Home/Open Source
Open Source · AGPL-3.0 + Apache-2.0 · Verifiable Supply Chain

Open source, top to bottom. Hosted trust anchor.

The whole stack is open: the SDKs your agents run are Apache-2.0, and the entire platform — certificate authority, risk engine, tamper-proof audit log — is AGPL-3.0 on GitHub, published with cryptographic provenance. Only the canonical CA and public verification endpoint run as a hosted service, because a trust anchor you can fork is not a trust anchor.

7Packages on npm + PyPI
AGPL + ApachePlatform AGPL-3.0 · SDKs Apache-2.0
ProvenanceEvery artifact attested to a public commit
6Public repositories
01 — WHAT LIVES WHERE

Open source vs hosted, feature by feature

No ambiguity, no “open-washing”: the entire codebase is open — SDKs under Apache-2.0, the platform under AGPL-3.0. What stays hosted is the canonical service: the one certificate authority and verification endpoint that counterparties and regulators must be able to trust independently of you.

CapabilityOpen source (AGPL / Apache)Hosted platform
SDKs & framework integrations✓ Apache-2.0 — full source, fork freelySame packages — no private forks
Enforcement middleware (gateway, RLS binding)✓ Apache-2.0 — runs in your infrastructureSame code, verifying against the hosted CA
MCP server✓ Apache-2.0 — run it next to your agentsAlso available hosted at kakunin.ai/api/mcp
Supply-chain verifiability✓ npm provenance + PyPI attestations — every artifact traceable to a public commit and CI runInherits the same published artifacts
X.509 certificate authority✓ AGPL-3.0 source — self-hostable; the canonical Kakunin CA stays hosted (see below)✓ AWS KMS RSA-2048, keys never leave the HSM
Behavioral risk engine✓ AGPL-3.0 source✓ Real-time scoring, 30-day baselines, drift detection
WORM audit log✓ AGPL-3.0 source (independent hosted custody keeps evidence admissible)✓ Append-only, S3 Object-Lock backed, regulator-exportable
Auto-revocation & CRL✓ AGPL-3.0 source✓ Sub-60s revocation, CDN-cached CRL, revocation webhooks
Compliance reports (MiCA / EU AI Act)✓ AGPL-3.0 source✓ Signed PDF exports for regulators and counterparties
Public certificate verification✓ Keyless — anyone can verify any cert serial, no accountServed by the hosted platform, free for all parties
CostFree foreverFree sandbox tier · paid plans for production CA

Verify any package yourself: npm audit signatures checks the provenance attestation on every @kakunin/* install, and PyPI shows the attested GitHub workflow for kakunin on the release page.

02 — THE REPOSITORIES

Six public repos

The platform lives in kakunin-core (AGPL-3.0); the SDKs publish from public source under the @kakunin npm scope and the kakunin PyPI project (Apache-2.0). Each repo carries a security policy (48-hour acknowledgment, 90-day coordinated disclosure), a contribution guide, and CI with dependency audits.

kakunin-core

the platform · AGPL-3.0

The full platform / control plane — the Next.js application, the certificate-authority integration, the behavioral risk engine, the API surface, and the compliance-reporting pipeline. The source behind the hosted service, released under AGPL-3.0.

kakunin-sdk-typescript

@kakunin/sdk · npm

Core TypeScript SDK — agent registration, certificate issuance, event ingestion, public verification, webhook signatures, and the @kakunin/sdk/verify enforcement middleware (incl. the Supabase RLS binding).

kakunin-sdk-python

kakunin · PyPI

Async Python SDK with framework integrations for LangChain, LlamaIndex, CrewAI, AutoGen, LangGraph, CAMEL-AI, and OpenAI Assistants — plus the verify_agent_scope decorator.

kakunin-integrations

@kakunin/middleware · @kakunin/langchain · @kakunin/mastra · @kakunin/ai-sdk · npm

Gateway middleware (Express / Fastify / Next.js) and typed compliance tools for LangChain JS, Mastra, and the Vercel AI SDK.

kakunin-mcp

@kakunin/mcp · npm

Model Context Protocol server — lets any MCP-capable agent check its own scope, read its risk score, and append audit events.

kakunin-samples

13 runnable examples · GitHub

End-to-end sample agents across the supported frameworks: certificate lifecycle, scope enforcement, and risk-event patterns you can copy.

03 — THE HONEST PART

The CA code is open. Why is the canonical CA still hosted?

You can read and run every line — but you verify against one canonical authority. Not a business dodge, a trust-model constraint. Three concrete reasons:

1

A forkable trust anchor is worthless

The value of a Kakunin certificate is that any counterparty can verify it against one canonical CA — keylessly, without asking you. A thousand self-hosted CAs would mean a thousand roots nobody recognizes. Verification stays free and public for everyone precisely because issuance is centralized.

2

Key custody is the product

Agent private keys live in AWS KMS HSMs and never leave. Running the code yourself is fine — but self-custodying keys recreates the exact secrets-sprawl problem agent identity is meant to solve. The hosted CA is what carries the MiCA Art. 70 custody story.

3

Audit logs must be adversarial-proof

A WORM audit log you host yourself proves nothing to a regulator — you could have rewritten it. Independent custody of the append-only log is what makes the evidence admissible. That independence is structural, not a feature flag.

4

You can audit everything

The entire platform is AGPL-3.0 — certificate issuance, the risk-scoring model, revocation logic, the audit pipeline. For a compliance product, that transparency is the pitch: no black box deciding whether your agent is trustworthy. Run it yourself, or let us host the canonical authority.

Read the source. Then certify an agent.

Start with the sandbox — 100 free test certificates a day, real X.509, no card. Every SDK you install is code you can audit first.