@tenova/swt3-ai 0.5.3 → 0.5.5

package/templates/github-action.yml

@@ -0,0 +1,44 @@
+# SWT3 AI Witness -- Config Validation for CI/CD
+# Ensures your governance config (swt3.yaml) is valid before deploy.
+#
+# Setup:
+#   1. Run: npx swt3 init --profile <profile> --tenant <your-tenant>
+#   2. Commit swt3.yaml to your repo
+#   3. Copy this file to .github/workflows/swt3-ci.yml
+#   4. (Optional) Add SWT3_API_KEY to repository secrets for cloud mode
+#
+# This validates config structure, not runtime behavior.
+# Runtime witnessing happens in your application code via the SDK.
+
+name: SWT3 Config Validation
+
+on:
+  push:
+    branches: [main]
+    paths: [swt3.yaml, .swt3.yaml]
+  pull_request:
+    branches: [main]
+    paths: [swt3.yaml, .swt3.yaml]
+
+jobs:
+  swt3-validate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-node@v4
+        with:
+          node-version: "20"
+
+      - name: Install SWT3 SDK
+        run: npm install @tenova/swt3-ai
+
+      - name: Validate governance config
+        env:
+          SWT3_API_KEY: ${{ secrets.SWT3_API_KEY }}
+        run: |
+          if [ ! -f swt3.yaml ] && [ ! -f .swt3.yaml ]; then
+            echo "No swt3.yaml found. Run: npx swt3 init"
+            exit 1
+          fi
+          npx swt3 doctor --ci

package/templates/healthcare-clinical.yaml

@@ -0,0 +1,67 @@
+# SWT3 Profile: Healthcare Clinical AI (HIPAA + FDA AI/ML + EU MDR)
+# AI governance for clinical decision support, diagnostic AI, patient
+# risk scoring, and treatment recommendation systems.
+#
+# Covers HIPAA Privacy/Security Rules, FDA AI/ML SaMD guidance,
+# EU Medical Device Regulation (MDR), GDPR Art. 22/35, and
+# NIST AI RMF GOVERN/MAP/MEASURE/MANAGE.
+#
+# Clinical AI processes protected health information (PHI) and makes
+# decisions with direct patient safety implications. Maximum clearing
+# level and strict human oversight are non-negotiable.
+#
+# Usage:
+#   profile: healthcare-clinical
+#   api_key_env: SWT3_API_KEY
+#   tenant_id: YOUR_TENANT
+#   agent_id: diagnostic-radiology-v2
+
+clearing_level: 3   # Classified (PHI and clinical data)
+
+policy:
+  require_agent_id: true
+  require_signing: true
+  min_clearing_level: 3
+  require_jurisdiction: true   # HIPAA / MDR jurisdiction tracking
+  required_procedures:
+    # Inference provenance
+    - AI-INF.1     # Prompt/response hash capture
+    # Fairness (diagnostic equity across demographics)
+    - AI-FAIR.1    # Bias disparity measurement
+    - AI-FAIR.3    # Bias audit witnessing
+    # Explainability (clinical decision transparency)
+    - AI-EXPL.1    # Explanation generation (feature attribution)
+    - AI-EXPL.2    # Confidence scoring (diagnostic certainty)
+    # Automated decisions (clinical recommendations)
+    - AI-AUTO.1    # Automated decision notification
+    # Human oversight (clinician review -- mandatory)
+    - AI-HITL.1    # Human review completion
+    - AI-HITL.2    # Human override event tracking
+    # Patient rights
+    - AI-CONSENT.1 # Patient consent (HIPAA authorization)
+    - AI-DPIA.1    # Data protection impact assessment
+    - AI-TRANS.1   # Transparency disclosure to patients
+    # Continuous monitoring
+    - AI-PERF.1    # Diagnostic accuracy metrics
+    - AI-SAFE.1    # Clinical safe state (failover to human)
+    - AI-AUDIT.1   # Audit log integrity (HIPAA requirement)
+    - AI-DRIFT.1   # Model drift (population shift detection)
+
+trust_mesh:
+  mode: strict
+  min_trust_level: 3
+  require_signature: true
+  freshness_window: 1800   # 30 minutes (clinical shift-aligned)
+
+density_policy:
+  min_anchors_per_1000_tokens: 4
+  max_chain_gap_seconds: 60    # Tight gap for clinical decisions
+  require_signing_key: true
+
+mcp_policy:
+  witnessed_tools: ["*"]
+  auto_witness: true
+  block_on_failure: true    # Never allow unwitnessed clinical decisions
+  max_velocity: "15/60s"
+  max_chain_depth: 5
+  fail_secure: true

