Skip to main content

System Overview

SINT Protocol sits as a mandatory intermediary between AI decision-making and the physical world. No AI agent can actuate a physical resource without passing through the Policy Gateway. 
Agent


Token Request  ──►  POST /v1/tokens  (Ed25519 key pair required)


Policy Gateway  ──►  intercept(token, action, context)

  ├──► APPROVE  ──►  Actuator (with constraint envelope)
  ├──► DENY     ──►  Evidence logged, caller gets 403
  └──► ESCALATE ──►  Approval Queue (human-in-the-loop)
The gateway is synchronous on the critical path. Every intercept call blocks until a policy decision is made. Async patterns (SSE approval streams, WebSocket risk feeds) are additive, not substitutes for the synchronous gate.

Package Map

The monorepo at sint-ai/sint-protocol is organized into packages/, apps/, and sdks/.
PackagePathResponsibility
@sint/corepackages/coreShared TypeScript types, Zod schemas, constants. All other packages import from here.
@sint/gate-capability-tokenspackages/gate-capability-tokensEd25519 token issuance, validation, delegation. Wraps @noble/ed25519.
@sint/gate-policy-gatewaypackages/gate-policy-gatewayThe intercept engine. Policy evaluation pipeline, tier assignment, constraint enforcement.
@sint/gate-evidence-ledgerpackages/gate-evidence-ledgerSHA-256 hash chain ledger. Append-only evidence records, proof receipts, SIEM export.

Gateway Server

The gateway-server app (apps/gateway-server) is a Hono-based HTTP server — chosen for its edge-compatible runtime, typed routing, and middleware composability.

Route Modules

32 endpoints across 10 route modules:
ModulePrefixEndpointsAuth
health/healthGET /, GET /ready, GET /liveNone
intercept/v1/interceptPOST /Ed25519 agent signature
tokens/v1/tokensPOST /, GET /:id, POST /delegate, DELETE /:id, GET /Ed25519 + API key
ledger/v1/ledgerGET /, GET /:id, GET /proof/:id, POST /verify, GET /exportAPI key
approvals/v1/approvalsGET /, GET /:id, POST /:id/approve, POST /:id/deny, GET /stream (SSE)API key
discovery/v1/discoveryGET /agents, GET /agents/:id, POST /agents/register, DELETE /agents/:idAPI key
economy/v1/economyGET /balance, POST /charge, GET /transactionsEd25519 agent signature
a2a/v1/a2aPOST /delegate, GET /trust-chain/:id, POST /revokeEd25519 agent signature
risk-stream/v1/riskGET /stream (WebSocket), GET /snapshotAPI key
dashboard/v1/dashboardGET /stats, GET /agents, GET /alertsAPI key

Authentication

Agents sign requests with their private key. The gateway verifies the signature against the agent’s registered public key in the trust registry.
// Request header
X-Agent-Id: <agentId>
X-Agent-Sig: <base64url(ed25519.sign(requestBody, privateKey))>
X-Agent-Timestamp: <unix_ms>  // replay protection, ±30s window
The @noble/ed25519 library handles all crypto. No dependency on Node.js crypto — works in edge runtimes.
Administrative endpoints (ledger, approvals, dashboard) use a bearer token:
Authorization: Bearer <api_key>
Keys are scoped (read-only vs. read-write) and stored hashed in PostgreSQL. Rate limiting is enforced per-key via Redis sliding window counters.

Apps

gateway-server

Production HTTP server. Hono + PostgreSQL + Redis. Deployable to Railway, Docker, or any Node.js 20+ host. Entry: apps/gateway-server/src/index.ts.

sintctl

CLI tool for operators. Token management, ledger inspection, agent registration, e-stop triggering. Entry: apps/sintctl/src/index.ts.

sint-mcp

MCP (Model Context Protocol) bridge server. Exposes SINT Gate as MCP tools, enabling LLMs (Claude, GPT-4o, etc.) to request physical actions through a standards-compliant interface.

sint-mcp-scanner

Scans existing MCP tool definitions and generates SINT capability token templates. Bootstraps governance for MCP-native AI agents.

dashboard

React 19 + Redux Toolkit operator interface. Real-time risk stream via WebSocket, approval queue management, agent registry, ledger explorer.

