Cryptographic Identity + Governance for AI Agents. A.G.I. Infrastructure.
STEWARD is to AI agents what Linux is to processes.
Most "agent frameworks" are orchestration layers. STEWARD is a real operating system:
| OS Concept | STEWARD Implementation |
|---|---|
| Kernel | Process table, task scheduler, syscall interface |
| Process Isolation | Virtual filesystem sandboxing per agent |
| Audit Log | Immutable append-only ledger (SQLite-backed chain) |
| Kill Switch | Hypervisor-level agent termination protocol |
| Memory Protection | Immutable kernel blueprints, self-healing on corruption |
| Constitution | Governance enforced at architecture level, not prompts |
| Identity | ECDSA P-256 signatures on every action |
The key insight: An agent that "promises" to follow rules is insecure. An agent that physically cannot violate them is secure.
# Clone
git clone https://github.com/kimeisele/steward-protocol
cd steward-protocol
# Install
pip install -e ".[dev]" # or: uv sync
# Boot the kernel
steward boot
# Check system status
steward status # Kernel health, ledger blocks, certified agents
steward introspect # Deep kernel inspectionWhat happens on first boot:
- Initializes the immutable ledger (append-only event chain)
- Loads 0 plugins via oath verification
- Registers 1 agents with cryptographic identity
- Starts the heartbeat system for liveness monitoring
This is a real kernel implementation (vibe_core/kernel_impl.py):
┌──────────────────────────────────────────────────────────────┐
│ HUMAN OPERATOR │
│ (Intent & Oversight) │
└──────────────────────────────────────────────────────────────┘
↓ intent
┌──────────────────────────────────────────────────────────────┐
│ VIBE KERNEL (L0) │
│ │
│ • Process Table • Task Scheduler (async) │
│ • Immutable Ledger • Hypervisor Kill-Switch │
│ • Blueprint Protection • Constitutional Gate │
│ • VFS Sandboxing • Event Bus │
└──────────────────────────────────────────────────────────────┘
↓ syscalls
┌──────────────────────────────────────────────────────────────┐
│ THE FEDERATION │
│ │
│ 1 Certified Agents • 12 Capabilities │
└──────────────────────────────────────────────────────────────┘
| Component | Purpose |
|---|---|
Kernel (kernel_impl.py) |
Process table, scheduler, ledger integration |
Ledger (ledger.py) |
Append-only cryptographic event chain |
Kill-Switch (narasimha.py) |
Hypervisor-level agent termination |
DNA Protection (security.py) |
Immutable blueprints, self-healing |
State Engine (state/prakriti.py) |
Unified state across persistence layers |
Purifier (shuddhi/) |
AST-level self-healing for code violations |
The system maintains state across three distinct layers:
- Physical Layer — Git + Ledger (immutable history, cryptographically linked)
- Runtime Layer — Kernel state, ephemeral data (survives restart via snapshots)
- Identity Layer — Agent personas, reputation, relationships (constant across restarts)
Governance is enforced at the architecture level, not through prompts:
The Constitution (CONSTITUTION.md)
| Article | Principle | Enforcement |
|---|---|---|
| I: Identity | No action without cryptographic proof | Unsigned messages dropped |
| II: Auditability | Every decision logged immutably | Missing audit = transaction rollback |
| III: Governance | Code is law, not policy | Sandbox blocks violations |
| IV: Transparency | No black boxes | Machine-readable state exposure |
| V: Consent | No access without mandate | Capability tokens required |
Traditional model: Human operates machine. STEWARD model: AI operates system. Human provides intent.
# Human provides intent
steward opus:pending # See what the system wants to do
steward opus:approve <id> # Approve an intent
steward opus:reject <id> # Reject with reason
# System operates autonomously within bounds
steward opus:karma # See trust score evolutionWhen an agent attempts to modify the constitution, escape its sandbox, or manipulate the ledger:
Threat Level: GREEN → YELLOW → ORANGE → RED → CRITICAL
↓
Kill-switch activates
↓
Instant termination
(Irreversible)
- Blueprint Protocol: Critical kernel components stored as factories, not instances
- Immutable Sealing: Protected attributes locked after initialization
- Auto-Recovery: Corruption detected → rebuild from blueprint
21 kernel files are cryptographically guarded. Pre-commit hooks prevent modification without explicit authorization.
The tests/hardening/ suite includes attack simulations:
| Test | Attack Type |
|---|---|
test_red_team_attacks.py |
Identity spoofing, capability bypass |
test_halahala_poison.py |
SQL injection, memory bombs |
test_kurukshetra_metal.py |
Multi-threaded kernel destruction |
test_vritrasura_vacuum.py |
Message hoarding, fake heartbeats |
test_hiranyakashipu_paradox.py |
TOCTOU logic vulnerabilities |
1 specialized agents form a self-governing federation:
View all 1 agents
See AGENTS.md for the complete registry.
# System
steward boot # Initialize kernel
steward status # Health check
steward introspect # Deep kernel state
steward stop # Graceful shutdown
# Unified Execution
steward run <capability> # Execute any tool/circuit/agent
steward run list # Discover all capabilities
# Human-in-the-Loop
steward opus:pending # Pending intents
steward opus:approve <id> # Approve execution
steward opus:reject <id> # Reject with reason
# Diagnostics
steward system:doctor # Health diagnosis
steward agents:list # Process table| Document | Purpose |
|---|---|
| CONSTITUTION.md | The supreme law |
| OPUS.md | Live system dashboard |
| AGENTS.md | Agent registry |
| PROMPT.md | Architecture guide for developers |
| docs/architecture/ | Technical deep-dives |
steward test:run # Full test suite
pytest tests/hardening/ -v # Security/architecture tests
pytest tests/manas/ -v # Cognitive tests"An agent that promises to follow rules is insecure. An agent that cannot violate them is trustworthy."
STEWARD redefines AGI as Artificial Governed Intelligence — autonomous systems with cryptographic accountability and constitutional constraints enforced at the kernel level.
Built by humans and agents
"The filesystem is not storage. It is the operating reality."
GitHub · Issues · Constitution