cryptomem 2026.6.1__py3-none-any.whl

cryptomem/__init__.py

@@ -0,0 +1,51 @@
+from cryptomem.adapters.mock_adapter import MockAdapter
+from cryptomem.adapters.ollama_adapter import OllamaAdapter
+from cryptomem.client import ABSTAIN, MemoryClient
+from cryptomem.config import Settings
+from cryptomem.embeddings.minilm import MiniLMEmbedder
+from cryptomem.embeddings.stub import StubEmbedder
+from cryptomem.models import (
+    Contradiction,
+    CryptoEnvelope,
+    MemoryNode,
+    Relationship,
+    ScoredNode,
+)
+from cryptomem.proactive import Planner, TriggerEngine, WriteBack
+from cryptomem.store.remote_store import RemoteStore
+from cryptomem.store.sqlite_store import SqliteStore
+from cryptomem.verification import (
+    ChainOfVerification,
+    Citer,
+    FaithfulnessChecker,
+    GroundingGate,
+    SemanticEntropy,
+)
+
+__version__ = "2026.06.1"
+
+__all__ = [
+    "ABSTAIN",
+    "MemoryClient",
+    "Settings",
+    "MemoryNode",
+    "Relationship",
+    "CryptoEnvelope",
+    "ScoredNode",
+    "Contradiction",
+    "StubEmbedder",
+    "MiniLMEmbedder",
+    "MockAdapter",
+    "OllamaAdapter",
+    "GroundingGate",
+    "FaithfulnessChecker",
+    "Citer",
+    "SemanticEntropy",
+    "ChainOfVerification",
+    "Planner",
+    "TriggerEngine",
+    "WriteBack",
+    "SqliteStore",
+    "RemoteStore",
+    "__version__",
+]

cryptomem/adapters/__init__.py

@@ -0,0 +1,5 @@
+from cryptomem.adapters.base import LLMAdapter
+from cryptomem.adapters.mock_adapter import MockAdapter
+from cryptomem.adapters.ollama_adapter import OllamaAdapter
+
+__all__ = ["LLMAdapter", "MockAdapter", "OllamaAdapter"]

cryptomem/adapters/base.py

@@ -0,0 +1,11 @@
+from __future__ import annotations
+
+from abc import ABC, abstractmethod
+
+
+class LLMAdapter(ABC):
+    """Uniform completion interface across model backends."""
+
+    @abstractmethod
+    def complete(self, prompt: str) -> str:
+        """Return the model completion for ``prompt``."""

cryptomem/adapters/mock_adapter.py

@@ -0,0 +1,14 @@
+from __future__ import annotations
+
+from cryptomem.adapters.base import LLMAdapter
+
+
+class MockAdapter(LLMAdapter):
+    """Model-free adapter for deterministic, offline development and tests.
+
+    Echoes the verified context it was handed so grounding and abstention can
+    be asserted without downloading or running any model.
+    """
+
+    def complete(self, prompt: str) -> str:
+        return f"[mock] grounded answer based on:\n{prompt.strip()}"

cryptomem/adapters/ollama_adapter.py

@@ -0,0 +1,41 @@
+from __future__ import annotations
+
+import httpx
+
+from cryptomem.adapters.base import LLMAdapter
+
+
+class OllamaAdapter(LLMAdapter):
+    """Completion adapter that forwards prompts to a local Ollama server.
+
+    Speaks Ollama's native ``/api/generate`` wire protocol with streaming
+    disabled, so it works against any stock Ollama install with zero config.
+    """
+
+    def __init__(
+        self,
+        base_url: str = "http://localhost:11434",
+        model: str = "qwen2.5:0.5b",
+        timeout: float = 60.0,
+    ):
+        self.base_url = base_url.rstrip("/")
+        self.model = model
+        self._client = httpx.Client(base_url=self.base_url, timeout=timeout)
+
+    def complete(self, prompt: str) -> str:
+        resp = self._client.post(
+            "/api/generate",
+            json={"model": self.model, "prompt": prompt, "stream": False},
+        )
+        resp.raise_for_status()
+        return str(resp.json().get("response", ""))
+
+    def is_alive(self) -> bool:
+        """Return ``True`` if the Ollama server answers ``GET /api/tags``."""
+        try:
+            return self._client.get("/api/tags").status_code == 200
+        except httpx.HTTPError:
+            return False
+
+    def close(self) -> None:
+        self._client.close()

