swt3-mcp

swt3-mcp

Cryptographic AI governance and audit. 18 tools, 28 frameworks. EU AI Act, NIST AI RMF, OWASP Agentic Top 10, CMMC, SR 11-7, ISO 42001. Tool policy gates, trust mesh, inference attestation, audit sessions. Zero-config demo mode.

Category
Visit Server

README

SWT3 - Sovereign Witness Protocol for AI

Don't audit the agent's thoughts. Audit the agent's actions.

npm PyPI npm downloads PyPI downloads License

The Problem

AI agents are making production decisions: approving loans, triaging patients, managing infrastructure, writing code. In 2026, 65% of firms reported AI agent security incidents. Only 14.4% of agents go live with full security approval. When something goes wrong, there is no tamper-proof audit trail. Logs are mutable. Metrics are averaged. Nobody can prove what the agent actually did.

GPAI transparency obligations are enforceable now. EU AI Act high-risk enforcement begins December 2, 2027. NIST AI RMF, SR 11-7, and CMMC impose similar obligations. 72% of enterprises believe they have AI governance but lack actual control. Most teams have nothing but dashboards and hope.

The Protocol

SWT3 (Sovereign Witness Traceability) is a deterministic witness protocol for AI systems. It intercepts AI actions, hashes the evidence, and anchors cryptographic proof to an immutable ledger. Your code gets the full response. The auditor gets tamper-proof evidence. Raw prompts and responses never leave your infrastructure.

  • Deterministic, not probabilistic. The witness engine uses fixed logic, not AI, to evaluate compliance.
  • Zero data retention. Configurable clearing levels strip sensitive content before it leaves your environment.
  • Framework-mapped. Every anchor maps to EU AI Act articles, NIST AI RMF functions, and federal controls.

Try It (10 Seconds, No Account)

Python

pip install swt3-ai
python -m swt3_ai.demo

TypeScript

npm install @tenova/swt3-ai
npx swt3-demo

No API keys. No account. No network calls. You will see the full witnessing pipeline run locally.

Three Lines to Production

from swt3_ai import Witness
from openai import OpenAI

witness = Witness(endpoint="https://sovereign.tenova.io", api_key="axm_live_...", tenant_id="YOUR_TENANT")
client = witness.wrap(OpenAI())

# Every inference is now witnessed. Your code does not change.
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize this contract"}],
)

Works with OpenAI, Anthropic, AWS Bedrock, Vercel AI SDK, LangChain, LiteLLM (100+ providers), and any OpenAI-compatible endpoint (vLLM, Ollama, Azure OpenAI).

K8s Hardware Attestation

AI compliance doesn't stop at the model layer. Regulators want to know what hardware ran the inference, whether it was authorized, and whether the compute environment changed between audit periods. Today, no platform provides cryptographic proof of which silicon processed which workload. SWT3 does.

Deploy a DaemonSet that discovers accelerator hardware on every node and mints AI-HW.1 attestation anchors. Zero application code changes. One Helm install.

helm install swt3-witness oci://ghcr.io/tenova-labs/charts/swt3-witness \
  --set config.endpoint="https://sovereign.tenova.io" \
  --set config.apiKey="axm_live_..." \
  --set config.tenantId="YOUR_TENANT"

The DaemonSet auto-discovers 6 accelerator types per node:

Discovery Path Silicon Method
NVIDIA GPU A100, H100, H200, B200, GB200, NVL72 nvidia-smi
Google TPU v4, v5e, v5p, v6e, Trillium TPU_NAME env
AMD MI MI300X, MI325X, MI250 rocm-smi
AWS Trainium Trainium2, Inferentia2 neuron-ls
Intel Gaudi Gaudi3, Gaudi2 hl-smi
PCI Fallback Any 3D controller / processing accelerator /sys/bus/pci

Each node reports its silicon vendor, topology, memory, and per-accelerator detail. Non-accelerator nodes produce a valid anchor attesting "no accelerator detected" -- absence of hardware is also auditable evidence. Mixed-silicon clusters (NVIDIA + TPU + AMD in the same cluster) are fully supported.

What this proves to your auditor:

  • Which hardware ran each AI workload (EU AI Act Art. 15(4), NIST 800-53 SI-7)
  • Whether the compute environment changed between assessments (drift detection)
  • That inference didn't silently migrate to unauthorized or unqualified silicon
  • Full hardware provenance from silicon to model, combined with AI-HW.3 (TPM attestation)

The witness context includes silicon_vendor, discovery_method, and accelerators[]. All device identifiers are SHA-256 hashed before leaving the node. Serial numbers, UUIDs, and bus IDs are never transmitted in plaintext.

See the Cross-Silicon K8s Attestation Guide for GKE, EKS, AKS, and on-prem deployment patterns.

