
HSIP: local identity server in Rust with Ed25519 signing and AI agent governance

HSIP is a local identity and audit tool that uses Ed25519 cryptographic signing to provide a tamper-proof audit trail, DNS-level tracker blocking, signed messages, AI agent monitoring, and compliance support for financial institutions.

Source: Hacker News AI. Author: Rewired89


One binary. No cloud. No subscription. Cryptographic identity and tamper-proof audit trail for individuals, AI agents, and financial institutions.

🌐 hsip.rewired89.github.io/HSIP-1PHASE — Landing page with one-click downloads

Every key is yours. Every byte runs locally. No cloud. No subscription. Commercial use requires a license — contact [email protected]. Read the threat model →

Quick install

Windows — Download hsip-windows-x64.exe → double-click → browser opens automatically.

macOS / Linux — one command:

curl -sSf https://raw.githubusercontent.com/rewired89/HSIP-1PHASE/main/install.sh | sh

Homebrew:

brew tap rewired89/hsip https://github.com/rewired89/HSIP-1PHASE && brew install hsip

Why this exists — right now

In 2026, three things happened at once:

AI agents act on your behalf without a reliable record of what they did or who authorized it.

OpenAI, Google, and Meta serve ads inside the tools you use to think. Your prompts train their models.

Deepfakes made digital evidence meaningless — unless it carries a cryptographic signature that cannot be faked.

HSIP is the answer to all three. It runs on your hardware, signs everything with your key, and gives you a tamper-proof audit trail you own completely.

Who is this for?

| I want to... | What to run |
|---|---|
| Stop being tracked — block ads, telemetry, and surveillance across every app I use | DNS Tracker Blocker |
| Prove what I said — create court-admissible proof that I wrote this message at this time | Signed Messages + Audit Trail |
| Control my AI agents — see exactly what my AI did, revoke access instantly | AI Watch + Consent Wallet |
| Build privacy-respecting software — add consent infrastructure to my app or AI agent | Developer SDK → |
| Enterprise audit compliance — GDPR, court records, legal-grade evidence chains | Enterprise deployment → |
| Financial services infrastructure — MiFID II, FINRA 4511, SOX §404, DORA, SWIFT CSCF compliance | Financial Services → |

Download

| Platform | File |
|---|---|
| Windows | hsip-windows-x64.exe |
| macOS Apple Silicon | hsip-macos-arm64 |
| macOS Intel | hsip-macos-x64 |
| Linux | hsip-linux-x64 |

Windows: Double-click the .exe. It installs itself, creates a Desktop shortcut, and opens in your browser automatically.

Mac / Linux: chmod +x hsip-macos-arm64 && ./hsip-macos-arm64 — your browser opens automatically.

Features

  1. DNS Tracker Blocker — block everything, system-wide

HSIP intercepts tracking requests at the DNS level before they ever reach your machine. Not just one browser — every app you run.

Blocks Google Analytics, Facebook Pixel, Hotjar, TikTok, DoubleClick, Microsoft telemetry, and 200+ more. One click in the dashboard to turn on. Zero configuration.

The difference from browser extensions: A browser extension only protects one browser. HSIP blocks at the network level — desktop apps, background processes, every browser, all at once.

  2. Signed Messages — fight deepfakes and win disputes

Every message you send through HSIP is signed with your personal Ed25519 key. The result is mathematical proof that:

You wrote exactly these words

At exactly this timestamp

That no one has altered since

This proof can be verified by anyone, in court, or by a machine. It cannot be faked.

Real use cases:

Contract confirmation: "I confirm we agreed to these terms on March 28, 2026." — signed, timestamped, verifiable.

Dispute evidence: Produce a cryptographic receipt in seconds that proves what you said and when.

Deepfake defense: When someone claims you said something you didn't — your signed history proves otherwise.

AI command authorization: Every instruction you gave your AI agent is signed with your key. Deniability is gone — in both directions.

  3. AI Watch — know exactly what your AI did

Every AI agent you connect (Claude, ChatGPT, Siri, any HTTP-capable tool) is tracked in real time:

Velocity monitoring — alerts if an agent makes an unusual number of requests

Anomaly detection — flags behavior outside normal patterns

One-click disconnect — revoke any agent's access instantly

Full signed audit trail — every action the agent took, signed and timestamped

This is the "black box recorder" for your AI. When something goes wrong, you know exactly what happened and when.

  4. Consent Wallet — machine-readable access control

Instead of cookie banners you click through without reading, HSIP creates a consent layer you actually control:

See every party that has permission to contact you or access your data

See exactly what each party is allowed to do

Set time limits on consent — it expires automatically

Revoke any consent in one click, effective immediately

Third-party services that support HSIP can query your consent before acting. No permission — no access.

  5. Tamper-proof Audit Log

Every operation in HSIP — message signed, consent granted, key created, AI action logged — writes to a BLAKE3 hash-chained audit log. Tamper with any entry and the chain breaks.

Export the log at any time for legal proceedings, compliance audits, or personal records.
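An added sketch of the hash-chain idea, not HSIP's implementation: each entry's hash covers the previous hash, so an in-place edit is caught at the first altered entry, and comparing the final hash with a head digest kept outside the log catches a truncated or fully rebuilt chain. SHA-256 from the Go standard library stands in for BLAKE3, and the `Entry` layout and function names are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

type Entry struct {
	Seq        uint64
	Event      string
	Prev, Hash [32]byte
}

// link hashes Prev || Seq || Event. SHA-256 stands in for BLAKE3 (stdlib only).
func link(e Entry) [32]byte {
	return sha256.Sum256(append(binary.BigEndian.AppendUint64(e.Prev[:], e.Seq), e.Event...))
}

// Append chains a new event onto the current head (all-zero Prev at genesis).
func Append(chain []Entry, event string) []Entry {
	e := Entry{Seq: uint64(len(chain)), Event: event}
	if len(chain) > 0 {
		e.Prev = chain[len(chain)-1].Hash
	}
	e.Hash = link(e)
	return append(chain, e)
}

// Verify returns -1 if intact, else the first bad index; len(chain) means the
// links agree with each other but not with head, a digest kept outside the log.
func Verify(chain []Entry, head [32]byte) int {
	var prev [32]byte
	for i, e := range chain {
		if e.Seq != uint64(i) || e.Prev != prev || e.Hash != link(e) {
			return i
		}
		prev = e.Hash
	}
	if prev != head {
		return len(chain)
	}
	return -1
}

func main() {
	chain := Append(Append(nil, "key created"), "consent granted") // constructed events
	chain[0].Event = "key deleted" // in-place edit
	fmt.Println("first bad entry:", Verify(chain, chain[1].Hash))
}
```

The head digest is what makes the check meaningful to an outside party: store or sign it separately from the log file it protects.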

Financial Services

HSIP is cryptographic infrastructure for banks, trading desks, fintechs, and any regulated institution that needs a tamper-proof audit trail, AI agent governance, and cross-institution identity verification — without a central cloud vendor in the middle.

The client is the institution, not the retail investor. HSIP runs inside your data center (or on-premise), signs every action with your Ed25519 keypair, and produces legally defensible evidence that your systems, analysts, and AI agents did exactly what the audit trail says they did.

Why financial institutions need this now

  1. AI agents act on behalf of your institution — and regulators are going to ask who authorized each action. Without a cryptographic identity attached to each agent and an append-only log of every request, you cannot answer that question. HSIP assigns every AI agent its own Ed25519 keypair, logs every action it takes, and lets you revoke its access in milliseconds.
  2. MiFID II Article 25 and FINRA Rule 4511 require you to prove what your systems did, when, and on whose authority. A log in a database is not proof — it can be altered. A BLAKE3 hash-chained audit log is proof. Tamper with any entry and the chain breaks, detectable by any party.
  3. Open Banking (PSD2) mandates machine-readable, time-bounded consent. HSIP's Consent Wallet generates exactly that: a cryptographically signed grant scoped to a specific action, automatically expiring, revocable in real time. No more cookie banners your compliance team can't evidence.
  4. Inter-institution trust is broken. When a message arrives from a counterparty, how do you verify it wasn't altered in transit? HSIP's Federated Trust layer lets institutions exchange Ed25519 verify keys out-of-band (email, secure channel) and then verify any future message cryptographically — no central registry, no PKI vendor, no single point of failure.
  5. DORA and SWIFT CSCF require you to detect and respond to anomalous AI or automated system behavior. HSIP's velocity monitoring flags agents exceeding 100 requests/minute and auto-revokes access at 1,000 requests/minute — with a signed audit entry at every step.

Compliance coverage

| Regulation | What HSIP covers |
|---|---|
| SOX §404 | Append-only BLAKE3 hash-chained audit log. Every control action signed with Ed25519. Exportable for auditors. |
| FINRA Rule 4511 | Six-year tamper-evident record retention. API endpoint for bulk audit export. Signature chain proves no entry was altered. |
| MiFID II Art. 25 | Per-trade authorization signed with institutional Ed25519 key. Timestamp + signature = defensible suitability record. |
| PSD2 / Open Banking | Machine-readable consent grants with scope, expiry, and revocation. POST /v1/consent/grant with expires_in_seconds. |
| GDPR Art. 7 | Cryptographically signed consent with documented scope. DELETE /v1/tenant/erase for right-to-erasure. Audit log proves consent was active at time of processing. |
| DORA | AI agent velocity monitoring, anomaly detection, auto-revocation. Incident response via DELETE /v1/keys/:id. All events in signed audit trail. |
| SWIFT CSCF | Ed25519 message authentication prevents unauthorized instruction injection. Federated trust keys verified per counterparty. No shared secrets. |
| ISO 20022 | Signed payment messages with Ed25519. Verifiable by any counterparty holding the institution's public key. Non-repudiation by construction. |

AI agent governance for financial institutions

Every AI system your institution deploys — trading algorithms, document processors, customer-facing chatbots, internal assistants — gets its own Ed25519 keypair registered in HSIP.

Register a trading algorithm as a governed AI agent

hsip agent register "algo-trading-v2" --expires-days 90

List all active agents and their request velocity

hsip agent list

Immediately revoke an agent that's behaving unexpectedly

hsip agent revoke "algo-trading-v2"

What you get for each agent:

Unique Ed25519 keypair — every action it signs is traceable to that specific agent, not just "the system"

Velocity monitoring — requests > 100/min trigger an anomaly audit entry; > 1,000/min triggers automatic revocation

Full signed audit trail — every API call the agent made, timestamped and chained

Instant revocation — DELETE /v1/keys/:id takes effect in memory before the DB write completes; in-flight requests are blocked immediately via pending_revocation set

This is the "black box recorder" regulators and your own risk team need when an AI agent does something unexpected.
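The thresholds above as an added Go example (not HSIP's code): a one-minute sliding window per agent that flags more than 100 requests and revokes above 1,000, with the revocation set consulted before anything else. `Monitor`, `Verdict` and the window mechanics are assumptions; the page does not say how HSIP counts requests.

```go
package main

import (
	"fmt"
	"time"
)

type Verdict int

const (
	Allow   Verdict = iota // within limits
	Anomaly                // more than 100 requests in the last minute: write an audit entry
	Revoked                // more than 1,000 in the last minute, or revoked earlier: block
)

// Monitor keeps a one-minute sliding window of request times per agent.
type Monitor struct {
	seen    map[string][]time.Time
	revoked map[string]bool // consulted first, like an in-memory revocation set
}

func NewMonitor() *Monitor {
	return &Monitor{seen: map[string][]time.Time{}, revoked: map[string]bool{}}
}

// Record classifies one request from agent arriving at now.
func (m *Monitor) Record(agent string, now time.Time) Verdict {
	if m.revoked[agent] {
		return Revoked // sticky: a quiet minute does not restore access
	}
	w := append(m.seen[agent], now)
	for len(w) > 1 && now.Sub(w[0]) >= time.Minute {
		w = w[1:] // drop requests that fell out of the window
	}
	m.seen[agent] = w
	switch {
	case len(w) > 1000:
		m.revoked[agent] = true
		return Revoked
	case len(w) > 100:
		return Anomaly
	}
	return Allow
}

func main() {
	m := NewMonitor()
	fmt.Println(m.Record("algo-trading-v2", time.Now()) == Allow)
}
```

`Monitor` is not safe for concurrent use as written; guard `Record` with a mutex when calling it from request handlers.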

Federated trust — cross-institution Ed25519 verification

When your trading desk needs to verify that a message from a counterparty bank is authentic, you have two options: trust a central certificate authority (single point of failure, vendor lock-in) or exchange Ed25519 verify keys directly and verify locally.

HSIP implements the second approach:

Your counterparty sends you their Ed25519 verify key out-of-band

hsip trust add "Deutsche Bank Desk A" "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a"

Verify any message they send you — locally, no network call

hsip trust verify --from "Deutsche Bank Desk A" \
  "Trade confirmation: AAPL 1000 @ 182.50" \
  "signature_hex_here"
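The pin-then-verify flow of the two commands above, as an added Go example using only the standard library (not HSIP's code); it also covers the Signed Messages feature by binding a timestamp into the signed bytes. The payload layout (timestamp, newline, text), `TrustStore`, `DemoSign` and the seed-derived demo key are assumptions for illustration, not HSIP's wire format.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
)

// TrustStore pins one Ed25519 verify key per counterparty name.
type TrustStore map[string]ed25519.PublicKey

// Add pins a hex key received out-of-band; ed25519.Verify panics on a wrong-size key.
func (ts TrustStore) Add(name, pubHex string) error {
	raw, err := hex.DecodeString(pubHex)
	if err != nil || len(raw) != ed25519.PublicKeySize {
		return fmt.Errorf("verify key for %q must be 64 hex characters", name)
	}
	ts[name] = raw
	return nil
}

// payload binds the signer-asserted timestamp to the text (assumed layout).
func payload(unixTime int64, msg string) []byte { return []byte(fmt.Sprintf("%d\n%s", unixTime, msg)) }

// DemoSign signs with a key built from a constructed seed; returns pubHex, sigHex.
func DemoSign(seed byte, unixTime int64, msg string) (string, string) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	pub := priv.Public().(ed25519.PublicKey)
	return hex.EncodeToString(pub), hex.EncodeToString(ed25519.Sign(priv, payload(unixTime, msg)))
}

// Verify checks a message against the key pinned for from, with no network call.
func (ts TrustStore) Verify(from string, unixTime int64, msg, sigHex string) error {
	pub, ok := ts[from]
	if !ok {
		return fmt.Errorf("no pinned key for %q", from)
	}
	sig, err := hex.DecodeString(sigHex)
	if err != nil || !ed25519.Verify(pub, payload(unixTime, msg), sig) {
		return fmt.Errorf("signature from %q does not match key, timestamp or text", from)
	}
	return nil
}

func main() {
	ts, msg := TrustStore{}, "Trade confirmation: AAPL 1000 @ 182.50"
	pub, sig := DemoSign(7, 1774656000, msg) // constructed key and timestamp
	fmt.Println(ts.Add("Desk A", pub), ts.Verify("Desk A", 1774656000, msg, sig))
}
```

A valid signature shows that the holder of the pinned key signed this exact timestamp and text; the timestamp itself is the signer's claim, so the value of the check rests on how the key was exchanged and how it is stored.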

No central registry. No PKI vendor. No single point of failure. Each institution holds the other's public key directly. Verification happens in 100 req/min; key au

[truncated for AI cost control]