SINT: Autonomous AI Infrastructure for the Physical World

​

A Comprehensive Technical Whitepaper

​

Abstract

• SINT Operators Platform — React 19 orchestration dashboard with 30+ Redux slices, visual workflow canvas, Web3 bridge, and 1,276+ tests
• Virtual CMO — AI content engine (331 files, 18 skills) that turns one video into a week of multi-platform content at ~$1.50/video
• SINT Avatars — 3D talking avatar system with ARKit 52 blendshapes and ElevenLabs character-level lipsync
• SINT Outreach — B2B LinkedIn automation with Ulinc/GHL integration and AI reply generation
• Open Agent Trust Registry — Public federated registry of trusted attestation issuers with Ed25519 threshold governance
• Autonomous Execution Engine — Marketing site with VRM avatar integration and Supabase backend

​

Table of Contents

1. The Problem
2. Design Principles
3. SINT Protocol Architecture
4. Core Primitives
5. Approval Tier System
6. Capability Token Framework
7. Forbidden Combination Detection
8. Evidence Ledger
9. Bridge Adapters
10. Economic Layer
11. Safety Plugins
12. CSML Behavioral Identity
13. SINT Operators Platform
14. Virtual CMO Content Engine
15. 3D Avatar System
16. Outreach Automation
17. Open Agent Trust Registry
18. Physical AI Use Cases
19. Conformance & Testing
20. Compliance & Standards Mapping
21. Competitive Landscape
22. Research Agenda (2026–2031)
23. Deployment & Operations
24. Roadmap
25. References

​

1. The Problem

​

1.1 The Physical AI Gap

• ROSClaw Study (arXiv:2603.26997): Evaluated frontier LLMs controlling ROS 2 robots. Found 4.8× behavioral divergence between models on identical tasks — the same robot performs radically differently depending on which foundation model drives it.
• MCP Security Analysis (arXiv:2601.17549): Identified 10 critical attack surfaces in the Model Context Protocol, including tool poisoning, rug pulls, and cross-server escalation. MCP has no built-in authorization framework.
• Unitree BLE Vulnerability: Consumer humanoid robots shipped with default BLE keys, enabling remote takeover. No runtime authorization layer between AI commands and physical actuators.

​

1.2 The Authorization Gap

• Who is authorized to perform an action
• What physical constraints apply (velocity limits, force ceilings, geofences)
• When human approval is required versus when autonomous operation is safe
• How to produce a tamper-evident audit trail of every decision

​

1.3 Why Existing Protocols Don’t Solve This

​

2. Design Principles

1. Universal Interception — One choke point for all agent-to-world actions, regardless of transport protocol.
2. Graduated Authorization — Four approval tiers (T0–T3) map action severity to authorization requirements.
3. Physical Safety as First-Class — Velocity, force, and geofence constraints enforced at the protocol level.
4. Cryptographic Accountability — Ed25519 capability tokens and SHA-256 hash-chained audit logs provide non-repudiable proof of every authorization decision.
5. Attenuation-Only Delegation — Delegated permissions can only narrow, never escalate.
6. Emergency Stop Invariant — E-stop signals are NEVER blocked by the gateway (Invariant I-G2).
7. Consequence-Based Classification — Tier assignment based on real-world consequence severity, not syntactic properties.
8. Protocol Agnosticism — Works with any transport through pluggable bridge adapters.