What Gets Witnessed

Each inference produces anchors across 103 AI procedures spanning 52 namespaces:

Procedure Domain What It Proves Regulatory Mapping
AI-INF.1 Inference Prompt and response captured (provenance) EU AI Act Art. 12
AI-INF.2 Inference Latency within threshold (detects model swaps) NIST AI RMF MEASURE 2.6
AI-MDL.1 Model Deployed model matches approved hash (integrity) EU AI Act Art. 9
AI-MDL.2 Model Model version identifier recorded (tracking) EU AI Act Art. 72
AI-MDL.5 Model Weight file SHA-256 verified (tamper detection) EU AI Act Art. 15(4)
AI-MDL.6 Model LoRA/PEFT adapter stack attested EU AI Act Art. 12(2)(b)
AI-MDL.7 Model Quantization method recorded EU AI Act Art. 15(3)
AI-GRD.1 Guardrail Required safety filters were active (enforcement) NIST AI RMF GOVERN 1.5
AI-GRD.2 Safety No content filter or refusal triggered EU AI Act Art. 14
AI-GRD.3 Gatekeeper Pre-call guardrail gate enforced EU AI Act Art. 9(2)
AI-RAG.1 Retrieval RAG context chunks and corpus attested EU AI Act Art. 12(2)(a)
AI-RAG.2 Retrieval Retrieval relevance scoring verified EU AI Act Art. 10(2)
AI-TOOL.1 Tool Use Agent tool/function call recorded (latency, success) NIST AI RMF MANAGE 4.1
AI-ID.1 Identity Witness instance identity attested (agent accountability) EU AI Act Art. 13
AI-ACC.1 Access Resource access granted or denied with scope EU AI Act Art. 9(4)(c)
AI-REV.1 Revocation Previously-issued anchor revoked with reason EU AI Act Art. 12(3)
AI-SEC.1 Security Adversarial threat detection performed EU AI Act Art. 15(4)
AI-SEC.2 Security Input validated and sanitized before inference EU AI Act Art. 15(3)
AI-SKILL.1 Skills Loaded skill/tool/plugin manifest attested EU AI Act Art. 12(2)(b)
AI-SKILL.2 Memory Active memory sources bound to decision EU AI Act Art. 12(2)(a)
AI-SKILL.3 Alignment RLHF/DPO reward model binding recorded EU AI Act Art. 9(4)(a)
AI-CHAIN.1 Chain Multi-agent handoff witnessed with cycle tracking EU AI Act Art. 12(2)(a)
AI-VIO.1 Violation Policy violation detected during inference EU AI Act Art. 9(4)(a)
AI-CHR.1 Charter Agent charter/system prompt hash attested EU AI Act Art. 13
AI-MDL.8 Model Model verified against approved registry EU AI Act Art. 51
AI-HITL.3 Oversight Reviewer identity bound to human review EU AI Act Art. 12(3)(d)
AI-SAFE.1 Safety Stop mechanism tested, safe state confirmed EU AI Act Art. 14(4)(e)
AI-HW.1 Hardware GPU/accelerator inventory attested at startup EU AI Act Art. 15(4)
AI-TRUST.1 Trust Mutual compliance trust verified between agents EU AI Act Art. 9(4)(c)
AI-TRUST.2 Trust Trust handshake details recorded EU AI Act Art. 12(2)(a)
AI-MARK.1 Content Content provenance marking attested EU AI Act Art. 50(2)
AI-BASE.1 Baseline Agent behavioral baseline monitored NIST AI RMF MEASURE 2.6
AI-ENV.1 Environment Runtime environment fingerprint recorded EU AI Act Art. 15(4)
AI-ENV.2 Environment Dependency manifest attested EU AI Act Art. 15(3)
AI-DATA.3 Data Training data lineage attested EU AI Act Art. 10(2)
AI-DATA.4 Data Data quality metrics recorded EU AI Act Art. 10(3)
AI-CHAIN.2 Chain Chain-of-trust credential verified EU AI Act Art. 9(4)(c)

Plus 65 additional procedures covering fairness, explainability, inference volume, model drift, human oversight, cybersecurity, supply chain, content marking, agent lifecycle, financial transactions, and cross-border routing. See the full procedure registry.

View an Anchor

A Level 1 anchor for AI-INF.1 (Inference Provenance). This is what reaches the witness ledger. No prompts, no responses, just cryptographic proof.

{
  "procedure_id": "AI-INF.1",
  "factor_a": 1,
  "factor_b": 1,
  "factor_c": 0,
  "clearing_level": 1,
  "anchor_fingerprint": "c059eb5938c0",
  "anchor_epoch": 1774800000,
  "fingerprint_timestamp_ms": 1774800000000,
  "ai_prompt_hash": "315f5bdb76d078c4",
  "ai_response_hash": "a1b2c3d4e5f60718",
  "ai_latency_ms": 842,
  "ai_model_id": "gpt-4o",
  "ai_context": {
    "provider": "openai",
    "guardrails": ["content-filter", "pii-redaction"]
  }
}

The anchor_fingerprint is computed from SHA256("WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{ts}"). Anyone with the factors can independently verify the math. Trust is a vulnerability. Math is the remedy.