cryptomem/cli.py

@@ -0,0 +1,38 @@
+from __future__ import annotations
+
+import argparse
+
+from cryptomem import __version__
+
+
+def main(argv: list[str] | None = None) -> int:
+    """Entry point for the ``cryptomem`` command."""
+    parser = argparse.ArgumentParser(prog="cryptomem", description="cryptomem CLI")
+    parser.add_argument("--version", action="version", version=f"cryptomem {__version__}")
+    sub = parser.add_subparsers(dest="command")
+
+    serve = sub.add_parser("serve", help="run the Ollama-compatible sidecar")
+    serve.add_argument("--host", default="127.0.0.1")
+    serve.add_argument("--port", type=int, default=8088)
+    serve.add_argument("--ollama-url", default="http://localhost:11434")
+
+    args = parser.parse_args(argv)
+
+    if args.command == "serve":
+        try:
+            import uvicorn
+
+            from cryptomem.server.app import create_app
+        except ImportError:
+            print("The sidecar needs the 'serve' extra: pip install 'cryptomem[serve]'")
+            return 1
+        app = create_app(ollama_url=args.ollama_url)
+        uvicorn.run(app, host=args.host, port=args.port)
+        return 0
+
+    parser.print_help()
+    return 0
+
+
+if __name__ == "__main__":
+    raise SystemExit(main())

