Prove your AI followed the rules. With tamper-proof evidence. Three lines of code. Zero data retained. 162 procedures across 5 industry verticals.
Wrap your AI client. Every inference is witnessed automatically. Your response is untouched.
from swt3_ai import Witness from openai import OpenAI witness = Witness( endpoint="https://sovereign.tenova.io", api_key="axm_live_...", tenant_id="YOUR_ENCLAVE", ) client = witness.wrap(OpenAI()) # Every inference is now witnessed. Response is untouched. response = client.chat.completions.create( model="gpt-4o", messages=[{"role": "user", "content": "Hello"}], ) print(response.choices[0].message.content)
What happens per inference: Intercept > Hash prompt/response locally > Extract factors (model, latency, tokens, guardrails) > Clear raw data from wire > Anchor to SWT3 ledger in background > Return your response untouched.
| Provider | Python | TypeScript | Detection |
|---|---|---|---|
| OpenAI | v0.4.1 | v0.4.1 | Auto (openai module) |
| Anthropic | v0.4.1 | v0.4.1 | Auto (anthropic module) |
| AWS Bedrock | v0.4.1 | v0.4.1 | Auto (botocore/BedrockRuntimeClient) |
| LiteLLM (100+) | v0.4.1 | N/A | Auto (litellm module) |
| Vercel AI SDK | N/A | v0.4.1 | onFinish callback |
| NVIDIA Dynamo | v0.4.1 | N/A | @witness_endpoint() decorator / WitnessInterceptor |
| MCP Server | N/A | v0.4.1 | @tenova/swt3-mcp (5 tools, 2 resources) |
| Ollama / vLLM | v0.4.1 | v0.4.1 | Via OpenAI-compatible client |
| Custom | v0.4.1 | v0.4.1 | @witness.inference() decorator / witness.record() |
client = witness.wrap(OpenAI()) response = client.chat.completions.create(model="gpt-4o", messages=[...])
client = witness.wrap(Anthropic()) message = client.messages.create(model="claude-sonnet-4-20250514", max_tokens=1024, messages=[...])
import boto3 bedrock = boto3.client("bedrock-runtime", region_name="us-east-1") client = witness.wrap(bedrock) response = client.converse( modelId="anthropic.claude-3-5-sonnet-20241022-v2:0", messages=[{"role": "user", "content": [{"text": "Hello"}]}], )
# Ollama exposes an OpenAI-compatible API from openai import OpenAI client = witness.wrap(OpenAI(base_url="http://localhost:11434/v1")) response = client.chat.completions.create(model="llama3", messages=[...])
Clearing controls what leaves your infrastructure. Your code always gets the full response. Clearing only affects the wire payload sent to the witness ledger.
| Level | Name | On the Wire | Use Case |
|---|---|---|---|
| 0 | Analytics | Hashes + factors + model ID + provider + guardrails | Internal dashboards |
| 1 | Standard | Hashes + factors + model ID + provider | Default. Production SaaS |
| 2 | Sensitive | Hashes + factors + model ID only | Healthcare, legal, PII |
| 3 | Classified | Numeric factors only. Model ID hashed. | Defense, SCIF, air-gapped |
# Level 2: Healthcare / Legal - no provider names on wire witness = Witness( endpoint="...", api_key="axm_...", tenant_id="...", clearing_level=2, )
At Level 1+, raw prompts and responses never leave your infrastructure. Only SHA-256 hashes and numeric factors travel on the wire. This satisfies both GDPR Article 17 (right to erasure) and EU AI Act Article 12 (record-keeping) simultaneously.
| Parameter | Default | Description |
|---|---|---|
| endpoint | required | Witness endpoint URL |
| api_key / apiKey | required | API key (axm_* prefix) |
| tenant_id / tenantId | required | Your enclave identifier |
| clearing_level / clearingLevel | 1 | Clearing level (0-3) |
| buffer_size / bufferSize | 10 | Flush after N anchors |
| flush_interval / flushInterval | 5.0 | Flush after N seconds |
| timeout | 10.0 | HTTP timeout for flush |
| max_retries / maxRetries | 3 | Retry count before dead-letter |
| latency_threshold_ms | 30000 | AI-INF.2 latency threshold (ms) |
| guardrails_required | 0 | AI-GRD.1 required guardrail count |
| guardrail_names | [] | Names of active guardrails |
| factor_handoff / factorHandoff | None | Handoff method: "file" (webhook, vault, KMS planned) |
| factor_handoff_path / factorHandoffPath | None | Directory for handoff files (required when handoff="file") |
| agent_id / agentId | None | Cryptographic agent identity (AI-ID.1) |
| signing_key / signingKey | None | HMAC-SHA256 key for payload non-repudiation |
| strict | False | Gatekeeper mode: block inference on witness failure |
| jurisdiction | None | ISO 3166-1 jurisdiction code (CJT field, survives all clearing) |
| legal_basis / legalBasis | None | GDPR legal basis (CJT field, survives all clearing) |
| purpose_class / purposeClass | None | Processing purpose classification (CJT field) |
| authorization_id / authorizationId | None | Pre-inference authorization gate reference |
| on_flush / onFlush | None | Callback invoked after each successful flush |
Each inference produces anchors for these procedures. Full factor definitions are in the UCT Registry.