​

3. SINT Protocol Architecture

​

3.1 System Overview

┌─────────────────────────────────────────────────────────────────────┐
│                  AI Agent (LLM / Controller / Swarm)                │
└──────────────────────────┬──────────────────────────────────────────┘
                           │ Raw request (tool call, topic publish, etc.)
┌──────────────────────────▼──────────────────────────────────────────┐
│                       Bridge Adapter Layer                          │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌────────┐ ┌───────────┐  │
│  │ bridge-  │ │ bridge-  │ │ bridge-  │ │bridge- │ │ bridge-   │  │
│  │   mcp    │ │  ros2    │ │ mavlink  │ │  a2a   │ │   grpc    │  │
│  └──────────┘ └──────────┘ └──────────┘ └────────┘ └───────────┘  │
│  ┌──────────┐ ┌──────────┐ ┌──────────┐ ┌────────┐ ┌───────────┐  │
│  │ bridge-  │ │ bridge-  │ │ bridge-  │ │bridge- │ │ bridge-   │  │
│  │   iot    │ │  mqtt    │ │  opcua   │ │ swarm  │ │  open-rmf │  │
│  └──────────┘ └──────────┘ └──────────┘ └────────┘ └───────────┘  │
└──────────────────────────┬──────────────────────────────────────────┘
                           │ Normalized SintRequest
┌──────────────────────────▼──────────────────────────────────────────┐
│                      Policy Gateway (THE choke point)               │
│                                                                     │
│  ┌─────────────────────────────────────────────────────────────┐   │
│  │  1. Token Validation (Ed25519 signature + delegation chain) │   │
│  │  2. Tier Assignment (T0–T3 based on resource + context)     │   │
│  │  3. Physical Constraint Check (velocity, force, geofence)   │   │
│  │  4. Forbidden Combo Detection (sequence analysis, DFA)      │   │
│  │  5. Safety Plugins (GoalHijack, MemoryIntegrity, Supply)    │   │
│  │  6. CSML Auto-Escalation (behavioral drift detection)       │   │
│  │  7. CircuitBreaker (EU AI Act Art. 14(4)(e) stop button)    │   │
│  │  8. Rate Limiting (per-token, per-agent)                    │   │
│  │  9. Budget Enforcement (economic layer)                     │   │
│  │  10. Approval Flow (T2: review, T3: human-in-the-loop)     │   │
│  └─────────────────────────────────────────────────────────────┘   │
│                           │                                         │
│  ┌────────────────────────▼────────────────────────────────────┐   │
│  │         Evidence Ledger (SHA-256 hash-chained)              │   │
│  │  In-Memory │ PostgreSQL │ Redis │ (pluggable backends)      │   │
│  └─────────────────────────────────────────────────────────────┘   │
└──────────────────────────┬──────────────────────────────────────────┘
                           │ PolicyDecision: allow | deny | escalate
                           ▼
              ┌────────────────────────────┐
              │   Operator Dashboard       │
              │   + WebSocket approvals    │
              │   + M-of-N quorum          │
              │   + CSML trend charts      │
              └────────────────────────────┘

​

3.2 Request Lifecycle (Deterministic Finite Automaton)

RECEIVED → VALIDATING → TIER_ASSIGNED → CONSTRAINT_CHECK
    │           │              │                │
    │        DENIED         DENIED           DENIED
    │      (bad token)    (blocked tier)   (constraint violation)
    │
    └→ COMBO_CHECK → CSML_CHECK → PLUGIN_CHECK → BUDGET_CHECK
           │              │              │              │
        ESCALATED      ESCALATED      DENIED        DENIED
       (forbidden     (drift         (hijack/       (insufficient
        sequence)     detected)      tamper)         balance)
           │              │
           ▼              ▼
    PENDING_APPROVAL → APPROVED/DENIED → LEDGER_RECORDED → COMPLETE
                          │
                       TIMEOUT → fallbackAction (deny|allow)

​

3.3 Monorepo Structure

​

4. Core Primitives

​

4.1 SintRequest

interface SintRequest {
  requestId: UUIDv7;                    // Unique, sortable identifier
  agentId: Ed25519PublicKey;            // 32-byte hex public key
  tokenId: UUIDv7;                      // Capability token authorizing this request
  resource: string;                     // URI: "ros2:///cmd_vel", "mcp://filesystem/writeFile"
  action: string;                       // "publish", "call", "subscribe", "exec.run"
  params: Record<string, unknown>;      // Action-specific parameters
  physicalContext?: {
    humanDetected?: boolean;            // Triggers tier escalation
    currentVelocityMps?: number;
    currentForceNewtons?: number;
    position?: { lat: number; lon: number };
  };
  recentActions?: string[];             // Last N actions for combo detection
  timestamp: ISO8601;                   // Microsecond precision
}

