An attestation is only as strong as its stated scope. Wardin attests to
gateway-routed traffic only — requests it processed and signed. It does not cover
AI activity that bypasses the gateway, and it is not a compliance certification
(SOC 2 / ISO / EU AI Act) and not legal advice. The
scope and disclaimer fields
are returned with every attestation; surface them verbatim. Claim language is draft,
pending compliance-counsel review.What it states
For a period,GET /v1/compliance/attestation
returns:
- receipts — signed receipts produced for gateway-routed traffic;
- chainVerified — whether the hash chain recomputed end-to-end with no gap or break in sequence (a single altered field breaks every later hash);
- signaturesVerified — whether every receipt’s ED25519 signature verified against the signing-key registry;
- policyEvaluated — receipts carrying signed in-path check records (across both receipt kinds), and the percentage;
- modelReceipts / toolReceipts — the split of the period into model-inference vs agent tool-call receipts; the two carry different checks, so they anchor the coverage denominators below;
- enforcementActions — receipts where an in-path check blocked (BUDGET, ALLOWLIST, or
GUARDRAIL on a model call; AGENT_IDENTITY or TOOL_ALLOWLIST on a tool call) or redacted
(a GUARDRAIL REDACTED result). A genuine upstream/provider failure (UPSTREAM FAIL) is
not an enforcement action — it’s counted separately as
upstreamFailures; - checkCoverage — per in-path check,
receiptscarrying it andapplicableReceipts(the receipts that could carry it: model checks BUDGET/ALLOWLIST/GUARDRAIL overmodelReceipts, tool checks AGENT_IDENTITY/TOOL_ALLOWLIST overtoolReceipts, UPSTREAM over all).pctisreceipts / applicableReceipts, floored — so a check’s coverage is never diluted by receipts of the other kind that could never carry it; - packsInForce — the framework packs in effect;
- merkle.root — an RFC 6962 Merkle root over the period’s receipt chain hashes.
GET /v1/compliance/attestation for the full
response shape.
Why it’s trustworthy without trusting us
The Merkle root commits to which receipts exist and their order — using each receipt’sthis_hash (its chain hash) as the leaf. The leaf is a hash, never prompt or
response content, so an inclusion proof reveals structure, not content. Two independent
facts mean the root can’t be forged without detection:
- Each receipt is individually ED25519-signed — verify any leaf’s signature against Wardin’s published signing-key registry.
- The leaves chain — each
this_hashcommits to the previous, so the set can’t be reordered or padded without breaking the chain.
GET /v1/compliance/attestation/receipts/{id}/inclusion —
a content-free audit path you verify against merkle.root.
Reproduce the root yourself
The Merkle tree is RFC 6962 (the Certificate-Transparency standard), SHA-256, with domain-separated leaf and node prefixes. Any auditor can reimplement it in any language:d0…d(n-1) are the receipts’ this_hash bytes, in ascending seq order (exactly
the order the Evidence Bundle lists them). Inclusion-proof
verification walks the same split structure: reconstruct the root from your leaf, its
index, the treeSize, and the sibling proof path, then compare to root. The 0x00
/ 0x01 prefixes are what stop the “duplicate the last node” forgery that plagues naive
Merkle trees.
Publishing the root to a public transparency log (CT-style), so the attestation itself is
tamper-evident beyond “recompute from the receipts you were shown”, is in development.
Today the root is reproducible from the period’s signed receipts, which already can’t be
forged without forging ED25519 signatures.