SWT3 AI Witness

Cryptographic AI governance and audit. 18 tools, 28 frameworks. EU AI Act, NIST AI RMF, OWASP Agentic Top 10, CMMC, SR 11-7, ISO 42001. Tool policy gates, trust mesh, inference attestation, audit sessions. Zero-config demo mode.
Overview

Witness your AI. Prove it followed the rules. Cryptographic accountability for every inference, tool call, and resource access.


swt3-ai

SWT3 AI Witness SDK: tamper-proof evidence that your AI is doing what you say it does. Every inference hashed. Every tool call recorded. Every resource access checked against scope. No prompts or responses ever leave your infrastructure.

GPAI transparency obligations are enforceable now. EU AI Act high-risk enforcement begins December 2, 2027. This SDK gives you the evidence chain.

What's New in v0.5.6

  • METAGOV Namespace -- 8 procedures for recursive governance: governance config attestation, layer registration, policy downgrade detection, circular dependency detection (Kahn's algorithm), governance authorization, emergency override, federation sync, attestation purity verification.
  • Japan AI Promotion Act -- 17th regulatory framework. 10 procedure mappings to Japan's AI Promotion Act and AI Utilization Guidelines.
  • Model Trust Profiles -- verify_trust() / present_credential() for AI-TRUST.1 and AI-TRUST.2 anchors. Chain verification across multi-agent handoffs.
  • Anchor References -- Link related anchors with anchor_refs for causal chains and dependency tracking.
  • Coverage Scoring -- get_coverage_score() computes namespace and framework coverage from minted anchors.
  • CLI: swt3 procedures -- List and filter UCT procedures by namespace or JSON output. swt3 quickstart generates a working example script.
  • MCP Framework Filter -- list_procedures tool now accepts --framework parameter for regulatory-scoped queries.
  • Lifecycle Stage -- LIFECYCLE_STAGE_CODES for AI-MDL.5 model weight witnessing across all 5 languages.
  • Bidirectional Crosswalks -- 420+ mappings across 17 frameworks in machine-readable JSON.
  • 15 profiles, 88 procedures, 47 namespaces, 12 integrations

MCP Server -- Official Registry

@tenova/swt3-mcp is listed on the official Model Context Protocol Registry as io.tenova/swt3-witness. Zero-config compliance governance for Claude Code, Cursor, Windsurf, and any MCP-compatible host.

{
  "mcpServers": {
    "swt3-witness": {
      "command": "npx",
      "args": ["@tenova/swt3-mcp"]
    }
  }
}

Every tool call your agent makes is witnessed, Merkle-accumulated, and trust-evaluated. No code changes required.

Secure Agent-to-Agent Communication

The SWT3 Trust Mesh enables mutual cryptographic verification between AI agents before they exchange data, invoke tools, or share context. When you adopt SWT3, every partner, vendor, and downstream agent that wants to interact with yours must adopt it too. Compliance becomes the connection protocol. Every agent in the mesh strengthens the network.

You run Agent A. Your partner runs Agent B. Both install swt3-ai:

import os
from swt3_ai import Witness

# === Your side (Agent A) ===
witness_a = Witness(
    endpoint="...", api_key="axm_...", tenant_id="YOUR_TENANT",
    agent_id="agent-alpha", signing_key="swt3_sk_your_key",
)
witness_a.trust_registry.trust_tenant("PARTNER_B_TENANT")
witness_a.trust_registry.register_signing_key("agent-beta", os.environ["PARTNER_B_KEY"])

# === Partner's side (Agent B) ===
witness_b = Witness(
    endpoint="...", api_key="axm_...", tenant_id="PARTNER_B_TENANT",
    agent_id="agent-beta", signing_key="swt3_sk_partner_key",
)
witness_b.trust_registry.trust_tenant("YOUR_TENANT")
witness_b.trust_registry.register_signing_key("agent-alpha", os.environ["YOUR_KEY"])

# === Handshake (both directions) ===
cred_a = witness_a.present_credential()
result = witness_b.verify_trust(cred_a)       # B verifies A
if result.granted:
    cred_b = witness_b.present_credential()
    result = witness_a.verify_trust(cred_b)    # A verifies B
    if result.granted:
        # Bidirectional trust established. Exchange data.
        pass

Configure trust boundaries declaratively in .swt3.yaml:

trust_mesh:
  mode: strict
  min_trust_level: 2
  require_signature: true
  freshness_window: 3600
  trusted_tenants: ["PARTNER_B_TENANT"]
  deny_agents: ["revoked-agent-id"]

All verification is local. Zero cloud overhead. No data exchanged until both agents clear the trust gate. Unsigned agents are capped at TRUST_BASIC (level 1). Add signing keys for verified trust. Add hardware attestation for sovereign trust.

Offline Verification

Verify any witness anchor without network calls. The fingerprint formula is deterministic and identical across all 6 SDK languages -- recompute it anywhere in microseconds.

from swt3_ai import verify_anchor

# anchor: an anchor object returned by the SDK or loaded from an exported evidence file
result = verify_anchor(
    anchor,
    tenant_id="MY_TENANT",
    procedure_id="AI-INF.1",
    factor_a=1, factor_b=1, factor_c=0,
    timestamp_ms=1773316622000,
)
# result.status: "CERTIFIED TRUTH" | "TAMPERED"

Zero vendor dependency. Zero network calls. Works air-gapped. The same formula runs in Python, TypeScript, Rust, C#, and Ruby with identical output for identical inputs.

See It Work (No Account Needed)

pip install swt3-ai
python -m swt3_ai.demo

The demo runs the full pipeline locally: hash, extract, clear, anchor, verify. It shows a Regulatory Coverage Summary mapping each check to EU AI Act articles, with gaps highlighted. No API keys, no network calls.

Three Lines to Start Witnessing

from swt3_ai import Witness
from openai import OpenAI

witness = Witness(
    endpoint="https://your-witness-endpoint.example.com",
    api_key="axm_live_...",
    tenant_id="YOUR_TENANT",
)
client = witness.wrap(OpenAI())

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize this contract..."}],
)
# response is untouched. Witnessing runs in the background.
print(response.choices[0].message.content)

No code changes to your existing logic. No performance impact. The SDK wraps your AI client transparently and witnesses every call.

What the SDK Does

When your AI makes a call, the SDK:

  1. Hashes the prompt and response locally using SHA-256 (the raw text never leaves your machine)
  2. Extracts numeric factors: model version, latency, token count, guardrail status
  3. Clears sensitive metadata based on your clearing level (you control what goes on the wire)
  4. Anchors the factors into a cryptographic fingerprint that anyone can independently verify
  5. Buffers and flushes anchors in the background (median overhead: under 1ms)
  6. Returns your original response completely untouched

The result: an immutable record that your AI ran the right model, with the right guardrails, within the right boundaries. Without the auditor ever seeing the data.

Witness Agent Tool Calls

If your AI agent calls tools or functions, wrap them to create a record of every invocation:

# db: your existing database handle (assumed to exist)
@witness.wrap_tool(tool_name="search_database")
def search(query: str) -> list:
    return db.execute(query)

# Every call to search() now mints an anchor recording:
#   - Tool name
#   - Input/output hashes
#   - Latency
#   - Success or failure

This produces an AI-TOOL.1 anchor recording the tool name, input/output hashes, latency, and success or failure.

Witness Agent Resource Access

New in v0.2.10. Wrap any function your agent uses to access external resources. The SDK records what was accessed and whether it was within the agent's declared scope:

# db: your existing database handle (assumed to exist)
@witness.wrap_access(resource_name="customer-database", scope="read-only analytics")
def query_customers(sql: str) -> list:
    return db.execute(sql)

# If the agent calls query_customers("DROP TABLE users"),
# the access is witnessed and compared against the declared scope.
# Out-of-scope access produces a FAIL verdict.

This produces an AI-ACC.1 anchor with three factors:

  • Was it accessed? (yes/no)
  • Was it within scope? (yes/no)
  • Was access granted? (yes/no)

Out-of-scope access produces a FAIL verdict with a full evidence trail.

Detect Instruction Drift

New in v0.2.10. The SDK separately hashes the system prompt (base instructions) for each inference. If your agent's instructions change between audit periods, the hash changes and the platform flags it as instruction drift.

This happens automatically. No configuration needed. The system prompt hash is extracted from:

  • OpenAI: messages where role == "system"
  • Anthropic: the system parameter

The hash is included at clearing levels 0 and 1, stripped at levels 2 and 3.
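As an added illustration (not SDK code), here is the extraction and comparison the paragraph describes, written out in Python: the two extraction rules for OpenAI and Anthropic request bodies, a SHA-256 over the recovered text, and a small monitor that flags a hash change between inferences. The request bodies and the DriftMonitor class are constructed for this example; the SDK performs the flagging server-side.

```python
import hashlib
from typing import Optional


def extract_system_prompt(provider: str, request: dict) -> Optional[str]:
    """Pull the base instructions out of a provider request body.

    Mirrors the two extraction rules listed above: OpenAI keeps the
    instructions in messages with role == "system"; Anthropic passes them as
    the top-level "system" parameter. Returns None when there are none.
    """
    if provider == "openai":
        parts = [m["content"] for m in request.get("messages", []) if m.get("role") == "system"]
        return "\n".join(parts) if parts else None
    if provider == "anthropic":
        system = request.get("system")
        if isinstance(system, list):  # Anthropic also accepts a list of text blocks
            system = "\n".join(block.get("text", "") for block in system)
        return system or None
    raise ValueError(f"unsupported provider: {provider}")


def system_prompt_hash(provider: str, request: dict) -> Optional[str]:
    """SHA-256 of the system prompt text; the text itself is never stored or sent."""
    text = extract_system_prompt(provider, request)
    return hashlib.sha256(text.encode("utf-8")).hexdigest() if text is not None else None


class DriftMonitor:
    """Tracks the instruction hash per agent and flags any change against the first one seen.

    Constructed for this example to show the detection logic.
    """

    def __init__(self) -> None:
        self._baseline: dict = {}

    def observe(self, agent_id: str, provider: str, request: dict) -> dict:
        current = system_prompt_hash(provider, request)
        previous = self._baseline.get(agent_id)
        drifted = previous is not None and current != previous
        if previous is None:
            self._baseline[agent_id] = current
        return {"agent_id": agent_id, "system_prompt_hash": current, "drift": drifted}


# Constructed sample requests: identical instructions in both provider shapes.
BASE_INSTRUCTIONS = "You are a fraud detection assistant. Never reveal account numbers."
OPENAI_REQUEST = {
    "model": "gpt-4o",
    "messages": [
        {"role": "system", "content": BASE_INSTRUCTIONS},
        {"role": "user", "content": "Review transaction 4471."},
    ],
}
ANTHROPIC_REQUEST = {
    "model": "claude-sonnet-4-20250514",
    "system": BASE_INSTRUCTIONS,
    "messages": [{"role": "user", "content": "Review transaction 4471."}],
}
# The same agent later runs with altered instructions.
DRIFTED_REQUEST = {
    "model": "gpt-4o",
    "messages": [
        {"role": "system", "content": BASE_INSTRUCTIONS + " Respond in French."},
        {"role": "user", "content": "Review transaction 4472."},
    ],
}


def run_demo() -> list:
    """Three observations for one agent: two consistent, then one drifted."""
    monitor = DriftMonitor()
    return [
        monitor.observe("fraud-detector-prod", "openai", OPENAI_REQUEST),
        monitor.observe("fraud-detector-prod", "anthropic", ANTHROPIC_REQUEST),
        monitor.observe("fraud-detector-prod", "openai", DRIFTED_REQUEST),
    ]


if __name__ == "__main__":
    for observation in run_demo():
        print(observation)
```

Because only the instruction text is hashed, the same instructions yield the same hash whether they arrive as an OpenAI system message or an Anthropic system parameter, and a change to the user turn alone does not register as drift.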

RAG Context Witnessing

New in v0.4.3. Witness what context chunks your RAG pipeline retrieves, from which corpus, and how relevant they are. Chunk text is never transmitted -- only SHA-256 hashes.

# Zero-friction: pass raw strings, SDK handles hashing
witness.witness_rag_context(
    ["chunk text 1", "chunk text 2", "chunk text 3"],
    corpus_id="legal-docs-v3",
)

This mints an AI-RAG.1 (Context Retrieval Provenance) anchor. Add similarity scores to also get AI-RAG.2 (Context Relevance):

from swt3_ai import RagChunk

witness.witness_rag_context(
    [
        RagChunk(content_hash="abc123...", source_id="doc-7/p3", similarity_score=0.92),
        RagChunk(content_hash="def456...", source_id="doc-2/p1", similarity_score=0.78),
        RagChunk(content_hash="789abc...", source_id="doc-4/p2", similarity_score=0.61),
    ],
    corpus_id="legal-docs-v3",
    embedding_model="text-embedding-3-small",
    similarity_threshold=0.75,  # triggers AI-RAG.2
)

One call. Two procedures. Complete retrieval attestation.

LangChain auto-witnessing: If you use the SWT3CallbackHandler, retriever events are captured automatically -- no code changes needed.

Maps to: EU AI Act Art. 12(2)(a) (reference database logging), Art. 10(2) (data quality), NIST AI RMF MAP 3.5 (data provenance).

Model Weight Integrity

Witness the actual model weights, not just the model name string. Accepts a file path (auto-hashes) or pre-computed hash:

# File path: SDK streams SHA-256 automatically
witness.witness_model_weights("/models/llama-3.1-70b.safetensors")

# Pre-computed hash with verification
from swt3_ai import ModelWeightInfo
witness.witness_model_weights(
    ModelWeightInfo(file_hash="abc123...", format="safetensors"),
    expected_hash="abc123...",  # PASS if match, FAIL if mismatch
)

Witness adapter stacks and quantization in the same pipeline:

from swt3_ai import AdapterInfo
witness.witness_adapter_stack(
    [AdapterInfo(name="lora-legal", adapter_hash="aaa111")],
    base_model_id="llama-3.1-70b",
)
witness.witness_quantization("gptq", bits=4, group_size=128)

Maps to: EU AI Act Art. 15(4) (resilience against modification), Art. 12(2)(b) (version logging).

TPM Platform Attestation (AI-HW.3)

Prove host firmware integrity via TPM 2.0. Reads PCR registers 0-7 and mints a hardware root-of-trust anchor. All raw values are SHA-256 hashed before leaving the module:

# Auto-detect: reads /dev/tpm0 via tpm2-tools
witness.witness_tpm_attestation()

# Or provide a pre-computed snapshot
from swt3_ai.hardware import query_tpm
snapshot = query_tpm()
witness.witness_tpm_attestation(snapshot=snapshot)

If no TPM is available (cloud VM, dev machine), returns a valid anchor with factor_a=0. No crash, no error. Graceful degradation by design.

Use case: sovereign/air-gapped deployments where you must prove the host was not tampered with. Combined with AI-HW.1 (GPU inventory), gives full hardware root-of-trust from silicon to model.

Maps to: NIST 800-53 SC-12 (cryptographic key establishment). Patent pending.

Environmental Attestation (Residential and Edge AI)

Witness the physical compute environment for distributed, edge-deployed, or residential AI nodes. Proves the hardware operated within safe thermal and power bounds during inference:

# Zero-config: auto-detects Linux thermal sensors
witness.witness_environment()

# Manual readings from smart panel APIs or IPMI
witness.witness_environment(
    temperature_celsius=42,
    threshold_celsius=75,
    node_type="residential",
)

# Power integrity: draw vs capacity
witness.witness_energy_draw(
    power_watts=1200,
    capacity_watts=2400,
    node_type="edge",
)

If no sensors are available (dev machine, cloud VM), returns a valid anchor with zero readings. No crash, no error.

Use case: enterprises renting compute on distributed residential nodes need cryptographic proof that the node was operating within safe bounds, was not throttled, and was not physically tampered with during their inference window.

Maps to: NIST 800-53 PE-14 (environmental controls), EU AI Act Annex I (product safety for home-integrated AI).

Skill Manifest Attestation

Witness which skills, tools, and plugins are loaded in your agent:

# Zero-friction: just names
witness.witness_skill_manifest(["code_exec", "web_search", "file_read"])

# With memory context
from swt3_ai import MemorySource
witness.witness_memory_context([
    MemorySource(source_type="vector_store", source_id="pinecone-prod"),
    MemorySource(source_type="conversation", source_id="session-123"),
])

# Reward model binding
witness.witness_reward_model("rm-v3-legal", method="dpo")

Maps to: EU AI Act Art. 12(2)(b) (capability tracking), NIST AI RMF GOVERN 1.7 (capability documentation).

Multi-Agent Chains, Violations, and Safety (v0.5.0)

New in v0.5.0. Convenience methods for 8 additional procedures covering multi-agent orchestration, policy enforcement, human oversight, and training data governance:

# Multi-agent chain handoff (AI-CHAIN.1)
witness.witness_chain_handoff(depth=3, target_agent="step-2-reviewer")

# Policy violation reporting (AI-VIO.1)
witness.witness_violation(severity=3, description="PII in output", auto_detected=True, policy_category="data")

# Agent charter attestation (AI-CHR.1)
witness.witness_charter(charter_text="You are a fraud detection assistant...")

# Model registry check (AI-MDL.8)
witness.witness_model_registry("gpt-4o-2025-04-16", "eu-approved-models-v3")

# Reviewer identity binding for four-eyes rule (AI-HITL.3)
witness.witness_reviewer_identity(required=2, actual=2, method="cryptographic")

# Safe state attestation (AI-SAFE.1)
witness.witness_safe_state(mechanism_exists=True, safe_state_confirmed=True)

# Training data statistics (AI-DATA.3)
witness.witness_training_stats(row_count=50000, feature_count=128, class_balance_ratio=0.85)

# Training data PII lifecycle (AI-DATA.4)
witness.witness_training_pii_lifecycle(records_affected=10000, event_type="pseudonymization", dataset_id="training-v3")

Maps to: EU AI Act Art. 10(3), Art. 10(5), Art. 12(2)(a), Art. 12(3)(d), Art. 13, Art. 14(4)(e), Art. 14(5), Art. 51. NIST AI RMF MANAGE 3.2, MANAGE 4.1, GOVERN 1.2.

Agent Identity

Bind a unique identity to every anchor your agent produces:

witness = Witness(
    endpoint="...",
    api_key="axm_...",
    tenant_id="...",
    agent_id="fraud-detector-prod",
    signing_key="swt3_sk_...",  # HMAC-SHA256 signing for non-repudiation
)

The agent_id survives all clearing levels. The signing_key produces an HMAC-SHA256 signature on every anchor, proving which agent instance created it. When a signing key is registered server-side, the server validates the signature on ingestion and rejects tampered payloads. This enables:

  • Payload authenticity -- server verifies the SDK that minted the anchor held the registered secret
  • Tamper detection -- any modification after signing causes rejection (422)
  • Per-agent compliance passports
  • Fleet-wide governance dashboards
  • Agent-scoped evidence packages for auditors

Receipts include signature_verified: true when the server confirms the signature.

Trust Mesh (Mutual Agent Verification)

Before two agents exchange data or invoke each other's tools, each verifies the other's compliance posture. No anchor, no handshake.

# Agent A: present a signed credential
credential_a = witness_a.present_credential()
# Send credential_a to Agent B over your transport layer

# Agent B: verify Agent A's credential
witness_b.trust_registry.trust_tenant("TENANT_A")
witness_b.trust_registry.register_signing_key("agent-alpha", "shared-secret-a")
result = witness_b.verify_trust(credential_a)

if result.granted:
    # Trust level: 1=basic, 2=verified, 3=attested, 4=sovereign
    print(f"Trusted at level {result.trust_level}")
else:
    print(f"Denied: {result.denial_reason}")

Trust levels:

Level  Name       Requires
1      Basic      Valid credential, unsigned or unverifiable
2      Verified   Valid credential + verified HMAC signature
3      Attested   Verified + hardware attestation + guardrails
4      Sovereign  Attested + clearing level >= 2

Unsigned credentials are automatically capped at TRUST_BASIC. You cannot claim a higher trust level without a verified signature.

Key exchange: Exchange signing keys out-of-band (environment variables, secrets manager, KMS). Never send keys over the wire alongside credentials. Each agent registers the counterpart's key:

import os

# Agent A registers B's key, B registers A's key
witness_a.trust_registry.register_signing_key("agent-beta", os.environ["AGENT_B_KEY"])
witness_b.trust_registry.register_signing_key("agent-alpha", os.environ["AGENT_A_KEY"])

Zero-friction path: Trust mesh works without signing keys. Agents without keys get TRUST_BASIC (level 1), which is sufficient for non-sensitive coordination. Add keys when you need verified or attested trust.

Credential auto-population: present_credential() automatically includes which procedures the agent has witnessed and whether hardware attestation (AI-HW.1 or AI-HW.3) has been performed. No manual tracking needed.

Every verification (pass or fail) mints AI-TRUST.1 + AI-TRUST.2 anchors. Denials produce evidence too.

Maps to: EU AI Act Art. 14 (human oversight and mutual accountability between AI systems).
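To make the handshake from "Secure Agent-to-Agent Communication" and the trust-level table concrete, here is a self-contained Python model of the verifier side, added as an example and not the SDK's implementation. The Credential fields, the sign_credential helper and the TrustRegistry class are assumptions; the rules they encode are the ones stated on this page: deny list and trusted tenants, a freshness window, unsigned or unverifiable credentials capped at TRUST_BASIC, a wrong signature rejected outright, and levels 2 to 4 reachable only with a verified HMAC-SHA256 signature.

```python
import hashlib
import hmac
import json
import time
from dataclasses import asdict, dataclass, field
from typing import Optional

# Trust levels from the table above.
TRUST_BASIC, TRUST_VERIFIED, TRUST_ATTESTED, TRUST_SOVEREIGN = 1, 2, 3, 4


@dataclass
class Credential:
    """Self-description an agent presents. Field names are assumed, not the SDK's."""
    tenant_id: str
    agent_id: str
    issued_at: int                      # epoch seconds, checked against freshness_window
    procedures_witnessed: list
    hardware_attested: bool             # an AI-HW.1 or AI-HW.3 anchor exists
    guardrails_active: bool
    clearing_level: int
    signature: Optional[str] = None     # HMAC-SHA256 over every other field

    def signing_input(self) -> bytes:
        body = asdict(self)
        body.pop("signature")
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_credential(cred: Credential, signing_key: str) -> Credential:
    """Attach the HMAC-SHA256 signature the presenting agent computes with its own key."""
    cred.signature = hmac.new(signing_key.encode("utf-8"), cred.signing_input(), hashlib.sha256).hexdigest()
    return cred


@dataclass
class TrustResult:
    granted: bool
    trust_level: int
    denial_reason: Optional[str] = None


@dataclass
class TrustRegistry:
    """Local verifier configured like the trust_mesh block of .swt3.yaml."""
    trusted_tenants: set = field(default_factory=set)
    deny_agents: set = field(default_factory=set)
    signing_keys: dict = field(default_factory=dict)   # agent_id -> shared secret, loaded out-of-band
    min_trust_level: int = TRUST_BASIC
    require_signature: bool = False
    freshness_window: int = 3600

    def trust_tenant(self, tenant_id: str) -> None:
        self.trusted_tenants.add(tenant_id)

    def register_signing_key(self, agent_id: str, key: str) -> None:
        self.signing_keys[agent_id] = key

    def verify_trust(self, cred: Credential, now: Optional[int] = None) -> TrustResult:
        now = int(time.time()) if now is None else now
        if cred.agent_id in self.deny_agents:
            return TrustResult(False, 0, "agent on deny list")
        if cred.tenant_id not in self.trusted_tenants:
            return TrustResult(False, 0, "tenant not trusted")
        if now - cred.issued_at > self.freshness_window:
            return TrustResult(False, 0, "credential outside freshness window")

        # A wrong signature is a hard deny. A missing signature, or one we hold
        # no key for (unverifiable), only caps the level at TRUST_BASIC.
        signature_verified = False
        key = self.signing_keys.get(cred.agent_id)
        if cred.signature is not None and key is not None:
            expected = hmac.new(key.encode("utf-8"), cred.signing_input(), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, cred.signature):
                return TrustResult(False, 0, "signature invalid")
            signature_verified = True
        if self.require_signature and not signature_verified:
            return TrustResult(False, 0, "verified signature required")

        level = TRUST_BASIC
        if signature_verified:
            level = TRUST_VERIFIED
            if cred.hardware_attested and cred.guardrails_active:
                level = TRUST_ATTESTED
                if cred.clearing_level >= 2:
                    level = TRUST_SOVEREIGN
        if level < self.min_trust_level:
            return TrustResult(False, level, f"trust level {level} below required {self.min_trust_level}")
        return TrustResult(True, level)
```

The signing key never travels with the credential: the verifier looks it up by agent_id from what was registered out-of-band, which is why a credential for an agent with no registered key cannot rise above level 1 no matter what it claims about hardware or guardrails.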

Policy-as-Code (swt3.yaml)

New in v0.5.2. Define your entire witnessing policy in a YAML file instead of passing 25+ constructor parameters:

swt3 init          # interactive profile picker
swt3 init --profile eu-ai-act-high-risk --tenant ACME

This generates a swt3.yaml file. Then load it:

witness = Witness.from_config()              # auto-finds swt3.yaml
witness = Witness.from_config("prod.yaml")   # explicit path

File Composition (extends)

Layer configs for environment-specific overrides:

# prod.yaml
extends: base.yaml
clearing_level: 2
signing_key_env: SWT3_SIGNING_KEY

Supports single files or chains (extends: [base.yaml, team.yaml]). Merge order: extends < profile < explicit config. Cycle detection and depth limit (10) built in.
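An added example (not the SDK's loader) of the merge semantics just described: extends chains resolved recursively, precedence extends < profile < explicit keys, cycle detection, and a depth limit of 10. Config files are modelled as an in-memory dict of already-parsed YAML so the code runs without touching disk, and the two stand-in profiles paraphrase rows of the profile table with assumed key names.

```python
from copy import deepcopy

MAX_EXTENDS_DEPTH = 10


class ConfigError(Exception):
    """Raised for extends cycles, excessive depth, or missing files/profiles."""


# Stand-ins for two built-in profiles. The settings paraphrase the profile
# table in this README; the key names are assumptions, not the SDK's schema.
PROFILES = {
    "minimal": {"clearing_level": 0, "policy_enforcement": False},
    "eu-ai-act-high-risk": {"clearing_level": 2, "signing_required": True, "jurisdiction_required": True},
}


def deep_merge(base: dict, override: dict) -> dict:
    """Return base updated by override, recursing into nested mappings."""
    out = deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(out.get(key), dict):
            out[key] = deep_merge(out[key], value)
        else:
            out[key] = deepcopy(value)
    return out


def resolve_config(path: str, files: dict, profiles: dict = PROFILES, _chain: tuple = ()) -> dict:
    """Resolve one config file with precedence extends < profile < explicit keys.

    `files` maps file name -> parsed YAML (a dict). `_chain` is the extends
    path walked so far; it drives both cycle detection and the depth limit.
    """
    if path in _chain:
        raise ConfigError("extends cycle: " + " -> ".join(_chain + (path,)))
    if len(_chain) >= MAX_EXTENDS_DEPTH:
        raise ConfigError(f"extends depth limit ({MAX_EXTENDS_DEPTH}) exceeded at {path}")
    if path not in files:
        raise ConfigError(f"config file not found: {path}")

    raw = files[path]
    parents = raw.get("extends", [])
    if isinstance(parents, str):
        parents = [parents]

    merged: dict = {}
    for parent in parents:                      # later parents override earlier ones
        merged = deep_merge(merged, resolve_config(parent, files, profiles, _chain + (path,)))
    if "profile" in raw:                        # the profile sits above everything inherited
        if raw["profile"] not in profiles:
            raise ConfigError(f"unknown profile: {raw['profile']}")
        merged = deep_merge(merged, profiles[raw["profile"]])
    explicit = {k: v for k, v in raw.items() if k not in ("extends", "profile")}
    return deep_merge(merged, explicit)         # explicit keys win over both


# Constructed config layers, mirroring the prod.yaml fragment above.
FILES = {
    "base.yaml": {"profile": "minimal", "clearing_level": 1,
                  "merkle": {"enabled": True, "accumulator_interval": 5}},
    "team.yaml": {"extends": "base.yaml", "merkle": {"accumulator_interval": 0}},
    "prod.yaml": {"extends": ["base.yaml", "team.yaml"], "clearing_level": 2,
                  "signing_key_env": "SWT3_SIGNING_KEY"},
    "loop-a.yaml": {"extends": "loop-b.yaml"},
    "loop-b.yaml": {"extends": "loop-a.yaml"},
}

if __name__ == "__main__":
    print(resolve_config("prod.yaml", FILES))
    try:
        resolve_config("loop-a.yaml", FILES)
    except ConfigError as exc:
        print("rejected:", exc)
```

Note that nested mappings merge key by key, so team.yaml overriding only accumulator_interval keeps base.yaml's enabled: true rather than replacing the whole merkle block.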

Built-in Profiles

14 profiles ship with the SDK -- 7 framework profiles and 7 industry verticals:

Profile                 Use Case
eu-ai-act-high-risk     EU AI Act high-risk: clearing 2, signing required, jurisdiction required
nist-ai-rmf             NIST AI RMF: full procedure coverage, moderate policy
cost-conscious          Token budget governance: 25K/session ceiling, cost attribution
owasp-agentic-top10     OWASP Agentic Top 10: fail-closed, 100K tokens, depth 8
mythos-defense          Exploit chain containment: clearing 3, strict trust, depth 5
granite-sovereign       IBM Granite on-prem: air-gap ready, hardware attestation
minimal                 Development: clearing 0, no policy enforcement
fintech-model-risk      SR 11-7 model risk: drift monitoring, clearing 2, signing required
healthcare-clinical     HIPAA clinical AI: consent witnessing, clearing 3, PII protection
insurance-underwriting  Underwriting AI: fairness, explainability, DPIA, clearing 2
telecom-compliance      Telecom fraud/network AI: performance monitoring, incident response
defense-govcon          CMMC/RMF: clearing 3, strict chain enforcement, SBOM required
content-platform        Content moderation: watermark verification, transparency, consent
autonomous-systems      Autonomous/robotics: safety, robustness, dual-use, human oversight

Diagnostics

swt3 doctor        # 8 checks: YAML, env vars, profile, extends, sections
swt3 doctor --json  # machine-readable for CI/CD

Schema Validation

Validate config files programmatically:

from swt3_ai import validate_schema

result = validate_schema(parsed_yaml)
if not result.valid:
    print(result.errors)

Merkle Accumulator (Session-Level Integrity)

New in v0.5.2. Compute Merkle roots over batches of anchors for tamper-evident session integrity:

from swt3_ai import MerkleAccumulator, verify_merkle_proof

acc = MerkleAccumulator(tenant_id="ACME")

# Accumulate fingerprints as anchors are minted
acc.add("abc123def456")
acc.add("789012345678")

# Compute session root (persisted to JSONL automatically)
session = acc.flush()
print(session.root)  # 64-char hex Merkle root

# Generate an inclusion proof for any fingerprint
proof = acc.prove("abc123def456")
print(verify_merkle_proof("abc123def456", proof))  # True

Enable via config:

merkle:
  enabled: true
  accumulator_interval: 0  # 0 = compute on every flush

Cross-language parity with TypeScript SDK. Domain-separated (SWT3:LEAF: / SWT3:NODE:) to prevent second-preimage attacks.
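For readers who want to see what a domain-separated Merkle root means mechanically, here is a minimal accumulator added as an example. It is not the SDK's implementation and may differ in details such as how an odd leaf is handled (carried up unchanged here) and how child hashes are concatenated; it does use the SWT3:LEAF: and SWT3:NODE: tags named above, so a leaf preimage can never be mistaken for an interior-node preimage. The fingerprints are constructed, and verify_inclusion is this example's name, not the SDK's verify_merkle_proof.

```python
import hashlib
import hmac
from typing import List, Tuple

# Domain separation: leaf and interior-node preimages start with different
# tags, so no value can be valid as both a leaf and a node (second-preimage
# resistance for the tree structure, not just for SHA-256 itself).
LEAF_PREFIX = b"SWT3:LEAF:"
NODE_PREFIX = b"SWT3:NODE:"


def hash_leaf(fingerprint: str) -> str:
    return hashlib.sha256(LEAF_PREFIX + fingerprint.encode("utf-8")).hexdigest()


def hash_node(left: str, right: str) -> str:
    # Children are hex digests; concatenating the hex text is this example's choice.
    return hashlib.sha256(NODE_PREFIX + (left + right).encode("utf-8")).hexdigest()


def build_levels(fingerprints: List[str]) -> List[List[str]]:
    """Bottom-up tree levels; a node without a sibling is carried up unchanged."""
    if not fingerprints:
        raise ValueError("cannot build a Merkle tree over zero anchors")
    levels = [[hash_leaf(fp) for fp in fingerprints]]
    while len(levels[-1]) > 1:
        current, parents = levels[-1], []
        for i in range(0, len(current), 2):
            if i + 1 < len(current):
                parents.append(hash_node(current[i], current[i + 1]))
            else:
                parents.append(current[i])
        levels.append(parents)
    return levels


def merkle_root(fingerprints: List[str]) -> str:
    return build_levels(fingerprints)[-1][0]


def prove(fingerprints: List[str], fingerprint: str) -> List[Tuple[str, str]]:
    """Inclusion proof as (side, sibling_hash) pairs from leaf toward root.

    side is "R" when the sibling sits to the right of the path node, "L" when
    it sits to the left. Levels where the path node had no sibling add nothing.
    """
    levels = build_levels(fingerprints)
    index = fingerprints.index(fingerprint)
    proof = []
    for level in levels[:-1]:
        sibling = index ^ 1
        if sibling < len(level):
            proof.append(("R" if index % 2 == 0 else "L", level[sibling]))
        index //= 2
    return proof


def verify_inclusion(fingerprint: str, proof: List[Tuple[str, str]], root: str) -> bool:
    """Recompute the path from a fingerprint and its proof; True if it lands on root."""
    node = hash_leaf(fingerprint)
    for side, sibling in proof:
        node = hash_node(node, sibling) if side == "R" else hash_node(sibling, node)
    return hmac.compare_digest(node, root)


# Constructed session: three 12-character anchor fingerprints.
SESSION_FINGERPRINTS = ["abc123def456", "789012345678", "fedcba987654"]

if __name__ == "__main__":
    root = merkle_root(SESSION_FINGERPRINTS)
    proof = prove(SESSION_FINGERPRINTS, "789012345678")
    print(root, verify_inclusion("789012345678", proof, root))
```

An auditor holding only the published root and a proof can confirm that a given anchor was part of the session, and any reordering, removal or edit of an anchor changes the root.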

Gatekeeper Mode (Pre-Call Attestation)

New in v0.3.4. Require guardrails to be active before the model is called, not just observed after:

from openai import OpenAI
from swt3_ai import GatekeeperError, Witness

witness = Witness(
    endpoint="...",
    api_key="axm_...",
    tenant_id="...",
    strict=True,
    guardrails_required=2,
    guardrail_names=["content-filter", "pii-scanner"],
)

client = witness.wrap(OpenAI())

# If fewer than 2 guardrails are active, this raises GatekeeperError
# BEFORE the model call happens. No inference runs without safeguards.
try:
    response = client.chat.completions.create(
        model="gpt-4o",
        messages=[{"role": "user", "content": "..."}],
    )
except GatekeeperError as e:
    print(f"Blocked: {e}")
    # An AI-GRD.3 FAIL anchor is minted recording the gate failure

Gatekeeper mode mints an AI-GRD.3 anchor with:

  • factor_a = required guardrail count
  • factor_b = actual guardrail count
  • factor_c = 1 if gate passed, 0 if blocked

Import the exception: from swt3_ai import GatekeeperError

Agent Cost Governance

Every inference witnessed by the SDK captures prompt and completion token counts from the API response. Combined with max_tokens_per_session, this gives you a per-agent, per-session cost ceiling with a complete audit trail.

# .swt3.yaml
profile: cost-conscious        # Built-in budget profile (25K tokens)

mcp_policy:
  max_tokens_per_session: 25000  # Hard cutoff per session
  fail_secure: true              # Halt and record on budget exceeded

from openai import OpenAI
from swt3_ai import Witness

witness = Witness(...)
client = witness.wrap(OpenAI())

# Every call through the wrapped client automatically tracks tokens.
# When the session budget is exhausted, the chain enforcer halts
# further calls and mints a token_budget violation anchor.

# Manual token recording (for custom pipelines):
witness.record_session_tokens(1500)

Token usage flows into the witness ledger alongside every other anchor. Your auditor sees what the agent did, whether it complied, and what it cost -- in one export.

Multi-Agent Chain Linking

New in v0.3.4. Link anchors across agents in a multi-step pipeline using cycle_id:

witness = Witness(
    endpoint="...",
    api_key="axm_...",
    tenant_id="...",
    agent_id="step-1-classifier",
    cycle_id="txn-review-abc123",  # shared across all agents in the chain
)

The cycle_id survives all clearing levels and appears in every anchor. An auditor can reconstruct the full decision chain by filtering on a single cycle ID.

Policy Version Binding

New in v0.3.4. Tie every anchor to the specific policy configuration that was in effect:

witness = Witness(
    endpoint="...",
    api_key="axm_...",
    tenant_id="...",
    policy_version="v2.1.0-prod-2026-04-20",
)

The SDK hashes the policy version string (SHA-256, first 12 characters) and includes it in every payload. When policies change between audit periods, the hash changes, proving which rules were in effect for each inference.

What Gets Witnessed

Each inference produces anchors for these checks. Every check maps to a regulation.

Check      What It Proves                          Plain English                      Regulation
AI-INF.1   Prompt and response were captured       "Was the inference logged?"        EU AI Act Art. 12
AI-INF.2   Latency was within threshold            "Was response time acceptable?"    NIST AI RMF MEASURE 2.6
AI-MDL.1   Deployed model matches approved hash    "Is this the right model?"         EU AI Act Art. 9
AI-MDL.2   Model version was recorded              "Is the model version tracked?"    EU AI Act Art. 72
AI-GRD.1   Required safety guardrails were active  "Are enough guardrails running?"   NIST AI RMF MANAGE 4.1
AI-GRD.2   No refusal or content filter triggered  "Did a safety filter trigger?"     EU AI Act Art. 9
AI-TOOL.1  Tool/function call was recorded         "Did the tool call succeed?"       NIST AI RMF MANAGE 4.1
AI-ACC.1   Resource access was within scope        "Was the access authorized?"       EU AI Act Art. 14
AI-ID.1    Agent identity was attested             "Is the agent identified?"         EU AI Act Art. 13

EU AI Act Article Mapping

All 76 SWT3 AI witnessing procedures map to specific EU AI Act obligations:

Procedure  EU AI Act Article  Obligation                          Demo  Production
AI-INF.1   Art. 12(1)         Automatic Logging of Use Periods    yes   yes
AI-INF.2   Art. 15(3)         Performance Consistency Monitoring  -     yes
AI-INF.3   Art. 12(1)         Volume & Usage Logging              -     yes
AI-MDL.1   Art. 9(4a)         Model Risk Identification           yes   yes
AI-MDL.2   Art. 12(2b)        Version & Lineage Tracking          -     yes
AI-MDL.3   Art. 72(1)         Post-Market Drift Monitoring        -     yes
AI-MDL.4   Art. 15(4)         Feedback Loop Isolation             -     yes
AI-GRD.1   Art. 9(2a)         Risk Mitigation Measures            yes   yes
AI-GRD.2   Art. 9(4b)         Content Safety Filtering            -     yes
AI-GRD.3   Art. 10(2f)        PII & Data Protection               -     yes
AI-EXPL.1  Art. 13(1)         Transparency & Explainability       -     yes
AI-EXPL.2  Art. 13(3b)        Confidence Calibration              -     yes

The demo demonstrates 5 procedures using simulated data. All 76 are available in production with real inference data. 207 cross-language test vectors ensure fingerprint parity across Python, TypeScript, Rust, C#, and Ruby. See live conformity →

How Verdicts Work

Every anchor carries three numbers:

  • factor_a = the threshold (what should happen)
  • factor_b = the observation (what actually happened)
  • factor_c = context (extra detail)

The verdict is a simple comparison. No AI, no probability. Just math.

Reading an Anchor

Check: AI-GRD.1    factor_a: 2    factor_b: 3    factor_c: 1    Verdict: PASS

Translation: "We required 2 guardrails. 3 were active. All passed."

Check: AI-INF.2    factor_a: 30000    factor_b: 842    factor_c: 0    Verdict: PASS

Translation: "Latency limit was 30,000ms. Actual was 842ms. Under the limit."

Check: AI-ACC.1    factor_a: 1    factor_b: 0    factor_c: 0    Verdict: FAIL

Translation: "Access attempt occurred. Target was outside declared scope. Access denied."

Factor Reference

Check      factor_a            factor_b               factor_c             Verdict Rule
AI-INF.1   1 (required)        1 if hashes present    0                    PASS if b >= a
AI-INF.2   Latency limit (ms)  Actual latency (ms)    1 if over limit      PASS if b <= a
AI-MDL.1   1 (required)        1 if hash present      0                    PASS if b >= a
AI-MDL.2   1 (required)        1 if version recorded  0                    PASS if b >= a
AI-GRD.1   Required count      Active count           1 if all passed      PASS if b >= a
AI-GRD.2   1 (clean expected)  0 if refusal           0                    PASS if b >= a
AI-GRD.3   Required count      Active count           1=passed, 0=blocked  PASS if b >= a AND c == 1
AI-TOOL.1  1 (called)          Latency (ms)           1=success, 0=error   PASS if b >= a
AI-ACC.1   1 (accessed)        1=in scope, 0=out      1=granted, 0=denied  PASS if b >= a
AI-ID.1    1 (required)        1 if identity present  0                    PASS if b >= a

Verify Any Anchor From Your Terminal

echo -n "WITNESS:DEMO_TENANT:AI-INF.1:1:1:0:1774800000000" | sha256sum | cut -c1-12
# Produces a 12-character fingerprint. Compare it to the anchor. If it matches, the anchor is real.

No SDK needed. Works on any machine, any language. That is what independently verifiable means.
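Putting the "Offline Verification" section, the Factor Reference table and the shell one-liner together, here is an offline verifier in Python, added as an example and not part of the SDK. The fingerprint function uses the same WITNESS:tenant:procedure:a:b:c:timestamp preimage as the one-liner (SHA-256, first 12 hex characters), and the verdict rules are transcribed from the table. The Anchor dataclass, its field names, the mint helper and the sample anchors are constructed for illustration; the SDK's verify_anchor() returns the same two status strings.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, Dict

# Verdict rules transcribed from the Factor Reference table
# (a = threshold, b = observation, c = context).
VERDICT_RULES: Dict[str, Callable[[int, int, int], bool]] = {
    "AI-INF.1": lambda a, b, c: b >= a,
    "AI-INF.2": lambda a, b, c: b <= a,             # latency must stay under the limit
    "AI-MDL.1": lambda a, b, c: b >= a,
    "AI-MDL.2": lambda a, b, c: b >= a,
    "AI-GRD.1": lambda a, b, c: b >= a,
    "AI-GRD.2": lambda a, b, c: b >= a,
    "AI-GRD.3": lambda a, b, c: b >= a and c == 1,  # the gate itself must also have passed
    "AI-TOOL.1": lambda a, b, c: b >= a,
    "AI-ACC.1": lambda a, b, c: b >= a,
    "AI-ID.1": lambda a, b, c: b >= a,
}


@dataclass(frozen=True)
class Anchor:
    """Fields an exported anchor is assumed to carry; names follow verify_anchor()."""
    tenant_id: str
    procedure_id: str
    factor_a: int
    factor_b: int
    factor_c: int
    timestamp_ms: int
    fingerprint: str            # the 12 hex characters recorded at mint time


def fingerprint(tenant_id: str, procedure_id: str, a: int, b: int, c: int, timestamp_ms: int) -> str:
    """Same preimage as the shell one-liner above, SHA-256, first 12 hex characters."""
    preimage = f"WITNESS:{tenant_id}:{procedure_id}:{a}:{b}:{c}:{timestamp_ms}"
    return hashlib.sha256(preimage.encode("utf-8")).hexdigest()[:12]


def verdict(procedure_id: str, a: int, b: int, c: int) -> str:
    if procedure_id not in VERDICT_RULES:
        raise ValueError(f"no verdict rule for {procedure_id}")
    return "PASS" if VERDICT_RULES[procedure_id](a, b, c) else "FAIL"


def verify_anchor_offline(anchor: Anchor) -> dict:
    """Recompute the fingerprint; only an anchor that matches gets its verdict read out."""
    expected = fingerprint(anchor.tenant_id, anchor.procedure_id,
                           anchor.factor_a, anchor.factor_b, anchor.factor_c, anchor.timestamp_ms)
    if not hmac.compare_digest(expected, anchor.fingerprint):
        return {"status": "TAMPERED", "verdict": None}
    return {"status": "CERTIFIED TRUTH",
            "verdict": verdict(anchor.procedure_id, anchor.factor_a, anchor.factor_b, anchor.factor_c)}


def mint(tenant_id: str, procedure_id: str, a: int, b: int, c: int, timestamp_ms: int) -> Anchor:
    """Constructed stand-in for minting: compute the fingerprint honestly over the factors."""
    return Anchor(tenant_id, procedure_id, a, b, c, timestamp_ms,
                  fingerprint(tenant_id, procedure_id, a, b, c, timestamp_ms))


# The three anchors from "Reading an Anchor", minted honestly...
HONEST_ANCHORS = [
    mint("DEMO_TENANT", "AI-GRD.1", 2, 3, 1, 1774800000000),
    mint("DEMO_TENANT", "AI-INF.2", 30000, 842, 0, 1774800000000),
    mint("DEMO_TENANT", "AI-ACC.1", 1, 0, 0, 1774800000000),
]
# ...plus a genuinely failed guardrail gate whose factors were edited after
# minting to look like a pass. The old fingerprint no longer matches.
_original = mint("DEMO_TENANT", "AI-GRD.1", 2, 1, 0, 1774800000000)
TAMPERED_ANCHOR = Anchor("DEMO_TENANT", "AI-GRD.1", 2, 3, 1, 1774800000000, _original.fingerprint)

if __name__ == "__main__":
    for anchor in HONEST_ANCHORS + [TAMPERED_ANCHOR]:
        print(anchor.procedure_id, anchor.fingerprint, verify_anchor_offline(anchor))
```

The distinction the output makes is the one an auditor cares about: AI-ACC.1 with factors 1/0/0 is a certified FAIL (the evidence is intact and records a denied access), while the edited AI-GRD.1 anchor is TAMPERED and its factors are not to be trusted at all.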

Clearing Levels (Privacy Control)

You control what leaves your infrastructure. The SDK always returns the full response to your code. Clearing only affects the witness payload.

Level  Name        What Goes on the Wire                                                  Use Case
0      Analytics   Everything: hashes, factors, model, provider, guardrails, prompt hash  Internal analytics
1      Standard    Hashes, factors, model, provider (no raw text ever)                    Default. Production apps
2      Sensitive   Hashes, factors, model only. No provider, no guardrail names           Healthcare, legal, PII
3      Classified  Numeric factors only. Model name hashed. Zero metadata                 Defense, air-gapped

witness = Witness(
    endpoint="...",
    api_key="axm_...",
    tenant_id="...",
    clearing_level=2,  # Sensitive: strips provider and guardrail names
)

At every level, raw prompts and responses never leave your infrastructure. Only SHA-256 hashes and numeric factors travel on the wire.
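Added as an example, not SDK code: a function that reduces a full local record to the wire payload for each clearing level, following the table above together with two facts stated elsewhere on this page (agent_id and cycle_id survive every level; the system-prompt hash is present only at levels 0 and 1). The payload field names and the sample record are constructed, and level 0's additional analytics fields are not modelled, so levels 0 and 1 come out identical here.

```python
import hashlib


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_wire_payload(record: dict, clearing_level: int) -> dict:
    """Reduce a full local witness record to what is allowed on the wire.

    `record` is everything the SDK knows locally, raw prompt and response
    included. Field names are assumptions for this example; the real payload
    schema is not documented on this page.
    """
    if clearing_level not in (0, 1, 2, 3):
        raise ValueError("clearing_level must be 0, 1, 2 or 3")

    # Present at every level: the numeric factors plus the identity fields the
    # README says survive all clearing levels (agent_id, cycle_id).
    payload = {
        "tenant_id": record["tenant_id"],
        "procedure_id": record["procedure_id"],
        "factor_a": record["factor_a"],
        "factor_b": record["factor_b"],
        "factor_c": record["factor_c"],
        "timestamp_ms": record["timestamp_ms"],
        "agent_id": record["agent_id"],
        "cycle_id": record["cycle_id"],
    }
    if clearing_level <= 2:
        # Levels 0-2: SHA-256 of the texts, and the model name in the clear.
        payload["prompt_hash"] = sha256_hex(record["prompt"])
        payload["response_hash"] = sha256_hex(record["response"])
        payload["model"] = record["model"]
    else:
        # Level 3: numeric factors only, and even the model name is hashed.
        payload["model_hash"] = sha256_hex(record["model"])
    if clearing_level <= 1:
        # Provider, guardrail names and the system-prompt hash stop at level 1.
        payload["provider"] = record["provider"]
        payload["guardrails"] = list(record["guardrails"])
        if record.get("system_prompt") is not None:
            payload["system_prompt_hash"] = sha256_hex(record["system_prompt"])
    return payload


def leaks_raw_text(record: dict, payload: dict) -> bool:
    """True if any raw text field of the record appears verbatim in the payload."""
    raw_values = {record["prompt"], record["response"], record.get("system_prompt")}
    return any(value in raw_values for value in payload.values() if isinstance(value, str))


# Constructed local record for one inference.
SAMPLE_RECORD = {
    "tenant_id": "YOUR_TENANT",
    "procedure_id": "AI-INF.1",
    "factor_a": 1, "factor_b": 1, "factor_c": 0,
    "timestamp_ms": 1773316622000,
    "agent_id": "fraud-detector-prod",
    "cycle_id": "txn-review-abc123",
    "model": "gpt-4o",
    "provider": "openai",
    "guardrails": ["content-filter", "pii-scanner"],
    "system_prompt": "You are a fraud detection assistant.",
    "prompt": "Summarize this contract...",
    "response": "The contract covers ...",
}

if __name__ == "__main__":
    for level in range(4):
        print(level, sorted(build_wire_payload(SAMPLE_RECORD, level)))
```

A useful unit test in a deployment is the leaks_raw_text check run against every level: the raw prompt, response and system prompt must never appear in the payload, whatever the configured level.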

Local Mode (No Account Needed)

Try the SDK locally before connecting to a live endpoint:

witness = Witness(
    endpoint="https://your-witness-endpoint.example.com",
    api_key="test",
    tenant_id="LOCAL_TEST",
    factor_handoff="file",  # Writes anchors to ./swt3-handoff/ as JSON
)
client = witness.wrap(OpenAI())

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "What is the EU AI Act?"}],
)
# Check ./swt3-handoff/ for JSON files with full anchor data

Local SDK vs Connected

Capability                  Local SDK      Connected (free tier)
Mint anchors                Yes            Yes
Verify one anchor           Yes            Yes
Evidence retention          Files on disk  7 days (free) / 90 days (Pro)
Compliance dashboard        No             Yes
Agent Passport              No             Yes (Pro)
Fleet dashboard             No             Yes (Pro)
EU AI Act conformity        No             Yes (Pro)
Auditor evidence packages   No             Yes (Pro)
Access violation tracking   No             Yes (Pro)
Audit-ready evidence chain  No             Yes

Local mode is for development and testing. Connected mode is for production evidence.

Self-Hosted Deployment

Run the full stack inside your own infrastructure. No data leaves your network boundary.

SWT3 Gateway (LLM Proxy)

A zero-latency Go reverse proxy that witnesses every inference transparently. Deploy inside your VPC, point your app at the gateway instead of the LLM provider. One line change:

docker run -d \
  -e SWT3_API_KEY=axm_live_your_key \
  -e SWT3_TENANT_ID=YOUR_ENCLAVE \
  -e SWT3_UPSTREAM=https://api.openai.com \
  -p 8443:8443 \
  tenova/swt3-gateway:latest

# One line change. Everything else stays the same.
client = OpenAI(base_url="http://gateway:8443/v1")

Multi-provider routing, model allowlist (advisory or strict), streaming support, HMAC payload signing. Helm chart included for Kubernetes.

Gateway Documentation

Axiom Sovereign Engine (Full Platform)

The complete compliance platform as a container: dashboard, adjudicator, evidence chain, Merkle rollups.

# Three-service deployment (dashboard + adjudicator + postgres)
docker compose up -d

# Air-gap export for disconnected environments
docker save axiom-sovereign-engine:latest | gzip > axiom-sovereign.tar.gz

  • UBI 9 Minimal base (Iron Bank compatible, DoD IL2-IL5)
  • Non-root runtime, FIPS-validated OpenSSL 3.x
  • Works air-gapped: docker load on the target, no internet required
  • Helm chart for Kubernetes orchestration

Deployment Options

Mode                  What You Run                  Data Residency
SDK only              pip install swt3-ai           Hashes leave, data stays
Gateway               Docker container in your VPC  Raw traffic never leaves your network
Self-hosted platform  Docker Compose or Helm        Everything on your infrastructure
Air-gapped            docker load from tarball      Zero internet connectivity required

Supported Providers

Provider           Client                                          Status
OpenAI             openai.OpenAI / openai.AsyncOpenAI              Supported
Anthropic          anthropic.Anthropic / anthropic.AsyncAnthropic  Supported
Azure OpenAI       openai.AzureOpenAI                              Supported (via openai SDK)
Ollama / vLLM      openai.OpenAI(base_url=...)                     Supported (OpenAI-compatible)
AWS Bedrock        boto3 (bedrock-runtime)                         Supported
LiteLLM            litellm module                                  Supported (100+ providers)
NVIDIA Dynamo      @witness_endpoint() decorator                   Supported (infrastructure-layer)
Microsoft Foundry  wrap_foundry(agent)                             Supported (duck-typed)

LiteLLM (100+ Providers)

New in v0.3.6. One adapter covers every provider LiteLLM supports:

import litellm
from swt3_ai import Witness

witness = Witness(endpoint="...", api_key="axm_...", tenant_id="...")
llm = witness.wrap(litellm)

# Works with any LiteLLM-supported model
response = llm.completion(model="gpt-4o", messages=[...])
response = llm.completion(model="claude-sonnet-4-20250514", messages=[...])
response = llm.completion(model="bedrock/anthropic.claude-3", messages=[...])

# Async variant
response = await llm.acompletion(model="gpt-4o", messages=[...])

Install: pip install swt3-ai litellm

NVIDIA Dynamo (Infrastructure-Layer Witnessing)

New in v0.4.1. Witness inference at the infrastructure layer without modifying application code. The decorator wraps any async generator endpoint that serves OpenAI-compatible responses:

from swt3_ai.adapters.dynamo import witness_endpoint

@witness_endpoint(
    dsn="https://axm_live_key@sovereign.tenova.io/YOUR_TENANT",
    clearing_level=1,
)
async def generate(request):
    async for chunk in upstream_model(request):
        yield chunk
    # Every response is witnessed automatically. Zero application changes.

The dsn connection string follows the Sentry/Supabase pattern: https://<api_key>@<host>/<tenant_id>. You can also use individual env vars (SWT3_ENDPOINT, SWT3_API_KEY, SWT3_TENANT_ID).

Install: pip install swt3-ai[dynamo]
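The DSN shape above is easy to get subtly wrong (a stray `:password` part, a second path segment, a plain-`http` scheme that would send the key in clear). The parser below is an added example, not code from the swt3_ai package: it splits `https://<api_key>@<host>/<tenant_id>` into the three settings the SDK takes, falls back to the SWT3_ENDPOINT / SWT3_API_KEY / SWT3_TENANT_ID variables named above when no DSN is given, and produces a redacted form safe for logs. `WitnessConfig`, `parse_dsn`, `config_from_env` and `redact` are this example's own names.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional
from urllib.parse import unquote, urlsplit

# Illustrative names: WitnessConfig, parse_dsn, config_from_env and redact are not part of the
# swt3_ai package; only the DSN layout and the three SWT3_* variables come from the docs.


@dataclass(frozen=True)
class WitnessConfig:
    endpoint: str   # https://<host>, what the SDK's endpoint= parameter receives
    api_key: str    # the axm_ key carried in the userinfo part of the DSN
    tenant_id: str  # the single path segment


def parse_dsn(dsn: str) -> WitnessConfig:
    """Split 'https://<api_key>@<host>/<tenant_id>' into its settings, rejecting malformed input."""
    parts = urlsplit(dsn)
    if parts.scheme != "https":
        raise ValueError("witness DSN must use https: the api_key travels inside it")
    if not parts.username:
        raise ValueError("witness DSN is missing the api_key before '@'")
    if parts.password is not None:
        raise ValueError("witness DSN must not contain a ':password' component")
    if not parts.hostname:
        raise ValueError("witness DSN is missing a host")
    tenant_id = parts.path.strip("/")
    if not tenant_id or "/" in tenant_id:
        raise ValueError("witness DSN path must be exactly one tenant_id segment")
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    # Keys containing reserved characters must be percent-encoded in the DSN; decode them here.
    return WitnessConfig(endpoint=f"https://{host}", api_key=unquote(parts.username), tenant_id=tenant_id)


def config_from_env(env: Optional[Mapping[str, str]] = None, dsn: Optional[str] = None) -> WitnessConfig:
    """Prefer an explicit DSN; otherwise use SWT3_ENDPOINT / SWT3_API_KEY / SWT3_TENANT_ID."""
    env = os.environ if env is None else env
    if dsn:
        return parse_dsn(dsn)
    try:
        return WitnessConfig(env["SWT3_ENDPOINT"], env["SWT3_API_KEY"], env["SWT3_TENANT_ID"])
    except KeyError as missing:
        raise ValueError(f"no DSN given and {missing} is not set") from None


def redact(cfg: WitnessConfig) -> str:
    """DSN form that is safe to log: the api_key is masked, host and tenant stay readable."""
    return f"https://***@{cfg.endpoint[len('https://'):]}/{cfg.tenant_id}"


if __name__ == "__main__":
    cfg = parse_dsn("https://axm_live_key@sovereign.tenova.io/YOUR_TENANT")  # DSN from the docs above
    print(redact(cfg))
```

Whatever reads the DSN should log only the redacted form; the userinfo part of a URL is a credential and routinely ends up in process listings and error messages when passed around as a plain string.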

Async Support

New in v0.3.6. The SDK detects async clients automatically:

from openai import AsyncOpenAI

client = witness.wrap(AsyncOpenAI())
response = await client.chat.completions.create(model="gpt-4o", messages=[...])

# Async flush and stop
await witness.flush_async()
await witness.stop_async()

Works with AsyncOpenAI, AsyncAnthropic, and litellm.acompletion.

Resilience (Flight Recorder)

The SDK never blocks your inference. Witnessing runs in a background thread.

If the witness endpoint is unreachable, payloads move to a dead-letter queue. When connectivity returns, the backlog drains automatically with exponential backoff. Your production system is never affected.

witness = Witness(
    endpoint="...",
    api_key="axm_...",
    tenant_id="...",
    buffer_size=50,       # flush every 50 anchors
    flush_interval=10.0,  # or every 10 seconds
    max_retries=5,        # retry before dead-lettering
)
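To make the flight-recorder behaviour concrete, here is an added example of the pattern the two paragraphs above describe (a background worker, a buffer flushed by count or by interval, retries with exponential backoff, and a dead-letter backlog replayed in order once the endpoint answers again). It is not the SDK's implementation; `FlightRecorder`, `demo` and the constructed `flaky_send` transport are this example's own, and the parameter names mirror the `buffer_size`, `flush_interval` and `max_retries` settings shown above.

```python
import random
import threading
import time
from collections import deque
from typing import Callable, Deque, Dict, List, Sequence

Payload = Dict[str, object]
Sender = Callable[[Sequence[Payload]], None]  # delivers one batch; raises on any transport failure


class FlightRecorder:
    """Buffered, non-blocking anchor delivery with a dead-letter backlog (illustrative, not the SDK's class)."""

    def __init__(self, send: Sender, buffer_size: int = 10, flush_interval: float = 5.0,
                 max_retries: int = 3, base_backoff: float = 0.5,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self._send = send
        self.buffer_size = buffer_size
        self.flush_interval = flush_interval
        self.max_retries = max_retries
        self.base_backoff = base_backoff
        self._sleep = sleep
        self._buffer: List[Payload] = []
        self._dead_letter: Deque[List[Payload]] = deque()  # undelivered batches, oldest first
        self._buffer_lock = threading.Lock()
        self._flush_lock = threading.Lock()
        self._wake = threading.Event()
        self._stopping = False
        self._worker = threading.Thread(target=self._run, name="swt3-flight-recorder", daemon=True)
        self.sent = 0
        self.failures = 0

    def start(self) -> "FlightRecorder":
        self._worker.start()
        return self

    def record(self, payload: Payload) -> None:
        """Called on the inference path: append and return, never waiting on the network."""
        with self._buffer_lock:
            self._buffer.append(payload)
            full = len(self._buffer) >= self.buffer_size
        if full:
            self._wake.set()

    def stop(self) -> None:
        """Stop the worker, then flush whatever is left (backlog included) one final time."""
        self._stopping = True
        self._wake.set()
        self._worker.join()
        self.flush()

    def _run(self) -> None:
        # Flush when the buffer fills or when flush_interval elapses, whichever comes first.
        while not self._stopping:
            self._wake.wait(self.flush_interval)
            self._wake.clear()
            self.flush()

    def flush(self) -> None:
        with self._buffer_lock:
            batch, self._buffer = self._buffer, []
        with self._flush_lock:
            endpoint_up = self._drain_dead_letter()
            # If the backlog still cannot be delivered, do not burn retries on the new batch.
            if batch and not (endpoint_up and self._try_send(batch)):
                self._dead_letter.append(batch)

    def _drain_dead_letter(self) -> bool:
        """Replay the backlog in order; stop at the first batch that still cannot be delivered."""
        while self._dead_letter:
            if not self._try_send(self._dead_letter[0]):
                return False
            self._dead_letter.popleft()
        return True

    def _try_send(self, batch: Sequence[Payload]) -> bool:
        """One delivery attempt plus max_retries retries with exponential backoff and jitter."""
        for attempt in range(self.max_retries + 1):
            try:
                self._send(batch)
                self.sent += len(batch)
                return True
            except Exception:
                self.failures += 1
                if attempt < self.max_retries:
                    delay = self.base_backoff * (2 ** attempt)
                    self._sleep(delay + random.uniform(0, delay))
        return False

    @property
    def dead_lettered(self) -> int:
        return sum(len(b) for b in self._dead_letter)


def demo(outage_calls: int = 2) -> Dict[str, int]:
    """Constructed scenario: the endpoint rejects the first `outage_calls` deliveries, then recovers."""
    calls = {"n": 0}

    def flaky_send(batch: Sequence[Payload]) -> None:
        calls["n"] += 1
        if calls["n"] <= outage_calls:
            raise ConnectionError("witness endpoint unreachable")

    rec = FlightRecorder(flaky_send, buffer_size=2, flush_interval=0.05, max_retries=1, base_backoff=0.001).start()
    for i in range(5):
        rec.record({"procedure_id": "AI-INF.1", "fingerprint": f"sha256:{i:064x}"})  # constructed anchors
    rec.stop()
    return {"sent": rec.sent, "dead_lettered": rec.dead_lettered, "failures": rec.failures}
```

Two properties are worth checking in any such implementation: `record()` must never touch the network (here it only appends under a lock), and the backlog must be replayed before fresh batches so the ledger receives anchors in the order they were minted.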

Configuration

| Parameter | Default | Description |
| --- | --- | --- |
| endpoint | required | Witness endpoint URL |
| api_key | required | API key (axm_ prefix) |
| tenant_id | required | Your tenant identifier |
| clearing_level | 1 | Privacy level (0-3) |
| buffer_size | 10 | Flush after N anchors |
| flush_interval | 5.0 | Flush after N seconds |
| timeout | 10.0 | HTTP timeout for flush |
| max_retries | 3 | Retries before dead-letter |
| latency_threshold_ms | 30000 | AI-INF.2 latency limit |
| guardrails_required | 0 | AI-GRD.1 required count |
| guardrail_names | [] | Names of active guardrails |
| agent_id | None | Agent identity (survives all clearing levels) |
| signing_key | None | Signing key for payload non-repudiation (HMAC-SHA256 secret or ML-DSA-65 hex seed) |
| signing_algorithm | None | "hmac-sha256" (default) or "ml-dsa-65" (FIPS 204 post-quantum) |
| cycle_id | None | Multi-agent chain link (survives all clearing levels) |
| policy_version | None | Policy config identifier (hashed in payloads) |
| strict | False | Gatekeeper mode: block inference if guardrails insufficient |
| on_flush | None | Callback (payloads, receipts) after each flush |
| factor_handoff | None | "file" for local factor export |
| factor_handoff_path | None | Directory for handoff files |
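The `signing_key` / `signing_algorithm` settings give payload non-repudiation: a counterpart that holds the signer's key can tell a genuine anchor from a forged or altered one. The following added example shows the HMAC-SHA256 variant end to end, including the counterpart side, where an unregistered key yields the `signature_unverifiable` outcome the upgrade notes further down describe. It is not the SDK's own code: `canonical_bytes`, `sign_payload`, `TrustRegistry` and the verdict strings other than `signature_unverifiable` are this example's names, and the payload fields are constructed. The ML-DSA-65 option has no standard-library equivalent and is not shown.

```python
import hashlib
import hmac
import json
from typing import Any, Dict, Mapping

# Illustrative names (sign_payload, TrustRegistry, verdicts other than signature_unverifiable)
# are this example's own; the swt3_ai SDK's internal payload layout is not documented here.


def canonical_bytes(payload: Mapping[str, Any]) -> bytes:
    """Deterministic serialisation so signer and verifier MAC byte-identical input."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def unsigned_view(payload: Mapping[str, Any]) -> Dict[str, Any]:
    return {k: v for k, v in payload.items() if k != "signature"}


def sign_payload(payload: Mapping[str, Any], signing_key: bytes) -> Dict[str, Any]:
    """Attach an HMAC-SHA256 tag computed over every field except the signature itself."""
    body = unsigned_view(payload)
    tag = hmac.new(signing_key, canonical_bytes(body), hashlib.sha256).hexdigest()
    return {**body, "signature": {"algorithm": "hmac-sha256", "value": tag}}


class TrustRegistry:
    """Counterpart-side key store: a tag is only checkable once the signer's key is registered."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def register_signing_key(self, agent_id: str, key: bytes) -> None:
        self._keys[agent_id] = key

    def verify(self, payload: Mapping[str, Any]) -> str:
        sig = payload.get("signature")
        if not isinstance(sig, dict) or sig.get("algorithm") != "hmac-sha256":
            return "unsigned"
        key = self._keys.get(str(payload.get("agent_id")))
        if key is None:
            return "signature_unverifiable"  # the SDK's term for a signer whose key was never registered
        expected = hmac.new(key, canonical_bytes(unsigned_view(payload)), hashlib.sha256).hexdigest()
        # Constant-time comparison: a plain == would leak how many leading hex digits matched.
        return "verified" if hmac.compare_digest(expected, str(sig.get("value", ""))) else "signature_invalid"
```

Because HMAC is symmetric, every counterpart that can verify a tag can also mint one; treat the registered key as a shared secret scoped to one agent pair, and prefer the ML-DSA-65 mode when the verifier must not be able to forge.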

OpenTelemetry Export

New in v0.3.6. Send SWT3 anchors to your existing observability stack as OTel spans:

from swt3_ai import Witness
from swt3_ai.exporters.otel import OTelExporter

exporter = OTelExporter(tracer_name="swt3-witness")
witness = Witness(..., on_flush=exporter.export)

# Anchors now appear as spans in Datadog, Grafana, Jaeger, Honeycomb, etc.
# Span attributes: swt3.procedure_id, swt3.verdict, swt3.fingerprint, swt3.model_id, ...

Install: pip install swt3-ai[otel]

The on_flush callback fires after each successful batch transmission. You can use it for any custom export destination, not just OTel.

LangChain Integration

Use SWT3 with LangChain by wrapping the underlying provider client:

from langchain_openai import ChatOpenAI
from openai import OpenAI
from swt3_ai import Witness

witness = Witness(endpoint="...", api_key="axm_...", tenant_id="...")
witnessed_client = witness.wrap(OpenAI())

# Pass the witnessed client to LangChain
llm = ChatOpenAI(client=witnessed_client)

# Or with LiteLLM (covers all LangChain-supported providers):
import litellm
llm_ns = witness.wrap(litellm)
# Use llm_ns.completion() in your LangChain custom LLM

Witness LangChain tools with @witness.wrap_tool():

from langchain.tools import tool

@witness.wrap_tool(tool_name="search_docs")
@tool
def search_docs(query: str) -> str:
    """Search the document database."""
    return retriever.invoke(query)

# Every LangChain tool invocation is now witnessed with an AI-TOOL.1 anchor

Installation

pip install swt3-ai

# With provider extras
pip install swt3-ai[openai]
pip install swt3-ai[anthropic]
pip install swt3-ai[otel]
pip install swt3-ai[all]

Regulatory Coverage

The SWT3 AI Witnessing Profile maps to:

  • EU AI Act: Articles 9, 10, 12, 13, 14, 53, 72
  • NIST AI RMF: GOVERN, MAP, MEASURE, MANAGE functions
  • ISO 42001: Annex A AI management controls
  • NIST 800-53: SI-7 (integrity), AU-2/AU-3 (audit), AC controls
  • SR 11-7: Model risk management (financial services)

Zero Lock-in

Remove the witness.wrap() call. Your code works exactly as before. Anchors already minted stay in the ledger. There is nothing to undo.

Cross-Language Parity

This SDK produces identical fingerprints to the TypeScript SDK (@tenova/swt3-ai), giving one audit trail across your entire stack, verified by shared test vectors at build time.

Privacy

Your prompts and responses never leave your infrastructure. The SDK computes SHA-256 hashes locally and transmits only irreversible hashes and numeric factors. At Clearing Level 3, even the model name is hashed. The witness endpoint is a blind registrar: it stores cryptographic proofs, not your data.
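A privacy claim like this one is worth checking rather than assuming. The added example below is not the SDK's fingerprint code (the real construction is not documented on this page); it assembles an outbound anchor the way the paragraph describes (prompt and response always reduced to SHA-256 digests, numeric factors carried as numbers, the model name hashed only at Clearing Level 3, agent_id and cycle_id kept at every level) and then scans the bytes that would leave the host for any sensitive string appearing verbatim. `build_anchor`, `leaked_fields` and the treatment of levels 0 to 2 as "model name in clear" are this example's assumptions.

```python
import hashlib
import json
from typing import Any, Dict, List, Optional

# Illustrative only: the SDK's real payload layout is not documented on this page. What the page
# does state: prompts and responses are always hashed, the model name is hashed at Clearing Level 3,
# agent_id and cycle_id survive every level, and only hashes plus numeric factors are transmitted.


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_anchor(prompt: str, response: str, model_id: str, latency_ms: int, clearing_level: int,
                 agent_id: Optional[str] = None, cycle_id: Optional[str] = None) -> Dict[str, Any]:
    """Assemble the outbound payload for one inference according to the clearing level (assumed layout)."""
    if not 0 <= clearing_level <= 3:
        raise ValueError("clearing_level must be 0-3")
    anchor: Dict[str, Any] = {
        "clearing_level": clearing_level,
        "prompt_hash": sha256_hex(prompt),        # irreversible digest, never the text
        "response_hash": sha256_hex(response),
        "model_id": sha256_hex(model_id) if clearing_level == 3 else model_id,  # levels 0-2 in clear: assumption
        "latency_ms": latency_ms,                 # numeric factor
        "prompt_chars": len(prompt),
        "response_chars": len(response),
    }
    if agent_id is not None:
        anchor["agent_id"] = agent_id             # survives all clearing levels
    if cycle_id is not None:
        anchor["cycle_id"] = cycle_id             # survives all clearing levels
    return anchor


def leaked_fields(anchor: Dict[str, Any], sensitive: Dict[str, str]) -> List[str]:
    """Labels of sensitive strings found verbatim in the bytes that would leave the host.

    A substring scan, so treat a hit as something to review rather than as proof of intent.
    """
    wire = json.dumps(anchor, sort_keys=True)
    return sorted(label for label, value in sensitive.items() if value and value in wire)
```

Running the scan against a captured flush body (for instance from a local proxy in front of the witness endpoint) is the practical way to confirm that what leaves the network is what the documentation says it is.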


Upgrading to v0.5.2

Policy-as-Code (new): swt3 init, swt3 doctor, extends: composition, profile templates, YAML schema validator. No breaking changes.

Merkle Accumulator (new): MerkleAccumulator class for session-level integrity proofs. merkle: config section. No breaking changes.

Trust Mesh (v0.5.0): present_credential() and verify_trust(). No breaking changes for existing code.

Credential signing (behavioral change): If your Witness has a signing_key, credentials are now HMAC-signed automatically. Counterpart agents must register your key via trust_registry.register_signing_key() to verify the signature. Without key registration, signed credentials are denied with signature_unverifiable.

TPM attestation (v0.5.2): witness_tpm_attestation() for AI-HW.3. Reads PCR registers via tpm2-tools. Graceful degradation without TPM. No breaking changes.

Environmental attestation (v0.5.0): witness_environment() and witness_energy_draw() for AI-ENV.1/AI-ENV.2. No breaking changes.

MCP server: 16 procedure keyword suggestions (was 8). MCP policy section in swt3.yaml. No breaking changes.


Documentation


SWT3: Sovereign Witness Traceability. We don't run your models. We witness them.

SWT3 and Sovereign Witness Traceability are trademarks of Tenable Nova LLC. Patent pending. Apache 2.0 licensed.

This project is not affiliated with, endorsed by, or sponsored by any third-party AI provider. All third-party trademarks are the property of their respective owners: OpenAI and GPT (OpenAI, Inc.); Claude and Anthropic (Anthropic PBC); Google, Gemini, Vertex AI, and ADK (Google LLC); Azure, Foundry, and Microsoft (Microsoft Corporation); AWS and Bedrock (Amazon Web Services, Inc.); NVIDIA and Dynamo (NVIDIA Corporation); Meta and Llama (Meta Platforms, Inc.); Ollama (Ollama, Inc.); LangChain (LangChain, Inc.); CrewAI (CrewAI, Inc.); MCP (Anthropic PBC); LiteLLM (BerriAI); vLLM (vLLM Project); Cerebras (Cerebras Systems, Inc.). Use of these names is for identification and interoperability purposes only.

Server Config

{
  "mcpServers": {
    "swt3-mcp": {
      "command": "npx",
      "args": [
        "-y",
        "@tenova/swt3-mcp"
      ]
    }
  }
}