Pilot Onboarding Guide

Audience

For: Client development team. Total setup time: approximately 15 minutes for Steps 1 through 6.

Pre-requisites

What You Need

An AI system endpoint (OpenAI, Anthropic, AWS Bedrock, vLLM, Ollama, or any OpenAI-compatible API)
Python 3.9 or later, or Node.js 18 or later
Network access to sovereign.tenova.io on port 443

What TeNova Provides

Enclave-tier tenant ID (in your welcome email)
API key (shown once at signup -- save it immediately)
Calendar invites for three scheduled working sessions

Verify Your Account

5 minutes

Check your email for the verification link and click to confirm.
Sign in at sovereign.tenova.io/login with the email and password from signup.
Confirm your tenant ID appears in the dashboard header (top-left corner).
Bookmark these resources:
- AI Witness Quickstart
- SDK Documentation

Install the SDK

2 minutes

Python

TypeScript

pip install swt3-ai

Verify the installation:

python -c "import swt3_ai; print(swt3_ai.__version__)"

npm install @tenova/swt3-ai

Verify the installation:

node -e "console.log(require('@tenova/swt3-ai').version)"

Zero external dependencies. The SDK uses only standard library cryptography.

Choose Your Clearing Level

Decision point

Level	Name	What Leaves Your Infrastructure	Choose This If
0	Analytics	Hashes, factors, model name, provider	Internal analytics, no regulatory constraint
1	Standard	Hashes, factors, model name	Most production applications (RECOMMENDED)
2	Sensitive	Hashes and factors only	Healthcare, legal, PII-adjacent workloads
3	Classified	Numeric factors only, model name hashed	Defense, classified, air-gapped environments

We recommend Level 1 for most pilots. At Level 1 and above, raw prompts and responses never leave your infrastructure. Only cryptographic hashes and numeric compliance factors cross the network.

Wrap Your AI Client

5 minutes

OpenAI (Python)

Anthropic (Python)

OpenAI (TypeScript)

vLLM / Ollama

Vercel AI SDK

# OpenAI + Python
from swt3_ai import Witness
from openai import OpenAI

# --- Add these 3 lines ---
witness = Witness(
    endpoint="https://sovereign.tenova.io",
    api_key="YOUR_API_KEY",       # From signup email
    tenant_id="YOUR_TENANT_ID",   # From signup email
    clearing_level=1,             # See Step 3
)
client = witness.wrap(OpenAI())
# --- Your existing code below does not change ---

response = client.chat.completions.create(
    model="gpt-4o",
    messages=[{"role": "user", "content": "Summarize this contract"}],
)

# Anthropic + Python
from swt3_ai import Witness
from anthropic import Anthropic

witness = Witness(
    endpoint="https://sovereign.tenova.io",
    api_key="YOUR_API_KEY",
    tenant_id="YOUR_TENANT_ID",
    clearing_level=1,
)
client = witness.wrap(Anthropic())

response = client.messages.create(
    model="claude-sonnet-4-20250514",
    max_tokens=1024,
    messages=[{"role": "user", "content": "Summarize this contract"}],
)

// OpenAI + TypeScript
import { Witness } from '@tenova/swt3-ai';
import OpenAI from 'openai';

const witness = new Witness({
  endpoint: 'https://sovereign.tenova.io',
  apiKey: 'YOUR_API_KEY',
  tenantId: 'YOUR_TENANT_ID',
  clearingLevel: 1,
});
const client = witness.wrap(new OpenAI());

const response = await client.chat.completions.create({
  model: 'gpt-4o',
  messages: [{ role: 'user', content: 'Summarize this contract' }],
});

# vLLM or Ollama (OpenAI-compatible)
from swt3_ai import Witness
from openai import OpenAI

witness = Witness(
    endpoint="https://sovereign.tenova.io",
    api_key="YOUR_API_KEY",
    tenant_id="YOUR_TENANT_ID",
    clearing_level=1,
)

