Kevros Governance API

Verify an action against policy bounds before execution. Returns ALLOW, CONSTRAIN, or DENY with a signed release token. Downstream services verify the token independently. Fail-closed: verification failure results in DENY.

Generate a portable compliance evidence package containing hash-chained provenance, intent binding proofs, post-quantum block signatures, and verification instructions. Independently verifiable without Kevros access.

Bind a declared intent to a command and verify the outcome matches. HMAC-signed binding proves the chain from intent to command to result is unbroken.

Look up a media attestation certificate by its certificate ID. Returns the full certificate including hash, timestamp, and provenance chain position. No charge, no authentication required.

Submit a media file hash for cryptographic attestation. Returns a signed certificate proving the hash was recorded at a specific timestamp in the provenance ledger. Useful for content provenance, media integrity, and audit trails.

Verify a media file hash against a previously issued attestation certificate. Returns the attestation status and certificate details. No charge, no authentication required.

Close a streaming payment session and seal the provenance record. Reports final spend, transaction count, and close reason. Returns sealed provenance hash and compliance bundle availability. No charge. POST /governance/mpp/close

Create a governed streaming payment session. Declare budget, duration, spending rate limit, and allowed service categories. Returns a signed session token for continuous streaming payments within policy bounds. Every session is recorded in the provenance ledger. $0.02/session. POST /governance/mpp/session

Mid-session drift check during a streaming payment session. Reports current spend, transaction count, active service, and spending rate. Kevros checks for budget overruns, rate limit violations, and unauthorized service usage. Returns session status (active, warning, suspended, expired) and remaining budget/time. No charge. POST /governance/mpp/heartbeat

Prompt injection detection via ONNX DeBERTa-v3 classifier. Scans text for injection attacks, jailbreaks, and role hijacking attempts. Returns confidence score, risk level, and HMAC-signed result. $0.01/scan or 10 trial scans/day.

Record an action in a hash-chained, append-only evidence ledger. Each attestation extends the provenance chain. Block signatures issued every 100 records using ML-DSA-87 (FIPS 204). Third parties verify the chain without Kevros access.