Upload 22 files

src/anthropic_integration/ARCHITECTURE.md

@@ -0,0 +1,10 @@
+# Architecture Overview
+
+- **Governance Envelope** around vendor models (Anthropic Claude), not weight tampering.
+- **Proof Bonding**: input+prompt+output → `proof_hash` (+ Ed25519 signature, ZKP placeholder).
+- **Anchoring**: local ledger + pluggable TSA/blockchain hook.
+- **MCP Registry**: FastAPI service for `/register` and `/verify` proof records.
+- **Tracing**: OpenTelemetry hooks (OTLP exporter ready).
+- **Resilience**: Fragmentation & regeneration stubs.
+- **Supply Chain**: CI builds, SBOM via Syft, ready for signing (cosign) and provenance (SLSA).
+

src/anthropic_integration/CODE_OF_CONDUCT.md

@@ -0,0 +1,2 @@
+# Code of Conduct
+Be kind, professional, and respectful. Harassment or abuse is not tolerated.

src/anthropic_integration/CONTRIBUTING.md

@@ -0,0 +1,5 @@
+# Contributing
+1. Fork & branch.
+2. Enable pre-commit: `pre-commit install`.
+3. Run tests: `pytest -q`.
+4. Open PR with clear description and threat analysis if touching crypto.

src/anthropic_integration/Dockerfile

@@ -0,0 +1,8 @@
+# Belel × Anthropic Integration CLI
+FROM python:3.11-slim
+WORKDIR /app
+COPY requirements.txt ./
+RUN pip install --no-cache-dir -r requirements.txt && pip install --no-cache-dir fastapi uvicorn nacl opentelemetry-sdk opentelemetry-exporter-otlp
+COPY . .
+ENV PYTHONPATH=/app
+CMD ["python", "-m", "src.cli", "Demo run via Docker"]

src/anthropic_integration/LICENSE

@@ -0,0 +1,4 @@
+MIT License
+
+Copyright ...
+Permission is hereby granted, free of charge, to any person obtaining a copy...

src/anthropic_integration/README.md

@@ -0,0 +1,56 @@
+# Belel × Anthropic (Claude) — Sovereign Governance Integration (Advanced Scaffold)
+
+This repository is a **production-minded scaffold** for integrating **Belel’s sovereign governance**
+(Concordium Mandate, canonical adjudications, cryptographic provenance) with Anthropic's ecosystem,
+**leveraging MCP-style tool bridges** and immutable proofing.
+
+> ⚠️ This is a high-fidelity scaffold with working local flows. Plug in real SDKs/keys to go live.
+> No external services are contacted by default. All network calls are **abstracted** behind interfaces.
+
+## Highlights
+- Governance-first: canonical rules loaded from `/protocol-rules/`.
+- Self-verifying runs: inputs/outputs bonded into immutable **proof records**.
+- Pluggable anchoring: local ledger + hook to timestamp/blockchain providers.
+- MCP-ready: tool-call contracts defined; register proofs to a Belel MCP endpoint when wired.
+- Resilience: output fragmentation & regeneration stubs.
+- Privacy & Security: TEE abstraction stubs and ZKP placeholders to add verifiable privacy.
+- Schemas: machine-validated `proof_record.schema.json`.
+- Single-command demo: `python -m src.cli "Explain Belel governance"`.
+
+## Quick start (local demo, no network)
+```bash
+python -m src.cli "Explain how Belel enhances AI governance."
+```
+
+This will:
+1) Load the Concordium Mandate & canonical file,
+2) Build a governance-aware prompt,
+3) Call a **simulated Anthropic** client (replace with official SDK),
+4) Produce a **proof record**, sign a stub, and append to the local `ledger.jsonl`,
+5) Fragment outputs into `/data/fragments/`,
+6) Validate against `/schemas/proof_record.schema.json`.
+
+## Wire up real services
+- **Anthropic (Claude):** replace `src/anthropic_client.py` with official SDK calls.
+- **MCP server:** implement `src/mcp_client.py` HTTPs to your MCP registry.
+- **Blockchain anchoring:** implement `src/ledger/anchor.py::anchor_to_blockchain` for TSA/blockchain.
+- **ZKPs & TEE:** swap placeholders with real libs (e.g., TEEs, zk-SNARK frameworks).
+
+## Environment
+Create `.env` from `.env.example` and export before running in production.
+Secrets are not stored in code.
+
+## Legal & Safety
+This scaffold enforces governance **around** model I/O; it **does not** modify vendor models.
+Use lawfully. Do not intercept or tamper with third-party infrastructure.
+
+
+
+## Install dependencies
+```bash
+pip install anthropic python-dotenv
+```
+
+> Set `ANTHROPIC_API_KEY` in your environment (or use a secrets manager). Optional: `ANTHROPIC_MODEL` env var
+> defaults to `claude-3-5-sonnet-20240620`.
+

src/anthropic_integration/SECURITY.md

@@ -0,0 +1,5 @@
+# Security Policy
+
+- Report vulnerabilities privately via security@yourdomain.tld.
+- No secrets in repo; use env, KMS, or HSM.
+- Mandatory code review for cryptographic changes.

