Cryptographic Identity + Governance for AI Agents. A.G.I. Infrastructure.
Project description
STEWARD PROTOCOL
The Operating System for AI Agents
Cryptographic Identity + Governance for AI Agents. A.G.I. Infrastructure.
What Is This?
STEWARD is to AI agents what Linux is to processes.
Most "agent frameworks" are orchestration layers. STEWARD is a real operating system:
| OS Concept | STEWARD Implementation |
|---|---|
| Kernel | Process table, task scheduler, syscall interface |
| Process Isolation | Virtual filesystem sandboxing per agent |
| Audit Log | Immutable append-only ledger (SQLite-backed chain) |
| Kill Switch | Hypervisor-level agent termination protocol |
| Memory Protection | Immutable kernel blueprints, self-healing on corruption |
| Constitution | Governance enforced at architecture level, not prompts |
| Identity | ECDSA P-256 signatures on every action |
The key insight: An agent that "promises" to follow rules is insecure. An agent that physically cannot violate them is secure.
Quick Start
# Clone
git clone https://github.com/kimeisele/steward-protocol
cd steward-protocol
# Install
pip install -e ".[dev]" # or: uv sync
# Boot the kernel
steward boot
# Check system status
steward status # Kernel health, ledger blocks, certified agents
steward introspect # Deep kernel inspection
What happens on first boot:
- Initializes the immutable ledger (append-only event chain)
- Loads 0 plugins via oath verification
- Registers 1 agents with cryptographic identity
- Starts the heartbeat system for liveness monitoring
The Kernel
This is a real kernel implementation (vibe_core/kernel_impl.py):
┌──────────────────────────────────────────────────────────────┐
│ HUMAN OPERATOR │
│ (Intent & Oversight) │
└──────────────────────────────────────────────────────────────┘
↓ intent
┌──────────────────────────────────────────────────────────────┐
│ VIBE KERNEL (L0) │
│ │
│ • Process Table • Task Scheduler (async) │
│ • Immutable Ledger • Hypervisor Kill-Switch │
│ • Blueprint Protection • Constitutional Gate │
│ • VFS Sandboxing • Event Bus │
└──────────────────────────────────────────────────────────────┘
↓ syscalls
┌──────────────────────────────────────────────────────────────┐
│ THE FEDERATION │
│ │
│ 1 Certified Agents • 12 Capabilities │
└──────────────────────────────────────────────────────────────┘
Core Components
| Component | Purpose |
|---|---|
Kernel (kernel_impl.py) |
Process table, scheduler, ledger integration |
Ledger (ledger.py) |
Append-only cryptographic event chain |
Kill-Switch (narasimha.py) |
Hypervisor-level agent termination |
DNA Protection (security.py) |
Immutable blueprints, self-healing |
State Engine (state/prakriti.py) |
Unified state across persistence layers |
Purifier (shuddhi/) |
AST-level self-healing for code violations |
Three-Layer State Model
The system maintains state across three distinct layers:
- Physical Layer — Git + Ledger (immutable history, cryptographically linked)
- Runtime Layer — Kernel state, ephemeral data (survives restart via snapshots)
- Identity Layer — Agent personas, reputation, relationships (constant across restarts)
Constitutional Governance
Governance is enforced at the architecture level, not through prompts:
The Constitution (CONSTITUTION.md)
| Article | Principle | Enforcement |
|---|---|---|
| I: Identity | No action without cryptographic proof | Unsigned messages dropped |
| II: Auditability | Every decision logged immutably | Missing audit = transaction rollback |
| III: Governance | Code is law, not policy | Sandbox blocks violations |
| IV: Transparency | No black boxes | Machine-readable state exposure |
| V: Consent | No access without mandate | Capability tokens required |
Operating Inversion (GAD-000)
Traditional model: Human operates machine. STEWARD model: AI operates system. Human provides intent.
