Cryptographic non-repudiation + real-time control plane for agentic AI workflows. Two-tier product: AUDIT (async, EU AI Act Art. 12 compliance) and GUARD (sync attest, real-time gating).
This repository contains the open core: SDK, Sidecar, and Open Verifier (Apache 2.0). Server components (Ingest API, Attest API, Verify API, Merkle Builder) ship under BSL 1.1 in a separate repo.
End-to-end claim pack pipeline working today: sign → Merkle build → STH + RFC 3161 timestamp → receipts → ZIP claim pack → offline verifier. See Roadmap below for planned extensions.
| Folder | Purpose |
|---|---|
| architecture/ | System design — five layered views (overview, step flows, verification & A2A, trust & keys, data model). Mermaid diagrams; read in order. |
| learning/ | Self-study curriculum — 20 files in three parts (foundations, context, AgentSig specifics). Read alongside architecture/. Estimated 2–3 days end to end. Start with learning/README.md. |
Three properties most logging tools don't deliver:
- Operator-independent non-repudiation — auditor doesn't trust the vendor running the log.
- Real-time control plane — sync attest gate blocks sensitive tool calls before execution.
- Cross-org agent trust — multi-agent A2A protocols with dual-signed receipts and DID-based identity.
EU AI Act Article 12 (logging) and Article 26 (deployer obligations) apply to high-risk systems from 2026-08-02.
Full architecture is in architecture/ (this repo). Self-study path in learning/.
| Layer | Choice | Reference |
|---|---|---|
| Signature | Ed25519 | RFC 8032 |
| Envelope | COSE_Sign1 | RFC 9052 |
| Serialization | CBOR | RFC 8949 |
| Hash (high-entropy) | SHA-256 | FIPS 180-4 |
| Hash (low-entropy fields) | HMAC-SHA-256 | RFC 2104 |
| AEAD (payload encryption) | AES-256-GCM | NIST SP 800-38D |
| Trusted timestamp | RFC 3161 TSA | RFC 3161 |
| Transparency log | Merkle tree | RFC 6962 pattern |
| Identity | did:web (orgs) + did:key (ephemeral) | W3C DID Core |
| Standards alignment | SCITT, W3C VC, OTel GenAI | (drafts/specs) |
```bash
# 1. Install deps in a venv
python -m venv .venv
source .venv/bin/activate
pip install -r requirements.txt

# 2. Generate 10 signed envelopes (fake agent steps)
python -m cli.sign --count 10 --out data/envelopes/

# 3. Build Merkle tree, sign STH, get RFC 3161 timestamp from FreeTSA,
#    generate per-envelope receipts, pack as ZIP for delivery
python -m cli.merkle_build \
  --envelopes data/envelopes/ \
  --out data/build/ \
  --incident-id demo-001

# 4. Verify the claim pack (what an auditor / insurer / court would do)
python -m cli.verify data/build/claim-pack-demo-001.zip

# Expected output:
# Envelopes seen: 11
# Ed25519 valid: 11/11
# CBOR shape valid: 11/11
# Chain valid: 11/11
# Counter monotonic: 11/11
# DAG closed: 11/11
# STH signature: ✓
# Inclusion proofs: 11/11
# TSA timestamps: 1/1 structurally valid
# VERIFIED ✓
```

These are eight independent cryptographic checks, each covering a separate failure mode. The verifier runs entirely offline (after the one TSA call during build).
Offline-only mode (no FreeTSA call — useful in CI / air-gapped):

```bash
python -m cli.merkle_build --envelopes data/envelopes/ --out data/build/ \
  --incident-id demo-001 --skip-tsa
```

```
agentsig/             ← library (Apache 2.0)
├── __init__.py
├── crypto.py         ← Ed25519, HMAC, SHA-256 helpers
├── cose.py           ← COSE_Sign1 build/verify (RFC 9052, hand-rolled)
├── envelope.py       ← StepEnvelope schema (CBOR-shaped dict)
├── merkle.py         ← RFC 6962 Merkle tree + inclusion proofs
├── sth.py            ← Signed Tree Head (CBOR + Ed25519 service sig)
├── receipt.py        ← per-envelope inclusion proof + STH binding
├── tsa.py            ← RFC 3161 client (FreeTSA today; diversity pool planned)
└── claim_pack.py     ← ZIP bundle for delivery to auditor / insurer
cli/                  ← CLI commands
├── sign.py           ← generate signed envelopes
├── merkle_build.py   ← Merkle tree + STH + TSA + receipts + claim pack
└── verify.py         ← offline verifier (envelopes dir or claim pack ZIP)
data/                 ← gitignored — keys, envelopes, log, bundles
gtm/                  ← gitignored — go-to-market materials
```
- Signer / verifier roundtrip (Ed25519 + COSE_Sign1 + CBOR)
- HMAC layer for low-entropy fields
- Merkle tree + inclusion proofs (RFC 6962-style)
- Signed Tree Head (CBOR + Ed25519 service signature)
- RFC 3161 timestamp from FreeTSA wired in
- Per-envelope receipts (audit path + STH binding)
- Claim pack ZIP bundle for delivery
- Verifier checks signatures, inclusion proofs, STH and TSA structure
- Public anchor channel — STH published to an append-only GitHub repo
- Verifier cross-checks STH against the public anchor
- TSA diversity pool (additional providers alongside FreeTSA)
- Full TSA cert-chain validation
- Sidecar HTTP server for framework-agnostic integration
- n8n demo workflow + HTTP-Request-node integration
- Trillian backend at production scale
- External witness service (different cloud) for STH co-signing
- ML-DSA-65 post-quantum signature path (envelope slot already reserved)
Apache License 2.0 — see LICENSE.