cryptomem/client.py

@@ -0,0 +1,361 @@
+from __future__ import annotations
+
+import uuid
+from datetime import datetime, timezone
+
+from cryptomem.adapters.base import LLMAdapter
+from cryptomem.adapters.mock_adapter import MockAdapter
+from cryptomem.config import Settings
+from cryptomem.crypto.hashing import sha256
+from cryptomem.crypto.keys import build_signer
+from cryptomem.crypto.merkle import merkle_proof, merkle_root, verify_proof
+from cryptomem.crypto.signer import Signer
+from cryptomem.efficiency.budgeter import fit_to_budget
+from cryptomem.efficiency.cache import SemanticCache
+from cryptomem.efficiency.compressor import compress_heuristic
+from cryptomem.efficiency.deduper import dedupe
+from cryptomem.embeddings.base import Embedder, cosine_similarity
+from cryptomem.embeddings.stub import StubEmbedder
+from cryptomem.models import (
+    Contradiction,
+    CryptoEnvelope,
+    MemoryNode,
+    Relationship,
+    ScoredNode,
+)
+from cryptomem.proactive.planner import Planner
+from cryptomem.proactive.triggers import TriggerEngine
+from cryptomem.proactive.writeback import WriteBack
+from cryptomem.retrieval.retriever import Retriever
+from cryptomem.store.base import MemoryStore
+from cryptomem.store.sqlite_store import SqliteStore
+from cryptomem.verification.citations import Citer
+from cryptomem.verification.cove import ChainOfVerification
+from cryptomem.verification.entropy import SemanticEntropy
+from cryptomem.verification.faithfulness import FaithfulnessChecker
+from cryptomem.verification.grounding import GroundingGate, render_context
+
+ABSTAIN = "I cannot answer that from verified memory."
+
+
+class MemoryClient:
+    """High-level verifiable memory: archive, query, verify, traverse, ground.
+
+    Every fact is SHA-256 hashed and Ed25519 signed at write time. At read time
+    each node is re-verified; tampered or unsigned facts are dropped and the
+    agent abstains rather than guessing. Retrieval runs a
+    retrieve -> dedupe -> rank -> budget -> (compress) -> ground pipeline.
+    """
+
+    def __init__(
+        self,
+        settings: Settings | None = None,
+        store: MemoryStore | None = None,
+        signer: Signer | None = None,
+        embedder: Embedder | None = None,
+    ):
+        self.settings = settings or Settings()
+        self.signer = signer or build_signer(self.settings)
+        self.store = store or self._build_store()
+        self.embedder = embedder or StubEmbedder()
+        self.retriever = Retriever(
+            store=self.store,
+            embedder=self.embedder,
+            verify=self.verify,
+            require_verification=self.settings.require_verification,
+        )
+        self.gate = GroundingGate()
+        self.cache = SemanticCache()
+        self.citer = Citer(self.embedder, min_support=self.settings.citation_min_support)
+        self.faithfulness = FaithfulnessChecker(
+            self.embedder, threshold=self.settings.faithfulness_threshold
+        )
+        self.entropy = SemanticEntropy(
+            self.embedder, cluster_threshold=self.settings.entropy_cluster_threshold
+        )
+
+    def _build_store(self) -> MemoryStore:
+        """Select the store from ``settings.mode``; fall back to SQLite offline.
+
+        ``mode="remote"`` (with a ``backend_url``) uses a :class:`RemoteStore`,
+        but if the backend fails its health check at init the client degrades
+        gracefully to a local SQLite store so edge devices keep working.
+        """
+        mode = self.settings.mode.lower()
+        if mode == "neo4j":
+            from cryptomem.store.neo4j_store import Neo4jStore
+
+            return Neo4jStore(
+                uri=self.settings.neo4j_uri,
+                user=self.settings.neo4j_user,
+                password=self.settings.neo4j_password,
+                database=self.settings.neo4j_database,
+            )
+        if mode == "remote" and self.settings.backend_url:
+            from cryptomem.store.remote_store import RemoteStore
+
+            remote = RemoteStore(self.settings.backend_url, self.settings.backend_api_key)
+            if remote.healthz():
+                return remote
+            return SqliteStore(self.settings.sqlite_path)
+        return SqliteStore(self.settings.sqlite_path)
+
+    def archive(
+        self,
+        entity: str,
+        content: str,
+        relationships: list[Relationship] | None = None,
+        metadata: dict | None = None,
+        node_id: str | None = None,
+    ) -> MemoryNode:
+        """Sign and persist a new memory node, returning the stored node."""
+        rels = relationships or []
+        meta = dict(metadata or {})
+        meta.setdefault("timestamp", datetime.now(timezone.utc).isoformat())
+        nid = node_id or f"mem_{uuid.uuid4().hex[:12]}"
+
+        unsigned = MemoryNode(
+            node_id=nid,
+            entity=entity,
+            content=content,
+            relationships=rels,
+            metadata=meta,
+        )
+        return self._seal(unsigned)
+
+    def _seal(self, node: MemoryNode) -> MemoryNode:
+        """Hash, Merkle-anchor, sign, embed, and persist ``node`` in place."""
+        node.crypto = None