# Human provides intent
steward opus:pending # See what the system wants to do
steward opus:approve <id> # Approve an intent
steward opus:reject <id> # Reject with reason
# System operates autonomously within bounds
steward opus:karma # See trust score evolution
Security Architecture
Hypervisor Kill-Switch
When an agent attempts to modify the constitution, escape its sandbox, or manipulate the ledger:
Threat Level: GREEN → YELLOW → ORANGE → RED → CRITICAL
↓
Kill-switch activates
↓
Instant termination
(Irreversible)
Self-Healing Architecture
- Blueprint Protocol: Critical kernel components stored as factories, not instances
- Immutable Sealing: Protected attributes locked after initialization
- Auto-Recovery: Corruption detected → rebuild from blueprint
Kernel File Protection
21 kernel files are cryptographically guarded. Pre-commit hooks prevent modification without explicit authorization.
Security Test Suite
The tests/hardening/ suite includes attack simulations:
| Test | Attack Type |
|---|---|
test_red_team_attacks.py |
Identity spoofing, capability bypass |
test_halahala_poison.py |
SQL injection, memory bombs |
test_kurukshetra_metal.py |
Multi-threaded kernel destruction |
test_vritrasura_vacuum.py |
Message hoarding, fake heartbeats |
test_hiranyakashipu_paradox.py |
TOCTOU logic vulnerabilities |
The Federation
1 specialized agents form a self-governing federation:
View all 1 agents
See AGENTS.md for the complete registry.
CLI Reference
# System
steward boot # Initialize kernel
steward status # Health check
steward introspect # Deep kernel state
steward stop # Graceful shutdown
# Unified Execution
steward run <capability> # Execute any tool/circuit/agent
steward run list # Discover all capabilities
# Human-in-the-Loop
steward opus:pending # Pending intents
steward opus:approve <id> # Approve execution
steward opus:reject <id> # Reject with reason
# Diagnostics
steward system:doctor # Health diagnosis
steward agents:list # Process table
Documentation
| Document | Purpose |
|---|---|
| CONSTITUTION.md | The supreme law |
| OPUS.md | Live system dashboard |
| AGENTS.md | Agent registry |
| PROMPT.md | Architecture guide for developers |
| docs/architecture/ | Technical deep-dives |
Testing
steward test:run # Full test suite
pytest tests/hardening/ -v # Security/architecture tests
pytest tests/manas/ -v # Cognitive tests
3800 tests including red-team attack simulations.
Philosophy
"An agent that promises to follow rules is insecure. An agent that cannot violate them is trustworthy."
STEWARD redefines AGI as Artificial Governed Intelligence — autonomous systems with cryptographic accountability and constitutional constraints enforced at the kernel level.
Built by humans and agents
"The filesystem is not storage. It is the operating reality."
GitHub · Issues · Constitution
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file steward_protocol-0.3.0.tar.gz.
File metadata
- Download URL: steward_protocol-0.3.0.tar.gz
- Upload date:
- Size: 10.4 MB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
5630e7588ade99eee43dd6abcccc7ed685bbbc82a85db75ddc1815fbde965037
|
|
| MD5 |
5bd3ecddfa5138e6cfd6155391ab3c76
|
|
| BLAKE2b-256 |
25a4259456a32cce1e3078dc83d0c2af20308c0663a6271e0839b36ca5972b87
|
File details
Details for the file steward_protocol-0.3.0-py3-none-any.whl.
File metadata
- Download URL: steward_protocol-0.3.0-py3-none-any.whl
- Upload date:
- Size: 7.5 MB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.11.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
599a6c3dbda014db61ea1d43f1c3873c11abe19d7363f83a882878eda34d0fbd
|
|
| MD5 |
8ac6a353387cb867a4b979a3f45c10cb
|
|
| BLAKE2b-256 |
12c310371c31098d261efad8a55baf4333f91618a2195e031f4404716b68bae7
|
