AI is moving into decisions that carry real consequences. We make every AI action cryptographically verifiable — a signed, tamper-evident receipt any auditor or regulator can check on their own hardware, with public tooling, after the fact. We sell the one thing the AI market still can't buy off the shelf: proof.
All five return HTTP 200. All five emit DSSE Khipu receipts. All five ship as signed OCI images.
Six live Three.js/WebGL explorations of the proof architecture. Static. No login.
| Space | What you see |
|---|---|
| anatomy-3d | 3D anatomy of the governed-AI organs — Λ-gate, Khipu DAG, Ouroboros loop |
| rosie-3d | 3D operator console — live mesh of cross-session receipt routing |
| mesh-cathedral | Ouroboros loop geometry — 5-organ bounded-recursion visualization |
| khipu-constellation | 3D Merkle-DAG receipt visualizer — Khipu knot-graph in space |
| doctrine-cathedral | 3D doctrine visualization — 749 declarations rendered as cathedral geometry |
| llm-router-live | Live model-routing topology — real-time LLM dispatch mesh |
```bash
# Verify the entire szl-mesh:v0.4.0 UDS bundle — keyless cosign, public Sigstore
cosign verify oci://ghcr.io/szl-holdings/szl-mesh:v0.4.0 \
  --certificate-identity-regexp="^https://github.com/szl-holdings/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
```

```bash
# SLSA L1 (honest) — PASSES today: every flagship image is cosign keyless-signed:
cosign verify ghcr.io/szl-holdings/a11oy:uds-v0.2.0 \
  --certificate-identity-regexp="^https://github.com/szl-holdings/" \
  --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
# SLSA L2 build-provenance attestation — roadmap via Wire D, NOT yet earned
# (currently returns "no matching attestations"; do not claim L2 until it passes):
# cosign verify-attestation --type slsaprovenance ghcr.io/szl-holdings/a11oy:uds-v0.2.0 \
#   --certificate-identity-regexp="^https://github.com/szl-holdings/" \
#   --certificate-oidc-issuer="https://token.actions.githubusercontent.com"
# Rekor transparency-log entries (public Sigstore instance):
# a11oy: https://search.sigstore.dev/?logIndex=1723769508
# sentra: https://search.sigstore.dev/?logIndex=1723794608
# amaru: https://search.sigstore.dev/?logIndex=1723784350
# rosie: https://search.sigstore.dev/?logIndex=1722745939
```

```bash
uds deploy oci://ghcr.io/szl-holdings/szl-mesh:v0.4.0 --confirm
# or from local tarball:
uds-cli bundle deploy szl-mesh-v0.4.0.tar.zst --confirm
```

Full verify-it-yourself guide →
| Claim | Status | Verify |
|---|---|---|
| 5 live HF demos | ✅ All HTTP 200 | curl any /healthz |
| SLSA Build L1 honest (L2 roadmap) | ✅ L1 — all 5 organs cosign-signed + Rekor-logged. L2 attestation NOT yet earned (`cosign verify-attestation` returns "no matching attestations") | `cosign verify` above |
| cosign keyless signed | ✅ All 5 organs, Public Good Rekor | `cosign verify` above |
| UDS bundle published | ✅ szl-mesh:v0.4.0 on GHCR | `uds deploy oci://ghcr.io/szl-holdings/szl-mesh:v0.4.0` |
| Lean kernel | ✅ 749 decl / 14 axioms / 163 sorries @ c7c0ba17 | lutar-lean@main |
| Λ-uniqueness | BOUNTY.md | |
| SLSA L3 | ❌ Not claimed (requires isolated signing workflow) | — |
| FedRAMP / CMMC / Iron Bank | ❌ Not claimed | — |
The problem: AI is being deployed into consequential decisions — defense, compliance, critical infrastructure — with no standard way to show what the AI decided, why, and whether it stayed in bounds.
Our answer: Every SZL action emits a DSSE-enveloped Khipu receipt — an ECDSA P-256 signed, SHA-256 hash-linked Merkle DAG node. The chain satisfies receipts.in ≡ receipts.out: what came in is what got signed; nothing is lost between the decision and the proof.
Competitive position: Palantir, New Relic, Anduril — none ship a signed-receipt substrate for individual AI decisions. We match their AIP policy layer (sentra), their observability surface (rosie), and their edge deployment (killinchu). We exceed them on one dimension they don't offer: every decision is a verifiable artifact, not a log entry.
The Warhacker / Cannonico fit: Defense Unicorns published a problem: "an autonomous drone loses contact — is it still inside authorized parameters, or has it gone off script? There's no independent system today that can monitor AI behavior in real time, catch the moment a line gets crossed, and back it up with a permanent, tamper-evident record." — Warhacker 2026. That is exactly what SZL ships. killinchu → sentra → amaru → a11oy is the Cannonico answer, deployable in one signed UDS command.
For engineers, auditors, and technical reviewers. Investors can stop above.
```mermaid
graph LR
    A[Drone/Edge event] --> K[killinchu\n13-axis Λ-gate\nDSSE receipt]
    K --> S[sentra\n8-gate immune system\nSigned verdict]
    S --> M[amaru\nCited reasoning\nRefuses to fabricate]
    M --> R[rosie\nOperator console\nHuman-on-the-loop]
    K & S & M & R --> A11[a11oy\nKhipu Merkle DAG\nreceipts.in ≡ receipts.out]
    A11 --> GHCR[(GHCR\nSigned OCI images)]
    A11 --> REKOR[(Rekor\nTransparency log)]
```
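The receipt structure described under "Our answer" above (DSSE envelope, ECDSA P-256 signature, SHA-256 hash links) can be checked as in the following added example, which is not the project's code. It follows the DSSE specification's pre-authentication encoding and narrows the DAG to a linear chain, its single-parent case; the payload type, the payload layout `<prev hash hex>|<action>` and all function names are assumptions, since the page does not give the Khipu schema.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

const receiptType = "application/vnd.example.receipt" // placeholder, not the project's type
type Envelope struct{ Payload, Sig []byte } // Payload: "<prev hash hex>|<action>" (assumed layout)
// PAE is the DSSE pre-authentication encoding: the exact bytes that get signed.
func PAE(t string, b []byte) []byte { return fmt.Appendf(nil, "DSSEv1 %d %s %d %s", len(t), t, len(b), b) }
// Hash is the signed digest, and the link the next receipt must commit to.
func Hash(e Envelope) []byte {
	h := sha256.Sum256(PAE(receiptType, e.Payload))
	return h[:]
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func NewKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
func Emit(k *ecdsa.PrivateKey, prev []byte, action string) Envelope {
	e := Envelope{Payload: fmt.Appendf(nil, "%x|%s", prev, action)} // prev is nil for the first receipt
	e.Sig = must(ecdsa.SignASN1(rand.Reader, k, Hash(e)))
	return e
}
// VerifyChain returns the index of the first receipt that fails, or -1.
func VerifyChain(pub *ecdsa.PublicKey, chain []Envelope) int {
	var prev []byte
	for i, e := range chain {
		if !bytes.HasPrefix(e.Payload, fmt.Appendf(nil, "%x|", prev)) || !ecdsa.VerifyASN1(pub, Hash(e), e.Sig) {
			return i
		}
		prev = Hash(e)
	}
	return -1
}

func main() {
	k := NewKey()
	a := Emit(k, nil, "gate:allow") // constructed sample actions
	fmt.Println(VerifyChain(&k.PublicKey, []Envelope{a, Emit(k, Hash(a), "verdict:pass")}))
}
```

Because the payload type enters the PAE, a receipt presented under any other type fails signature verification without a separate type check.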
- SLSA Build L1 honest (L2 roadmap via Wire D) — every flagship image is cosign keyless-signed and Rekor-logged (`cosign verify` PASSES). All 5 build workflows have `actions/attest-build-provenance@v2.4.0` wired in `ghcr-build-push.yml`, but the L2 attestation is NOT yet earned on the deployed images (`cosign verify-attestation --type slsaprovenance` returns "no matching attestations" — likely org-level `attestations: write` is the remaining founder step). L2 is not claimed until that command passes.
- cosign keyless signed — every image signed via Fulcio OIDC short-lived cert bound to the GitHub Actions workflow identity; entries in public Sigstore Rekor transparency log (indexes above)
- UDS bundle `szl-mesh:v0.4.0` — real baked images (SBOM-only regression fixed); keyless cosign-signed; deployable via `uds deploy oci://...` into any UDS Core cluster
- DCO required on every commit; OpenSSF Scorecard monitored; Trivy + Grype + Gitleaks in CI
- Lean 4 + Mathlib v4.13.0 — `lutar-lean`: 749 declarations / 14 unique axioms / 163 tracked sorries @ `c7c0ba17`
- Λ (verdict aggregator): `Λ(x) = Σᵢ wᵢ φᵢ(x)` — 13-axis `yuyay_v3`; `Σwᵢ = 1`, `wᵢ ≥ 0`
- Λ-uniqueness: Conjecture 1 — conditional uniqueness machine-checked; unconditional case remains open (`CAUCHY_ND` sorry open); F23 open bounty
- DOI-pinned thesis: `10.5281/zenodo.20434276` (v18.0 master); concept DOI `10.5281/zenodo.19944926`
- Apache-2.0 source / CC-BY-4.0 papers
- Section 889: exactly 5 vendors (Huawei, ZTE, Hytera, Hikvision, Dahua)
- ORCID: 0009-0001-0110-4173
- Not claimed: FedRAMP, Iron Bank, CMMC, SLSA L3
```bibtex
@software{szl_holdings_2026,
  author = {Lutar, Stephen P.},
  title = {SZL Holdings: a formally-grounded governance substrate for agentic AI},
  year = {2026},
  publisher = {Zenodo},
  version = {Doctrine v11 LOCKED},
  doi = {10.5281/zenodo.20434276},
  url = {https://github.com/szl-holdings},
  note = {749 declarations / 14 axioms / 163 sorries, kernel c7c0ba17}
}
```

Doctrine v11 LOCKED · 749/14/163 · kernel c7c0ba17 · Λ = Conjecture 1 (F23 open bounty, not a theorem) · SLSA L1 honest (L2 roadmap via Wire D — not yet earned) · Apache-2.0 code / CC-BY-4.0 papers · DOI 10.5281/zenodo.20434276 · ORCID 0009-0001-0110-4173
Signed-off-by: stephenlutar2-hash stephenlutar2@gmail.com