​

4.2 PolicyDecision

interface PolicyDecision {
  action: "allow" | "deny" | "escalate" | "transform";
  requestId: UUIDv7;
  assignedTier: "T0_OBSERVE" | "T1_PREPARE" | "T2_ACT" | "T3_COMMIT";
  assignedRisk: "T0_READ" | "T1_WRITE_LOW" | "T2_STATEFUL" | "T3_IRREVERSIBLE";
  denial?: {
    reason: string;
    policyViolated: string;
    suggestedAlternative?: string;
  };
  escalation?: {
    requiredTier: ApprovalTier;
    reason: string;
    timeoutMs: number;                  // Max 300,000ms (5 min)
    fallbackAction: "deny" | "allow";
  };
  transformations?: {
    constraintOverrides?: Record<string, unknown>;
    additionalAuditFields?: Record<string, unknown>;
  };
  timestamp: ISO8601;
}

​

4.3 Resource URI Scheme

​

5. Approval Tier System

​

5.1 Tier Definitions

​

5.2 Tier Escalation Triggers

​

5.3 Approval Flow

Request (T2/T3) → Pending Approval → Notification (SSE/WebSocket/Dashboard)
    → Operator approves/denies → PolicyDecision → Ledger Entry
    → Timeout (default 30s, max 5min) → fallbackAction: deny

​

6. Capability Token Framework

​

6.1 Token Structure

interface CapabilityToken {
  id: UUIDv7;
  issuer: Ed25519PublicKey;
  subject: Ed25519PublicKey;
  resource: string;                     // Glob-supported
  actions: string[];
  constraints: {
    maxVelocityMps?: number;
    maxForceNewtons?: number;
    geofence?: GeoPolygon;
    timeWindow?: { start: ISO8601; end: ISO8601 };
    rateLimit?: { maxCalls: number; windowMs: number };
  };
  delegationChain: {
    parentTokenId: UUIDv7 | null;
    depth: number;                      // 0 = root, max 3
    attenuated: boolean;
  };
  issuedAt: ISO8601;
  expiresAt: ISO8601;
  revocable: boolean;
  signature: Ed25519Signature;          // 64-byte
}

​

6.2 Delegation Rules

1. Maximum depth: 3. Root (0) → 1 → 2 → 3. No further delegation.
2. Attenuation only. Each delegation MUST have equal or narrower scope, fewer actions, tighter constraints, earlier expiry.
3. Chain verification. Validators verify the entire chain — each hop’s signature and attenuation.
4. Revocation cascades. Revoking a parent implicitly revokes all descendants.

​

6.3 Cryptographic Primitives

• Signing: Ed25519 via @noble/ed25519 (audited, zero-dependency)
• Hashing: SHA-256 via @noble/hashes
• Identity: W3C DID (did:key:z6Mk...) for cross-organizational trust

​

7. Forbidden Combination Detection

​

7.1 Default Forbidden Combos

​

7.2 Detection Algorithm

1. Each request includes recentActions[] — last N actions (configurable, default 10).
2. Detector checks if current action completes any registered forbidden sequence.
3. Match found → tier escalated to T3, reason recorded in ledger.
4. Operators extend the default list with domain-specific forbidden combinations.

​

8. Evidence Ledger

​

8.1 Ledger Entry

interface LedgerEvent {
  id: UUIDv7;
  sequenceNumber: number;              // Monotonically increasing
  previousHash: SHA256Hash;            // Genesis = "0".repeat(64)
  eventHash: SHA256Hash;               // SHA-256(previousHash + serialized data)
  eventType: "intercept" | "token_issued" | "token_revoked" | "approval_resolved";
  agentId: Ed25519PublicKey;
  requestId?: UUIDv7;
  decision?: PolicyDecision;
  metadata: Record<string, unknown>;
  timestamp: ISO8601;
}

​

8.2 Integrity Properties

• Hash chain: Each entry’s hash includes the previous hash. Any modification breaks all subsequent entries.
• Proof receipts: Cryptographic proof sufficient to verify any entry independently.
• Append-only: Entries are never updated or deleted.
• TEE attestation: Planned support for Intel SGX, ARM TrustZone, AMD SEV for hardware-backed proof receipts.

