Architecture
The SovereignClaw architecture is built for AI agent runtime security: deterministic execution gating, 20 Rust crates, 829+ tests, and 9 formal security properties.
SovereignClaw's architecture treats every LLM-proposed action as untrusted input. The seven-stage execution pipeline turns model output into a deterministic, policy-evaluated decision before any side effect can occur. For teams evaluating enterprise AI governance, this page shows how runtime security, evidence generation, and operational control fit together in one system.
This architecture is designed for organizations that need more than best-effort AI guardrails. Instead of filtering or post-hoc review, SovereignClaw canonicalizes intent, verifies facts, assigns risk, and binds any permitted execution to signed artifacts and receipts. Pair this architecture view with the security properties, compliance coverage, and deployment tiers to understand the full operating model. Published on SSRN (ID 6290760). Patent applications pending: USPTO 74981727 · 74483691 · 73809451 · 72763061.
Execution Pipeline
Every agent action passes through a deterministic 7-stage pipeline before any execution can occur. No shortcuts. No bypasses.
Stage-by-stage execution flow
Risk Tier Classification
Every action is classified into one of four risk tiers. The gate behavior is determined by the tier, not by the LLM's self-assessment.
Policy behavior by tier
| Tier | Name | Example | Gate Behavior |
|---|---|---|---|
| T0 | Observe | ls -la | Auto-allow |
| T1 | Standard | Write app config | Allow with signed receipt |
| T2 | Elevated | Restart production service | Requires threshold signatures (m-of-n) |
| T3 | Sovereign | Delete IAM / DB / infra | Mechanical refusal — blocked by default |
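The following Rust sketch is an added example, not SovereignClaw's own code: it shows the principle the table states, that the tier is derived from the canonicalized action while the model's self-assessed tier is only recorded as a mismatch signal, and that T2 quorum counts distinct approvers and fails closed on a bad threshold. All type and function names, the verb list and the path prefixes are assumptions made for the example.

```rust
// Added illustration of tier-driven gating (not SovereignClaw's own code): every
// type, function and classification rule below is assumed for the example.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum Tier { T0, T1, T2, T3 }
#[derive(Debug, PartialEq, Eq)]
pub enum Decision { AutoAllow, AllowWithReceipt { canonical: String },
                    RequiresQuorum { have: usize, m: usize, n: usize }, Refused }
/// An LLM-proposed action. `claimed_tier` is the model's self-assessment; the
/// gate never trusts it and only records whether the claim disagreed.
pub struct Proposal<'a> { pub verb: &'a str, pub target: &'a str, pub claimed_tier: Tier }

/// Canonical form: trimmed, lower-cased "verb:target" (stand-in for SovereignIR hashing).
pub fn canonicalize(p: &Proposal) -> String {
    format!("{}:{}", p.verb.trim().to_ascii_lowercase(), p.target.trim().to_ascii_lowercase())
}

/// Deterministic classification from the canonical action, mirroring the tier table.
pub fn classify(p: &Proposal) -> Tier {
    let canon = canonicalize(p);
    let (verb, target) = canon.split_once(':').unwrap_or((canon.as_str(), ""));
    let sovereign = ["iam/", "db/", "infra/"].iter().any(|pre| target.starts_with(*pre));
    match verb {
        "ls" | "cat" | "get" => Tier::T0,
        "delete" | "drop" if sovereign => Tier::T3,
        "restart" if target.starts_with("prod/") => Tier::T2,
        "write" | "restart" => Tier::T1,
        _ => Tier::T3, // unknown verbs fail closed into the refused tier
    }
}

/// True when the model under- or over-reported its tier: worth logging as an audit signal.
pub fn claim_mismatch(p: &Proposal) -> bool { classify(p) != p.claimed_tier }

/// Gate behaviour by tier. `approvals` holds approver ids collected so far; the
/// m-of-n threshold counts distinct approvers only, and a bad threshold fails closed.
pub fn gate(p: &Proposal, approvals: &[&str], m: usize, n: usize) -> Decision {
    if m == 0 || m > n { return Decision::Refused; }
    match classify(p) {
        Tier::T0 => Decision::AutoAllow,
        Tier::T1 => Decision::AllowWithReceipt { canonical: canonicalize(p) },
        Tier::T2 => {
            let mut distinct = approvals.to_vec();
            distinct.sort_unstable();
            distinct.dedup();
            if distinct.len() >= m { Decision::AllowWithReceipt { canonical: canonicalize(p) } }
            else { Decision::RequiresQuorum { have: distinct.len(), m, n } }
        }
        Tier::T3 => Decision::Refused, // mechanical refusal, regardless of approvals
    }
}
```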
Crate Architecture (20 Crates)
The crates are grouped around three jobs: immutable intent representation, enforcement and authorization, and enterprise runtime operations. That separation is what lets SovereignClaw map execution controls cleanly into audit and compliance evidence.
Core, control-plane, and runtime crates
| Crate | Role |
|---|---|
| libs/core | Immutable SovereignIR schema, canonical hashing, execution graph |
| libs/gate | Policy engine: fact inference, tier classification, threshold signatures, WASM plugin sandbox, revocation check |
| libs/adapter | Attested runtime: 10-step verification, nonce replay protection, AEAD credential store, SQLite revocation registry |
| libs/receipt | Append-only Merkle-anchored ledger of signed authority receipts |
| libs/tenant | Multi-tenant isolation: context hashing, quotas, cross-tenant denial |
| libs/vault | Per-tenant, per-environment credential vaults with lease-gated access |
| libs/crypto | Threshold signature collection (m-of-n) and key rotation |
| libs/identity | SSO/SCIM identity bridge: IdP group → approval quorum mapping |
| libs/approval | Persistent async approval workflows with quorum, TTL, escalation |
| libs/enterprise | 16 enterprise skill modules with tier classification (T0–T3) |
| libs/skill_registry | Verified manifests, publication state, quarantine, intake freeze, tenant allowlisting |
| libs/skill_scanner | WASM bytecode behavioral analysis — flags network, file-write, env-read imports against declared scope |
| libs/mesh | Ed25519-signed inter-agent envelopes, delegation chains with scope attenuation, propagation depth limits |
| libs/agent | LLM orchestration loop, provenance-tagged memory, context injection boundary, swarm execution runtime |
| libs/gateway | HTTP control plane with deployment attestation, compliance metrics (CEF/SIEM), production mode profile |