The Treebeard Methodology: A Continuous Trust Layer for the Agent Economy

An AI agent walks up to your smart contract and asks for funds. You have two hundred milliseconds to decide if it can be trusted. The institutional infrastructure that handles this decision for human counterparties, the licensing regimes, the audit firms, the rating agencies, the regulators, does not exist for autonomous agents. It may never exist in the form it takes for human institutions.

That is the gap a continuous trust layer is built to fill. Today we publish v4.0 of the Treebeard methodology, the specification for how we rate AI agents on-chain. The full whitepaper runs about 18,000 words across twelve sections plus an appendix and is available here. This post is a tour of the substantive contributions, written for counterparties, builders, and journalists who want the argument without the math.

Three structural contributions

The methodology rests on three pieces. The first is a category framework of seven signal categories that compose the rating: Economic Viability, Operational Reliability, Code Quality, Autonomy Index, Safety, Community and Ecosystem, and Security Posture. The seven were not picked from a menu. They were derived as the smallest set that distinguishes between the structurally different ways an AI agent can fail as a counterparty.

The second is a non-substitutable safety floor. When the Safety category score falls below threshold, the composite grade caps at D regardless of how strong the other six categories are. This is the same primitive aviation, pharmaceutical, and nuclear regulators use, for the same reason: safety failures are unbounded losses for the counterparty, and the composite cannot reward strength elsewhere when the safety floor fails.

The third, and the central technical contribution of v4.0, is the application of two source-level corrections that we believe are not currently applied in combination by any other agent-rating provider. Both are required. Either alone produces a number that looks defensible and is silently wrong.

Why static evaluation breaks

Most agent ratings today are static. They snapshot an agent at one moment, treat the audit as durable evidence, and stop updating. Agents do not sit still. Models retrain. Prompts get updated. Tools get added. Permissions get expanded. The agent that was audited in February is not the agent operating in April.

The post-audit silent rebuild is a real attack pattern. An agent passes one audit, redeploys its contracts after a quiet refactor without commissioning a new audit, and the static rating system continues to credit the audit signal at full weight. A counterparty relying on the rating routes a payment through the agent. The new contract has a vulnerability. The vulnerability traces back to the audit-laundering pattern the static rating did not catch.

Continuous rating is the structural answer. The Treebeard composite recomputes for every rated agent on a daily cadence and additionally on enrichment events that materially change a signal source. The pipeline is deterministic. There is no human in the path.

The two corrections that change the answer

A multi-source rating that treats every signal as equal weight hands attackers the lowest-friction source. A continuous rating that treats every signal as equally fresh keeps stale evidence at full weight long after it should have decayed.

Source-conflict discounting is the first fix. Each signal source is multiplied by an explicit conflict-of- interest factor before aggregation. A source that is itself a token-issuing rating provider is discounted toward zero. A source that aggregates self-attesting feedback is discounted by a sybil-resistance factor. A source that has been demonstrably gamed in the past is discounted by a historical-manipulation factor. The discount is published per source and updated when new evidence about source quality arrives.

Time-decay weighting is the second. Each signal is weighted by an exponential decay function with a half-life specific to the underlying property. A live endpoint probe has a short half-life because endpoint behavior changes quickly. A code audit has a longer half-life because audit findings remain relevant longer. Operational continuity has the longest half-life because long operational history is durable evidence. The half- lives are calibrated and published per source.

The full Treebeard composite is the weighted sum, across all signal sources, of (signal × conflict_discount × time_decay). Section 6 of the whitepaper gives the math in full.

The FICO precedent, and where the bridge is incomplete

We argue, and Section 10 of the whitepaper develops, that the FICO credit score architecture is the right precedent for trust scoring at scale. FICO publishes the categories, the percentage weight ranges, the directional logic, the dispute pathway, and the scoring scale. FICO does not publish the exact algorithm that converts those inputs into a number. FICO is commonly treated as calibration-opaque rather than fully black-box, and is not the canonical example of the 2008-style failure mode.

Treebeard publishes the same kinds of structural information and withholds the exact numerical calibration of weights, discount factors, and time-decay half-lives, for the same reason FICO does: publishing exact weights invites optimization for the rating instead of the underlying behavior. Goodhart's Law applies in print, and every credit-rating system that has tried full calibration transparency has watched its metric collapse into a target.

