Test Vectors: 13 Fingerprint + 7 Signing/Hash
EU AI Act Articles: 17 Covered
Independent convergence, not derivative implementation.
SWT3 has been in production since February 2026. The fingerprint formula and anchor format were locked on March 29, 2026. Both SWT3 and the Futurium proposal independently converged on the same architectural pattern for cryptographic AI compliance enforcement.
1. The Futurium Proposal
Four technical papers published on the European Commission's Futurium platform (April 2026) propose an execution-time governance architecture for EU AI Act compliance. The central argument: most AI governance approaches are policy-centric rather than machine-enforceable. They lack a cryptographically enforceable control point at the precise moment an AI output becomes externally effective.
The architecture is built on four interacting primitives:
| Primitive | Full Name | Function |
| VI | Virtual Identity | Session-scoped, privacy-preserving runtime identity substitute |
| CJT | Compliance Jurisdiction Token | Signed authorization object encoding purpose, jurisdiction, legal basis, temporal validity |
| ALF | Algorithmic Logic Fingerprint | Behavioral class verification -- was the approved logic actually used at runtime? |
| Dual LAVR | Ledger-Anchored Validation Receipts | Internal (full evidence) + external (privacy-preserving) tamper-evident receipts |
The governing design principle: Computation may occur freely. Externally effective release must remain cryptographically gated.
2. Primitive-by-Primitive Mapping
2.1 VI (Virtual Identity) → SWT3 Agent Identity (Built)
VI proposes a session-scoped identity substitute that prevents persistent identity linkage while enabling controlled accountability. SWT3 implements this through three fields:
| Paper Concept | SWT3 Field | Behavior |
| Session-scoped identity | agent_id | Per-instance identifier; bound to AI-ID.1 procedure; survives all 4 clearing levels |
| Non-repudiation | signing_key / payload_signature | HMAC-SHA256 proof of origin on every payload |
| Multi-agent chains | cycle_id | Links multiple agents in a single workflow; survives all clearing levels |
| Privacy preservation | Clearing engine | At Level 3, only agent_id, cycle_id, policy_version_hash, and factors survive |
| Tenant isolation | tenant_id | Organizational boundary; all anchors scoped to a single tenant |
```python
from swt3_ai import Witness

witness = Witness(
    endpoint="https://sovereign.tenova.io/api/v1/witness",
    api_key="swt3_...",
    tenant_id="ACME_CORP",
    agent_id="fraud-detector-prod-v2",      # VI equivalent
    signing_key="swt3_sk_abc123...",        # Non-repudiation
    cycle_id="workflow-audit-2026-04-24",   # Chain link
)
```
2.2 CJT (Compliance Jurisdiction Token) → SWT3 Witness Anchor (Built)
CJT is a signed authorization object encoding lawful purpose, jurisdiction, and compliance constraints. SWT3 implements this through the Witness Anchor format:
| Paper Concept | SWT3 Implementation | Detail |
| Signed object | SWT3 Witness Anchor | SWT3-{TIER}-{PROVIDER}-{UCT}-{PROCEDURE}-{VERDICT}-{EPOCH}-{FINGERPRINT} |
| Jurisdiction | Tier + Provider | E (Enclave), S (SaaS), H (Hybrid); AWS, GCP, AZURE, etc. |
| Purpose class | Procedure ID | 36 AI procedures classify the compliance claim |
| Verdict | Verdict field | PASS, FAIL, INHERITED, LAPSED, UNKNOWN |
| Temporal binding | Epoch timestamp | Unix seconds, immutable once minted |
| Policy binding | policy_version_hash | SHA-256[:12] of policy config; survives all clearing levels |
| Issuer signature | payload_signature | HMAC-SHA256 using signing_key |
```
SWT3-E-AWS-AI-AIINF1-PASS-1773316622-96b7d56c0245
     ^ ^   ^  ^      ^    ^          ^
     | |   |  |      |    |          Fingerprint
     | |   |  |      |    Epoch
     | |   |  |      Verdict
     | |   |  Procedure
     | |   UCT
     | Provider
     Tier
```
Key distinction: CJT is a pre-inference authorization (issued before compute). The SWT3 anchor is a post-inference attestation (generated after observation). SWT3's Gatekeeper mode (strict=True) adds pre-inference enforcement via AI-GRD.3, partially implementing the CJT pre-compute concept.
2.3 ALF (Algorithmic Logic Fingerprint) → SWT3 Fingerprint Formula (Locked)
ALF binds execution to an approved behavioral class and detects material deviation at runtime. SWT3 implements this through a locked, cross-language fingerprint formula:
| Paper Concept | SWT3 Implementation | Detail |
| Behavioral fingerprint | Fingerprint formula | SHA256("WITNESS:{tenant}:{proc}:{fa}:{fb}:{fc}:{ts_ms}").hex()[:12] |
| Deterministic | Locked formula | Identical output across Python, TypeScript, Rust, C#, Ruby |
| Test vectors | 13 fingerprint vectors | 100% cross-language parity verified |
| Model drift | AI-MDL.3 procedure | Accuracy degradation tracking against baseline |
| Guardrail state | AI-GRD.1 procedure | factor_a=required, factor_b=active, factor_c=pass/fail |
| No model access | Factor-only verification | Requires only numeric factors + timestamp, not the model |
Test Vector #1 (Cross-Language)
```
Input:  "WITNESS:ACME_PROD:AI-INF.1:1:1:0:1774800000000"
SHA256: 32241a3056cd...
Output: 32241a3056cd (first 12 hex characters)

# Any party can recompute this from the original factors.
# If the result matches, the evidence has not been altered.
```
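An added example (not code from the SWT3 SDK) that recomputes the fingerprint with the formula above and checks it against an anchor parsed per the format in section 2.2. Two points are assumptions not stated on the page: that the anchor epoch equals `ts_ms` truncated to seconds, and that `:` is rejected in the tenant and procedure fields, since the formula joins fields with `:` and would otherwise hash ambiguous input.

```python
import hashlib
import hmac
import re

# Anchor layout as given on the page:
# SWT3-{TIER}-{PROVIDER}-{UCT}-{PROCEDURE}-{VERDICT}-{EPOCH}-{FINGERPRINT}
TIERS = {"E", "S", "H"}
VERDICTS = {"PASS", "FAIL", "INHERITED", "LAPSED", "UNKNOWN"}
EPOCH_RE = re.compile(r"[0-9]+")
FP_RE = re.compile(r"[0-9a-f]{12}")

def fingerprint(tenant, proc, fa, fb, fc, ts_ms):
    """Formula from the page: first 12 hex chars of SHA-256 over the WITNESS string."""
    # Assumption (not stated on the page): refuse ':' in text fields, because
    # "A:B" + "C" and "A" + "B:C" would otherwise produce the same preimage.
    for field in (tenant, proc):
        if ":" in field:
            raise ValueError(f"':' not allowed in field: {field!r}")
    preimage = f"WITNESS:{tenant}:{proc}:{fa}:{fb}:{fc}:{ts_ms}"
    return hashlib.sha256(preimage.encode("utf-8")).hexdigest()[:12]

def parse_anchor(anchor):
    """Split an anchor into its eight fields and validate each one."""
    parts = anchor.split("-")
    if len(parts) != 8 or parts[0] != "SWT3":
        raise ValueError("not an SWT3 anchor")
    _, tier, provider, uct, procedure, verdict, epoch, fp = parts
    if tier not in TIERS or verdict not in VERDICTS:
        raise ValueError("unknown tier or verdict")
    if not EPOCH_RE.fullmatch(epoch) or not FP_RE.fullmatch(fp):
        raise ValueError("malformed epoch or fingerprint")
    return {"tier": tier, "provider": provider, "uct": uct, "procedure": procedure,
            "verdict": verdict, "epoch": int(epoch), "fingerprint": fp}

def verify(anchor, tenant, proc, fa, fb, fc, ts_ms):
    """Recompute the fingerprint from the original factors and compare to the anchor."""
    claimed = parse_anchor(anchor)
    # Assumption: the anchor's epoch (seconds) is ts_ms truncated to seconds.
    if ts_ms // 1000 != claimed["epoch"]:
        return False
    return hmac.compare_digest(fingerprint(tenant, proc, fa, fb, fc, ts_ms),
                               claimed["fingerprint"])

if __name__ == "__main__":
    # Test Vector #1 input from the page; the page lists 32241a3056cd as the output.
    fp = fingerprint("ACME_PROD", "AI-INF.1", 1, 1, 0, 1774800000000)
    print(fp, fp == "32241a3056cd")
```

Because the formula is unkeyed, a match shows that the factors and the anchor agree with each other; proof of who produced them rests on the `payload_signature` and ledger mechanisms described elsewhere on the page.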
2.4 Dual LAVR → SWT3 Ledger + Public Verification (Built)
The papers propose dual receipts: Internal LAVR stores the full governance trace; External LAVR provides a bounded, privacy-preserving proof for regulators. SWT3 implements this separation architecturally:
| Paper Concept | SWT3 Implementation | Detail |
| Internal LAVR | Witness ledger | Full factors, metadata, ai_context, hashes, model_id, timestamps |
| External LAVR | SWT3 Anchor string | Only format string -- no internal state exposed |
| Tamper evidence | SHA-256 fingerprint | Recomputable; modification invalidates the anchor |
| Ledger integrity | Daily Merkle rollup | One root per tenant per day; domain-separated tree |
| Verifiability | Public /verify/ | No authentication required; recomputes fingerprint |
| Merkle proof | Proof API | GET /api/v1/merkle/proof?fingerprint=xxx |
Clearing Levels (Privacy Graduation)
| Level | Name | What Survives on Wire | GDPR Alignment |
| 0 | Analytics | All hashes, model_id, context, tokens, latency | Full transparency (internal audit) |
| 1 | Standard | Hashes, model_id, context (no raw text ever) | Art. 5(1)(a) lawfulness |
| 2 | Sensitive | Hashes, model_id only (no context, no provider) | Art. 5(1)(c) data minimization |
| 3 | Classified | Factors only (no hashes, no model_id) | Art. 5(1)(f) integrity/confidentiality |
At every level, the anchor fingerprint and verification URL survive. The cryptographic proof chain is preserved while progressively more operational metadata is purged.
2.5 Finality Gate → Clearing Engine + Gatekeeper (Built)
The finality gate defaults to fail-closed: output is withheld unless all conditions pass. SWT3 implements two complementary mechanisms:
| Paper Concept | SWT3 Implementation | Detail |
| Pre-compute authorization | gate_check() | AI-GRD.3 procedure; evaluates config before inference |
| Fail-closed default | strict=True | Raises GatekeeperError if guardrails insufficient |
| Post-inference verification | Clearing engine | Applies clearing rules, generates fingerprint, writes ledger |
| Evidence resilience | Dead-letter queue | Max 5000 payloads; zero anchor loss during outages |
```python
from openai import OpenAI
from swt3_ai import Witness

witness = Witness(
    ...,
    strict=True,            # Fail-closed default
    guardrails_required=2,  # Minimum before inference allowed
)

# Raises GatekeeperError if guardrails < 2:
witness.gate_check(messages, model="gpt-4o")

# If the gate passes, proceed:
client = witness.wrap(OpenAI())
response = client.chat.completions.create(...)
```
3. Architecture Comparison
```
Futurium Proposal             SWT3 Production
=====================         ==================
VI (session identity)   <->   agent_id + signing_key
          |                          |
CJT (authorization)     <->   SWT3 Anchor + policy_version
          |                          |
ALF (behavioral fp)     <->   Fingerprint formula (locked)
          |                          |
Internal LAVR           <->   Witness ledger (PostgreSQL)
External LAVR           <->   SWT3 Anchor string (cleared)
          |                          |
Finality Gate           <->   Clearing engine + Gatekeeper

Lifecycle:
  Papers: VI → CJT → Compute → ALF → Gate → LAVR → Release
  SWT3:   agent_id → gate_check → Compute → witness → clearing → anchor
```
4. EU AI Act Article Coverage
| Article | Obligation | Paper Primitive | SWT3 Procedure |
| Art. 9(2a) | Risk mitigation measures | CJT + ALF | AI-GRD.1 (guardrail enforcement) |
| Art. 9(4a) | Model risk identification | ALF | AI-MDL.1 (model integrity) |
| Art. 9(4b) | Content safety measures | ALF | AI-GRD.2 (refusal detection) |
| Art. 10(2f) | PII and data protection | CJT + ALF | AI-GRD.3 (PII leakage scan) |
| Art. 10(2f) | Bias and fairness | ALF | AI-FAIR.1 (bias measurement) |
| Art. 12(1) | Automatic logging | Dual LAVR | AI-INF.1 (inference provenance) |
| Art. 13(1) | Transparency | CJT + Ext. LAVR | AI-EXPL.1 (explainability) |
| Art. 13(3b) | Confidence calibration | ALF | AI-EXPL.2 (confidence scores) |
| Art. 14(1) | Human oversight | CJT | AI-HITL.1 (HITL attestation) |
| Art. 15(3) | Performance consistency | ALF | AI-INF.2 (latency anomaly) |
| Art. 22 | Automated decision-making | CJT + ALF | AI-HITL.1/2 (oversight + escalation) |
| Art. 25 | Data protection by design | VI + Clearing | Clearing engine (Levels 0-3) |
| Art. 26 | Deployer obligations | CJT + Dual LAVR | All procedures (anchor verification) |
| Art. 49 | Registration | CJT | Anchor format (self-describing) |
| Art. 53(1)(d) | Training data provenance | ALF | AI-DATA.1 (data lineage) |
| Art. 72(1) | Post-market drift | ALF | AI-MDL.3 (drift monitoring) |
5. GDPR Simultaneous Coverage
The Futurium GDPR mapping paper identifies the central challenge: GDPR and the AI Act impose overlapping obligations. SWT3's clearing engine satisfies both through a single mechanism.
| GDPR Area | Articles | SWT3 Mechanism |
| Data protection principles | Art. 5 | Clearing levels enforce minimization, storage limitation, integrity |
| Lawful basis | Art. 6 | Procedure taxonomy classifies each compliance claim |
| Consent management | Art. 7 | Clearing level documents processing scope |
| Special categories | Art. 9 | Level 2-3 clearing for sensitive data processing |
| Transparency | Art. 13, 14 | Self-describing anchor format; public verify endpoint |
| Right to erasure | Art. 17 | Clearing protocol: raw data destroyed, fingerprint survives |
| Automated decisions | Art. 22 | AI-HITL.1/2 attest human oversight |
| Privacy by design | Art. 25 | Clearing is default-on; data exposure requires authorization |
| Controller-processor | Art. 28 | policy_version_hash binds processor to controller instructions |
| Processing records | Art. 30 | Internal ledger constitutes the Art. 30 record |
6. Production Evidence
| Asset | Detail | Status |
| SDKs | Python (PyPI), TypeScript (npm), Rust (crates.io), C# (NuGet), Ruby (RubyGems) | v0.4.1 |
| Adapters | OpenAI, Anthropic, Bedrock, LiteLLM (100+ providers), Vercel AI SDK | 6 adapters |
| Test Vectors | 13 fingerprint + 2 signing + 5 hash (100% cross-language parity) | Locked |
| Public Verification | /verify/ endpoint -- no authentication required | Live |
| Merkle Rollup | Daily at 00:01 UTC; proof API available | Production |
| MCP Server | @tenova/swt3-mcp -- Model Context Protocol integration | Published |
| OSCAL Bridge | Anchors embed into NIST OSCAL Assessment Results | Spec Section 7 |
| Protocol Lock | Fingerprint formula, anchor format, clearing levels | March 29, 2026 |
| Patent Protection | Multiple provisional patent applications filed | Patent Pending |
7. Gaps and Roadmap
| Paper Proposal | SWT3 Status | Gap Type | Implementation Path |
| VI session expiry | Not implemented | Non-breaking | TTL on signing keys; new key_expiry field |
| CJT pre-inference authorization | Built (v0.4.0) | Complete | gate_check() returns authorization_id; post-inference anchors reference it |
| CJT jurisdiction routing | Built (v0.4.0) | Complete | jurisdiction field on WitnessPayload (ISO 3166-1), survives all clearing levels |
| CJT revocation state | Built (AI-REV.1) | Complete | witness.revoke(fingerprint, reason) mints append-only revocation receipt |
| ALF behavioral class taxonomy | Not implemented | Non-breaking | Aggregate class from procedure fingerprints |
| Cross-authority LAVR exchange | Not implemented | Protocol extension | Federation protocol for multi-authority verification |
| TEE/HSM hardware binding | Designed | Deferred | AI-HW procedure in spec; awaiting hardware integration |
| Formal legal basis field | Built (v0.4.0) | Complete | legal_basis + purpose_class fields on WitnessPayload, survives all clearing levels |
All identified gaps are non-breaking extensions. None require changes to the locked fingerprint formula or anchor format.
8. Field-Level Correspondence
| VI+CJT+ALF+LAVR Concept | Python Field | TypeScript Field | Clearing Survival |
| Session identity | agent_id | agentId | All levels |
| Identity signature | payload_signature | payloadSignature | All levels |
| Chain linkage | cycle_id | cycleId | All levels |
| Policy binding | policy_version_hash | policyVersionHash | All levels |
| Procedure class | procedure_id | procedureId | All levels |
| Behavioral factors | factor_a/b/c | factorA/B/C | All levels |
| Fingerprint | anchor_fingerprint | anchorFingerprint | All levels |
| Epoch | anchor_epoch | anchorEpoch | All levels |
| Clearing class | clearing_level | clearingLevel | All levels |
| Model identifier | ai_model_id | aiModelId | Levels 0-2 |
| Prompt hash | ai_prompt_hash | aiPromptHash | Levels 0-2 |
| Response hash | ai_response_hash | aiResponseHash | Levels 0-2 |
| Provider context | ai_context | aiContext | Levels 0-1 |
| Tool invocation | tool_name | toolName | Levels 0-1 |
| Access control | access_target | accessTarget | Levels 0-1 |