package/templates/insurance-underwriting.yaml

@@ -0,0 +1,68 @@
+# SWT3 Profile: Insurance Underwriting AI (NAIC + State Regs + GDPR)
+# AI governance for actuarial modeling, claims processing, pricing
+# algorithms, risk classification, and underwriting decisions.
+#
+# Covers NAIC Model AI Governance Guidelines, state insurance
+# commissioner regulations, FCRA (adverse action), GDPR Art. 22
+# (automated profiling), and emerging state AI disclosure laws.
+#
+# Insurance AI makes decisions that directly affect coverage access
+# and pricing for protected classes. Bias monitoring, adverse action
+# explainability, and ongoing model validation are regulatory
+# requirements in most US states and EU member states.
+#
+# Usage:
+#   profile: insurance-underwriting
+#   api_key_env: SWT3_API_KEY
+#   tenant_id: YOUR_TENANT
+#   agent_id: underwriting-model-v5
+
+clearing_level: 2   # Sensitive (policyholder PII)
+
+policy:
+  require_agent_id: true
+  require_signing: true
+  min_clearing_level: 2
+  require_jurisdiction: true   # State-by-state regulation
+  required_procedures:
+    # Inference provenance
+    - AI-INF.1     # Prompt/response hash capture
+    # Model lifecycle
+    - AI-MDL.1     # Model validation (actuarial standards)
+    # Fairness (protected classes in underwriting)
+    - AI-FAIR.1    # Bias disparity measurement
+    - AI-FAIR.3    # Bias audit witnessing
+    # Explainability (adverse action notices)
+    - AI-EXPL.1    # Explanation generation (denial reasons)
+    - AI-EXPL.2    # Confidence scoring
+    # Automated decisions (underwriting, pricing, claims)
+    - AI-AUTO.1    # Automated decision notification
+    # Human oversight
+    - AI-HITL.1    # Human review of denials and edge cases
+    # Data governance
+    - AI-CONSENT.1 # Policyholder consent
+    - AI-DPIA.1    # Data protection impact assessment
+    - AI-TRANS.1   # Transparency disclosure
+    # Continuous monitoring
+    - AI-DRIFT.1   # Model drift (loss ratio shift detection)
+    - AI-PERF.1    # Actuarial accuracy metrics
+    - AI-AUDIT.1   # Audit log integrity
+
+trust_mesh:
+  mode: strict
+  min_trust_level: 3
+  require_signature: true
+  freshness_window: 3600   # 1 hour
+
+density_policy:
+  min_anchors_per_1000_tokens: 3
+  max_chain_gap_seconds: 180
+  require_signing_key: true
+
+mcp_policy:
+  witnessed_tools: ["*"]
+  auto_witness: true
+  block_on_failure: true
+  max_velocity: "15/60s"
+  max_chain_depth: 6
+  fail_secure: true

package/templates/microsoft-foundry.yaml

@@ -0,0 +1,61 @@
+# SWT3 Profile: Microsoft Foundry (Agent Governance)
+#
+# Independent cryptographic witness layer for Microsoft Foundry Agent Service.
+# Complements the Microsoft Agent Governance Toolkit (AGT) by providing
+# out-of-band, tamper-evident evidence that auditors can verify without
+# any Microsoft infrastructure.
+#
+# Covers OWASP Agentic Top 10 via independent attestation.
+# Compatible with EU AI Act, NIST AI RMF, CMMC, SOC 2.
+#
+# Usage:
+#   profile: microsoft-foundry
+#   api_key_env: SWT3_API_KEY
+#   tenant_id: YOUR_TENANT
+#   agent_id: your-foundry-agent
+#   signing_key_env: SWT3_SIGNING_KEY
+
+clearing_level: 2
+
+policy:
+  require_signing: true
+  require_agent_id: true
+  min_clearing_level: 2
+  required_procedures:
+    - AI-INF.1     # Inference provenance (prompt/response hashing)
+    - AI-GRD.1     # Guardrail presence attestation
+    - AI-TOOL.1    # Tool call witnessing (Foundry Toolbox)
+    - AI-CHAIN.1   # Chain monitoring (multi-agent Foundry sessions)
+    - AI-ID.1      # Agent identity (complements AGT SPIFFE/DID)
+    - AI-ACC.1     # Access control witnessing (Foundry RBAC)
+    - AI-AUDIT.1   # Independent audit trail (Merkle-rooted)
+
+trust_mesh:
+  mode: strict
+  min_trust_level: 2
+  require_signature: true
+  freshness_window: 1800
+
+mcp_policy:
+  witnessed_tools: ["*"]
+  exempt_tools: []
+  require_trust_level: 2
+  auto_witness: true
+  block_on_failure: true
+  max_velocity: "20/60s"
+  max_chain_depth: 12
+  max_tokens_per_session: 200000
+  fail_secure: true
+
+density_policy:
+  min_anchors_per_1000_tokens: 1
+  max_chain_gap_seconds: 300
+  require_signing_key: true
+  min_trust_level: 2
+
+hardware:
+  require_attestation: false
+
+merkle:
+  enabled: true
+  accumulator_interval: 60