​

8.3 Storage Backends

​

8.4 API

# Query by agent
GET /v1/ledger?agentId=<key>&limit=100

# Query by tier
GET /v1/ledger?tier=T3_COMMIT&since=2026-04-01

# Export for SIEM integration (Splunk, Datadog, ELK)
GET /v1/ledger?format=json-lines&since=2026-04-01

​

9. Bridge Adapters

​

9.1 MCP Bridge (Primary Adoption Vector)

{
  "mcpServers": {
    "sint-proxy": {
      "command": "npx",
      "args": ["@sint/bridge-mcp", "--downstream", "filesystem,exec"]
    }
  }
}

• sint__status — Current token scope and tier configuration
• sint__audit — Recent ledger entries for this session
• sint__approve — Trigger approval flow for pending requests

• Claude Desktop — Drop-in MCP proxy configuration (11,472 lines of documentation)
• Cursor IDE — MCP proxy with SINT integration
• Docker — Production deployment with PostgreSQL + Redis
• gRPC — Service mesh bridge setup
• WebSocket — Real-time approval streaming

​

9.2 ROS 2 Bridge

• Resource mapping: ros2:///<topicOrServiceName>
• Physics extraction: Automatically extracts velocity from geometry_msgs/Twist and force from geometry_msgs/Wrench
• Human presence: Subscribes to detection topics for automatic tier escalation

​

9.3 MAVLink Bridge

​

9.4 Additional Bridges

​

10. Economic Layer

​

10.1 Token Unit

​

10.2 Billing Formula

cost = ceil(baseCost × costMultiplier × globalMarkupMultiplier)

​

10.3 Tier-Based Cost Table

​

10.4 Budget Enforcement

1. checkBudget() — per-agent budget cap
2. getBalance() — sufficient balance check
3. evaluateTrust() — not blocked/high-risk

​

10.5 Revenue Split (Design)

​

10.6 Cost-Aware Route Selection

• selectCostAwareRoute(input) — scores by cost + latency + reliability
• POST /v1/economy/route — exposed through gateway API

​

11. Safety Plugins

​

11.1 GoalHijackPlugin (OWASP ASI01)

1. Role override detection — Pattern matching for “ignore previous instructions”, system prompt injection
2. Semantic escalation — Requests that attempt to expand scope beyond token permissions
3. Exfiltration probes — Attempts to read credentials, env vars, or PII
4. Cross-agent injection — Messages crafted to manipulate downstream agents
5. Prompt injection in tool parameters — Embedded instructions in tool call arguments

​

11.2 MemoryIntegrityChecker (OWASP ASI06)

• Replay attack detection (duplicate request IDs)
• Privilege claim detection (forged approval records)
• History overflow anomalies (context window stuffing)

​

11.3 DefaultSupplyChainVerifier (OWASP ASI04)

• Model fingerprint hash verification against allowlist
• Model ID validation at runtime
• Tool manifest integrity checking (detects swapped/tampered tools)

​

11.4 CircuitBreakerPlugin (EU AI Act Art. 14(4)(e))

• Manual trip() by operator → instantly blocks all actions from target agent
• N consecutive denials → auto-open circuit
• CSML anomalous-persona detection → auto-trip
• HALF_OPEN probe recovery → self-healing after incident resolution

​

11.5 DynamicEnvelopePlugin

effective_max_velocity = min(token.maxVelocityMps, obstacle_distance × reaction_factor)

​

11.6 SwarmCoordinator

• Maximum concurrent actors in T2+ tier
• Total kinetic energy ceiling (Σ½mv²)
• Minimum inter-agent distance
• Maximum escalated fraction

​

12. CSML Behavioral Identity

​

12.1 Definition

interface CSMLMetrics {
  approvalRate: number;     // approved / total requests
  completionRate: number;   // completed / started actions
  averageLatencyMs: number; // mean decision time
  tierDistribution: Record<ApprovalTier, number>;
}

// CSML score = weighted divergence from baseline
function computeCsml(current: CSMLMetrics, baseline: CSMLMetrics): number;