| Procedure | Domain | What It Proves | EU AI Act |
|---|---|---|---|
| AI-INF.1 | Inference | Prompt and response were captured (provenance) | Art.12(1) |
| AI-INF.2 | Inference | Latency within threshold (detects model swaps) | Art.12(2) |
| AI-MDL.1 | Model | Deployed model matches approved identity | Art.9(4)(a) |
| AI-MDL.2 | Model | Model version identifier recorded | Art.12(2)(b) |
| AI-GRD.1 | Guardrail | Required safety filters were active | Art.9(2)(a) |
| AI-GRD.2 | Safety | No refusal or content filter triggered | Art.15(3) |
| AI-TOOL.1 | Tool Call | Agent tool/function call witnessed with outcome | Art.12(1) |
| AI-ID.1 | Identity | Agent cryptographic identity asserted | Art.12(1) |
| AI-ACC.1 | Access | Agent resource access witnessed with scope | Art.9(4)(c) |
| AI-REV.1 | Revocation | Previously-issued anchor revoked with reason | Art.14(4)(d) |
| AI-SEC.1 | Security | Adversarial threat detection witnessed | Art.15(4) |
| AI-SEC.2 | Validation | Input validated and sanitized before inference | Art.15(3) |
| Procedure | Domain | What It Proves | Framework |
|---|---|---|---|
| AI-GOV.6 | Scope | AI risk management scope defined (systems, tolerances, clearing) | GOVERN 1.3 |
| AI-GOV.7 | Resources | Budget, staffing, compute allocated for AI governance | GOVERN 2.2 |
| AI-RISK.1 | Risk | Risk register exists with sources, categories, residual risk | MAP 2.1 |
| AI-IR.1 | Incident | AI-specific incident response: recall, contamination, shadow AI | MANAGE 3.1 |
| AI-IMPACT.1 | Impact | Societal impact assessment beyond individual bias metrics | MAP 5.2 |
36 AI procedures + 5 FinTech (SR 11-7) + 5 Construction (OSHA) + 3 Healthcare (HIPAA) + 113 Infrastructure = 162 total across 13 frameworks. View full catalog.
| Procedure | Domain | What It Proves | SR 11-7 |
|---|---|---|---|
| FIN-GOV.1 | Governance | Committee achieved quorum and approved model | Sec. III |
| FIN-MRM.1 | Inventory | Model hash matches approved inventory entry | Sec. V |
| FIN-VAL.1 | Validation | Independent validator confirmed model performance | Sec. VI |
| FIN-MON.1 | Monitoring | Performance metric within threshold (PSI, AUC) | Sec. VII |
| FIN-OUT.1 | Outcomes | Back-test sample adequate and within tolerance | Sec. VIII |
At Clearing Level 2 and above, factors are purged from the wire. The Factor Handoff protocol lets you retain full evidence custody on your own infrastructure by writing uncleared factor data to a local file before clearing proceeds.
Safety guarantee: The handoff writes factors BEFORE clearing. If the write fails, the payload is NOT transmitted. Evidence custody is preserved or nothing happens.
witness = Witness(
endpoint="...",
api_key="axm_...",
tenant_id="...",
clearing_level=2,
factor_handoff="file",
factor_handoff_path="/secure/handoff/",
)
Each inference produces a JSON file with the full uncleared data (factors + metadata). The file is written atomically (temp + rename) with 0600 permissions. Your infrastructure retains the evidence; Axiom only receives the cleared version.
Full protocol spec: Factor Handoff Protocol
For AI agents that use tools, access resources, or operate in multi-agent chains. Every agent action produces a cryptographic anchor.
Bind a cryptographic identity to every anchor. Combined with a signing key, this provides non-repudiation: proof that a specific agent produced a specific output.
witness = Witness(
endpoint="...", api_key="axm_...", tenant_id="...",
agent_id="compliance-agent-v3",
signing_key="hmac-secret-key-here", # HMAC-SHA256
)
Witness every tool or function call your agent makes. Captures tool name, arguments hash, and outcome.
# Wrap a tool function @witness.wrap_tool(name="search_database") def search_db(query: str) -> list: return db.search(query) # Every call to search_db() now produces an AI-TOOL.1 anchor results = search_db("compliance violations Q1")
Witness resource access with scope. Proves what your agent accessed and with what permissions.