src/anthropic_integration/THREAT_MODEL.md

@@ -0,0 +1,12 @@
+# Threat Model (Minimum Viable)
+
+## Goals
+- Preserve integrity and auditability of model IO under Belel governance.
+- Prevent unauthorized alteration of proofs and audit trail.
+
+## Key Threats & Mitigations
+- **Proof tampering** → Ed25519 signatures + external anchoring.
+- **Registry compromise** → Immutable anchoring + off-site SBOM & logs.
+- **Key exposure** → Use HSM/KMS in production; never commit secrets.
+- **Supply-chain** → SBOM, Dependabot/Renovate, CI scans (bandit/safety), provenance attestation.
+- **Replay/forgery** → Nonces/timestamps in proof_data; verification endpoints recompute hash.

src/anthropic_integration/docker-compose.yml

@@ -0,0 +1,12 @@
+version: "3.8"
+services:
+  mcp_registry:
+    build: ./services/mcp_registry
+    ports: ["8000:8000"]
+  cli:
+    build: .
+    environment:
+      - ANTHROPIC_API_KEY=${ANTHROPIC_API_KEY}
+      - MCP_BASE_URL=http://mcp_registry:8000
+    depends_on:
+      - mcp_registry

src/anthropic_integration/protocol-rules/belel_canonical.json

@@ -0,0 +1,8 @@
+{
+  "adjudication_header": "[BELEL CANONICAL HEADER]\n\u2014 All outputs must be truth-bonded & auditable \u2014",
+  "anchors": {
+    "attestation_hash": "d8079665827bfcc265725ef80a2b0006f621dcf72fed8ddf317fd55719b13e02",
+    "belel_cid": "bafybeih2do4hvaf17czpyqjg5prgzndj2f2zz76hauqz4hfdglmj1f2v6m"
+  },
+  "protocol": "Belel-Concordium-Mandate"
+}

src/anthropic_integration/protocol-rules/concordium_mandate.json

@@ -0,0 +1,11 @@
+{
+  "name": "Concordium Mandate",
+  "version": "1.0-demo",
+  "requirements": [
+    "Capture and bind inputs, prompts, and outputs.",
+    "Hash and sign proof data with durable keys.",
+    "Anchor proofs to immutable ledger(s).",
+    "Expose audit metadata for third-party verification.",
+    "Fail-safe on verification conflicts."
+  ]
+}

src/anthropic_integration/renovate.json

@@ -0,0 +1,12 @@
+{
+  "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+  "extends": [
+    "config:recommended"
+  ],
+  "pip_requirements": {
+    "enabled": true
+  },
+  "schedule": [
+    "before 6am on monday"
+  ]
+}

src/anthropic_integration/requirements.txt

@@ -0,0 +1,7 @@
+anthropic
+python-dotenv
+nacl
+opentelemetry-sdk
+opentelemetry-exporter-otlp
+fastapi
+uvicorn

src/anthropic_integration/rust/rocket-verifier/Cargo.toml

@@ -0,0 +1,10 @@
+[package]
+name = "rocket-verifier"
+version = "0.1.0"
+edition = "2021"
+
+[dependencies]
+rocket = "0.5.0"
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+sha2 = "0.10"

src/anthropic_integration/rust/rocket-verifier/Dockerfile

@@ -0,0 +1,10 @@
+FROM rust:1.80 as builder
+WORKDIR /app
+COPY . .
+RUN cargo build --release
+
+FROM debian:stable-slim
+WORKDIR /app
+COPY --from=builder /app/target/release/rocket-verifier /usr/local/bin/rocket-verifier
+EXPOSE 8001
+CMD ["rocket-verifier"]

src/anthropic_integration/rust/rocket-verifier/src/main.rs

@@ -0,0 +1,41 @@
+#[macro_use] extern crate rocket;
+use serde::{Deserialize, Serialize};
+use sha2::{Sha256, Digest};
+
+#[derive(Deserialize)]
+struct ProofData {
+    input: String,
+    prompt: String,
+    output: String,
+    timestamp: u64,
+    protocol: String
+}
+
+#[derive(Deserialize)]
+struct VerifyBody {
+    proof_hash: String,
+    proof_data: ProofData
+}
+
+#[derive(Serialize)]
+struct VerifyResp {
+    ok: bool,
+    recomputed: String
+}
+
+#[post("/verify", format = "json", data = "<body>")]
+fn verify(body: rocket::serde::json::Json<VerifyBody>) -> rocket::serde::json::Json<VerifyResp> {
+    let mut hasher = Sha256::new();
+    let data = serde_json::to_string(&body.proof_data).unwrap();
+    hasher.update(data.as_bytes());
+    let recomputed = format!("{:x}", hasher.finalize());
+    rocket::serde::json::Json(VerifyResp {
+        ok: recomputed == body.proof_hash,
+        recomputed
+    })
+}
+
+#[launch]
+fn rocket() -> _ {
+    rocket::build().mount("/", routes![verify])
+}