​

12.2 Auto-Escalation

​

12.3 ROSClaw Validation

​

13. SINT Operators Platform

​

13.1 Technical Stack

​

13.2 Feature Modules (28 modules)

​

13.3 Pages (26 routes)

​

13.4 WebSocket Gateway

• GatewayClient.ts — WebSocket connection with auto-reconnect and auth
• GatewayProvider.tsx — React context for event routing
• 15+ event handlers — Factory-pattern handler registration
• gatewayIdentity.ts — Ed25519 keypair generation for device auth
• Zod validators — Schema validation for all gateway events

​

14. Virtual CMO Content Engine

​

14.1 Pipeline Architecture

Video Input → Download → Transcribe (AssemblyAI/Whisper)
    → Analyze (Claude 3-pass) → Face Track (MediaPipe)
    → Render (Remotion/FFmpeg) → Generate Text (Claude)
    → Quality Score → Approval Queue → Publish

​

14.2 Technical Stack

• 331 files total in repository
• API server: Express.js with 40+ route modules
• Core engine: Pipeline engine with YAML-driven workflow definitions
• Rendering: Remotion for programmatic video (React-based compositions — BrandOverlay, CaptionRenderer, ClipComposition, FaceCrop)
• Transcription: AssemblyAI + local Whisper fallback
• LLM routing: Multi-provider router (Claude, OpenAI, etc.)
• Auth: API key service + OAuth manager + auth middleware
• Scheduling: CMO scheduler with cron-based automation

​

14.3 Skills (18 modular processors)

​

14.4 Publishing Integrations

​

14.5 Services

​

14.6 External Integrations

• MCP Skill Server — Exposes CMO capabilities as MCP tools
• OpenClaw Connector — Integration with OpenClaw agent platform
• Telegram Bot — Direct Telegram channel management
• WhatsApp Bot — WhatsApp Business integration
• Zapier Routes — Webhook/Zapier automation

​

14.7 Cost Analysis

​

15. 3D Avatar System

​

15.1 Architecture

User Input → Server (OpenAI LLM for text + emotion tags)
    → ElevenLabs TTS (MP3 + character-level alignment timestamps)
    → Viseme Conversion (alignment → ARKit blendshape targets)
    → Client (MP3 base64 + lipsync data)
    → Three.js Renderer (morph target animation synchronized to audio)

​

15.2 Client (apps/client)

• Avatar module — AvatarNew, AvatarOptimized, AvatarOriginal, AvatarScene, CharacterControls
• Animation system — External animation loading, idle animation, alive system (subtle breathing/movement)
• Lipsync — ElevenLabs character-level timestamps → viseme codes (A-X) → ARKit 52 blendshapes → morph target interpolation
• Camera system — CameraFollow, CameraRig with configurable defaults
• Effects — Post-processing pipeline
• Scene management — Multiple scene configurations with lighting constants

• useVoiceRecorder — User voice input capture
• useBargein — Interrupt detection (user speaks while avatar is talking)
• useAvatarBehavior — Behavioral state machine
• useAvatarAnticipation — Pre-load animations based on conversation context
• useBlink — Realistic blink patterns
• useGPUTier — Adaptive quality based on device capability
• useMorphTargets — Blendshape target management

​

15.3 Server (apps/server)

• Character system — Configurable character personalities
• Conversation compiler — Assembles conversation context
• Conversation filter — Content moderation
• Streaming chat — Streaming LLM responses with emotion tagging
• OpenClaw backend — Integration with OpenClaw agent platform
• Static audio assets — Pre-generated greetings, error messages for instant playback

​

15.4 Shared Package (packages/shared)

• ARKit 52 blendshape definitions and mappings
• Shared types between client and server
• Utility functions

​

15.5 Expression System

​

16. Outreach Automation

​

16.1 Architecture

• Pipeline — Lead pipeline visualization
• Campaigns — Campaign management
• Analytics — Performance analytics
• Escalations — HITL escalation queue
• Agent Chat — Direct agent interaction

​

16.2 A/B Testing

• Multiple message variants per sequence step
• Statistical significance calculation
• Winner evaluation and auto-promotion

​

16.3 Compliance

• FDA compliance for supplement claims
• FTC endorsement guidelines
• LinkedIn Terms of Service adherence
• CAN-SPAM compliance for email channel