# Wrap a resource accessor @witness.wrap_access(resource="patient_records", scope="read") def get_patient(patient_id: str) -> dict: return ehr.get(patient_id) # AI-ACC.1 anchor: resource=patient_records, scope=read, outcome=success
Revoke a previously-issued anchor. The revocation itself is witnessed, creating an immutable record of the recall.
# Revoke an anchor by fingerprint witness.revoke( fingerprint="a1b2c3d4e5f6", reason="model_recall", # 7 reason codes ) # Reason codes: unspecified, model_recall, policy_violation, # data_contamination, consent_withdrawal, regulatory_order, error_correction
Jurisdiction, legal basis, and purpose classification fields survive all clearing levels. Required for EU AI Act Art. 12 record-keeping and GDPR lawful basis documentation.
witness = Witness(
endpoint="...", api_key="axm_...", tenant_id="...",
jurisdiction="DE", # ISO 3166-1
legal_basis="GDPR-6-1-f", # Legitimate interest
purpose_class="fraud_detection",
authorization_id="AUTH-2026-0042", # Pre-inference gate
)
Block inference if the witness endpoint is unreachable. For regulated environments where unwitnessed inferences are not acceptable.
witness = Witness(
endpoint="...", api_key="axm_...", tenant_id="...",
strict=True, # Raises WitnessError if endpoint unreachable
)
# Default (strict=False): inference proceeds, witness retries in background
# Gatekeeper (strict=True): inference blocked until witness confirms
Link anchors across agents in a workflow using cycle_id. Each agent in the chain references the same cycle, creating a traceable execution graph.
witness_a = Witness(endpoint="...", agent_id="planner", signing_key="...") witness_b = Witness(endpoint="...", agent_id="executor", signing_key="...") # Both agents share the same cycle_id cycle = "cycle-2026-04-26-001" client_a = witness_a.wrap(OpenAI(), cycle_id=cycle) client_b = witness_b.wrap(OpenAI(), cycle_id=cycle) # Anchors from both agents are linked in the ledger
# Decorator for custom inference functions @witness.inference() def my_pipeline(prompt: str) -> str: # Your custom logic return result # Or manual recording from swt3_ai.types import InferenceRecord from swt3_ai.fingerprint import sha256_truncated record = InferenceRecord( model_id="my-model-v2", model_hash=sha256_truncated("my-model-v2"), prompt_hash=sha256_truncated(prompt), response_hash=sha256_truncated(response), latency_ms=elapsed_ms, provider="custom", ) witness.record(record)
Two-layer architecture for infrastructure-level witnessing on NVIDIA Dynamo inference servers.
# Layer 1: Decorator (zero Dynamo dependencies) from swt3_ai.adapters.dynamo import witness_endpoint @witness_endpoint() async def generate(request): async for chunk in model.generate(request.prompt): yield chunk # Configure via SWT3_DSN (single env var) # SWT3_DSN=https://axm_live_xxx@sovereign.tenova.io/MY_TENANT # Layer 2: Service-graph (Dynamo-native, pip install swt3-ai[dynamo]) from swt3_ai.adapters.dynamo_infra import WitnessInterceptor # Injects as @service into Dynamo's depends() graph # Adds swt3_witness_total, swt3_clearing_level metrics
Export witness telemetry to any OpenTelemetry-compatible backend (Jaeger, Grafana, Datadog).
from swt3_ai.exporters.otel import OTelExporter witness = Witness( endpoint="...", api_key="axm_...", tenant_id="...", on_flush=OTelExporter( endpoint="http://localhost:4318/v1/traces" ), )
The SDK never blocks your inference. Witnessing happens in a background thread/microtask. If the endpoint is unreachable, payloads move to a dead-letter queue and drain automatically when connectivity is restored.
# Python: Check dead-letter status print(f"Pending: {witness.pending}") # Graceful shutdown (also happens at exit) receipts = witness.flush()
Axiom container images are scanned daily for vulnerabilities. Zero-critical-CVE policy enforced. All findings are automatically documented as POA&M entries with severity-based remediation timelines (CRITICAL: 7d, HIGH: 30d, MEDIUM: 90d). Scan results are self-anchored in the witness ledger (RA-5/SI-2).
Every anchor can be independently verified without an Axiom account.
# CLI $ axiom verify SWT3-E-CLOUD-AI-AI-INF.2-PASS-1774995559-a1b2c3d4e5f6 # Browser (zero server calls) sovereign.tenova.io/verify # Formula SHA256("WITNESS:{tenant}:{procedure}:{fa}:{fb}:{fc}:{ts_ms}")[0:12]