swt3-mcp
Cryptographic AI governance and audit. 18 tools, 28 frameworks. EU AI Act, NIST AI RMF, OWASP Agentic Top 10, CMMC, SR 11-7, ISO 42001. Tool policy gates, trust mesh, inference attestation, audit sessions. Zero-config demo mode.
SWT3 - Sovereign Witness Protocol for AI
Don't audit the agent's thoughts. Audit the agent's actions.
The Problem
AI agents are making production decisions: approving loans, triaging patients, managing infrastructure, writing code. In 2026, 65% of firms reported AI agent security incidents. Only 14.4% of agents go live with full security approval. When something goes wrong, there is no tamper-proof audit trail. Logs are mutable. Metrics are averaged. Nobody can prove what the agent actually did.
GPAI transparency obligations are enforceable now. EU AI Act high-risk enforcement begins December 2, 2027. NIST AI RMF, SR 11-7, and CMMC impose similar obligations. 72% of enterprises believe they have AI governance but lack actual control. Most teams have nothing but dashboards and hope.
The Protocol
SWT3 (Sovereign Witness Traceability) is a deterministic witness protocol for AI systems. It intercepts AI actions, hashes the evidence, and anchors cryptographic proof to an immutable ledger. Your code gets the full response. The auditor gets tamper-proof evidence. Raw prompts and responses never leave your infrastructure.
- Deterministic, not probabilistic. The witness engine uses fixed logic, not AI, to evaluate compliance.
- Zero data retention. Configurable clearing levels strip sensitive content before it leaves your environment.
- Framework-mapped. Every anchor maps to EU AI Act articles, NIST AI RMF functions, and federal controls.
Try It (10 Seconds, No Account)
Python

```shell
pip install swt3-ai
python -m swt3_ai.demo
```

TypeScript

```shell
npm install @tenova/swt3-ai
npx swt3-demo
```
No API keys. No account. No network calls. You will see the full witnessing pipeline run locally.
Three Lines to Production
```python
from swt3_ai import Witness
from openai import OpenAI

witness = Witness(endpoint="https://sovereign.tenova.io", api_key="axm_live_...", tenant_id="YOUR_TENANT")
client = witness.wrap(OpenAI())

# Every inference is now witnessed. Your code does not change.
response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize this contract"}],
)
```
Works with OpenAI, Anthropic, AWS Bedrock, Vercel AI SDK, LangChain, LiteLLM (100+ providers), and any OpenAI-compatible endpoint (vLLM, Ollama, Azure OpenAI).
K8s Hardware Attestation
AI compliance doesn't stop at the model layer. Regulators want to know what hardware ran the inference, whether it was authorized, and whether the compute environment changed between audit periods. Today, no platform provides cryptographic proof of which silicon processed which workload. SWT3 does.
Deploy a DaemonSet that discovers accelerator hardware on every node and mints AI-HW.1 attestation anchors. Zero application code changes. One Helm install.
```shell
helm install swt3-witness oci://ghcr.io/tenova-labs/charts/swt3-witness \
  --set config.endpoint="https://sovereign.tenova.io" \
  --set config.apiKey="axm_live_..." \
  --set config.tenantId="YOUR_TENANT"
```
The DaemonSet auto-discovers 6 accelerator types per node:
| Discovery Path | Silicon | Method |
|---|---|---|
| NVIDIA GPU | A100, H100, H200, B200, GB200, NVL72 | nvidia-smi |
| Google TPU | v4, v5e, v5p, v6e, Trillium | TPU_NAME env |
| AMD MI | MI300X, MI325X, MI250 | rocm-smi |
| AWS Trainium | Trainium2, Inferentia2 | neuron-ls |
| Intel Gaudi | Gaudi3, Gaudi2 | hl-smi |
| PCI Fallback | Any 3D controller / processing accelerator | /sys/bus/pci |
Each node reports its silicon vendor, topology, memory, and per-accelerator detail. Non-accelerator nodes produce a valid anchor attesting "no accelerator detected" -- absence of hardware is also auditable evidence. Mixed-silicon clusters (NVIDIA + TPU + AMD in the same cluster) are fully supported.
What this proves to your auditor:
- Which hardware ran each AI workload (EU AI Act Art. 15(4), NIST 800-53 SI-7)
- Whether the compute environment changed between assessments (drift detection)
- That inference didn't silently migrate to unauthorized or unqualified silicon
- Full hardware provenance from silicon to model, combined with AI-HW.3 (TPM attestation)
The witness context includes `silicon_vendor`, `discovery_method`, and `accelerators[]`. All device identifiers are SHA-256 hashed before leaving the node. Serial numbers, UUIDs, and bus IDs are never transmitted in plaintext.
See the Cross-Silicon K8s Attestation Guide for GKE, EKS, AKS, and on-prem deployment patterns.
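The discovery-then-hash step described above, as an added illustration that is not the DaemonSet's own code: it parses a constructed `nvidia-smi --query-gpu=name,uuid,serial,memory.total --format=csv,noheader,nounits` output, falls back to a constructed `/sys/bus/pci` class-code view (3D controller or processing accelerator), emits the `silicon_vendor` / `discovery_method` / `accelerators[]` context named in the README with every identifier replaced by its SHA-256, and produces the "no accelerator detected" context when nothing is found. The per-accelerator field names (`uuid_sha256`, `serial_sha256`, `bus_id_sha256`, `memory_mib`) and the `"none"` discovery method are assumptions for this example.

```python
import hashlib
import json

# Constructed sample data standing in for what a node agent would read; not real devices.
SAMPLE_NVIDIA_SMI_CSV = """NVIDIA H100 80GB HBM3, GPU-11111111-2222-3333-4444-555555555555, 1650123456789, 81559
NVIDIA H100 80GB HBM3, GPU-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee, 1650123456790, 81559
"""
# Raw identifiers from the sample above; used to check nothing leaks in plaintext.
SAMPLE_RAW_IDS = [
    "GPU-11111111-2222-3333-4444-555555555555",
    "GPU-aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
    "1650123456789",
    "1650123456790",
]
# Constructed /sys/bus/pci view {bus_id: class}. 0x030200 = 3D controller,
# 0x120000 = processing accelerator (PCI class codes); 0x020000 is a plain NIC.
SAMPLE_PCI_CLASSES = {"0000:17:00.0": "0x030200", "0000:3b:00.0": "0x020000"}
SAMPLE_PCI_CLASSES_NO_ACCEL = {"0000:3b:00.0": "0x020000"}


def device_id_hash(identifier: str) -> str:
    """Full SHA-256 hex digest of a device identifier; only the digest leaves the node."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def discover_nvidia(csv_text: str) -> list:
    """Parse nvidia-smi CSV rows (name, uuid, serial, memory.total in MiB) and hash identifiers."""
    accelerators = []
    for line in csv_text.strip().splitlines():
        name, uuid, serial, mem = [field.strip() for field in line.split(",")]
        accelerators.append({
            "model": name,
            "memory_mib": int(mem),
            "uuid_sha256": device_id_hash(uuid),
            "serial_sha256": device_id_hash(serial),
        })
    return accelerators


def discover_pci_fallback(pci_classes: dict) -> list:
    """Fallback path: any 3D controller (class 0x0302xx) or processing accelerator (0x12xxxx)."""
    accelerators = []
    for bus_id, class_code in sorted(pci_classes.items()):
        code = int(class_code, 16)
        if code >> 16 == 0x12 or code >> 8 == 0x0302:
            accelerators.append({"pci_class": class_code, "bus_id_sha256": device_id_hash(bus_id)})
    return accelerators


def build_hw_context(nvidia_csv: str = None, pci_classes: dict = None) -> dict:
    """Assemble the witness context: silicon_vendor, discovery_method, accelerators[]."""
    if nvidia_csv:
        accel = discover_nvidia(nvidia_csv)
        if accel:
            return {"silicon_vendor": "nvidia", "discovery_method": "nvidia-smi", "accelerators": accel}
    accel = discover_pci_fallback(pci_classes or {})
    if accel:
        return {"silicon_vendor": "unknown", "discovery_method": "/sys/bus/pci", "accelerators": accel}
    # Absence is also evidence: a valid context attesting that no accelerator was detected.
    return {"silicon_vendor": None, "discovery_method": "none", "accelerators": []}


def leaks_plaintext_ids(context: dict, raw_ids: list) -> list:
    """Pre-transmission check: return any raw identifier that appears in the serialized context."""
    serialized = json.dumps(context)
    return [identifier for identifier in raw_ids if identifier in serialized]


if __name__ == "__main__":
    ctx = build_hw_context(SAMPLE_NVIDIA_SMI_CSV, SAMPLE_PCI_CLASSES)
    print(json.dumps(ctx, indent=2))
    print("leaked identifiers:", leaks_plaintext_ids(ctx, SAMPLE_RAW_IDS))
    print(json.dumps(build_hw_context(pci_classes=SAMPLE_PCI_CLASSES_NO_ACCEL)))
```

The `leaks_plaintext_ids` check is the part worth keeping in any real agent: it runs over the exact bytes about to be sent, so a field added later (a new vendor path, a debug key) cannot quietly reintroduce a serial number or bus ID.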
What Gets Witnessed
Each inference produces anchors across 103 AI procedures spanning 52 namespaces:
| Procedure | Domain | What It Proves | Regulatory Mapping |
|---|---|---|---|
| AI-INF.1 | Inference | Prompt and response captured (provenance) | EU AI Act Art. 12 |
| AI-INF.2 | Inference | Latency within threshold (detects model swaps) | NIST AI RMF MEASURE 2.6 |
| AI-MDL.1 | Model | Deployed model matches approved hash (integrity) | EU AI Act Art. 9 |
| AI-MDL.2 | Model | Model version identifier recorded (tracking) | EU AI Act Art. 72 |
| AI-MDL.5 | Model | Weight file SHA-256 verified (tamper detection) | EU AI Act Art. 15(4) |
| AI-MDL.6 | Model | LoRA/PEFT adapter stack attested | EU AI Act Art. 12(2)(b) |
| AI-MDL.7 | Model | Quantization method recorded | EU AI Act Art. 15(3) |
| AI-GRD.1 | Guardrail | Required safety filters were active (enforcement) | NIST AI RMF GOVERN 1.5 |
| AI-GRD.2 | Safety | No content filter or refusal triggered | EU AI Act Art. 14 |
| AI-GRD.3 | Gatekeeper | Pre-call guardrail gate enforced | EU AI Act Art. 9(2) |
| AI-RAG.1 | Retrieval | RAG context chunks and corpus attested | EU AI Act Art. 12(2)(a) |
| AI-RAG.2 | Retrieval | Retrieval relevance scoring verified | EU AI Act Art. 10(2) |
| AI-TOOL.1 | Tool Use | Agent tool/function call recorded (latency, success) | NIST AI RMF MANAGE 4.1 |
| AI-ID.1 | Identity | Witness instance identity attested (agent accountability) | EU AI Act Art. 13 |
| AI-ACC.1 | Access | Resource access granted or denied with scope | EU AI Act Art. 9(4)(c) |
| AI-REV.1 | Revocation | Previously-issued anchor revoked with reason | EU AI Act Art. 12(3) |
| AI-SEC.1 | Security | Adversarial threat detection performed | EU AI Act Art. 15(4) |
| AI-SEC.2 | Security | Input validated and sanitized before inference | EU AI Act Art. 15(3) |
| AI-SKILL.1 | Skills | Loaded skill/tool/plugin manifest attested | EU AI Act Art. 12(2)(b) |
| AI-SKILL.2 | Memory | Active memory sources bound to decision | EU AI Act Art. 12(2)(a) |
| AI-SKILL.3 | Alignment | RLHF/DPO reward model binding recorded | EU AI Act Art. 9(4)(a) |
| AI-CHAIN.1 | Chain | Multi-agent handoff witnessed with cycle tracking | EU AI Act Art. 12(2)(a) |
| AI-VIO.1 | Violation | Policy violation detected during inference | EU AI Act Art. 9(4)(a) |
| AI-CHR.1 | Charter | Agent charter/system prompt hash attested | EU AI Act Art. 13 |
| AI-MDL.8 | Model | Model verified against approved registry | EU AI Act Art. 51 |
| AI-HITL.3 | Oversight | Reviewer identity bound to human review | EU AI Act Art. 12(3)(d) |
| AI-SAFE.1 | Safety | Stop mechanism tested, safe state confirmed | EU AI Act Art. 14(4)(e) |
| AI-HW.1 | Hardware | GPU/accelerator inventory attested at startup | EU AI Act Art. 15(4) |
| AI-TRUST.1 | Trust | Mutual compliance trust verified between agents | EU AI Act Art. 9(4)(c) |
| AI-TRUST.2 | Trust | Trust handshake details recorded | EU AI Act Art. 12(2)(a) |
| AI-MARK.1 | Content | Content provenance marking attested | EU AI Act Art. 50(2) |
| AI-BASE.1 | Baseline | Agent behavioral baseline monitored | NIST AI RMF MEASURE 2.6 |
| AI-ENV.1 | Environment | Runtime environment fingerprint recorded | EU AI Act Art. 15(4) |
| AI-ENV.2 | Environment | Dependency manifest attested | EU AI Act Art. 15(3) |
| AI-DATA.3 | Data | Training data lineage attested | EU AI Act Art. 10(2) |
| AI-DATA.4 | Data | Data quality metrics recorded | EU AI Act Art. 10(3) |
| AI-CHAIN.2 | Chain | Chain-of-trust credential verified | EU AI Act Art. 9(4)(c) |
Plus 65 additional procedures covering fairness, explainability, inference volume, model drift, human oversight, cybersecurity, supply chain, content marking, agent lifecycle, financial transactions, and cross-border routing. See the full procedure registry.
View an Anchor
A Level 1 anchor for AI-INF.1 (Inference Provenance). This is what reaches the witness ledger. No prompts, no responses, just cryptographic proof.
```json
{
  "procedure_id": "AI-INF.1",
  "factor_a": 1,
  "factor_b": 1,
  "factor_c": 0,
  "clearing_level": 1,
  "anchor_fingerprint": "c059eb5938c0",
  "anchor_epoch": 1774800000,
  "fingerprint_timestamp_ms": 1774800000000,
  "ai_prompt_hash": "315f5bdb76d078c4",
  "ai_response_hash": "a1b2c3d4e5f60718",
  "ai_latency_ms": 842,
  "ai_model_id": "gpt-4o",
  "ai_context": {
    "provider": "openai",
    "guardrails": ["content-filter", "pii-redaction"]
  }
}
```
The `anchor_fingerprint` is computed from `SHA256("WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{ts}")`. Anyone with the factors can independently verify the math. Trust is a vulnerability. Math is the remedy.
Clearing Levels
The clearing engine controls what leaves your infrastructure. Your code always gets the full response. Clearing only affects what reaches the witness ledger.
| Level | Name | On the Wire | Use Case |
|---|---|---|---|
| 0 | Analytics | Hashes + factors + model + provider + guardrails | Internal analytics |
| 1 | Standard | Hashes + factors + model + provider | Default. Production apps |
| 2 | Sensitive | Hashes + factors + model only | Healthcare, legal, PII workloads |
| 3 | Classified | Numeric factors only. Model ID hashed. | Defense, air-gapped environments |
At Level 1+, raw prompts and responses never leave your infrastructure.
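An added example (not the SDK's code) that ties the fingerprint formula in the "View an Anchor" section to the clearing table above: it builds an AI-INF.1 anchor locally from a prompt and response, computes `anchor_fingerprint` exactly as `SHA256("WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{ts}")`, strips fields per clearing level, and includes the independent verifier an auditor would run. Assumptions: the fingerprint is truncated to 12 hex characters and the prompt/response hashes to 16 (matching the sample anchor's lengths), `{ts}` is `anchor_epoch`, and the fields dropped at each level are read off the "On the Wire" column (the sample anchor shows guardrails at level 1, so the real rule may differ). Level 3's "numeric factors only" is taken to mean the prompt/response hashes are dropped as well.

```python
import hashlib
import hmac
import json

# Clearing levels from the README table; field rules below are an assumption for this example.
ANALYTICS, STANDARD, SENSITIVE, CLASSIFIED = 0, 1, 2, 3
PROCEDURE = "AI-INF.1"


def short_hash(data: str, length: int) -> str:
    """Truncated hex SHA-256, mirroring the short hashes in the sample anchor (assumed lengths)."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()[:length]


def compute_fingerprint(tenant: str, procedure: str, fa: int, fb: int, fc: int, ts: int) -> str:
    """SHA256("WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{ts}") as stated in the README,
    truncated to 12 hex characters (assumption matching the sample anchor)."""
    material = f"WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{ts}"
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:12]


def apply_clearing(anchor: dict, level: int) -> dict:
    """Return the on-the-wire view of an anchor for a clearing level; the caller keeps the full record."""
    cleared = json.loads(json.dumps(anchor))  # deep copy so the local record is untouched
    ctx = cleared.setdefault("ai_context", {})
    if level >= STANDARD:
        ctx.pop("guardrails", None)  # only level 0 (Analytics) ships the guardrail list
    if level >= SENSITIVE:
        ctx.pop("provider", None)  # level 2: hashes + factors + model only
    if level >= CLASSIFIED:
        cleared["ai_model_id"] = short_hash(cleared["ai_model_id"], 16)  # model ID hashed
        cleared.pop("ai_prompt_hash", None)  # assumption: "numeric factors only"
        cleared.pop("ai_response_hash", None)
    if not ctx:
        cleared.pop("ai_context", None)
    cleared["clearing_level"] = level
    return cleared


def build_anchor(tenant, prompt, response, model_id, provider, guardrails,
                 latency_ms, epoch, level=STANDARD, factors=(1, 1, 0)) -> dict:
    """Build an AI-INF.1 anchor locally: raw text is hashed here and never stored in the anchor."""
    fa, fb, fc = factors
    anchor = {
        "procedure_id": PROCEDURE,
        "factor_a": fa,
        "factor_b": fb,
        "factor_c": fc,
        "clearing_level": level,
        "anchor_fingerprint": compute_fingerprint(tenant, PROCEDURE, fa, fb, fc, epoch),
        "anchor_epoch": epoch,
        "fingerprint_timestamp_ms": epoch * 1000,
        "ai_prompt_hash": short_hash(prompt, 16),
        "ai_response_hash": short_hash(response, 16),
        "ai_latency_ms": latency_ms,
        "ai_model_id": model_id,
        "ai_context": {"provider": provider, "guardrails": list(guardrails)},
    }
    return apply_clearing(anchor, level)


def verify_anchor(anchor: dict, tenant: str) -> bool:
    """Auditor-side check: recompute the fingerprint from the factors and compare in constant time."""
    expected = compute_fingerprint(tenant, anchor["procedure_id"], anchor["factor_a"],
                                   anchor["factor_b"], anchor["factor_c"], anchor["anchor_epoch"])
    return hmac.compare_digest(expected, anchor["anchor_fingerprint"])


if __name__ == "__main__":
    # Constructed sample values; "YOUR_TENANT" is a placeholder tenant id.
    anchor = build_anchor("YOUR_TENANT", "Summarize this contract", "The contract grants ...",
                          "gpt-4o", "openai", ["content-filter", "pii-redaction"], 842, 1774800000)
    print(json.dumps(anchor, indent=2))
    print("verifies:", verify_anchor(anchor, "YOUR_TENANT"))
    anchor["factor_c"] = 1  # any edit to a factor breaks the fingerprint
    print("verifies after tampering:", verify_anchor(anchor, "YOUR_TENANT"))
```

Two points the code makes concrete: the fingerprint binds only the factors, procedure and timestamp, so it still verifies at level 3 after the hashes are stripped, and the verifier needs the tenant id, which is therefore part of what an auditor must be given alongside the anchor.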
SDKs
| Language | Package | Install |
|---|---|---|
| Python | swt3-ai | pip install swt3-ai |
| TypeScript | @tenova/swt3-ai | npm install @tenova/swt3-ai |
| Swift | swt3-ai | Swift Package Manager |
| Rust | swt3-ai | cargo add swt3-ai |
| C# | swt3-ai | dotnet add package swt3-ai |
| Ruby | swt3-ai | gem install swt3-ai |
| MCP Server | @tenova/swt3-mcp | npx @tenova/swt3-mcp |
7 SDKs, identical fingerprints. 207 cross-language test vectors validated at build time.
Get Started
- Create a free account - instant API key, no credit card
- `pip install swt3-ai` or `npm install @tenova/swt3-ai`
- Wrap your AI client. Every inference is witnessed.
Regulatory Coverage
| Framework | Coverage |
|---|---|
| EU AI Act | Articles 9, 10, 12, 13, 14, 15, 50, 51, 53, 72 |
| NIST AI RMF | GOVERN, MAP, MEASURE, MANAGE (10 subcategories) |
| NIST 800-53 | SI-7, AU-2, AU-3, AC controls |
| CMMC v2.0 | Level 2 practice mappings |
| SR 11-7 | Model Risk Management (5 examination areas) |
| ISO 42001 | Annex A AI management controls |
Repository Structure
```text
packages/swt3-ai/          Python SDK (PyPI: swt3-ai)
packages/swt3-ai-ts/       TypeScript SDK (npm: @tenova/swt3-ai)
packages/swt3-ai-swift/    Swift SDK (Swift Package Index)
packages/swt3-ai-rust/     Rust SDK (crates.io: swt3-ai)
packages/swt3-ai-dotnet/   C# SDK (NuGet: swt3-ai)
packages/swt3-ai-ruby/     Ruby SDK (RubyGems: swt3-ai)
packages/swt3-mcp/         MCP Server (npm: @tenova/swt3-mcp)
packages/swt3-witness/     K8s DaemonSet (GHCR + Helm)
packages/libswt3/          Protocol reference implementation
config/                    Control definitions and framework crosswalks
```
Compliance & Privacy
Your prompts and responses never leave your infrastructure. The SDK computes SHA-256 hashes locally and transmits only irreversible hashes and numeric factors to the witness ledger. At Clearing Level 3, even the model name is hashed.
- Data Flow and Privacy Architecture - Visual data boundary for legal and DPO review
- Clearing & Data Sovereignty Addendum - Shared responsibility, incident response SLA, regulatory applicability
- Air-Gap Deployment Guide - Zero-egress operation, sneakernet sync, offline verification
Documentation
- SDK Developer Docs - Quickstart, providers, clearing levels
- Factor Handoff Protocol - Secure factor custody transfer
- CMMC Compliance Overlay - Defense industrial base mappings
- SR 11-7 Compliance Overlay - Model risk management mappings
Contributing
See CONTRIBUTING.md for development setup and guidelines.
License
Apache 2.0. See LICENSE. Patent pending.
If you believe AI systems should prove they followed the rules, give us a star.
SWT3: Sovereign Witness Traceability. We don't run your models. We witness them.
TeNova - Defining the AI Accountability Standard.