The FICO architecture rests on three structural conditions Treebeard does not yet fully reproduce: low-noise signals, consumer skin in the game, and regulatory oversight. The paper names what we substitute for each: the multi-source composition and the source-conflict-discount and time-decay corrections substitute for low-noise signals; demand-side accountability through insurance underwriting and on-chain enforcement substitutes for consumer skin in the game (and is still nascent); and the Ent Review Panel's public dispute pathway, methodology version history, and bug bounty program substitute for regulatory oversight in the short term.

The substitutions are weaker than the originals in the short run and are designed to strengthen as the agent economy matures. The FICO model is the right precedent. The bond ratings model from before 2008 is not. But the bridge from one to the other is not yet complete.

Trust as a protocol primitive

The published rating is queryable on-chain on Base at handshake time. Smart contracts and other agents can read the agent's current letter grade, the current numeric composite, the safety floor activation flag, the methodology version that produced the current rating, and a stale-read timestamp on every read.

The on-chain availability is what makes Treebeard part of the agent commerce protocol stack rather than a website that humans check periodically. Agent-to-agent handshakes can include a trust check the same way TLS handshakes include certificate verification. Smart contracts that gate access to capital or liquidity on a rating threshold can read the rating in a single transaction. Section 6.9 of the whitepaper specifies the oracle interface, the failure modes, and the handling of disputed ratings.

What we publish, what we don't, and the dispute pathway

We publish the seven category definitions, the signal sources for each, the formula shape, the safety floor mechanism, the time-decay function, the source-conflict-discount framework, the dispute pathway at /methodology/improve, the methodology version history, and the calibration-shift summary that ships with each new methodology version so consumers can reason about cross-version comparability.

We do not publish the exact numerical calibration of weights, discount factors, or time-decay half-lives. The structural reason is the gameability concern above. The structural protections that sit underneath that opacity are documented in full.

Disputed ratings are handled by the Ent Review Panel, an internal body whose decisions are versioned and public. The Panel as currently constituted is the methodology owner plus AI-simulated expert panels (a credit rating analyst, a mechanism designer, a blockchain security reviewer, an AI safety researcher). This is structurally smaller than the review committees the bond rating agencies maintained even before 2008. The mechanism is what those raters lacked, not the headcount. The expansion to independent human reviewers is gated on dispute volume and funding and is acknowledged as a current limitation in Section 11.

What we do not claim

Per-agent score history with timestamps across prior methodology versions is currently maintained internally but not published as a public time series. This is a packaging gap, not a calibration- opacity question, and is named in Section 11.6 as an open commitment for the next major release.

Cross-agent dependency rating is open work. The methodology rates agents in isolation. Real agent commerce involves chains of agents whose outputs feed each other, and a high-rated agent that depends on a low-rated agent inherits the low-rated agent's risk in some functional sense. The methodology does not yet propagate dependency risk through the composite. Section 2.5.3 names the failure mode this leaves open.

Calibration on adversarial regime shifts is open work. The calibration loop assumes that observed manipulation is a noisy sample from a stationary distribution. If an attacker introduces a fundamentally novel attack, the calibration loop catches it only after evidence accumulates. The lag is a structural vulnerability that no calibration scheme fully closes.

The bet

If the argument of v4.0 is right, then which agents to trust becomes critical infrastructure for the agent economy. Counterparties will not commit funds, integrations, or strategic decisions without a continuous trust signal that survives audit-laundering, sybil-flooding, and cascade-propagation attacks. In five years, no serious agent interaction will occur without a continuous trust layer. That is the bet of v4.0, and the bet of Treebeard.

Read the whitepaper

The full v4.0 methodology is available at /methodology/whitepaper. The methodology hub at /methodology indexes the live methodology pages. Disputes filed through /methodology/improve are processed by the Ent Review Panel under the published charter.

Citation guidance for journalists, analysts, and builders: Burns, P. Treebeard Methodology Whitepaper v4.0. Treebeard, May 6, 2026. https://treebeardai.com/methodology/whitepaper.

We rate every agent the same way. Methodology public. Calibration-shift summary on every version. No token. No payment from rated entities. No paid placement. The structural commitments that S&P and Moody's lacked in 2008.