Local-first agent delegation protocol and reference implementation
Project description
Sovereignty
.-.
/___\
(|o o|)
.--.\_-_/ .--.
/ _ '-' _ \
/__/ | | \__\
| | | | | |
|__| |_____| |__|
/ | \
/___|___\
______ _ __
/ ___/ /___ _ _____ ________ (_)___ _____ / /___ __
\__ \/ __ \ | / / _ \/ ___/ _ \/ / __ `/ __ \/ __/ / / /
___/ / /_/ / |/ / __/ / / __/ / /_/ / / / / /_/ /_/ /
/____/\____/|___/\___/_/ \___/_/\__, /_/ /_/\__/\__, /
/____/ /____/
local models do the prep. your agent keeps authority.
Sovereignty is an open-source protocol and reference implementation for local-first agent delegation. It defines how local model lanes can perform private prep work — classification, extraction, drafting, code triage, and sensitivity checks — while a main agent retains authority over final answers and side effects.
Sovereignty is not an LLM gateway. It is a contract for local-prep / cloud-authority workflows; see docs/protocol-not-gateway.md for the design note on why this is a protocol, not a gateway:
- local lanes produce structured review packets;
- local lanes do not invoke side-effecting tools;
- model and lane metadata is redacted before it leaves the local boundary;
- cloud exposure claims are explicit about their trust model;
- measured exposure reports can attach evidence without leaking raw prompts or endpoints;
- proposed side effects use a strict review-only schema before any authority-bearing tool acts;
- callers can validate packets and policies before a main agent acts.
Status
v0.1.0 protocol release. The public surface is intentionally small and falsifiable: schema contracts, policy checks, metadata redaction, measured exposure reporting, side-effect review boundaries, a sober threat model, and Hermes adapter examples.
Sovereignty is still not a router or gateway. The private router implementation can evolve independently; this repository publishes the boundary contract local-prep systems must satisfy before an authority-bearing agent acts.
Repository layout
sovereignty/
SPEC.md # Local-prep / cloud-authority protocol
THREAT_MODEL.md # Assumptions, non-goals, failure modes
docs/measured-exposure.md # Evidence-backed exposure report shape
docs/telemetry.md # Metadata-only packet telemetry contract
docs/side-effect-review.md # Authority-side side-effect review records
docs/policy.md # Policy-origin validation and exposure/side-effect gates
docs/operations.md # Guardrail events and lane health records
docs/broker-decision.md # Metadata-only execution broker decision packets
docs/protocol-not-gateway.md # Why this is a protocol, not a gateway
docs/public-private-boundary.md # What belongs in public vs private implementations
docs/current-router-compatibility.md # Current Hermes local-router adapter boundary
docs/release-checklist.md # v0.1.0 package/release checklist
schemas/ # Language-agnostic JSON Schema contracts
src/sovereignty/ # Reference Python implementation
examples/hermes/ # Hermes local-router adapter examples
tests/ # Contract tests
Design principles
- Local models can prepare. They do not decide.
- Side effects require main-agent or human authority.
- Exposure accounting must state whether it is measured or caller-attested.
- Review packets are structured, versioned, and validated.
- Privacy/security claims should be falsifiable, not vibes.
First public proof
The v0.1 proof is intentionally narrow: a local lane reads raw diagnostic context, emits a compact ReviewPacket, attaches measured exposure evidence, and proposes a side effect that remains review-only until the authority-bearing agent acts.
Run it from a checkout:
PYTHONPATH=src .venv/bin/python examples/hermes/local_router_review_packet.py
What to look for in the JSON output:
review_packet.local_outputcontains the compact local summary, not the raw incident text.review_packet.model_metadatakeeps sanitizedworker_profile,model_used, andlane_model_mapfields, without base URLs, host paths, or tokens.review_packet.exposure.trust_modelismeasured, and the attachedmeasured_exposure_reportavoids raw request bodies.packet_telemetry.token_accountingseparates estimated local/input/output counts from exposed-to-cloud counts.current_router_compatibility.actual_avoided_cloud_tokensis only claimed for the pre-cloud/local-ingress shape whereraw_context_seen_by_cloud=false.- Side effects are proposals only; the local lane cannot create issues, send messages, publish, deploy, trade, pay, or order.
That is the positioning wedge: LiteLLM, Portkey, and RouteLLM are useful gateway/routing layers; Sovereignty is the local-prep / cloud-authority contract around what local workers may prepare, what evidence crosses the boundary, and who is allowed to act.
Quick start
python3 -m venv .venv
.venv/bin/python -m pip install --upgrade pip
.venv/bin/python -m pip install -e '.[dev]'
.venv/bin/python -m pytest tests -q
The PyPI distribution name is sovereignty-protocol because sovereignty is already taken on PyPI. The import package and CLI command remain sovereignty.
