Shadow Warden AI — Gateway v7.0

Cryptography

8 features

CR-01

Post-Quantum Keypairs

✅ Shipped

Hybrid Ed25519 + ML-DSA-65 (FIPS 204). HybridKEM: X25519 + ML-KEM-768 (FIPS 203). liboqs fail-open.

Enterprise v4.1

CR-02

Sovereign AI Cloud

✅ Shipped

8 jurisdictions: EU/US/UK/CA/SG/AU/JP/CH. MASQUE tunnels (H3/H2/TCP). TOFU TLS pinning. Least-latency routing.

Enterprise v4.4

CR-03

Sovereign Data Pods

✅ Shipped

Per-jurisdiction MinIO routing. Fernet-encrypted pod keys. 5s health probes. Jurisdiction→data_class resolution.

Enterprise v4.7

CR-04

Sovereignty Attestation

✅ Shipped

HMAC-SHA256 signed. 7-year Redis TTL. 10K cap per tenant. O(1) historical routing verification.

Enterprise v4.4

CR-05

Transfer Rules Matrix

✅ Shipped

CLASSIFIED → never. PHI → 5 jurisdictions. GENERAL → all with adequacy. EU↔UK/CA/JP/CH decisions built-in.

Enterprise v4.4

CR-13

ML-KEM-1024 upgrade path (FIPS 203 Level 5)

📋 Planned

Upgrade path to ML-KEM-1024 for post-quantum key exchange at FIPS 203 Security Level 5. Higher lattice dimension than ML-KEM-768 — stronger quantum resistance for long-lived keys.

Enterprise

CR-14

HSM integration — PKCS#11 bridge for sovereign key material

📋 Planned

PKCS#11 bridge to Hardware Security Modules for protecting sovereign key material. Keys never leave tamper-resistant hardware — enforced at the driver level.

Enterprise

CR-15

Certificate-pinned MASQUE tunnels — TOFU → CA-signed upgrade path

✅ Shipped

Upgrade path from Trust-On-First-Use certificate pinning to CA-signed certificates for MASQUE tunnels. Enables enterprise-managed PKI with zero connectivity interruption during migration. Includes cert_mode field, issue_tunnel_certificate(), revoke_certificate_by_id(), upgrade_to_ca() with atomic rollback, and POST /sovereign/tunnels/{id}/upgrade-cert API.

Enterprise v6.8