Clearing Levels

The clearing engine controls what leaves your infrastructure. Your code always gets the full response. Clearing only affects what reaches the witness ledger.

Level Name On the Wire Use Case
0 Analytics Hashes + factors + model + provider + guardrails Internal analytics
1 Standard Hashes + factors + model + provider Default. Production apps
2 Sensitive Hashes + factors + model only Healthcare, legal, PII workloads
3 Classified Numeric factors only. Model ID hashed. Defense, air-gapped environments

At Level 1+, raw prompts and responses never leave your infrastructure.

SDKs

Language Package Install
Python swt3-ai pip install swt3-ai
TypeScript @tenova/swt3-ai npm install @tenova/swt3-ai
Swift swt3-ai Swift Package Manager
Rust swt3-ai cargo add swt3-ai
C# swt3-ai dotnet add package swt3-ai
Ruby swt3-ai gem install swt3-ai
MCP Server @tenova/swt3-mcp npx @tenova/swt3-mcp

7 SDKs, identical fingerprints. 207 cross-language test vectors validated at build time.

Get Started

  1. Create a free account - instant API key, no credit card
  2. pip install swt3-ai or npm install @tenova/swt3-ai
  3. Wrap your AI client. Every inference is witnessed.

Regulatory Coverage

Framework Coverage
EU AI Act Articles 9, 10, 12, 13, 14, 15, 50, 51, 53, 72
NIST AI RMF GOVERN, MAP, MEASURE, MANAGE (10 subcategories)
NIST 800-53 SI-7, AU-2, AU-3, AC controls
CMMC v2.0 Level 2 practice mappings
SR 11-7 Model Risk Management (5 examination areas)
ISO 42001 Annex A AI management controls

Repository Structure

packages/swt3-ai/        Python SDK (PyPI: swt3-ai)
packages/swt3-ai-ts/     TypeScript SDK (npm: @tenova/swt3-ai)
packages/swt3-ai-swift/  Swift SDK (Swift Package Index)
packages/swt3-ai-rust/   Rust SDK (crates.io: swt3-ai)
packages/swt3-ai-dotnet/ C# SDK (NuGet: swt3-ai)
packages/swt3-ai-ruby/   Ruby SDK (RubyGems: swt3-ai)
packages/swt3-mcp/       MCP Server (npm: @tenova/swt3-mcp)
packages/swt3-witness/   K8s DaemonSet (GHCR + Helm)
packages/libswt3/        Protocol reference implementation
config/                  Control definitions and framework crosswalks

Compliance & Privacy

Your prompts and responses never leave your infrastructure. The SDK computes SHA-256 hashes locally and transmits only irreversible hashes and numeric factors to the witness ledger. At Clearing Level 3, even the model name is hashed.

Documentation

Contributing

See CONTRIBUTING.md for development setup and guidelines.

License

Apache 2.0. See LICENSE. Patent pending.


If you believe AI systems should prove they followed the rules, give us a star.

SWT3: Sovereign Witness Traceability. We don't run your models. We witness them.

TeNova - Defining the AI Accountability Standard.

Recommended Servers

playwright-mcp

playwright-mcp

A Model Context Protocol server that enables LLMs to interact with web pages through structured accessibility snapshots without requiring vision models or screenshots.

Official
Featured
TypeScript
Magic Component Platform (MCP)

Magic Component Platform (MCP)

An AI-powered tool that generates modern UI components from natural language descriptions, integrating with popular IDEs to streamline UI development workflow.

Official
Featured
Local
TypeScript
Audiense Insights MCP Server

Audiense Insights MCP Server

Enables interaction with Audiense Insights accounts via the Model Context Protocol, facilitating the extraction and analysis of marketing insights and audience data including demographics, behavior, and influencer engagement.

Official
Featured
Local
TypeScript
VeyraX MCP

VeyraX MCP

Single MCP tool to connect all your favorite tools: Gmail, Calendar and 40 more.

Official
Featured
Local
graphlit-mcp-server

graphlit-mcp-server

The Model Context Protocol (MCP) Server enables integration between MCP clients and the Graphlit service. Ingest anything from Slack to Gmail to podcast feeds, in addition to web crawling, into a Graphlit project - and then retrieve relevant contents from the MCP client.

Official
Featured
TypeScript
Kagi MCP Server

Kagi MCP Server

An MCP server that integrates Kagi search capabilities with Claude AI, enabling Claude to perform real-time web searches when answering questions that require up-to-date information.

Official
Featured
Python
E2B

E2B

Using MCP to run code via e2b.

Official
Featured
Neon Database

Neon Database

MCP server for interacting with Neon Management API and databases

Official
Featured
Exa Search

Exa Search

A Model Context Protocol (MCP) server lets AI assistants like Claude use the Exa AI Search API for web searches. This setup allows AI models to get real-time web information in a safe and controlled way.

Official
Featured
Qdrant Server

Qdrant Server

This repository is an example of how to create a MCP server for Qdrant, a vector search engine.

Official
Featured