Metadata-Version: 2.4
Name: vaulttrace
Version: 0.1.0
Summary: Cryptographic audit trail for AI systems. EU AI Act Annex IV compliance in one line of code.
Author-email: ForgeSynapse LTD <fsalazar@forgesynapse.com>
License-Expression: Apache-2.0
Project-URL: Homepage, https://github.com/forgesynapseltd/vaulttrace
Project-URL: Documentation, https://github.com/forgesynapseltd/vaulttrace#readme
Project-URL: Repository, https://github.com/forgesynapseltd/vaulttrace
Project-URL: Bug Tracker, https://github.com/forgesynapseltd/vaulttrace/issues
Project-URL: EU AI Act, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
Keywords: ai,compliance,audit,eu-ai-act,cryptography,llm,governance,annex-iv,verifiable-compute
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Legal Industry
Classifier: Intended Audience :: Financial and Insurance Industry
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security :: Cryptography
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: Office/Business :: Financial :: Accounting
Requires-Python: >=3.11
Description-Content-Type: text/markdown
Requires-Dist: cryptography==42.0.8
Requires-Dist: jsonschema==4.23.0
Requires-Dist: pydantic==2.8.2
Requires-Dist: ntplib==0.4.0
Requires-Dist: aiohttp==3.10.5
Requires-Dist: reportlab==4.2.2
Requires-Dist: click==8.1.7
Requires-Dist: rich==13.7.1
Requires-Dist: psutil==6.0.0
Provides-Extra: anthropic
Requires-Dist: anthropic>=0.34.0; extra == "anthropic"
Provides-Extra: openai
Requires-Dist: openai>=1.40.0; extra == "openai"
Provides-Extra: google
Requires-Dist: google-generativeai>=0.7.0; extra == "google"
Provides-Extra: ollama
Requires-Dist: ollama>=0.3.0; extra == "ollama"
Provides-Extra: xai
Requires-Dist: openai>=1.40.0; extra == "xai"
Provides-Extra: all
Requires-Dist: anthropic>=0.34.0; extra == "all"
Requires-Dist: openai>=1.40.0; extra == "all"
Requires-Dist: google-generativeai>=0.7.0; extra == "all"
Requires-Dist: ollama>=0.3.0; extra == "all"
Provides-Extra: dev
Requires-Dist: pytest==8.3.2; extra == "dev"
Requires-Dist: pytest-asyncio==0.23.8; extra == "dev"
Requires-Dist: pytest-cov==5.0.0; extra == "dev"
Requires-Dist: black==24.8.0; extra == "dev"
Requires-Dist: ruff==0.6.3; extra == "dev"
Requires-Dist: mypy==1.11.2; extra == "dev"

# VaultTrace

**Cryptographic audit trail for AI systems. EU AI Act Annex IV compliance in one line of code.**

> The EU AI Act enforcement begins **2 August 2026**. Penalties reach **7% of global annual revenue**.
> VaultTrace gives you audit-ready proof of every AI session — automatically.

---

## The Problem

Any AI system can claim it ran model X, with data Y, at time Z. None can *prove* it.

EU AI Act Annex III high-risk systems must maintain verifiable audit trails for their entire operational lifetime. The technical solutions that exist today require Intel TDX hardware, months of engineering, and $200K+ implementations.

**Nobody has packaged this for companies that can't afford that.**

## The Solution

VaultTrace is a **cryptographic notary for AI compute**. It answers, with mathematical proof:

> *"Which model ran, on what hardware, with what inputs, producing what outputs, under what governance policies — and can any third party verify this independently, years from now?"*

Not a logger. Not a monitor. A **cryptographic audit trail** that survives after the session ends.

---

## Quickstart

```bash
pip install vaulttrace
```

```python
import vaulttrace

# Initialize once at startup
vaulttrace.init(
    organization_id = "org_your_company",
    task_category   = "legal_analysis",
    human_oversight = True,
)

# Add one decorator. That's it.
@vaulttrace.audit
def analyze_contract(prompt):
    return anthropic.messages.create(
        model    = "claude-sonnet-4-6",
        messages = [{"role": "user", "content": prompt}]
    )

response = analyze_contract("Review this NDA for GDPR compliance.")
# ↑ Full EU AI Act Annex IV audit trail generated automatically.
```

Or one line, no decorator:

```python
response = vaulttrace.audit(anthropic.messages.create)(
    model    = "claude-sonnet-4-6",
    messages = [{"role": "user", "content": prompt}]
)
```

---

## Export Your Annex IV Report

```bash
vaulttrace export --format euaiact --from 2026-01-01 --to 2026-08-01
```

→ Generates a signed PDF with all 8 Annex IV sections, ready to present to a regulator.

---

## What VaultTrace Proves

For every AI session, VaultTrace generates five cryptographic proofs:

| Proof | What it certifies |
|-------|------------------|
| **Identity** | Which model ran (API-declared or SHA-256 of weights for local models) |
| **Environment** | Exact hardware, OS, Python version, and all dependencies at runtime |
| **Confidentiality** | Inputs/outputs were hashed — never stored in plaintext |
| **Correctness** | Output was not modified after generation |
| **Governance** | All configured policies were evaluated and passed |

These proofs are assembled into a signed **AI Certificate** (W3C Verifiable Credentials format) stored in an **append-only Vault Ledger** (SQLite WAL with database-level immutability triggers).

