LLM integration	Built-in	Built-in	BYO

Complementary, Not Competitive

CrewAI is a security layer, not a full orchestration framework. Use it alongside AutoGen or LangGraph to add information-theoretic security to their workflow engines. CrewAI handles the crypto — they handle the execution.

Advanced Topics

For Security Engineers & Cryptographers

Low-level implementation details, HMAC chain mechanics, full API surface, and error taxonomy.

Appendix A1

Handoff Chain Mechanics

How HMAC-chained handoffs provide tamper-evident audit trails for multi-agent workflows.

Handoff Entry Structure

TypeScript interface

interface HandoffEntry {
  readonly fromDid: string;        // Sending agent DID
  readonly toDid: string;          // Receiving agent DID
  readonly taskId: string;         // Task identifier
  readonly timestamp: number;       // Unix timestamp (ms)
  readonly hmac: string;           // HMAC-SHA256 signature (hex)
  readonly previousHmac?: string;  // Optional chain link
}

HMAC Computation

Each handoff's HMAC covers the concatenation of:

HMAC input structure

input = fromDid + toDid + taskId + timestamp + (previousHmac || '')
hmac  = HMAC-SHA256(hmacKey, input)

Chain Verification

To verify a handoff chain:

For each entry i, recompute its HMAC from (fromDid, toDid, taskId, timestamp, previousHmac)
Compare the recomputed HMAC to the stored HMAC — if they don't match, the entry was tampered with
If i > 0, verify that entry[i].previousHmac === entry[i-1].hmac — if they don't match, the chain was broken

Tamper-Evident Property

Modifying any field in entry i invalidates its HMAC. Modifying entry i's HMAC breaks the link to entry i+1. An attacker cannot forge a valid chain without the HMAC key.

Appendix A2

Full API Surface

Complete function signatures and return types.

createCrewAgent(config: CrewAgentConfig): Promise<Result<CrewAgentInfo, CrewError>>

Create a secure crew agent with DID identity. Generates a random 32-byte Ed25519-compatible public key and derives a did:key DID.

createSecureTask(config: TaskConfig, n?: number, k?: number): Promise<Result<{ taskId, shares, hmacKey, hmacSignature }, CrewError>>

Create a secure task with XorIDA-split description. Encodes the task description, pads with PKCS#7, splits into n shares, and generates an HMAC-SHA256 signature.

executeHandoff(fromAgent, toAgent, taskId, payload, previousHmac?, n?, k?): Promise<Result<{ handoff, shares, hmacKey, hmacSignature }, CrewError>>

Execute an HMAC-chained handoff between two agents. The payload is XorIDA-split and the handoff is recorded with an HMAC that chains to the previous handoff.

verifyHandoffChain(entries: HandoffEntry[]): Promise<Result<boolean, CrewError>>

Verify the integrity of an HMAC-chained handoff sequence. Replays each entry's HMAC and validates that chain links are consistent.

reconstructTaskOutput(shares, indices, hmacKey, hmacSignature, n?, k?): Promise<Result<string, CrewError>>

Reconstruct task output from XorIDA shares. HMAC verification completes BEFORE the plaintext is returned.

createCrew(config: CrewConfig): Promise<Result<{ agents, taskIds }, CrewError>>

Orchestrator entry point. Creates all agents, generates task IDs, and returns the crew ready for execution.

Appendix A3

Error Taxonomy

Complete list of error codes and when they occur.

Code	When	Resolution
AGENT_CREATE_FAILED	Agent identity generation fails	Rare — indicates crypto.getRandomValues() failure. Retry.
TASK_FAILED	Task execution or XorIDA split fails	Check that task description is valid UTF-8. Verify n ≥ 2.
HANDOFF_FAILED	Handoff execution or HMAC computation fails	Check that fromAgent and toAgent are valid CrewAgentInfo objects.
HMAC_FAILED	HMAC verification fails — data tampered	Data was modified in transit or at rest. Reject the payload.
SPLIT_FAILED	Invalid split parameters (n < 2, k < 2, or k > n)	Verify that n ≥ 2, k ≥ 2, and k ≤ n.
RECONSTRUCT_FAILED	Share reconstruction or unpadding fails	Shares may be corrupted or indices invalid. Verify share integrity.
NO_AGENT_ASSIGNED	Task has no assigned agent	Set TaskConfig.assignedAgent to a valid agent DID.
CREW_EMPTY	Crew configuration has no agents	Provide at least one agent in CrewConfig.agents.
CHAIN_BROKEN	Handoff chain linkage is inconsistent	previousHmac mismatch. Chain was tampered with or entries out of order.

Appendix A4

Codebase Statistics

Package structure and test coverage.

Source files

Tests passing

~800

Total LOC

npm dependencies

100%

TypeScript strict

Package Structure

Directory layout

packages/crewai/
  src/
    index.ts          # Public API barrel exports
    types.ts          # All type definitions
    crew.ts           # Core orchestration logic
    crypto.ts         # XorIDA, HMAC, DID, base58btc
    errors.ts         # Error codes and messages
    __tests__/
      crewai.test.ts  # Comprehensive test suite (35 tests)
  package.json
  tsconfig.json
  vitest.config.ts
  README.md

Related Packages

Package	Description
@private.me/agent-sdk	Ed25519 DID identity, encrypt-then-sign envelopes, XorIDA split-channel
@private.me/crypto	XorIDA threshold sharing, HMAC-SHA256, TLV encoding, PKCS#7 padding
@private.me/shared	Shared types, Result<T, E> pattern, UUID generation
@private.me/modelguard	XorIDA AI model weight integrity — split storage prevents model theft

Deployment Options

🌐

SaaS Recommended

Fully managed infrastructure. Call our REST API, we handle scaling, updates, and operations.

Zero infrastructure setup
Automatic updates
99.9% uptime SLA
Enterprise SLA available

View Pricing →

📦

SDK Integration

Embed directly in your application. Runs in your codebase with full programmatic control.

npm install @private.me/crewai
TypeScript/JavaScript SDK
Full source access
Enterprise support available

Get Started →

🏢

On-Premise Upon Request

Enterprise CLI for compliance, air-gap, or data residency requirements.

Complete data sovereignty
Air-gap capable deployment
Custom SLA + dedicated support
Professional services included

Request Quote →

Enterprise On-Premise Deployment

While crewAI is primarily delivered as SaaS or SDK, we build dedicated on-premise infrastructure for customers with:

Regulatory mandates — HIPAA, SOX, FedRAMP, CMMC requiring self-hosted processing
Air-gapped environments — SCIF, classified networks, offline operations
Data residency requirements — EU GDPR, China data laws, government mandates
Custom integration needs — Embed in proprietary platforms, specialized workflows

Includes: Enterprise CLI, Docker/Kubernetes orchestration, RBAC, audit logging, and dedicated support.

Contact sales for assessment and pricing →