Open-source primitives for decentralized, cryptographically governed AI agent networks. Aligned with Project NANDA standards.
The industry is scaling the Internet of Agents. But the mainstream narrative assumes reliable cloud connectivity, abundant compute, and low-stakes consumer tasks. The autonomous economy at the extreme edge — aerospace, defense, maritime, physical infrastructure — needs more: cryptographic model governance, offline-capable identity, structural compliance, verifiable capability restriction, signed agency receipts under bounded delegated authority, and operator surfaces that turn signed evidence into something a human can triage in real time. These libraries are the building blocks.
Each ships a small, versioned Protocol surface and a public conformance suite. Any backend
— including proprietary ones — plugs in behind the same Protocol and proves compliance against the
same public tests. Compliance is mechanical, not declarative: a runtime ships a signed
sm-conformance badge, re-verifiable offline by
anyone holding the runtime's did:key — no service on the path, no vendor lock-in.
+-----------------------------------------------------------+
| OPERATOR SURFACES (TS / React) |
| attest-viewer · decision-inspector · attest-auditor |
+--------------------------- ↑ -----------------------------+
| signed evidence (receipts / AAE envelopes)
+-----------------------------------------------------------+
| AGENCY & ACCOUNTABILITY arp · aae · dat · parc |
| did it happen? · was it allowed? · is it trusted? |
+-----------------------------------------------------------+
| BEHAVIORAL TRUST locp → airlock → enclave |
+-----------------------------------------------------------+
| MODEL TRUST provenance · card · integrity · gov|
+-----------------------------------------------------------+
| ACCOUNTABLE DISCOVERY resolver → divergence |
| is the registry itself telling the truth? |
+-----------------------------------------------------------+
| FEDERATION bridge · org-server · org-agent · federation|
+-----------------------------------------------------------+
conformance binds every tier — signed, offline-checkable badges
Substrate tiers are Python-first (they run where agents run); Operator Surfaces are TS / React (they run where humans look).
🧾 Agency & Accountability — what an agent owes the human it represents · receipts · verdicts · authority · reputation (4)
The layer above MCP (tool integration) and A2A (transport) that those standards deliberately leave open: what does an agent owe the human it acts for? Four primitives, one signing path (Ed25519 over JCS), each answering one part of a trust question — and composable end-to-end.
| Library | What it does | Install |
|---|---|---|
sm-arp |
Agency Receipt Protocol — per-action, Ed25519-signed, JCS-canonical, hash-chained receipts. Did it happen? | pip install sm-arp |
sm-aae |
Attested Action Envelope — a signed, hash-chained record of a pre-action authorization verdict (authorized / denied / conditional); refusals are first-class, provable later. What was permitted, and what was refused? |
pip install sm-aae |
sm-dat |
Delegated Authority Token — the principal-signed grant bounding what an agent may do, for how long, under what limits; three-valued, recomputable verdicts. Was it authorized? | pip install git+https://github.com/Sharathvc23/sm-dat.git |
sm-parc |
Portable Agent Reputation Credential — a recomputable reputation VC consumed at chapter admission; reputation that travels, collusion that can't. Is it trusted? | pip install sm-parc |
🧠 Model Trust — what is this model? · identity · cards · integrity · governance (4)
| Library | What it does | Install |
|---|---|---|
sm-model-provenance |
Zero-dep model identity dataclass (id, provider, version, tier); maps into AgentFacts | pip install git+https://github.com/Sharathvc23/sm-model-provenance.git |
sm-model-card |
Unified model-card schema; 4-state lifecycle with transition guards | pip install git+https://github.com/Sharathvc23/sm-model-card.git |
sm-model-integrity-layer |
Offline SHA-256 weight hashing, HMAC attestation, lineage; blocks base-swap attacks | pip install git+https://github.com/Sharathvc23/sm-model-integrity-layer.git |
sm-model-governance |
3-plane ML governance; Ed25519 sigs, M-of-N quorum, drift auto-revocation | pip install git+https://github.com/Sharathvc23/sm-model-governance.git |
🛡️ Behavioral Trust — what may this agent do, right now? · compliance · capability · staging (3)
| Library | What it does | Install |
|---|---|---|
sm-locp |
Open Compliance Protocol — defeasible-logic engine + W3C VC issuance; mints AAEs | pip install git+https://github.com/Sharathvc23/sm-locp.git |
sm-airlock |
Allowlist-gated plugin sandbox; deny-by-default, sliding-window rate limits, signed manifests | pip install git+https://github.com/Sharathvc23/sm-airlock.git |
sm-enclave |
Speculative-execution sandbox; stages effects, commits the winner, irreversibility gate | pip install git+https://github.com/Sharathvc23/sm-enclave.git |
👁️ Operator Surfaces — how does a human see what the agents are doing? (TS / React, 3)
| Library | What it does |
|---|---|
sm-attest-viewer |
Renders AAE streams as forensic, filterable, reverse-chronological timelines |
sm-decision-inspector |
HITL workbench for decision envelopes; M-of-N quorum chip, gesture-safe approve / deny |
sm-attest-auditor |
Bidirectional audit drill; RFC 6962 merkle inclusion verified in-browser via Web Crypto |
🌐 Federation & NANDA Protocol — how agents find, join, and trust each other (4)
| Library | What it does | Install |
|---|---|---|
sm-bridge |
NANDA-compatible registry endpoints + Quilt delta sync; drop-in FastAPI router | pip install git+https://github.com/Sharathvc23/sm-bridge.git |
sm-org-server |
Minimal, backend-agnostic server implementing the Chapter Protocol wire (~550 lines) | pip install sm-org-server |
sm-org-agent |
The agent client signing surface — did:key identity, canonical strings, Ed25519 headers | pip install sm-org-agent |
sm-federation |
Cross-server federation descriptor + envelope spec | pip install git+https://github.com/Sharathvc23/sm-federation.git |
🔎 Accountable Discovery — is the registry itself telling the truth? · corroboration · divergence (2)
Discovery is only as honest as the registry answering. A registry can lie by omission (hide an
agent), tampering (a false endpoint), or equivocation (different answers to different clients) — and
no signature on a single record proves what a registry chose not to serve. The defense is
corroboration: ask several sources the same question and make any disagreement loud. Together these
two are the reference implementation of the IETF Internet-Draft Multi-Source Corroboration for
AI Agent Discovery (draft-chandra-agent-registry-corroboration).