Security Architecture

All security properties below are enforced at the protocol layer. Application-layer bypasses (e.g., calling actuators directly, skipping the gateway) are the operator’s responsibility to prevent via network segmentation.

Token Forgery Protection

Capability tokens are Ed25519-signed JWTs. The signature covers: 
// @sint/core — SintCapabilityToken
interface SintCapabilityToken {
  agentId: string;
  issuerId: string;
  resource: string;          // e.g., "robot:arm:joint_1"
  action: string;            // e.g., "move"
  constraints: PhysicalConstraints;
  tier: 1 | 2 | 3 | 4 | 5;
  issuedAt: number;          // unix ms
  expiresAt: number;         // unix ms
  delegationChain: string[]; // issuer public keys, root → leaf
  nonce: string;             // UUID v4, prevents replay
}
Tokens are verified on every intercept() call — not cached. Revocation is immediate via the ledger.

Attenuation-Only Delegation

A delegated token cannot grant more permissions than its parent. Math.min() enforcement applies to all numeric constraints. Delegation depth is capped at 3 to prevent unbounded chains. 
Root Token (T4, force≤100N)
  └── Delegate 1 (T3, force≤50N)  ✓ attenuation
        └── Delegate 2 (T2, force≤20N)  ✓ attenuation
              └── Delegate 3 (T2, force≤30N)  ✗ REJECTED — exceeds parent

Goal Hijack Detection

The policy gateway scans every action’s payload against 25+ regex patterns for prompt injection and goal hijacking attempts:
  • Override instructions (ignore previous instructions, you are now, etc.)
  • Exfiltration patterns (send to, upload, transmit all)
  • Safety bypass attempts (disable safety, emergency override, skip verification)
  • Jailbreak patterns (base64-encoded instructions, unicode lookalikes)
Matches trigger an automatic DENY with the evidence logged for audit.

Circuit Breaker

Invariant I-G2: the e-stop preempts all pending and in-flight intercept calls. Once tripped, no action is approved until manually reset by an authorized operator. CSML anomaly scores above threshold auto-trip the breaker.

Data Flow

Every POST /v1/intercept call traverses this pipeline synchronously:
1

Schema Validation

Zod parses the request body against InterceptRequestSchema. Malformed input is rejected with 400 before any crypto operations.
2

Token Verification

Ed25519 signature verified. Expiry checked. Nonce checked against Redis (replay prevention). Revocation status checked against ledger.
3

Policy Evaluation

Active policies for the resource+action pair are loaded. Each policy rule is evaluated against the token claims and request context.
4

Constraint Check

PhysicalActionContext values (force, velocity, temperature, geofence) are checked against token constraints. Math.min applied for delegated tokens.
5

Tier Assignment

Safety tier determined from token + physical context. Human-detected proximity forces tier escalation (monotonic — never decreases mid-session).
6

Goal Hijack Scan

Action payload scanned against 25+ regex patterns. Matches → immediate DENY.
7

CSML Anomaly Scoring

Continuous Safety Monitoring Language evaluates behavioral anomalies (velocity spikes, unusual action sequences, out-of-envelope movements). Score above threshold → circuit breaker trip candidate.
8

Evidence Logging

Decision (APPROVE/DENY/ESCALATE), token hash, action hash, tier, constraints, and CSML score appended to the SHA-256 hash chain ledger.
9

Response

{ decision: 'approve' | 'deny' | 'escalate', evidenceId: string, approvalId?: string } returned to caller.
The entire pipeline for a pre-approved T4 token with no anomalies completes in under 5ms on co-located deployments. Network latency to the gateway is the dominant factor in production.