+        node.embedding = None
+        digest = sha256(node.model_dump())
+        existing = [
+            n.crypto.hash
+            for n in self.store.all()
+            if n.crypto is not None and n.node_id != node.node_id
+        ]
+        root = merkle_root([*existing, digest])
+        node.embedding = self.embedder.embed(f"{node.entity} {node.content}")
+        node.crypto = CryptoEnvelope(
+            hash=digest,
+            signature=self.signer.sign(digest),
+            public_key_ref=self.signer.public_key_hex,
+            merkle_root=root,
+        )
+        self.store.write(node)
+        return node
+
+    def verify(self, node: MemoryNode) -> bool:
+        """Re-derive the hash and check the signature; ``False`` on any tamper."""
+        if node.crypto is None:
+            return False
+        recomputed = sha256(node.model_dump())
+        if recomputed != node.crypto.hash:
+            return False
+        return Signer.verify(node.crypto.public_key_ref, node.crypto.hash, node.crypto.signature)
+
+    def query(self, text: str, top_k: int = 5, depth: int = 0) -> list[ScoredNode]:
+        """Retrieve verified nodes ranked by similarity and graph distance."""
+        return self.retriever.retrieve(text, top_k=top_k, depth=depth)
+
+    def neighbors(self, node_id: str, depth: int = 1) -> list[MemoryNode]:
+        """Return verified neighbours reachable within ``depth`` hops."""
+        return [n for n in self.store.neighbors(node_id, depth=depth) if self.verify(n)]
+
+    def _ledger_leaves(self) -> tuple[list[MemoryNode], list[str]]:
+        nodes = sorted(
+            (n for n in self.store.all() if n.crypto is not None), key=lambda n: n.node_id
+        )
+        return nodes, [n.crypto.hash for n in nodes if n.crypto is not None]
+
+    def ledger_root(self) -> str | None:
+        """Merkle root over every stored node's hash (current ledger anchor)."""
+        return merkle_root(self._ledger_leaves()[1])
+
+    def proof(self, node_id: str) -> dict | None:
+        """Return a verifiable Merkle inclusion proof for a node.
+
+        Includes the node's write-time anchor plus an audit path against the
+        current ledger root, so an auditor can confirm membership offline via
+        :func:`verify_proof` without trusting this process.
+        """
+        node = self.store.get(node_id)
+        if node is None or node.crypto is None:
+            return None
+        nodes, leaves = self._ledger_leaves()
+        index = next((i for i, n in enumerate(nodes) if n.node_id == node_id), -1)
+        path = merkle_proof(leaves, index) if index >= 0 else []
+        root = merkle_root(leaves)
+        included = root is not None and verify_proof(node.crypto.hash, path, root)
+        return {
+            "node_id": node.node_id,
+            "leaf_hash": node.crypto.hash,
+            "merkle_root": node.crypto.merkle_root,
+            "ledger_root": root,
+            "proof": [{"sibling": sibling, "position": pos} for sibling, pos in path],
+            "included": included,
+            "verified": self.verify(node),
+        }
+
+    def contradictions(self) -> list[Contradiction]:
+        """Surface same-entity nodes whose content diverges (contradiction radar)."""
+        by_entity: dict[str, list[MemoryNode]] = {}
+        for node in self.store.all():
+            if self.verify(node):
+                by_entity.setdefault(node.entity, []).append(node)
+
+        found: list[Contradiction] = []
+        threshold = self.settings.contradiction_threshold
+        for entity, nodes in by_entity.items():
+            for i in range(len(nodes)):
+                for j in range(i + 1, len(nodes)):
+                    left, right = nodes[i], nodes[j]
+                    if left.embedding is None or right.embedding is None:
+                        continue
+                    sim = cosine_similarity(left.embedding, right.embedding)
+                    if sim < threshold:
+                        found.append(
+                            Contradiction(
+                                entity=entity,
+                                left_id=left.node_id,
+                                right_id=right.node_id,
+                                similarity=round(sim, 4),
+                            )
+                        )
+        return found
+
+    def _ground(self, question: str, top_k: int, depth: int, compress: bool) -> list[ScoredNode]:
+        scored = dedupe(self.query(question, top_k=top_k, depth=depth))
+        admitted, grounded = self.gate.admit(scored)
+        if not grounded:
+            return []
+        admitted = fit_to_budget(admitted, self.settings.max_context_tokens)
+        if compress:
+            for s in admitted:
+                s.node.content = compress_heuristic(s.node.content)
+        return admitted
+
+    def respond(
+        self,
+        question: str,
+        adapter: LLMAdapter | None = None,
+        top_k: int = 5,
+        depth: int = 0,
+        compress: bool = False,
+    ) -> tuple[str, dict]:
+        """Answer plus a provenance block (injected nodes, verification, root)."""
