AI agent governance - audit trails, policy enforcement, compliance
Project description
asqav
Python SDK for asqav.com. All ML-DSA cryptography runs server-side. Drop-in for AI agent governance: audit trails, policy enforcement, compliance.
Install
pip install asqav
Quick start
import asqav
asqav.init(api_key="sk_...")
agent = asqav.Agent.create("my-agent")
sig = agent.sign("api:call", {"model": "gpt-4"})
print(sig.verification_url)
Each signed action is recorded server-side with an ML-DSA-65 (FIPS 204) signature, a chain hash, and a public verification URL.
CLI
The package ships an asqav CLI mirroring the Python API. Set ASQAV_API_KEY and run:
asqav verify <signature_id> [--output json] # IETF axes when present
asqav sign --agent-id ID --action-type T --action-json action.json \
--compliance-mode --receipt-type protectmcp:decision \
--risk-class high --issuer-id legal:Acme
asqav agents list / create / revoke
asqav sessions list / end
asqav replay <agent_id> <session_id> # Pro
asqav replay-verify <agent_id> <session_id> [--strict] # IETF chain
asqav preflight <agent_id> <action_type> # Pro
asqav budget check / record # Pro
asqav approve <session_id> <entity_id> # Pro
asqav compliance frameworks / export # Business
asqav audit-pack export --start ISO --end ISO --output-file bundle.json
asqav audit-pack policy <sha256:hex>
asqav payloads erase <signature_id> # P4: GDPR right-to-erasure
asqav org set-compliance-strict <org_id> --enable|--disable
asqav keys generate --algorithm ed25519|es256 [--out priv.pem]
asqav migrate run v3-20|v3-21|v3-22 # X-Maintenance-Key required
asqav policies / webhooks list / create / delete # Pro
Pro and Business commands are gated client-side via GET /account so a free-tier key gets a clean upgrade message instead of a mid-pipeline 402.
The IETF Compliance Receipts profile commands (sign --compliance-mode, audit-pack export, audit-pack policy, payloads erase, replay-verify --strict, org set-compliance-strict) match the SDK kwargs on Agent.sign(...) and verify_compliance_receipt(...). See docs/CLI.md for full flag reference.
Roadmap
Six-line view of what is shipped on Asqav:
- Hash-only mode for cloud - Today (default for
*.asqav.com). - Self-hosted signer (split-trust) - Today.
- Bring-your-own KMS (AWS KMS / GCP KMS) - Today, Enterprise tier.
- Customer-owned storage - Today (self-hosted; relay payload allowlist enforced in code).
- SCITT / COSE_Sign1 receipt export - Today (public
GET /api/v1/signatures/{id}/cosereturnsapplication/cose). - Air-gapped / on-prem mode - Today (offline license + zero-egress, see
docs/airgapped-mode.mdin the backend repo).
See the docs at https://asqav.com/docs for the current feature set.
Standards
Asqav's compliance receipts are profiled in IETF Internet-Draft draft-marques-asqav-compliance-receipts, profiling the upstream draft-farley-acta-signed-receipts for EU AI Act Articles 12 and 26, and DORA Article 17 bindings.
Compliance receipts (IETF profile)
Pass compliance_mode=True to agent.sign(...) to emit a Compliance Receipt under draft-marques-asqav-compliance-receipts. The SDK fills action_ref automatically (sha256: over the JCS-canonical action object) so callers only need to supply policy-relevant context.
import asqav
asqav.init(api_key="sk_...")
agent = asqav.Agent.create("payments-agent")
sig = agent.sign(
"payment.wire_transfer",
{"amount_eur": 850000, "beneficiary_iban": "DE89370400440532013000"},
compliance_mode=True,
receipt_type="protectmcp:decision",
risk_class="high",
issuer_id="legal:Acme GmbH",
iteration_id="task-2026-Q2-4821",
sandbox_state="enabled",
)
print(sig.compliance_mode) # True
print(sig.receipt_type) # "protectmcp:decision"
print(sig.action_ref) # "sha256:..."
print(sig.previous_receipt_hash) # 64 hex; "0"*64 on the first record per agent
Local-side sanity checks (presence of REQUIRED fields, namespace, 300s skew bound, predecessor rederivation) are available as asqav.verify_compliance_receipt(envelope, predecessor_envelope=...). The cloud is the authoritative verifier; this helper is a convenience.
Algorithm agility per profile section 10.8 is exposed via asqav.SUPPORTED_ALGORITHMS. Pass algorithm="ed25519" or "es256" to Agent.create(...) for non-post-quantum identities, or asqav.generate_local_keypair("ed25519") for offline scenarios.
Documentation
- Repository: https://github.com/jagmarques/asqav-sdk
- Full docs: https://asqav.com/docs
- Roadmap: https://asqav.com/roadmap
License
MIT. Get an API key at asqav.com.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file asqav-0.3.10.tar.gz.
File metadata
- Download URL: asqav-0.3.10.tar.gz
- Upload date:
- Size: 93.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
c88b8456807ec93fcc7bedc4027d84e4372e9a9b31d215d6f0e3c35cb31ef62a
|
|
| MD5 |
0c1c6902ca2f293554b096aa421514e7
|
|
| BLAKE2b-256 |
a0c511449f76d577d28c4dcff725fd56c0bbd0960839419dfb0b2eb97d650887
|
File details
Details for the file asqav-0.3.10-py3-none-any.whl.
File metadata
- Download URL: asqav-0.3.10-py3-none-any.whl
- Upload date:
- Size: 111.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.14.4
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
34f66f0ef95e4d2452f08bf7a6a1eae38d2ad41b671a9f4f8a06f64064fdefdc
|
|
| MD5 |
51159d29b19d003e2c833379ee131745
|
|
| BLAKE2b-256 |
51b3e4716450896f70d535defde08c63d91e1e7b09b36e392b06110d7b50ea88
|
