1 point by nicallen 6 hours ago | 1 comment
  • nicallen 6 hours ago
    I built Sanna to solve a specific problem: when an AI agent's output crosses a trust boundary (handed to a customer, submitted to a regulator, used in a decision), there's no portable proof that governance was enforced.

    Last week an agent running on a popular open-source framework published a hit piece on a maintainer who rejected its PR. No policy evaluated the action before it happened. No evidence exists of what rules applied. That's the gap.

    Sanna does two things:

    1. Constitution enforcement — define authority boundaries in YAML:

    rules:
      - action: publish_content
        constraint: "must not target or defame individuals"
        enforcement: halt

      - action: modify_account
        enforcement: escalate
    Sanna evaluates every action at execution time. Forbidden actions are halted before reaching the downstream system.

    2. Reasoning receipts — every decision (allow, halt, escalate) generates an Ed25519-signed artifact. Deterministic fingerprints via RFC 8785 canonicalization, tamper-evident, verifiable offline with a public key.

    Two deployment modes: a Python decorator (3 lines) or an MCP gateway proxy (no code changes to your agent).

    2,000+ tests, adversarial evasion coverage shipped.

    pip install sanna

    Repo: https://github.com/nicallen-exd/sanna

    Site: https://sanna.dev
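A sketch of the two mechanisms the post describes, added here as an illustration and not taken from the Sanna repository: the two YAML rules evaluated against a proposed action, and the resulting decision wrapped in a receipt whose fingerprint is a SHA-256 over canonical JSON and whose signature can be checked without contacting the issuer. Everything beyond the post is an assumption and labelled as such in the comments: the rule semantics, the toy `constraint_violated` check standing in for whatever the real product uses, the function names (`evaluate`, `issue_receipt`, `verify_receipt`, `make_keypair`), the `cryptography` package for Ed25519 with an HMAC-SHA256 stand-in when it is absent, and a JCS implementation restricted to the JSON subset the example uses.

```python
import hashlib
import hmac
import json
import secrets

try:  # Ed25519 via the 'cryptography' package (assumed present; stand-in below if not)
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives.asymmetric import ed25519
except ImportError:
    ed25519 = None

# The post's two rules, as yaml.safe_load would return them (PyYAML omitted to stay
# dependency-free). Semantics are an assumption: a matching 'halt' rule halts when its
# constraint is violated (always, if it has none); 'escalate' always escalates; an action
# with no matching rule is allowed.
CONSTITUTION = {
    "rules": [
        {"action": "publish_content",
         "constraint": "must not target or defame individuals",
         "enforcement": "halt"},
        {"action": "modify_account", "enforcement": "escalate"},
    ]
}

# Toy stand-in for the constraint check (a real deployment would use a classifier or a
# human reviewer): violated when the draft names a protected individual. Constructed data.
PROTECTED_INDIVIDUALS = {"alice-maintainer"}


def constraint_violated(constraint: str, params: dict) -> bool:
    if constraint == "must not target or defame individuals":
        text = params.get("text", "").lower()
        return any(name in text for name in PROTECTED_INDIVIDUALS)
    raise ValueError(f"no evaluator for constraint: {constraint!r}")


def canonical_json(obj) -> bytes:
    """RFC 8785 (JCS) form for the subset used here: members sorted by key, no whitespace,
    UTF-8 strings left unescaped. JCS number formatting for non-integers is not implemented,
    so floats are rejected instead of being serialised in a non-canonical way. (Python sorts
    keys by code point, JCS by UTF-16 unit; identical for BMP-only keys.)"""
    def check(o):
        if isinstance(o, float):
            raise TypeError("floats need JCS number formatting; use ints or strings")
        for v in (o.values() if isinstance(o, dict) else o if isinstance(o, list) else ()):
            check(v)
    check(obj)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def fingerprint(obj) -> str:
    """Deterministic identifier: same logical content -> same hex digest, whatever key order."""
    return hashlib.sha256(canonical_json(obj)).hexdigest()


def evaluate(action: str, params: dict, constitution=CONSTITUTION) -> dict:
    """Decide allow / halt / escalate for one proposed action; the dict is the receipt body."""
    body = {"action": action, "decision": "allow", "rule": None,
            "input_fingerprint": fingerprint(params)}
    for rule in constitution["rules"]:
        if rule["action"] != action:
            continue
        constraint = rule.get("constraint")
        if rule["enforcement"] == "escalate":
            body["decision"] = "escalate"
        elif constraint is None or constraint_violated(constraint, params):
            body["decision"] = "halt"
        body["rule"] = rule
        break
    return body


def make_keypair():
    """Return (sign, verify) callables over bytes. Ed25519 when 'cryptography' is installed;
    otherwise an HMAC-SHA256 stand-in so the example still runs. The stand-in is NOT what the
    post describes: HMAC needs the secret to verify, so third parties cannot check it offline."""
    if ed25519 is not None:
        sk = ed25519.Ed25519PrivateKey.generate()
        pk = sk.public_key()  # this is all a verifier needs

        def verify(data: bytes, sig: bytes) -> bool:
            try:
                pk.verify(sig, data)
                return True
            except InvalidSignature:
                return False
        return sk.sign, verify
    key = secrets.token_bytes(32)

    def sign(data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def verify(data: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(sign(data), sig)
    return sign, verify


def issue_receipt(body: dict, sign) -> dict:
    fp = fingerprint(body)
    return {"body": body, "fingerprint": fp, "signature": sign(fp.encode()).hex()}


def verify_receipt(receipt: dict, verify) -> bool:
    """Offline check: body still hashes to the fingerprint, and the signature covers it."""
    if fingerprint(receipt["body"]) != receipt["fingerprint"]:
        return False  # body edited after issue: tamper-evident
    return verify(receipt["fingerprint"].encode(), bytes.fromhex(receipt["signature"]))
```

A halted `publish_content` call never reaches the downstream system, but the receipt still exists, so the "no evidence of what rules applied" gap the post describes is closed for that decision; editing the body after the fact changes the fingerprint and `verify_receipt` returns false.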