package/templates/telecom-compliance.yaml

@@ -0,0 +1,72 @@
+# SWT3 Profile: Telecom Compliance (FCC + EU AI Act + NIST AI RMF)
+# Comprehensive AI governance for telecommunications providers operating
+# fraud detection, network optimization, customer scoring, call routing,
+# and predictive maintenance models.
+#
+# Covers FCC AI transparency requirements, EU AI Act Art. 9-15 (high-risk),
+# GDPR Art. 22 (automated decisions), and NIST AI RMF GOVERN/MAP/MEASURE/MANAGE.
+#
+# Telecom AI models process regulated customer data across jurisdictions,
+# requiring strict clearing levels, fairness monitoring, and human oversight
+# for decisions with legal or financial effects.
+#
+# Usage:
+#   profile: telecom-compliance
+#   api_key_env: SWT3_API_KEY
+#   tenant_id: YOUR_TENANT
+#   agent_id: fraud-scoring-v3
+
+clearing_level: 2   # Sensitive (telecom customer data is regulated)
+
+policy:
+  require_agent_id: true
+  require_signing: true
+  min_clearing_level: 2
+  require_jurisdiction: true   # Multi-country operations require jurisdiction tracking
+  required_procedures:
+    # Inference provenance (all models)
+    - AI-INF.1     # Prompt/response hash capture
+    - AI-INF.2     # Latency monitoring (SLA compliance)
+    # Model lifecycle
+    - AI-MDL.1     # Model weight integrity verification
+    - AI-MDL.3     # Model drift scoring
+    # Fairness (fraud scoring, credit, customer classification)
+    - AI-FAIR.1    # Bias disparity measurement
+    - AI-FAIR.3    # Bias audit witnessing
+    # Explainability (regulatory requirement for customer-facing decisions)
+    - AI-EXPL.1    # Explanation generation
+    - AI-EXPL.2    # Confidence scoring
+    # Human oversight (flagged transactions, escalations)
+    - AI-HITL.1    # Human review completion
+    - AI-HITL.2    # Human override event tracking
+    # Automated decisions (fraud flags, service denial, credit scoring)
+    - AI-AUTO.1    # Automated decision notification (GDPR Art. 22)
+    - AI-CONSENT.1 # Data subject consent (GDPR)
+    - AI-TRANS.1   # Transparency disclosure (FCC + Art. 13)
+    # Continuous monitoring
+    - AI-DRIFT.1   # Model drift detection
+    - AI-PERF.1    # Performance metrics (accuracy, precision, recall)
+    - AI-ROBUST.1  # Robustness testing (adversarial inputs)
+    - AI-AUDIT.1   # Audit log integrity
+    # Safety and environment
+    - AI-SAFE.1    # Safe state transition (network AI failover)
+    - AI-ENV.1     # Runtime environment attestation
+
+trust_mesh:
+  mode: strict             # Inter-system handoffs in telecom require strict trust
+  min_trust_level: 3
+  require_signature: true
+  freshness_window: 3600   # 1 hour (shift-aligned)
+
+density_policy:
+  min_anchors_per_1000_tokens: 3
+  max_chain_gap_seconds: 120   # Tight gap for real-time fraud detection
+  require_signing_key: true
+
+mcp_policy:
+  witnessed_tools: ["*"]
+  auto_witness: true
+  block_on_failure: true    # Fail closed for regulated decisions
+  max_velocity: "20/60s"    # Higher throughput for batch fraud scoring
+  max_chain_depth: 8
+  fail_secure: true