Any third party can verify any certificate **without access to the original system**.

---

## Verify a Certificate

```bash
# Verify a single certificate
vaulttrace verify --cert path/to/cert.json

# Verify the complete ledger chain
vaulttrace verify --ledger
```

---

## Supported Providers

| Provider | Adapter | Model fingerprinting |
|----------|---------|---------------------|
| **Anthropic (Claude)** | `anthropic_adapter` | API-declared |
| **OpenAI (GPT)** | `openai_adapter` | API-declared |
| **xAI (Grok)** | `xai_adapter` | API-declared — first-class support |
| **Google (Gemini)** | `google_adapter` | API-declared |
| **Local (Ollama)** | `ollama_adapter` | SHA-256 of model weights |

```python
# Claude
from vaulttrace.adapters.anthropic_adapter import AuditedAnthropicClient

# Grok
from vaulttrace.adapters.xai_adapter import AuditedXAIClient

# Local models (stronger identity guarantee)
from vaulttrace.adapters.ollama_adapter import AuditedOllamaClient
```

---

## Guarantee Tiers

| Tier | Identity method | Price |
|------|----------------|-------|
| **Community** | API-declared | Free |
| **Professional** | API-declared + distributed ledger anchoring | £500/month |
| **Enterprise** | TEE-attested (Intel TDX / NVIDIA PPCIE) | £2,000–£5,000/month |

> **Note on identity guarantees:** No LLM provider today exposes a mechanism to cryptographically verify — independent of their own declaration — which model executed a session. VaultTrace documents this honestly in every AI Certificate. The Enterprise tier (Phase 5) resolves this via TEE hardware attestation. This transparency is a feature, not a limitation.

---

## Docker Deploy

```bash
git clone https://github.com/forgesynapse/vaulttrace
cd vaulttrace
cp .env.example .env  # Fill in your values
docker-compose up
```

VaultTrace is ready in under 2 minutes.

---

## EU AI Act Coverage

VaultTrace covers **~78% of Annex IV Technical Documentation automatically**. The remaining 22% is collected once at operator onboarding (system description, development methods, oversight mechanism).

| Annex IV Section | Coverage |
|-----------------|---------|
| 1 — General Description | ✅ Automatic |
| 2 — Development Process | 🟡 Partial (operator profile) |
| 3 — Training Data | 🟡 Partial (structural limitation for cloud LLMs) |
| 4 — Capabilities & Limitations | ✅ Automatic |
| 5 — System Components | ✅ Automatic |
| 6 — Human Oversight | ✅ Automatic |
| 7 — Cybersecurity | ✅ Automatic (VaultTrace IS the evidence) |
| 8 — Post-Market Monitoring | ✅ Automatic |

---

## Architecture

```
[Your AI Call]
      ↓
┌─────────────────────────────────┐
│        VAULTTRACE CORE          │
│                                 │
│  Identity Prover                │ ← Which model?
│  Environment Attestor           │ ← What hardware?
│  Input/Output Hasher            │ ← SHA-256 only, no plaintext
│  Governance Validator           │ ← Policies evaluated
│  Cryptographic Notary           │ ← ECDSA-384 signature
│  Vault Ledger (SQLite WAL)      │ ← Append-only, immutable
└─────────────────────────────────┘
      ↓
[AI Certificate — W3C Verifiable Credentials]
      ↓
[PDF Report — EU AI Act Annex IV]
```

**Design invariants:**
- Inputs/outputs are **never stored in plaintext**. Only SHA-256 hashes.
- The Vault Ledger has **no UPDATE or DELETE** — enforced by database triggers.
- Any AI Certificate is **independently verifiable** without access to the original system.
- VaultTrace runs **fully async** — zero latency impact on your AI pipeline.

---

## Built by ForgeSynapse LTD

VaultTrace is the product that no LLM provider can build internally without conflict of interest. **The auditor cannot audit themselves.**

ForgeSynapse LTD (Company No. 16692140 — England and Wales)
Unit A, 82 James Carter Road, Mildenhall, IP28 7DE, UK

---

## License

```
/core    Apache License 2.0
/sdk     Apache License 2.0
/cli     Apache License 2.0
/enterprise  ForgeSynapse Commercial License (contact: fsalazar@forgesynapse.com)
```

---

## Follow the Build

VaultTrace is built in public. Follow the development across the ForgeSynapse ecosystem:

- 🐦 **X:** [@forgesynapse](https://x.com/forgesynapse) — daily updates, building in public
- 💼 **LinkedIn:** [Fernando Salazar](https://www.linkedin.com/in/salazar-fernando/) — technical deep dives and strategy
- 📧 **Contact:** fsalazar@forgesynapse.com

---

*"The only proof that an AI was honest is a proof the AI itself cannot forge."*
*— ForgeSynapse LTD, 2026*
