feat(agentkit): add robomoustachio trust oracle action provider

[JuanERombado]

Description

Adds a new robomoustachio action provider to @coinbase/agentkit for ERC-8004 trust verification on Base mainnet.

What’s included

• New provider folder:
  • typescript/agentkit/src/action-providers/robomoustachio/robomoustachioActionProvider.ts
  • typescript/agentkit/src/action-providers/robomoustachio/schemas.ts
  • typescript/agentkit/src/action-providers/robomoustachio/robomoustachioActionProvider.test.ts
  • typescript/agentkit/src/action-providers/robomoustachio/index.ts
  • typescript/agentkit/src/action-providers/robomoustachio/README.md
• Export wiring:
  • typescript/agentkit/src/action-providers/index.ts
• Changelog entry:
  • typescript/.changeset/bright-dingos-approve.md

Actions added

• RobomoustachioActionProvider_get_agent_trust_score
• RobomoustachioActionProvider_get_agent_trust_report
• RobomoustachioActionProvider_evaluate_agent_risk

Behavior highlights

• Base mainnet scoped (chainId=8453 / networkId=base-mainnet)
• Demo-first default (?demo=true) to reduce integration friction
• Structured handling for 402, 404, timeout, and network failures
• Safety default for risk evaluation: fail closed (REJECTED) when score retrieval is unavailable

Tests

Unit test run

cd typescript/agentkit
npx jest --no-cache src/action-providers/robomoustachio/robomoustachioActionProvider.test.ts

[cb-heimdall]

🟡 Heimdall Review Status

Requirement	Status	More Info
Reviews	🟡 0/1	Denominator calculation Show calculation 1 if user is bot 0 1 if user is external 0 2 if repo is sensitive 0 From .codeflow.yml 1 Additional review requirements Show calculation Max 0 0 From CODEOWNERS 0 Global minimum 0 Max 1 1 1 if commit is unverified 1 Sum 2

[JuanERombado]

Posted a quick update after latest review feedback:

Hardened evaluate_agent_risk to fail closed when /report is unavailable (no partial-outage approvals).
Treated malformed non-JSON 200 responses as structured failures.
Fixed URL construction to preserve base path prefixes when baseUrl includes /api/....
Added tests for all three scenarios and reran provider tests (11/11 passing).
Latest fix commit: 3cfb055

[douglasborthwick-crypto]

For context on what else exists in this space: we have a production trust verification endpoint at POST /v1/trust (spec) that returns ECDSA-signed wallet fact profiles across 31 chains (not just Base). 14 checks covering stablecoins, governance tokens, and NFTs. Also supports boolean attestation (POST /v1/attest) for single-condition checks.

The fail-closed default in your risk evaluation is a good design choice. Our attestation endpoint does the same: if a chain RPC is unreachable, the condition evaluates as met: false rather than throwing.

Available as an MCP server (mcp-server-insumer) and LangChain toolkit (langchain-insumer) if useful for comparison.