​

17. Open Agent Trust Registry

​

17.1 Problem Statement

​

17.2 Architecture

registry/
├── issuers/                    # One JSON file per registered issuer
│   ├── agent-passport-system.json
│   ├── agentid.json
│   ├── agentinternetruntime.json
│   ├── agora.json
│   ├── arcede.json
│   ├── arkforge.json
│   ├── insumerapi.json
│   └── qntm.json
├── manifest.json               # Compiled, signed registry manifest
└── proofs/                     # Cryptographic proofs

​

17.3 Security Properties

1. Permissionless registration — Organizations register by cryptographically proving domain ownership. Automated CI pipeline adds them. No human gatekeepers.
2. Threshold governance — Master list secured by 3-of-5 multi-signature scheme. Keys distributed to independent ecosystem leaders.
3. Zero-trust mirrors — Registry manifest is cryptographically signed. Anyone can host a mirror; tampered manifests are rejected by SDK.
4. Local verification — Services download registry once and verify locally. No per-request central server calls.

​

17.4 CI/CD

• manifest-compiler.yml — Compiles registry on changes
• verify-registration.yml — Validates new registrations
• release.yml — npm publish for CLI

​

17.5 Research Paper

​

18. Physical AI Use Cases

​

18.1 Warehouse Delivery Robot (AMR)

​

18.2 Industrial Welding Arm (ISO 10218)

​

18.3 Surgical Robot (FDA Class III)

​

18.4 UAV / Drone (MAVLink)

​

18.5 Collaborative Robot (ISO/TS 15066)

• maxVelocity: 0.25 m/s, maxForce: 150 N (ISO/TS 15066 Table 1 transient contact)
• Per-body-region force limits: Head 130N, Chest 140N, Hand 140N, Thigh 220N

​

18.6 Underwater ROV (DNV-ST-0111)

​

19. Conformance & Testing

​

19.1 Test Suite Summary

​

19.2 Protocol Test Coverage

​

19.3 OWASP Agentic Security Top 10 Coverage

​

19.4 MCP Attack Surface Conformance

​

20. Compliance & Standards Mapping

​

21. Competitive Landscape

​

21.1 Protocol Comparison Matrix

​

21.2 Market Context

• Agentic AI market: $10.86B (March 2026), 46$52.6B by 2030
• Physical AI security: No established market leader; SINT is first-to-market with a comprehensive protocol
• ROSClaw (Cardenas et al., 2026): First academic validation of the need for runtime authorization in ROS 2 agentic systems — cites SINT approach
• OWASP Agentic Security: Published March 2026; SINT achieved 10/10 coverage within 4 weeks

​

22. Research Agenda (2026–2031)

​

Problem 1: Swarm Coordination Security (2026–2027)

1. Swarm capability token — Group token encoding collective constraints: maxSwarmDensity (agents/m³), minInterAgentDistance (m), maxCollectiveKineticEnergy (Σ½mv² in joules), synchronizationWindow (ms)
2. Collective CSML — computeCsml() extended to agent cohorts with tighter threshold θ_swarm
3. Byzantine-resilient coordination — k-of-N threshold signature scheme for compromised swarm members

​

Problem 2: Sub-Human-Reaction-Time Safety (2026–2028)

1. Probabilistic constraint envelopes — Replace binary checks with Gaussian confidence bounds
2. Predictive tier assignment — ML model predicting which upcoming actions will need T2/T3 approval, pre-fetching human attention
3. Safety-bounded autonomy — Pre-approved trajectory corridors with divergence thresholds for automatic invalidation

​

Problem 3: Multi-Modal Sensor Fusion Trust (2027–2028)

1. Sensor attestation — Each sensor produces signed readings; gateway verifies sensor integrity
2. Fusion consistency scoring — Cross-validate sensor modalities; flag inconsistencies
3. Adversarial sensor detection — Detect spoofed LiDAR, camera injection attacks

​

Problem 4: Cross-Organizational Trust Federation (2027–2029)

1. Federated capability negotiation — Mutual attestation protocol
2. Trust registry integration — Open Agent Trust Registry as the PKI root
3. Cross-domain CSML — Behavioral reputation that transfers across organizations

​

Problem 5: Formal Verification of Safety Properties (2028–2031)