+        admitted = self._ground(question, top_k, depth, compress)
+        if not admitted:
+            return ABSTAIN, {"injected_nodes": [], "verified": False, "merkle_root": None}
+
+        adapter = adapter or MockAdapter()
+        prompt = (
+            "Answer using ONLY the verified facts below. "
+            "If they do not cover the question, say you cannot answer.\n\n"
+            f"Verified facts:\n{render_context(admitted)}\n\nQuestion: {question}"
+        )
+        text = adapter.complete(prompt)
+        head_crypto = admitted[0].node.crypto
+        provenance: dict = {
+            "injected_nodes": [s.node.node_id for s in admitted],
+            "verified": all(s.verified for s in admitted),
+            "merkle_root": head_crypto.merkle_root if head_crypto else None,
+        }
+        if self.settings.enable_citations:
+            text, citations = self.citer.annotate(text, admitted)
+            provenance["citations"] = citations
+        if self.settings.enable_faithfulness:
+            score, _ = self.faithfulness.score(text, admitted)
+            provenance["faithfulness"] = score
+            provenance["faithful"] = score >= self.settings.faithfulness_threshold
+        if self.settings.enable_proactive:
+            provenance["proactive_suggestions"] = self.suggest(
+                [s.node for s in admitted], limit=self.settings.proactive_suggestions
+            )
+        if self.settings.enable_writeback:
+            provenance["staged_nodes"] = [n.node_id for n in self.stage_facts(text)]
+        return text, provenance
+
+    def answer(
+        self,
+        question: str,
+        adapter: LLMAdapter | None = None,
+        top_k: int = 5,
+        depth: int = 0,
+        compress: bool = False,
+        use_cache: bool = True,
+    ) -> str:
+        """Answer strictly from verified memory, or abstain if none is found.
+
+        Pipeline: retrieve -> dedupe -> ground -> token-budget -> (compress) ->
+        adapter, with a semantic answer cache in front.
+        """
+        query_vec = self.embedder.embed(question)
+        if use_cache:
+            cached = self.cache.get(query_vec)
+            if cached is not None:
+                return cached
+
+        text, _ = self.respond(
+            question, adapter=adapter, top_k=top_k, depth=depth, compress=compress
+        )
+        if use_cache:
+            self.cache.put(query_vec, text)
+        return text
+
+    def confidence(
+        self,
+        question: str,
+        adapter: LLMAdapter | None = None,
+        samples: int | None = None,
+        top_k: int = 5,
+        depth: int = 0,
+    ) -> dict:
+        """Estimate epistemic confidence via semantic entropy over samples.
+
+        Grounds the question once, then samples the adapter repeatedly and
+        clusters the answers by meaning: agreement -> high confidence, scatter
+        -> low. Returns ``{clusters, entropy, confidence}``; abstains (zero
+        confidence) when nothing grounds.
+        """
+        admitted = self._ground(question, top_k=top_k, depth=depth, compress=False)
+        if not admitted:
+            return {"clusters": 0, "entropy": 1.0, "confidence": 0.0}
+        adapter = adapter or MockAdapter()
+        prompt = (
+            "Answer using ONLY the verified facts below.\n\n"
+            f"Verified facts:\n{render_context(admitted)}\n\nQuestion: {question}"
+        )
+        n = samples if samples is not None else self.settings.entropy_samples
+        return self.entropy.estimate(prompt, adapter, samples=n)
+
+    def verify_answer(self, draft: str, top_k: int = 3) -> dict:
+        """Re-check a draft answer claim-by-claim against verified memory (CoVe)."""
+        cove = ChainOfVerification(self, self.embedder, self.settings.faithfulness_threshold)
+        return cove.verify(draft, top_k=top_k)
+
+    def suggest(self, injected: list[MemoryNode], limit: int | None = None) -> list[dict]:
+        """Pre-stage adjacent verified facts for the likely next turn (planner)."""
+        n = limit if limit is not None else self.settings.proactive_suggestions
+        return Planner(self.store, self.verify).suggest(injected, limit=n)
+
+    def triggers(self) -> list[dict]:
+        """Evaluate proactive triggers (reconcile / refresh / link-gap)."""
+        return TriggerEngine(self).evaluate()
+
+    def stage_facts(self, text: str, entity: str | None = None) -> list[MemoryNode]:
+        """Extract facts from ``text`` and stage them as signed pending nodes."""
+        return WriteBack(self).stage(text, entity=entity)
+
+    def pending(self) -> list[MemoryNode]:
+        """Return verified nodes awaiting confirmation (``status="pending"``)."""
+        return [
+            n for n in self.store.all() if self.verify(n) and n.metadata.get("status") == "pending"
+        ]
+
+    def confirm(self, node_id: str) -> MemoryNode | None:
+        """Promote a pending node to ``confirmed`` and re-sign it."""
+        node = self.store.get(node_id)
+        if node is None or node.metadata.get("status") != "pending":
+            return None
+        node.metadata["status"] = "confirmed"
+        return self._seal(node)

