import os import json import time import uuid import hashlib ENGINE_NAME = "AI_Sovereign_Sentinel_Core_v1" AUTHORITY_NAME = "DataClear Sovereign Authority" class SovereignFingerprint: """ Minimal fingerprint generator for AI Sovereign Sentinel. Creates a JSON file with engine, fingerprint and issued_at. """ def __init__(self, engine: str, output: str = "sovereign_fingerprint.json"): self.engine = engine self.output = output def _build(self): issued_at = int(time.time()) base = f"{self.engine}|{issued_at}" fp_hash = hashlib.sha256(base.encode()).hexdigest() return { "engine": self.engine, "fingerprint": fp_hash, "issued_at": issued_at, "version": "1.0", } def export(self): fp = self._build() with open(self.output, "w") as f: json.dump(fp, f, indent=4) return self.output, fp["fingerprint"] class SovereignValidator: """ Simple registry to bind engine name → fingerprint string. Stored in sovereign_registry.json """ def __init__(self, path: str = "sovereign_registry.json"): self.path = path if os.path.exists(self.path): with open(self.path, "r") as f: self.registry = json.load(f) else: self.registry = {} def register(self, engine: str, fingerprint: str) -> bool: self.registry[engine] = { "fingerprint": fingerprint, "registered_at": int(time.time()), } with open(self.path, "w") as f: json.dump(self.registry, f, indent=4) return True def validate(self, engine: str, fingerprint: str) -> bool: entry = self.registry.get(engine) if not entry: return False return entry.get("fingerprint") == fingerprint def attestation_signature(att: dict) -> str: """ Unified, stable signature generation for attestation objects. """ base = f"{att['attestation_id']}|{att['issued_at']}|{att['fingerprint']}|{att['issuer']}|{att['version']}" return hashlib.sha256(base.encode()).hexdigest() def generate_attestation(fp): """ Create a signed attestation for a given fingerprint (dict or string). """ if isinstance(fp, dict): fp_value = fp.get("fingerprint", "") else: fp_value = fp att = { "attestation_id": str(uuid.uuid4()), "issued_at": int(time.time()), "fingerprint": fp_value, "issuer": AUTHORITY_NAME, "version": "1.0", } att["signature"] = attestation_signature(att) return att def verify_attestation(att: dict) -> bool: expected = attestation_signature(att) return expected == att.get("signature") def build_lineage_record( engine: str, fingerprint: str, parent_model: str | None = None, model_version: str = "1.0", data_tags: list[str] | None = None, notes: str | None = None, ) -> dict: """ Create a minimal, cryptographically-bound lineage record for a model. This ties: - engine - fingerprint - version - optional parent model - optional dataset / domain tags into a single signed lineage_id. """ created_at = int(time.time()) payload = f"{engine}|{fingerprint}|{model_version}|{parent_model or ''}|{created_at}" lineage_hash = hashlib.sha256(payload.encode()).hexdigest() return { "lineage_id": str(uuid.uuid4()), "engine": engine, "fingerprint": fingerprint, "parent_model": parent_model, "model_version": model_version, "data_tags": data_tags or [], "notes": notes, "created_at": created_at, "lineage_hash": lineage_hash, } def generate_integrity_certificate( fp, att, output: str = "sovereign_certificate.json", parent_model: str | None = None, model_version: str = "1.0", data_tags: list[str] | None = None, notes: str | None = None, ): """ Bundle fingerprint + attestation + lineage into a single integrity certificate file. """ if isinstance(fp, dict): fp_value = fp.get("fingerprint", "") else: fp_value = fp lineage = build_lineage_record( engine=ENGINE_NAME, fingerprint=fp_value, parent_model=parent_model, model_version=model_version, data_tags=data_tags, notes=notes, ) cert = { "engine": ENGINE_NAME, "fingerprint": fp_value, "issued_at": att["issued_at"], "attestation": att, "lineage": lineage, "certificate_version": "1.0", "authority": AUTHORITY_NAME, } with open(output, "w") as f: json.dump(cert, f, indent=4) return cert def verify_lineage(cert: dict) -> bool: """ Basic sanity + integrity check for lineage section inside a certificate. """ lineage = cert.get("lineage") if not lineage: return False if lineage.get("engine") != ENGINE_NAME: return False # fingerprint inside lineage must match certificate fingerprint if lineage.get("fingerprint") != cert.get("fingerprint"): return False # recompute lineage_hash and compare engine = lineage.get("engine", "") fingerprint = lineage.get("fingerprint", "") model_version = lineage.get("model_version", "") parent_model = lineage.get("parent_model") or "" created_at = lineage.get("created_at") if created_at is None: return False payload = f"{engine}|{fingerprint}|{model_version}|{parent_model}|{created_at}" expected_hash = hashlib.sha256(payload.encode()).hexdigest() return expected_hash == lineage.get("lineage_hash") def verify_certificate(cert: dict) -> bool: """ High-level check over the full certificate. """ if cert.get("engine") != ENGINE_NAME: return False if cert.get("authority") != AUTHORITY_NAME: return False att = cert.get("attestation", {}) if not verify_attestation(att): return False if not verify_lineage(cert): return False return True