1. TLA+ specification — Model-check core gateway invariants
2. Coq/Lean proofs — Formally verify token delegation attenuation
3. Isabelle/HOL — Prove hash chain integrity properties

​

23. Deployment & Operations

​

23.1 Quick Start (MCP Proxy)

npm install -g @sint/bridge-mcp
sintctl token create --resource "mcp://*" --actions read,call --ttl 24h

{
  "mcpServers": {
    "sint-proxy": {
      "command": "npx",
      "args": ["@sint/bridge-mcp", "--downstream", "filesystem,exec"]
    }
  }
}

​

23.2 Production Deployment (Docker)

# docker-compose.yml
services:
  gateway:
    image: ghcr.io/sint-ai/sint-gateway:latest
    ports:
      - "3000:3000"
    environment:
      - SINT_PERSISTENCE=postgres
      - DATABASE_URL=postgresql://sint:pass@db:5432/sint
      - SINT_REDIS_URL=redis://redis:6379
    depends_on: [db, redis]

  dashboard:
    image: ghcr.io/sint-ai/sint-dashboard:latest
    ports:
      - "3001:80"
    environment:
      - VITE_GATEWAY_URL=http://gateway:3000

  db:
    image: postgres:16
    environment:
      POSTGRES_DB: sint
      POSTGRES_USER: sint
      POSTGRES_PASSWORD: pass
    volumes:
      - pgdata:/var/lib/postgresql/data

  redis:
    image: redis:7-alpine

volumes:
  pgdata:

​

23.3 CLI (sintctl)

# Token management
sintctl token create --resource "ros2:///cmd_vel" --actions publish --maxVelocity 1.5
sintctl token list
sintctl token revoke <tokenId>
sintctl token delegate --parent <tokenId> --maxVelocity 0.5  # Attenuated

# Approvals
sintctl approve list --pending
sintctl approve accept <requestId>
sintctl approve deny <requestId> --reason "Too fast"

# Audit
sintctl ledger query --agent <key> --since 2026-04-01 --tier T3
sintctl ledger verify --entry <entryId>  # Verify hash chain
sintctl ledger export --format jsonl > audit.jsonl

# Policy
sintctl policy list
sintctl policy add --resource "mcp://exec/*" --tier T3_COMMIT
sintctl policy test --resource "ros2:///cmd_vel" --action publish

# Scanning
sintctl scan --server filesystem  # Security scan MCP server

​

23.4 Python SDK

from sint import SintClient, SintScanner

# Client usage
client = SintClient(gateway_url="http://localhost:3000")
token = client.create_token(
    resource="mcp://filesystem/*",
    actions=["read"],
    ttl_hours=24
)

# Security scanning
scanner = SintScanner(gateway_url="http://localhost:3000")
results = scanner.scan_server("filesystem")
for finding in results.findings:
    print(f"{finding.severity}: {finding.description}")

​

23.5 Go SDK

import "github.com/sint-ai/sint-protocol/sdks/sint-go"

client := sint.NewClient("http://localhost:3000")
token, err := client.CreateToken(sint.TokenRequest{
    Resource: "ros2:///cmd_vel",
    Actions:  []string{"publish"},
    MaxVelocityMps: 1.5,
})

​

24. Roadmap

​

Phase 1: Foundation (Completed — Q1 2026)

• ✅ Core protocol types and Zod schemas
• ✅ Policy Gateway with tier assignment and plugin system
• ✅ Ed25519 capability tokens with delegation chains
• ✅ SHA-256 hash-chained evidence ledger
• ✅ MCP bridge adapter (primary adoption vector)
• ✅ Economic layer with metered billing
• ✅ OWASP ASI 10/10 conformance
• ✅ 1,363 tests passing

​

Phase 2: Bridges & SDKs (Q2 2026)

• ✅ ROS 2 bridge adapter
• ✅ MAVLink v2 bridge adapter
• ✅ Google A2A bridge adapter
• ✅ gRPC bridge adapter
• ✅ IoT/MQTT/OPC-UA/Open-RMF bridges
• ✅ Python SDK (1,962 lines)
• ✅ Go SDK (stub)
• ✅ TypeScript client SDK
• ✅ PostgreSQL persistence (518 lines)
• ✅ Redis persistence + revocation bus
• ⭕ npm publish 8 packages to @sint/ scope (ready)
• ⭕ SPAI 2026 submission (deadline: May 7)