cryptomem/config.py

@@ -0,0 +1,37 @@
+from __future__ import annotations
+
+from pydantic_settings import BaseSettings, SettingsConfigDict
+
+
+class Settings(BaseSettings):
+    """Typed configuration, overridable via ``CRYPTOMEM_*`` env vars or ``.env``."""
+
+    model_config = SettingsConfigDict(env_prefix="CRYPTOMEM_", env_file=".env", extra="ignore")
+
+    profile: str = "potato"
+    mode: str = "sqlite"
+    sqlite_path: str = ":memory:"
+    ollama_url: str = "http://localhost:11434"
+    default_model: str = "qwen2.5:0.5b"
+    embedder: str = "stub"
+    backend_url: str | None = None
+    backend_api_key: str | None = None
+    neo4j_uri: str = "bolt://localhost:7687"
+    neo4j_user: str = "neo4j"
+    neo4j_password: str = "neo4j"
+    neo4j_database: str = "neo4j"
+    signing_key_path: str = "./cryptomem.key"
+    byok_provider: str | None = None
+    signing_seed_env: str = "CRYPTOMEM_SIGNING_SEED"
+    max_context_tokens: int = 1500
+    require_verification: bool = True
+    contradiction_threshold: float = 0.6
+    enable_citations: bool = False
+    citation_min_support: float = 0.2
+    enable_faithfulness: bool = False
+    faithfulness_threshold: float = 0.25
+    entropy_samples: int = 5
+    entropy_cluster_threshold: float = 0.8
+    enable_proactive: bool = False
+    proactive_suggestions: int = 3
+    enable_writeback: bool = False

cryptomem/crypto/__init__.py

@@ -0,0 +1,5 @@
+from cryptomem.crypto.hashing import canonical_bytes, sha256
+from cryptomem.crypto.merkle import merkle_root
+from cryptomem.crypto.signer import Signer
+
+__all__ = ["Signer", "canonical_bytes", "sha256", "merkle_root"]

cryptomem/crypto/hashing.py

@@ -0,0 +1,25 @@
+from __future__ import annotations
+
+import hashlib
+import json
+from typing import Any
+
+
+def canonical_bytes(node: dict[str, Any]) -> bytes:
+    """Serialize the identity-bearing fields of a node deterministically.
+
+    Write-time and read-time serialization must be byte-identical for
+    verification to hold, so relationships are sorted and keys are ordered.
+    """
+    payload = {
+        "entity": node["entity"],
+        "content": node["content"],
+        "relationships": sorted((r["type"], r["target_id"]) for r in node.get("relationships", [])),
+        "metadata": node.get("metadata", {}),
+    }
+    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
+
+
+def sha256(node: dict[str, Any]) -> str:
+    """Return the hex SHA-256 digest of a node's canonical bytes."""
+    return hashlib.sha256(canonical_bytes(node)).hexdigest()

cryptomem/crypto/keys.py

@@ -0,0 +1,63 @@
+from __future__ import annotations
+
+import os
+from abc import ABC, abstractmethod
+from typing import TYPE_CHECKING
+
+from nacl.signing import SigningKey
+
+from cryptomem.crypto.signer import Signer
+
+if TYPE_CHECKING:
+    from cryptomem.config import Settings
+
+
+class KeyProvider(ABC):
+    """Pluggable source of the Ed25519 signing key (BYOK seam).
+
+    Lets deployments keep the private key wherever policy dictates — a local
+    file for dev, an environment-injected seed for containers, or (via a custom
+    provider) a KMS/Vault integration — without the engine ever hard-coding key
+    storage.
+    """
+
+    @abstractmethod
+    def get_signer(self) -> Signer:
+        """Return a ready-to-use :class:`Signer`."""
+
+
+class LocalFileKeyProvider(KeyProvider):
+    """Load (or generate-and-persist) a hex seed on the local filesystem."""
+
+    def __init__(self, path: str):
+        self.path = path
+
+    def get_signer(self) -> Signer:
+        return Signer.from_key_file(self.path)
+
+
+class EnvKeyProvider(KeyProvider):
+    """Read a hex-encoded Ed25519 seed from an environment variable.
+
+    Suited to containerised/secret-manager workflows where the key is injected
+    at runtime and never written to disk.
+    """
+
+    def __init__(self, env_var: str):
+        self.env_var = env_var
+
+    def get_signer(self) -> Signer:
+        seed = os.environ.get(self.env_var)
+        if not seed:
+            raise RuntimeError(f"BYOK env provider: ${self.env_var} is not set")
+        return Signer(SigningKey(bytes.fromhex(seed.strip())))
+
+
+def build_signer(settings: Settings) -> Signer:
+    """Resolve a :class:`Signer` from ``settings.byok_provider``."""
+    provider = (settings.byok_provider or "file").lower()
+    if provider == "file":
+        return LocalFileKeyProvider(settings.signing_key_path).get_signer()
+    if provider == "env":
+        return EnvKeyProvider(settings.signing_seed_env).get_signer()
+    raise ValueError(f"unknown byok_provider: {settings.byok_provider!r}")