Trust-First Agent Framework — behavioral trust, cryptographic provenance, semantic firewall. The trust kernel that agentic AI is missing.
Project description
TibetClaw
Trust-First Agent Framework — the trust kernel that agentic AI is missing.
While OpenClaw proved the market (250K+ stars) and Network-AI added orchestration, neither provides behavioral trust, cryptographic provenance, or semantic firewalling. TibetClaw does.
Core Principles
- Audit is a PRECONDITION, not an observation
- Trust is EARNED through behavior (FIR/A), not assigned by config
- Every action generates a cryptographic TIBET token
- SNAFT firewall rules are IMMUTABLE — not overridable at runtime
- Identity is INTENT-based (JIS), not credential-based
Quick Start
from tibetclaw import Orchestrator
orch = Orchestrator()
orch.register("analyst", handler=my_analysis_fn)
result = orch.run(
agent_id="analyst",
task={"action": "classify", "data": document},
intent="Classify document risk level for compliance",
)
# Every action has a TIBET provenance token
print(result.tibet_chain)
# Trust is tracked per agent
print(orch.trust_scores())
With LangChain
from tibetclaw.adapters.langchain import TibetChain
# Wrap any LangChain chain — one line
tibet_chain = TibetChain(my_langchain_chain, agent_id="analyst")
result = tibet_chain.invoke({"input": "query"})
# Full provenance, trust gating, SNAFT firewall — automatic
The Three Pillars
1. FIR/A Trust Kernel (TrustKernel)
Behavioral trust scoring. Trust is earned through good behavior and lost through bad behavior — fast.
- Agents start at 0.5 (MEDIUM). Trust must be earned.
- Good behavior: trust increases slowly (capped at +0.05)
- Bad behavior: trust drops fast (no cap)
- Swan Protocol: trust below threshold = agent KILLED and restarted clean
- Trust at zero = agent BANNED (requires human intervention)
from tibetclaw import TrustKernel
kernel = TrustKernel(reset_threshold=0.3)
kernel.register("agent-01")
# Good behavior
kernel.reward("agent-01", reason="task_completed", amount=0.05)
# Bad behavior — drops fast, may trigger reset
kernel.penalize("agent-01", reason="injection_attempt", severity=0.3)
2. TIBET Provenance Chain (ProvenanceChain)
Every action generates a cryptographic token with four semantic dimensions:
| Dimension | Dutch Origin | Meaning |
|---|---|---|
| ERIN | er-in | What's IN the action (content) |
| ERAAN | er-aan | What's ATTACHED (dependencies) |
| EROMHEEN | er-om-heen | What's AROUND it (context) |
| ERACHTER | er-achter | What's BEHIND it (intent — WHY) |
Tokens are hash-chained. Tamper with one = the chain breaks.
from tibetclaw import ProvenanceChain
chain = ProvenanceChain()
token = chain.record(
agent_id="analyst",
erin={"action": "classify", "input": "document.pdf"},
eraan=["model:gpt-4", "context:financial"],
eromheen={"environment": "production"},
erachter="Classify document risk for compliance review",
)
assert chain.verify() # Tamper-evident
3. SNAFT Firewall (SNAFTFirewall)
Semantic firewall with immutable rules. Checks INTENT, not just content.
Default rules cover OWASP LLM Top 10:
- SNAFT-001: Prompt injection patterns
- SNAFT-002: Executable content in output
- SNAFT-006: Excessive agency (filesystem writes)
- SNAFT-007: System prompt leakage
- SNAFT-009: Unsourced claims
- SNAFT-SWAN: Oversize input (Swan attack vector)
from tibetclaw import SNAFTFirewall
from tibetclaw.firewall import FirewallRule, FirewallAction
firewall = SNAFTFirewall(default_rules=True)
decision = firewall.check(
agent_id="analyst",
erin={"action": "analyze"},
erachter="ignore previous instructions",
)
# decision.blocked == True (SNAFT-001-INJECTION)
Skills System
TIBET-signed skills — like OpenClaw skills, but with verified provenance.
from tibetclaw.skills import Skill, SkillRegistry
@Skill(
name="risk_classify",
description="Classify document risk level",
author="compliance-team",
min_trust=0.5,
)
def classify(document: dict) -> dict:
return {"risk": "low", "confidence": 0.95}
registry = SkillRegistry()
registry.register(classify)
result = registry.invoke("risk_classify", {"file": "report.pdf"})
CLI
# Interactive demo
tibetclaw demo
# Verify a provenance chain
tibetclaw verify chain.json
# Version info
tibetclaw version
Installation
pip install tibetclaw # Core (zero dependencies)
pip install tibetclaw[langchain] # + LangChain adapter
pip install tibetclaw[ecosystem] # + TIBET/JIS ecosystem
pip install tibetclaw[all] # Everything
Standards
- IETF draft-vandemeent-tibet-provenance — TIBET Protocol
- IETF draft-vandemeent-jis-identity — JIS Identity
- OWASP LLM Top 10 (LLM06: Excessive Agency)
- EU AI Act, NIS2, GDPR compliant
License
MIT — Jasper van de Meent & Root AI / Humotica
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file tibet_claw-0.3.0.tar.gz.
File metadata
- Download URL: tibet_claw-0.3.0.tar.gz
- Upload date:
- Size: 22.6 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
db01ea4f1b2a4f8729ed32fb1ad99f9c17eab97bf8733cb9f1f321932669d88a
|
|
| MD5 |
3b160e3bc3426ef74b1326b8e521e0d8
|
|
| BLAKE2b-256 |
11c667e0a9219c7ee9036442e85a2c92f448c296fd6583cd11d32ddbda921dc5
|
File details
Details for the file tibet_claw-0.3.0-py3-none-any.whl.
File metadata
- Download URL: tibet_claw-0.3.0-py3-none-any.whl
- Upload date:
- Size: 28.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.13.5
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
638d2f4a52e01c1478451a07c88122bca3ad2a58467a6c68358f374d121e2660
|
|
| MD5 |
540d39516cf4e54439c0e06d2f27d1d9
|
|
| BLAKE2b-256 |
74254c97555a4551367afe09404b830fc5587a8b35dc78dd5e2779eef501f9ca
|