Install from a local checkout:
python3 -m pip install -e .
sovereignty --help
Create a basic review packet:
.venv/bin/python examples/basic_packet.py
Run the measured-exposure recording boundary example:
.venv/bin/python examples/recording_boundary.py
Run the Hermes local-router integration example:
PYTHONPATH=src .venv/bin/python examples/hermes/local_router_review_packet.py
The local-router integration demonstrates a local prep lane producing a review packet with measured exposure evidence, metadata-only packet telemetry, and a review-only side-effect proposal for the main Hermes agent.
Validate a packet JSON file:
sovereignty validate packet.json
Redact model metadata:
sovereignty redact metadata.json
CLI
Sovereignty's first CLI commands are protocol utilities, not router commands:
validate packet.jsonvalidates a review packet and returns a JSON status object.redact metadata.jsonremoves secrets, host-local URLs, and private paths from model metadata.
JSON Schema contracts
Language-agnostic schemas live in schemas/:
schemas/review-packet.schema.jsonschemas/exposure.schema.jsonschemas/measured-exposure-report.schema.jsonschemas/side-effect-proposal.schema.jsonschemas/packet-telemetry.schema.jsonschemas/side-effect-review-record.schema.jsonschemas/policy.schema.jsonschemas/guardrail-event.schema.jsonschemas/lane-health.schema.jsonschemas/exposure-budget.schema.jsonschemas/broker-decision.schema.json
These schemas mirror the v0.1 protocol surface for non-Python validators and integrations. Packet telemetry is documented in docs/telemetry.md and is metadata-only by default. Side-effect review records are documented in docs/side-effect-review.md and remain separate from local-lane side-effect proposals. Policy-origin validation and exposure budgets are documented in docs/policy.md. Guardrail events and lane health are documented in docs/operations.md. Broker decisions are documented in docs/broker-decision.md; the public/private boundary is documented in docs/public-private-boundary.md.
Release path
The v0.1.0 release checklist lives at docs/release-checklist.md. python -m build is part of CI, and the package is published under the distribution name sovereignty-protocol while preserving the sovereignty import package and CLI.
License
Apache-2.0. Sovereignty is intended to remain open source.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file sovereignty_protocol-0.1.0.tar.gz.
File metadata
- Download URL: sovereignty_protocol-0.1.0.tar.gz
- Upload date:
- Size: 34.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
eb96947d8981c9345f9251d22411ac6ce2e3fd5fe519d961b6392438fe610bc8
|
|
| MD5 |
7f1dc594a1ce204a182f99e78426b390
|
|
| BLAKE2b-256 |
a60ef0a4c26237a74d146a3b2b0a198a3d6f4b787225d3c439f7f9edb3901131
|
Provenance
The following attestation bundles were made for sovereignty_protocol-0.1.0.tar.gz:
Publisher:
publish.yml on m0ntydad0n/sovereignty
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sovereignty_protocol-0.1.0.tar.gz -
Subject digest:
eb96947d8981c9345f9251d22411ac6ce2e3fd5fe519d961b6392438fe610bc8 - Sigstore transparency entry: 2126135412
- Sigstore integration time:
-
Permalink:
m0ntydad0n/sovereignty@821fe9de827a65b99afa04398e1a81346693e617 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/m0ntydad0n
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@821fe9de827a65b99afa04398e1a81346693e617 -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file sovereignty_protocol-0.1.0-py3-none-any.whl.
File metadata
- Download URL: sovereignty_protocol-0.1.0-py3-none-any.whl
- Upload date:
- Size: 25.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
79ba1044fe8f9fcb15c7e7873516ff355aa3803ca2eed42b90cf6cd298906501
|
|
| MD5 |
e79570b62cf9dd7ac5d33247ea861fc9
|
|
| BLAKE2b-256 |
fa04b741fe101dd27398b5102aae94d96de7c367fad388342ed0bbac880b4051
|
Provenance
The following attestation bundles were made for sovereignty_protocol-0.1.0-py3-none-any.whl:
Publisher:
publish.yml on m0ntydad0n/sovereignty
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
sovereignty_protocol-0.1.0-py3-none-any.whl -
Subject digest:
79ba1044fe8f9fcb15c7e7873516ff355aa3803ca2eed42b90cf6cd298906501 - Sigstore transparency entry: 2126135910
- Sigstore integration time:
-
Permalink:
m0ntydad0n/sovereignty@821fe9de827a65b99afa04398e1a81346693e617 -
Branch / Tag:
refs/heads/main - Owner: https://github.com/m0ntydad0n
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@821fe9de827a65b99afa04398e1a81346693e617 -
Trigger Event:
workflow_dispatch
-
Statement type: