|
| 1 | +# SINT Protocol — AI Agent Guide |
| 2 | + |
| 3 | +> This file is optimized for AI agents (LLMs) working in this codebase. |
| 4 | +> For human contributor guidance, see CONTRIBUTING.md. |
| 5 | +> For implementation details and pitfalls, see CLAUDE.md. |
| 6 | +
|
| 7 | +## What This Repo Does |
| 8 | + |
| 9 | +SINT Protocol is a security enforcement layer that sits between AI agents and physical systems (robots, PLCs, drones, tool calls), ensuring every action is authorized via capability tokens, constrained to safe physical limits, and recorded in a tamper-evident audit log. It is a pnpm monorepo with 30 workspace members built on TypeScript 5.7 + Node.js 22. |
| 10 | + |
| 11 | +## Key Invariants (Never Violate These) |
| 12 | + |
| 13 | +1. Every authorization decision flows through `PolicyGateway.intercept()` — no bridge or route handler makes authorization decisions directly |
| 14 | +2. Tokens are attenuation-only: `scope(child) ⊆ scope(parent)` — permissions only narrow, never expand (invariant I-T1) |
| 15 | +3. `EvidenceLedger` is append-only and SHA-256 hash-chained — never modify or delete emitted events (invariant I-G3) |
| 16 | +4. UUID v7 is required for `requestId` — `crypto.randomUUID()` gives v4 and WILL fail schema validation. Use `generateUUIDv7()` from `@sint/gate-capability-tokens` |
| 17 | +5. Physical constraints live in the token, not in config files — velocity, force, geofence are enforced cryptographically |
| 18 | +6. E-stop is unconditional — `estop` event transitions any non-terminal DFA state to ROLLEDBACK, bypassing all token checks (invariant I-G2) |
| 19 | + |
| 20 | +## Quick Orientation |
| 21 | + |
| 22 | +### Package Dependency Graph |
| 23 | + |
| 24 | +``` |
| 25 | +@sint/core |
| 26 | + ↓ |
| 27 | +@sint/gate-capability-tokens @sint/persistence |
| 28 | + ↓ ↓ |
| 29 | +@sint/gate-evidence-ledger |
| 30 | + ↓ |
| 31 | +@sint/gate-policy-gateway |
| 32 | + ↓ |
| 33 | +@sint/bridge-* @sint/engine-* @sint/avatar |
| 34 | + ↓ |
| 35 | +@sint/gateway-server @sint/mcp |
| 36 | + ↓ |
| 37 | +@sint/conformance-tests @sint/dashboard |
| 38 | +``` |
| 39 | + |
| 40 | +### Workspace Layout |
| 41 | + |
| 42 | +``` |
| 43 | +packages/core/ → Shared types, Zod schemas, tier constants, DFA states |
| 44 | +packages/capability-tokens/ → Ed25519 token issuance, delegation, revocation |
| 45 | +packages/policy-gateway/ → THE choke point: tiers, constraints, rate limiting, M-of-N |
| 46 | +packages/evidence-ledger/ → SHA-256 hash-chained append-only audit log |
| 47 | +packages/bridge-*/ → Protocol adapters (MCP, ROS2, A2A, IoT, OPC-UA, MAVLink, ...) |
| 48 | +packages/engine-*/ → AI execution layer (System1, System2, HAL, capsule sandbox) |
| 49 | +packages/avatar/ → Behavioral identity profiles, CSML-driven tier escalation |
| 50 | +packages/persistence/ → Storage interfaces + in-memory implementations |
| 51 | +packages/persistence-postgres/ → PostgreSQL adapters |
| 52 | +packages/client/ → TypeScript HTTP client for the gateway API |
| 53 | +packages/conformance-tests/ → Security regression suite (must pass on every PR) |
| 54 | +apps/gateway-server/ → Hono HTTP API (port 3100) |
| 55 | +apps/sint-mcp/ → Security-first multi-MCP proxy |
| 56 | +apps/dashboard/ → Real-time approval dashboard |
| 57 | +sdks/typescript/ → Zero-dependency public SDK |
| 58 | +capsules/navigation/ → Reference capsule: waypoint navigation |
| 59 | +capsules/inspection/ → Reference capsule: visual anomaly detection |
| 60 | +capsules/pick-and-place/ → Reference capsule: gripper control |
| 61 | +``` |
| 62 | + |
| 63 | +### How to Run Tests |
| 64 | + |
| 65 | +```bash |
| 66 | +pnpm run test # all 815 tests, whole workspace |
| 67 | +pnpm --filter @sint/gate-policy-gateway test # single package |
| 68 | +pnpm --filter @sint/bridge-mcp test # single bridge |
| 69 | +pnpm run build && pnpm run test # full clean run |
| 70 | +``` |
| 71 | + |
| 72 | +### Before Starting Work |
| 73 | + |
| 74 | +```bash |
| 75 | +git pull --rebase |
| 76 | +pnpm run build |
| 77 | +pnpm run test # must be 0 failures before you begin |
| 78 | +``` |
| 79 | + |
| 80 | +## Multi-Agent Collaboration Rules |
| 81 | + |
| 82 | +Several agents may work on this repo concurrently. Follow these rules: |
| 83 | + |
| 84 | +1. **Before starting**: `git pull --rebase && pnpm run build && pnpm run test` — must be 0 failures |
| 85 | +2. **Package ownership**: see CLAUDE.md for the package ownership table |
| 86 | +3. **Never amend published commits** — always create new commits |
| 87 | +4. **Test gate**: your PR/commit must maintain 0 failures on all 815+ tests |
| 88 | +5. **Branch naming**: `feat/<topic>` or `fix/<topic>` — describe what changes, not who made it |