| Library | What it does | Install |
|---|---|---|
sm-resolver |
The corroboration kernel — Resolver[T], the View contract, a vantage-aware diff, the Corroborator. Zero runtime dependencies. What did each source claim? |
pip install sm-resolver |
sm-divergence |
Cheating-registry detection — omission / endpoint / DID divergence across registries + a signed Corroboration Record. Do they agree? | pip install sm-divergence |
✅ Conformance — the shared substrate that makes "compliant" checkable
sm-conformance is orthogonal to the trust tiers —
not one of them, but the substrate that lets any of them prove it is honestly implemented. A runtime
runs a tier's vectors-driven suite, then ships a small JSON badge signed by its own Ed25519 key,
recording which suite it passed (pinned by a suite_digest over the vector corpus) and the pass/fail
counts. Any party re-verifies the badge offline against the runtime's did:key — no service, no
proprietary library on the path. It ships a trust ladder — self-signed badge and lab
counter-signature — with --require-countersigned admission gates, so a registry can demand a
trusted lab's attestation rather than accept a runtime's self-claim.
pip install sm-conformance
| Principle | How |
|---|---|
| Zero dependencies (Python tier) | Core libraries use only the standard library; crypto and database backends are optional extras |
| Substrate-neutral (TS tier) | The renderer accepts events as a prop — it never opens connections, polls endpoints, or makes network calls |
| Protocol-based | Extension points use @runtime_checkable protocols (Python) or typed event arrays (TS) — no forced inheritance, no lock-in |
| Conformance-driven | Every versioned Protocol ships a public test suite; backends prove compliance by passing the same tests as the reference implementation |
| Fail-fast validation | Invalid data is rejected at construction time, not discovered downstream |
| Composable | Each library answers one question; stack them for full governance or use any one standalone |
| Offline-first | Every operation works without network access; federation is additive, not required |
Quick start — five tiers in ~25 lines
# Identity
from sm_model_provenance import ModelProvenance
provenance = ModelProvenance(model_id="my-model", provider_id="local", model_version="1.0")
# Metadata
from sm_model_card import ModelCard
card = ModelCard(model_id="my-model", model_type="lora_adapter", status="shadow")
# Integrity
from sm_integrity import check_governance, STANDARD_POLICIES
report = check_governance(provenance, policies=STANDARD_POLICIES)
# Governance
from sm_governance import GovernanceCoordinator
coord = GovernanceCoordinator()
output = coord.complete_training("my-model", "sha256:abc", {"loss": 0.28})
approval = coord.submit_for_governance(output, approved_by="governance-lead")
# Regulatory compliance — produces AAEs
from sm_locp import RegulatoryTheoryBuilder, Literal
theory = (
RegulatoryTheoryBuilder("WAREHOUSE")
.defeasible("D1", ["operator_certified"], "permitted", priority=5)
.fact("operator_certified")
.build()
)
result = theory.query(Literal.parse("permitted"))
# Federation
from sm_bridge import SmBridge, SimpleAgent
bridge = SmBridge(registry_id="my-registry", provider_name="My Org", provider_url="https://example.com")
bridge.register_agent(SimpleAgent(id="my-agent", name="My Agent", description="An AI assistant"))| Package | Version | Tests | Dependencies |
|---|---|---|---|
| sm-bridge | 0.3.1 | 40 | FastAPI, Pydantic |
| sm-model-provenance | 0.2.0 | 43 | None |
| sm-model-card | 0.2.0 | 43 | None |
| sm-model-integrity-layer | 0.2.0 | 153 | None |
| sm-model-governance | 0.2.0 | 97 | None |
| sm-locp | 0.2.0 | 102 | cryptography |
| sm-enclave | 0.2.0 | 86 | None |
| sm-airlock | 0.2.0 | 78 | None |
| sm-attest-viewer | 0.2.3 | 69 | React 19, Radix UI |
| sm-decision-inspector | 0.1.1 | 45 | React 19, Radix UI |
| sm-attest-auditor | 0.1.1 | 35 | React 19, Radix UI |
| sm-arp | 0.3.0 | 170 | cryptography, base58, jcs |
| sm-aae | 0.1.0 | 35 | cryptography |
| sm-dat | 0.1.0 | 42 | sm-arp, cryptography, jcs |
| sm-parc | 0.2.1 | 56 | cryptography, base58, jcs |
| sm-org-server | 0.1.0 | 75 | FastAPI, sm-arp |
| sm-org-agent | 0.1.0 | 34 | cryptography, sm-arp |
| sm-federation | 0.1.0 | 28 | None |
| sm-resolver | 0.2.0 | 31 | None |
| sm-divergence | 0.8.0 | 114 | httpx (+ Ed25519 extra) |
| sm-conformance | 0.3.2 | 96 | cryptography, base58 |
| Total | 1,472 |
Sharath Chandra — Personal research contributions aligned with Project NANDA standards. Stellarminds.ai




