sealed-for-ai 0.1.0

Cryptographic receipts for AI-generated artifacts. One POST per artifact, public verifier URL, 7-year retention.

sealed-for-ai (Python)

Cryptographic receipts for AI-generated artifacts. One POST per artifact, public verifier URL, 7-year retention.

Install

pip install sealed-for-ai

Requires Python 3.11+.

Five-minute quickstart

import hashlib
from sealed_for_ai import SealedAIClient

client = SealedAIClient(api_key="sk-ai-...")  # get one at https://ai.epochpay.today

output_bytes = b"This is whatever your AI just produced."
receipt = client.seal(
    artifact_kind="llm_output",
    subject="Generated for customer #42",
    payload_sha256=hashlib.sha256(output_bytes).hexdigest(),
    metadata={
        "model": "claude-opus-4-7",
        "tokens": 1284,
    },
)

print("Verifier URL:", receipt.verifier_url)
print("Seal ID:", receipt.seal_id)
# Verifier URL is now a public link anyone can open to confirm this artifact.

Async usage

import asyncio
from sealed_for_ai import AsyncSealedAIClient

async def main():
    async with AsyncSealedAIClient(api_key="sk-ai-...") as client:
        receipt = await client.seal(
            artifact_kind="llm_output",
            subject="...",
            payload_sha256="...",
        )
        print(receipt.verifier_url)

asyncio.run(main())

Chaining (multi-step pipelines)

seal_1 = client.seal(artifact_kind="rag_response", ...)
seal_2 = client.seal(artifact_kind="llm_output", chain_prev=seal_1.full_hash, ...)
seal_3 = client.seal(artifact_kind="agent_action", chain_prev=seal_2.full_hash, ...)

If any intermediate artifact is tampered with, the chain root changes and downstream seals self-invalidate.

Verification

verified = client.verify("EP-DKAP-A5C2F07B...")
assert verified.found
assert verified.signatures.ed25519_valid
print(verified.sealed_at, verified.retention_until)

Anyone can verify any seal — they don't need an API key. Pass them the verifier_url from a seal response and they can confirm in any browser.

Configuration

client = SealedAIClient(
    api_key="sk-ai-...",
    base_url="https://ai.epochpay.today",  # default
    timeout=30.0,                          # seconds, default
    max_retries=3,                         # exponential backoff on 5xx
)

Environment variables (used as defaults if not passed explicitly):

Env var	Default
SEALED_AI_KEY	(required)
SEALED_AI_BASE_URL	https://ai.epochpay.today
SEALED_AI_TIMEOUT	30

Errors

Every API error raises a typed exception:

• SealedAuthError — 401 (bad / missing key)
• SealedRateLimitError — 429 (over plan limit; retry_after attr in seconds)
• SealedValidationError — 400 (bad request body)
• SealedServerError — 5xx (we're down or in maintenance; the SDK retries first)
• SealedError — base class; catch this if you want all of the above

from sealed_for_ai.exceptions import SealedRateLimitError

try:
    receipt = client.seal(...)
except SealedRateLimitError as e:
    print(f"Wait {e.retry_after}s")

Compliance

Every seal carries:

• SHA-256 (FIPS 180-4)
• Ed25519 signature (RFC 8032)
• ML-DSA-87 signature (FIPS 204, post-quantum)
• Base L2 anchor
• 7-year retention floor (SEC 17 CFR § 240.17a-4, FINRA Rule 4370)

For SOC 2 / EU AI Act mapping, see compliance.md.

License

Proprietary · © 2026 EpochCore LLC · All Rights Reserved · Patent Pending.

See LICENSE.md.