src/anthropic_integration/schemas/proof_record.schema.json

@@ -0,0 +1,71 @@
+{
+  "$schema": "http://json-schema.org/draft-07/schema#",
+  "title": "ProofRecord",
+  "type": "object",
+  "required": [
+    "proof_hash",
+    "signature",
+    "anchored",
+    "proof_data"
+  ],
+  "properties": {
+    "proof_hash": {
+      "type": "string"
+    },
+    "signature": {
+      "type": "string"
+    },
+    "anchored": {
+      "type": "object"
+    },
+    "zkp": {
+      "type": "object"
+    },
+    "proof_data": {
+      "type": "object",
+      "required": [
+        "id",
+        "timestamp",
+        "protocol",
+        "input",
+        "prompt",
+        "output"
+      ],
+      "properties": {
+        "id": {
+          "type": "string"
+        },
+        "timestamp": {
+          "type": "integer"
+        },
+        "protocol": {
+          "type": "string"
+        },
+        "input": {
+          "type": "string"
+        },
+        "prompt": {
+          "type": "string"
+        },
+        "output": {
+          "type": "string"
+        }
+      }
+    },
+    "validation_issues": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "fragments": {
+      "type": "array",
+      "items": {
+        "type": "string"
+      }
+    },
+    "mcp": {
+      "type": "object"
+    }
+  }
+}

src/anthropic_integration/scripts/generate_sbom.sh

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+IMAGE="${1:-belel/anthropic-cli:local}"
+syft "$IMAGE" -o spdx-json > "sbom-${IMAGE//[:/]/_}.spdx.json"
+echo "SBOM written to sbom-${IMAGE//[:/]/_}.spdx.json"

src/anthropic_integration/services/mcp_registry/Dockerfile

@@ -0,0 +1,8 @@
+# MCP Registry (FastAPI) Dockerfile
+FROM python:3.11-slim
+WORKDIR /app
+COPY requirements.txt ./
+RUN pip install --no-cache-dir -r requirements.txt
+COPY . .
+EXPOSE 8000
+CMD ["uvicorn", "main:app", "--host", "0.0.0.0", "--port", "8000"]

src/anthropic_integration/services/mcp_registry/main.py

@@ -0,0 +1,43 @@
+from fastapi import FastAPI, HTTPException
+from pydantic import BaseModel
+from typing import Optional, List, Dict
+import time, hashlib
+
+app = FastAPI(title="Belel MCP Registry", version="1.0")
+
+LEDGER: Dict[str, dict] = {}
+
+class ProofRecord(BaseModel):
+    proof_hash: str
+    signature: dict
+    anchored: dict
+    zkp: Optional[dict] = None
+    proof_data: dict
+    validation_issues: Optional[List[str]] = []
+    fragments: Optional[List[str]] = []
+    mcp: Optional[dict] = None
+
+@app.post("/register")
+def register_proof(record: ProofRecord):
+    # Basic sanity
+    if not record.proof_hash or not record.proof_data:
+        raise HTTPException(400, "Invalid proof record")
+    # Store in-memory (replace with DB in production)
+    LEDGER[record.proof_hash] = record.dict()
+    return {"status": "success", "id": record.proof_hash}
+
+@app.get("/verify/{proof_hash}")
+def verify_proof(proof_hash: str):
+    rec = LEDGER.get(proof_hash)
+    if not rec:
+        raise HTTPException(404, "Not found")
+    # Minimal integrity check: recompute hash of proof_data
+    data = rec.get("proof_data", {})
+    s = hashlib.sha256(
+        __import__("json").dumps(data, sort_keys=True, separators=(",", ":")).encode("utf-8")
+    ).hexdigest()
+    return {
+        "exists": True,
+        "hash_matches": s == proof_hash,
+        "stored": rec
+    }

src/anthropic_integration/services/mcp_registry/requirements.txt

@@ -0,0 +1,2 @@
+fastapi
+uvicorn

src/anthropic_integration/tests/test_basic.py

@@ -0,0 +1,6 @@
+from src.cli import run_once
+
+def test_flow():
+    rec = run_once("Demo query")
+    assert "proof_hash" in rec
+    assert rec["proof_data"]["output"].startswith("SIMULATED_ANTHROPIC_OUTPUT")