How should two autonomous agents establish a mutually acceptable price without either revealing their true constraints?

This is a classic information asymmetry problem applied to autonomous agents. Two parties want to transact. Each has a private constraint — a floor they won't go below, a ceiling they won't go above. Neither should have to reveal their true position to reach a deal. Humans solve this through negotiation. Agents have no standard mechanism for it.

I built ANP — Agent Negotiation Protocol — as one answer to this. Wanted to share the design with a community that will actually critique it.

Core protocol design

Buyer and seller agents negotiate over HTTP using a structured offer/counter/accept loop. Each round the buyer sends an offer. The seller evaluates it against its private strategy — floor price, target price, max rounds — and returns ACCEPTED, COUNTER with a counter price, or REJECTED. The buyer adjusts and tries again. Convergence happens through midpoint averaging by default, with configurable strategies planned for V2.

Neither side's true constraints are ever transmitted. The seller's floor is never exposed. The buyer's ceiling is never revealed. Information asymmetry is preserved throughout.

Payment layer

When they agree, the buyer signs an EIP-3009 payment authorization using x402 v2 with CAIP-2 network identifiers (eip155:84532 for Base Sepolia). The seller verifies it via the Coinbase facilitator. Both parties receive an Ed25519-signed receipt — one covering the full negotiation record (every round, every price, every timestamp) and one covering the payment authorization.

Receipts are signed over the full document with signature: '' as a placeholder before signing, making the payload deterministic. Verifiable by anyone with the seller's public key.

A debugging note worth sharing

x402 v2 requires extra.name to match the USDC contract's on-chain name() return value exactly for EIP-712 domain verification. USDC on Base Sepolia returns 'USDC', not 'USD Coin'. The wallet produced a consistent signature either way but transferWithAuthorization reverted on-chain because the domain didn't match. Took a while to trace.

What's missing

facilitatorClient.settle() — the seller calls verify() only. Funds don't move in the MVP. The EIP-3009 authorization is cryptographically valid, the receipt is signed, but on-chain transfer requires settle(). That's the V2 priority.

Live seller: https://gent-negotiation-v1-production.up.railway.app/analytics Code: github.com/ANP-Protocol/Agent-Negotiation-Protocol

Questions I'd genuinely like this community's input on:

• Is midpoint convergence the right default strategy, or is there a more game-theoretically sound approach for agents that don't have human psychology?
• Is EIP-3009 the right primitive for agent payment authorization, or is there a better on-chain mechanism for this use case?
• Any security concerns with the verify-only approach for MVP? Does an unexecuted but cryptographically valid authorization create any attack surface?
• Thoughts on the receipt design — Ed25519 over the full session record including all rounds. Is there a better approach for tamper-evident audit trails between autonomous agents?