# Aevum — Full LLM Reference
> This is the full-content reference for AI agents. See /llms.txt for the index.
> Version: corresponds to aevum-core package version on PyPI.
## What Aevum is
Aevum is an open-source AI governance and context kernel. It is a Python library
(Apache 2.0) that runs from a Raspberry Pi to Kubernetes without changing a line of code.
Its purpose: give AI agents a signed audit trail, consent-checked data access, and
verifiable decision records with cryptographic audit trails. It does not generate, evaluate, or control
LLM output — it governs the agent's memory and action record.
## The five governed functions (RELATE / NAVIGATE / GOVERN / REMEMBER / REPLAY)
Every operation in Aevum maps to exactly one of these five functions. No exceptions.
**RELATE** — Protocol verb: `ingest()`
Ingests input, verifies provenance, establishes weighted relationships. Never generates
synthetic inputs or modifies inputs before recording. Output: weighted edges + RELATE
audit event.
**NAVIGATE** — Protocol verb: `query()`
Traverses the relationship graph for a declared purpose. Consent is a precondition
checked by the kernel before traversal begins. Never presents context as
complete — uncertainty markers are mandatory output.
**GOVERN** — Protocol verb: `review()`
Presents navigated context to an authorized human at a consequential moment. Receives
their decision. Records it with full provenance. The veto is a first-class output.
**REMEMBER** — Protocol verb: `commit()`
Commits the full record to the append-only sigchain with cryptographic integrity.
Every loop pass produces a COMMIT. Without exception.
**replay** — Reconstructs any past decision faithfully from the episodic ledger for
cryptographic audit. Returns the original payload with provenance intact.
## The five unconditional barriers
These cannot be disabled by configuration, policy, or emergency override:
1. **Crisis** — halts processing on crisis-pattern content before graph write
2. **Classification ceiling** — enforces data classification limits per Cedar policy
3. **Consent** — requires valid, unexpired consent for every context traversal
4. **Audit immutability** — prevents modification of any sigchain entry after commit
5. **Provenance** — records verified principal identity on every entry
## Adapters (eight supported)
| Adapter | Class | Framework version |
|---------|-------|-------------------|
| OpenAI Agents SDK | `AevumAgentHooks` | openai-agents >=0.0.9 |
| LangChain | `AevumLangChainCallback` | langchain-core >=1.2.22 |
| LangGraph | `AevumCheckpointer` | langgraph-checkpoint >=4.1.0 |
| CrewAI | `AevumCrewAIHooks` | crewai >=0.80 |
| A2A (Agent-to-Agent) | `AevumA2AAdapter` | a2a-sdk v1.0 |
| MCP | `AevumMCPInterceptor` | fastmcp >=2.0 |
| Google ADK | `AevumADKPlugin` | google-adk >=2.2,<3 (BasePlugin 2.x API) |
| Microsoft Agent Framework | `AevumMAFMiddleware` | agent-framework >=1.8,<2 |

## Quickstart (10 lines)
```python
from aevum.core import Engine
from aevum.core.consent.models import ConsentGrant
engine = Engine()  # SQLite backend, no config needed
engine.add_consent_grant(ConsentGrant(
    grant_id="demo-grant",
    subject_id="user-1",
    grantee_id="my-agent",
    operations=["ingest", "query"],
    purpose="demo",
    classification_max=0,
    granted_at="2026-01-01T00:00:00Z",
    expires_at="2030-01-01T00:00:00Z",
))
engine.ingest(
    data={"finding": "disk_full", "host": "host-42"},
    provenance={"source_id": "scanner", "chain_of_custody": ["scanner"], "classification": 0},
    purpose="demo",
    subject_id="user-1",
    actor="my-agent",
)
context = engine.query(
    purpose="demo",
    subject_ids=["user-1"],
    actor="my-agent",
)
engine.commit(actor="my-agent", action="review", resource="host-42")
intact = engine.verify_sigchain()  # True
print(f"Chain intact: {intact}")
# See docs/learn/quickstart.md for current examples
```
## Sigchain technical detail
- Every entry: `event_type`, `actor`, `payload`, `prior_hash`, `sequence`, `timestamp`
- Chain hash: SHA3-256 of canonical JSON (RFC 8785 JCS) of the prior entry
- Genesis hash: `sha3_256(b"aevum:genesis").hexdigest()`
- Ed25519 signing: each entry signed by the kernel's private key
- `verify_sigchain()` checks every link from genesis to current tip — O(n)
- A single tampered field in any entry produces a hash mismatch detected on next verify
## Consent model
- Consent ledger is CRDT-backed (OR-Set semantics) — concurrent grants don't conflict
- `operations`: list of permitted verbs (`["ingest", "query", "replay", "commit"]`)
- `classification_max`: integer ceiling — agent cannot access data classified above this
- `purpose`: string — NAVIGATE calls with a different purpose are rejected
- Expired grants are rejected at check time; no lazy deletion
## MCP server configuration
For Claude Desktop / Cursor / Windsurf:
```json
{
  "mcpServers": {
    "aevum": {
      "command": "uvx",
      "args": ["aevum-mcp"],
      "tools": ["aevum_ingest", "aevum_query", "aevum_commit", "aevum_verify"]
    }
  }
}
```
Available MCP tools: `aevum_ingest`, `aevum_query`, `aevum_commit`, `aevum_verify`,
`aevum_grant_consent`, `aevum_replay`.
## Install options
```bash
pip install aevum-core                    # core only (SQLite backend)
pip install "aevum-core[cedar]"           # + real Cedar consent enforcement
pip install "aevum-core[postgres]"        # + PostgreSQL backend
pip install "aevum-core[postgres,cedar]"  # full team-tier stack
```
## EU AI Act Article 12 compliance
The `/v1/compliance/{session_id}` endpoint (demo.aevum.build or your own deployment)
generates a structured compliance report mapping sigchain entries to the three Article
12(2) purposes: (a) risk identification, (b) post-market monitoring, (c) deployer oversight.
`human_oversight_demonstrated: true` when at least one consent record exists in the session.
`chain_valid: true` when the hash chain is unbroken from genesis to head.
## OWASP Agentic Top 10 coverage
| Code  | Risk                           | Aevum mechanism                              |
|-------|-------------------------------|----------------------------------------------|
| ASI01 | Prompt injection / goal hijack | Crisis barrier + Cedar TaintLabel            |
| ASI02 | Insecure tool / plugin use     | Cedar forbid trifecta policy                 |
| ASI03 | Excessive agency               | L1–L5 autonomy via Cedar context attributes  |
| ASI04 | Resource overuse               | Crisis barrier halts flagged actions         |
| ASI05 | Data privacy breach            | Classification ceiling (Cedar)               |
| ASI06 | Insufficient logging           | Append-only sigchain — cannot be suppressed  |
| ASI07 | Intent misalignment            | Human-readable consent; GOVERN checkpoint    |
| ASI08 | Context manipulation           | Audit immutability — entries immutable       |
| ASI09 | Human–agent trust deficit      | Consent receipt hash verified before execute |
| ASI10 | Supply chain exploit           | OIDC provenance on all ingested scan results |
## Source and license
- Repository: https://github.com/aevum-labs/aevum
- License: Apache 2.0
- Security issues: security@aevum.build (72h response)
- PyPI: https://pypi.org/project/aevum-core/