| 89 | +6. **No force-push to main/master** — create a PR instead |
| 90 | + |
| 91 | +## Common Mistakes |
| 92 | + |
| 93 | +- **UUID v4 vs v7**: `crypto.randomUUID()` produces v4. Use `generateUUIDv7()` from `@sint/gate-capability-tokens` — see CLAUDE.md "Common Name Collision Risks" |
| 94 | +- **CircuitBreaker**: `trip()` sets `manualTrip=true` permanently preventing auto-HALF_OPEN. Use `recordDenial()` to test auto-recovery — see CLAUDE.md |
| 95 | +- **`SintDeploymentProfile`** exists in both `policy.ts` (site profiles) and was renamed in `engine.ts` to `SintHardwareDeploymentProfile`. Do not re-add generic names in engine packages |
| 96 | +- **Throwing errors**: All fallible operations must return `Result<T, E>` using `ok()` / `err()` helpers from `@sint/core`. Never throw or use try/catch for control flow |
| 97 | +- **Modifying the ledger**: Evidence ledger events are immutable once written. If you need to correct a record, append a new correction event |
| 98 | + |
| 99 | +## Entry Points |
| 100 | + |
| 101 | +If you're asked to: |
| 102 | + |
| 103 | +- **Add a new bridge** → create `packages/bridge-<name>/`, follow `packages/bridge-iot/` as template. Register in `apps/gateway-server/src/routes/`. |
| 104 | +- **Add a security plugin** → see `packages/policy-gateway/src/goal-hijack.ts` as template. Plugins implement `PolicyPlugin` and are registered via `PolicyGateway` constructor. |
| 105 | +- **Add conformance tests** → see `packages/conformance-tests/src/` for patterns. Every new security invariant should have a conformance test. |
| 106 | +- **Add an API route** → see `apps/gateway-server/src/routes/` for patterns. Routes use Hono; all requests go through `PolicyGateway.intercept()`. |
| 107 | +- **Add a reference capsule** → create `capsules/<name>/`, follow `capsules/navigation/` as template. |
| 108 | +- **Add a new engine component** → see `packages/engine-system1/` (perception) or `packages/engine-system2/` (reasoning) for patterns. |
| 109 | + |
| 110 | +## Architecture in One Paragraph |
| 111 | + |
| 112 | +SINT Protocol implements a T0–T3 tiered authorization model where every agent request is classified into one of four tiers by consequence severity: T0 (observe/read), T1 (low-impact write), T2 (physical state change, e.g. robot movement), or T3 (irreversible/high-value commitment). All requests flow through `PolicyGateway.intercept()`, the single choke point that validates Ed25519 capability tokens, enforces physical constraints (velocity, force, geofence) embedded in the token, runs per-token rate limiting, detects forbidden action sequences, and either auto-approves T0/T1 or escalates T2/T3 to a human approval queue. Every decision is written to the `EvidenceLedger`, an append-only SHA-256 hash-chained log that provides cryptographic tamper evidence. Bridge adapters (for MCP, ROS2, MAVLink, OPC-UA, A2A, etc.) translate protocol-specific calls into `SintRequest` objects and forward them to the gateway — they never make authorization decisions themselves. |
| 113 | + |
| 114 | +## Approval Tiers Reference |
| 115 | + |
| 116 | +| Tier | Auto-approved? | Example actions | |
| 117 | +|------|---------------|-----------------| |
| 118 | +| T0 — OBSERVE | Yes (logged) | Read sensor, query DB, status check | |
| 119 | +| T1 — PREPARE | Yes (audited) | Write file, save waypoint, stage plan | |
| 120 | +| T2 — ACT | No — requires review | Move robot, operate gripper, `/cmd_vel` | |
| 121 | +| T3 — COMMIT | No — requires human + M-of-N quorum | Execute trade, novel env entry, irreversible | |
| 122 | + |
| 123 | +## Key Types (Quick Reference) |
| 124 | + |
| 125 | +```typescript |
| 126 | +// The request entering the gate |
| 127 | +interface SintRequest { |
| 128 | + requestId: UUIDv7; // MUST be v7 — use generateUUIDv7() |
| 129 | + agentId: Ed25519PublicKey; |
| 130 | + tokenId: UUIDv7; |
| 131 | + resource: string; // "ros2:///cmd_vel" | "mcp://filesystem/*" |
| 132 | + action: string; // "publish" | "call" | "subscribe" |
| 133 | + params: Record<string, unknown>; |
| 134 | + physicalContext?: { humanDetected?: boolean; currentVelocityMps?: number; currentForceNewtons?: number }; |
| 135 | + recentActions?: string[]; // For forbidden combo detection |
| 136 | +} |
| 137 | + |
| 138 | +// The gateway's decision |
| 139 | +type PolicyDecision = |
| 140 | + | { action: "allow"; assignedTier: ApprovalTier } |
| 141 | + | { action: "deny"; assignedTier: ApprovalTier; denial: { reason: string; policyViolated: string } } |
| 142 | + | { action: "escalate"; assignedTier: ApprovalTier; escalation: { requiredTier: string; timeoutMs: number } } |
| 143 | + | { action: "transform"; assignedTier: ApprovalTier; transformations: { constraintOverrides?: unknown } }; |
| 144 | +``` |
0 commit comments