The whole stack is open: the SDKs your agents run are Apache-2.0, and the entire platform — certificate authority, risk engine, tamper-proof audit log — is AGPL-3.0 on GitHub, published with cryptographic provenance. Only the canonical CA and public verification endpoint run as a hosted service, because a trust anchor you can fork is not a trust anchor.
No ambiguity, no “open-washing”: the entire codebase is open — SDKs under Apache-2.0, the platform under AGPL-3.0. What stays hosted is the canonical service: the one certificate authority and verification endpoint that counterparties and regulators must be able to trust independently of you.
| Capability | Open source (AGPL / Apache) | Hosted platform |
|---|---|---|
| SDKs & framework integrations | ✓ Apache-2.0 — full source, fork freely | Same packages — no private forks |
| Enforcement middleware (gateway, RLS binding) | ✓ Apache-2.0 — runs in your infrastructure | Same code, verifying against the hosted CA |
| MCP server | ✓ Apache-2.0 — run it next to your agents | Also available hosted at kakunin.ai/api/mcp |
| Supply-chain verifiability | ✓ npm provenance + PyPI attestations — every artifact traceable to a public commit and CI run | Inherits the same published artifacts |
| X.509 certificate authority | ✓ AGPL-3.0 source — self-hostable; the canonical Kakunin CA stays hosted (see below) | ✓ AWS KMS RSA-2048, keys never leave the HSM |
| Behavioral risk engine | ✓ AGPL-3.0 source | ✓ Real-time scoring, 30-day baselines, drift detection |
| WORM audit log | ✓ AGPL-3.0 source (independent hosted custody keeps evidence admissible) | ✓ Append-only, S3 Object-Lock backed, regulator-exportable |
| Auto-revocation & CRL | ✓ AGPL-3.0 source | ✓ Sub-60s revocation, CDN-cached CRL, revocation webhooks |
| Compliance reports (MiCA / EU AI Act) | ✓ AGPL-3.0 source | ✓ Signed PDF exports for regulators and counterparties |
| Public certificate verification | ✓ Keyless — anyone can verify any cert serial, no account | Served by the hosted platform, free for all parties |
| Cost | Free forever | Free sandbox tier · paid plans for production CA |
Verify any package yourself: npm audit signatures checks the provenance attestation on every @kakunin/* install, and PyPI shows the attested GitHub workflow for kakunin on the release page.
The platform lives in kakunin-core (AGPL-3.0); the SDKs publish from public source under the @kakunin npm scope and the kakunin PyPI project (Apache-2.0). Each repo carries a security policy (48-hour acknowledgment, 90-day coordinated disclosure), a contribution guide, and CI with dependency audits.
the platform · AGPL-3.0
The full platform / control plane — the Next.js application, the certificate-authority integration, the behavioral risk engine, the API surface, and the compliance-reporting pipeline. The source behind the hosted service, released under AGPL-3.0.
@kakunin/sdk · npm
Core TypeScript SDK — agent registration, certificate issuance, event ingestion, public verification, webhook signatures, and the @kakunin/sdk/verify enforcement middleware (incl. the Supabase RLS binding).
kakunin · PyPI
Async Python SDK with framework integrations for LangChain, LlamaIndex, CrewAI, AutoGen, LangGraph, CAMEL-AI, and OpenAI Assistants — plus the verify_agent_scope decorator.
@kakunin/middleware · @kakunin/langchain · @kakunin/mastra · @kakunin/ai-sdk · npm
Gateway middleware (Express / Fastify / Next.js) and typed compliance tools for LangChain JS, Mastra, and the Vercel AI SDK.
@kakunin/mcp · npm
Model Context Protocol server — lets any MCP-capable agent check its own scope, read its risk score, and append audit events.
13 runnable examples · GitHub
End-to-end sample agents across the supported frameworks: certificate lifecycle, scope enforcement, and risk-event patterns you can copy.
You can read and run every line — but you verify against one canonical authority. Not a business dodge, a trust-model constraint. Three concrete reasons:
The value of a Kakunin certificate is that any counterparty can verify it against one canonical CA — keylessly, without asking you. A thousand self-hosted CAs would mean a thousand roots nobody recognizes. Verification stays free and public for everyone precisely because issuance is centralized.
Agent private keys live in AWS KMS HSMs and never leave. Running the code yourself is fine — but self-custodying keys recreates the exact secrets-sprawl problem agent identity is meant to solve. The hosted CA is what carries the MiCA Art. 70 custody story.
A WORM audit log you host yourself proves nothing to a regulator — you could have rewritten it. Independent custody of the append-only log is what makes the evidence admissible. That independence is structural, not a feature flag.
The entire platform is AGPL-3.0 — certificate issuance, the risk-scoring model, revocation logic, the audit pipeline. For a compliance product, that transparency is the pitch: no black box deciding whether your agent is trustworthy. Run it yourself, or let us host the canonical authority.
Start with the sandbox — 100 free test certificates a day, real X.509, no card. Every SDK you install is code you can audit first.