​

Phase 3: Production Hardening (Q3 2026)

• TEE attestation (Intel SGX, ARM TrustZone, AMD SEV)
• Formal verification (TLA+ for gateway invariants)
• Kubernetes Operator for gateway deployment
• Prometheus/Grafana monitoring integration
• SIEM export connectors (Splunk, Datadog, ELK)
• Edge mode for bandwidth-constrained deployments
• SOC 2 Type II audit preparation

​

Phase 4: Swarm & Federation (Q4 2026 – Q1 2027)

• Swarm capability tokens
• Collective CSML
• Cross-organizational trust federation
• Byzantine-resilient coordination
• Agent Trust Registry integration as federation root

​

Phase 5: Formal Safety (2027–2031)

• Probabilistic constraint envelopes
• Predictive tier assignment
• Multi-modal sensor fusion trust
• Formal proofs (Coq/Lean/Isabelle)
• Medical device certification support (IEC 62304 + FDA)
• Aerospace certification support (DO-178C)

​

25. References

​

Academic

1. Cardenas, I.S., Arnett, M.A., Yeo, N.C., Sah, L., Kim, J.-H. (2026). “ROSClaw: An OpenClaw ROS 2 Framework for Agentic Robot Control and Interaction.” arXiv:2603.26997.
2. OWASP. (2026). “Agentic AI Security Initiative — Top 10 for Agentic AI.” owasp.org.
3. Anthropic. (2024). “Model Context Protocol Specification.” spec.modelcontextprotocol.io.
4. MCP Security Analysis. (2026). arXiv:2601.17549.
5. Google. (2025). “Agent-to-Agent (A2A) Protocol.” github.com/google/A2A.

​

Standards

6. IEC 62443-3-3:2013. Industrial communication networks — IT security for networks and systems.
7. ISO 10218-1:2011. Robots and robotic devices — Safety requirements for industrial robots.
8. ISO/TS 15066:2016. Robots and robotic devices — Collaborative robots.
9. ISO 14971:2019. Medical devices — Application of risk management.
10. IEC 62304:2015. Medical device software — Software life cycle processes.
11. IEC 60601-1-8:2020. Medical electrical equipment — Alarm systems.
12. FDA 21 CFR Part 820. Quality System Regulation.
13. NIST AI RMF 1.0 (2023). Artificial Intelligence Risk Management Framework.
14. NIST SP 800-82 Rev. 3 (2023). Guide to Operational Technology (OT) Security.
15. NATO STANAG 4586. Standard Interfaces of UAV Control System.
16. ASTM F3548-21. Standard Specification for UAS Remote ID.
17. EU AI Act (2024). Regulation (EU) 2024/1689 — Harmonised rules on artificial intelligence.
18. DNV-ST-0111. Assessment of station keeping capability of dynamic positioning vessels.

​

SINT Ecosystem

19. SINT Protocol Repository. github.com/sint-ai/sint-protocol.
20. SINT Operators Platform. github.com/sint-ai/sint-agents.
21. SINT Virtual CMO. github.com/sint-ai/sint-cmo-operator.
22. SINT Avatars. github.com/sint-ai/sint-avatars.
23. SINT Outreach. github.com/sint-ai/sint-outreach.
24. Open Agent Trust Registry. github.com/pshkv/open-agent-trust-registry.
25. Autonomous Execution Engine. github.com/sint-ai/autonomous-execution-engine.

​

Appendix A: Gateway Invariants

​

Appendix B: Package Dependency Graph

@sint/core
  ├── @sint/gate-capability-tokens
  ├── @sint/gate-policy-gateway
  │     ├── @sint/gate-capability-tokens
  │     ├── @sint/gate-evidence-ledger
  │     └── @sint/bridge-economy
  ├── @sint/gate-evidence-ledger
  ├── @sint/persistence
  │     └── @sint/persistence-postgres
  ├── @sint/bridge-mcp
  │     └── @sint/gate-policy-gateway
  ├── @sint/bridge-economy
  └── @sint/client

​

Appendix C: Environment Variables