# vLLM
client = witness.wrap(OpenAI(base_url="http://localhost:8000/v1"))

# Ollama
client = witness.wrap(OpenAI(base_url="http://localhost:11434/v1"))

// Vercel AI SDK
import { Witness } from '@tenova/swt3-ai';
import { openai } from '@ai-sdk/openai';
import { streamText } from 'ai';

const witness = new Witness({
  endpoint: 'https://sovereign.tenova.io',
  apiKey: 'YOUR_API_KEY',
  tenantId: 'YOUR_TENANT_ID',
  clearingLevel: 1,
});
const model = witness.wrapModel(openai('gpt-4o'));

const result = await streamText({
  model,
  prompt: 'Summarize this contract',
});

Your existing application code does not change. The witness observes silently in the background. Inference latency is unaffected.

Run Your First Inference

1 minute

Make one API call through the wrapped client. Use any prompt.

Open your dashboard at sovereign.tenova.io. Navigate to the AI Witness page. You should see your first anchor within 30 seconds.

If no anchor appears:

Is your API key correct? It should start with axm_
Can your machine reach sovereign.tenova.io? Test: curl -s https://sovereign.tenova.io/api/v1/health
Is your tenant ID correct? Check Settings in the dashboard.
Did you set a clearing level? Default is Level 0 if not specified.

Verify Your First Anchor

2 minutes

Navigate to the Verify page at sovereign.tenova.io/verify.
Copy the SWT3 anchor token from the AI Witness page (it starts with SWT3-).
Paste it into the verification field and click Verify.
You should see VERIFIED with the fingerprint decomposition.

This proves the inference was witnessed and the evidence has not been tampered with. Your auditor can verify this same anchor independently at any time, with no login required.

Explore the Dashboard

Self-guided

Page	What It Shows
Command	Sovereign Score, drift monitor, overall compliance posture
Controls	Full control catalog with family grouping and verdict filters
Compliance Ledger	Chronological witness record with type, verdict, and family filters
Drift Monitor	CA-7 continuous monitoring with severity classification
AI Witness	KPI cards, per-model table, amnesia indicator, anchor history
Exports	OSCAL, Compliance Passport, conformity checklist, CSV export
Verify	Independent anchor verification (also available publicly)
Settings	API keys, account management, tenant configuration

To generate an auditor share link during the pilot: navigate to Settings, then Auditor Share Links. Your Enclave-tier access includes full share link capability.

Troubleshooting

No anchors appearing

Verify your API key starts with axm_ and contains no extra whitespace.
Test network connectivity: curl -s https://sovereign.tenova.io/api/v1/health should return {"status":"healthy",...}
Confirm your tenant ID matches the one shown in Settings.
Check that your AI client is using the wrapped client, not the original.

API key rejected (401)

Verify the key was copied completely from the signup screen.
Check for leading or trailing spaces.
If the key is lost, generate a new one at Settings > API Keys.

Dashboard shows wrong tenant

Sign out completely (sidebar > Logout).
Clear browser cookies for sovereign.tenova.io.
Sign in again with your pilot email and password.

I need to rotate my API key

Navigate to Settings > API Keys.
Click Create New Key (save it immediately -- shown once).
Update the key in your application code or SWT3_DSN environment variable.
Revoke the old key.

Connection timeout

Verify your firewall allows outbound HTTPS to sovereign.tenova.io (port 443).
If behind a corporate proxy, configure HTTPS_PROXY in your environment.
The SDK retries automatically. Check your application logs for retry messages.

Still stuck? Email engineering@tenovaai.com with your tenant ID and a description of the issue.

Pilot Timeline

Phase 1 -- Days 1-3: Setup
Complete Steps 1 through 6. First inferences witnessed and verified. Kickoff session with TeNova: tenant walkthrough, clearing level confirmation, initial anchor review.

Phase 2 -- Days 4-7: Evidence Generation
Run production-representative workload through the wrapped client. Accumulate witness anchors across your inference patterns. Mid-point session with TeNova: auditor portal walkthrough, evidence review, clearing level tuning.

Phase 3 -- Days 8-10: Review
Generate export packages (Compliance Passport, OSCAL AR, conformity checklist). Review evidence quality with your assessment team. Findings session with TeNova: gap identification, export walkthrough, transition discussion.