What's actually built
An honest description of the SONATE platform — the stack, the layers, and a maturity matrix that says plainly what ships, what's hardening, and what's still research.
The stack
Backend
- Node.js + Express.js
- MongoDB (Mongoose ODM)
- Socket.IO for live updates
- JWT auth + refresh tokens, RBAC
- Prometheus metrics, Winston structured logging
- Ed25519 signing (local or external HTTP signer)
Frontend
- Next.js 14 (App Router)
- TanStack Query for data fetching
- shadcn/ui + Tailwind CSS
- TypeScript end-to-end
Open packages
- @sonate/verify-sdk: MIT licensed, independent verification
- @yseeku/trust-receipts: receipt generation
- @sonate/schemas: shared schema definitions
Cryptography
- Ed25519 signatures (RFC 8032)
- SHA-256 hashing (FIPS 180-4)
- RFC 8785 canonicalization (JCS)
- Optional KMS/HSM-backed signer
Three layers
Layer 1 · Open
Trust Receipt
Cryptographic primitive: signing, canonicalization, hash chaining, verification. Open spec, MIT verify SDK.
Layer 2 · Beta
Detect
Drift and manipulation signals, violation persistence, replay debugging. Treated as advisory; kept separate from production controls.
Layer 3 · Production
Orchestrate
Policy enforcement, multi-model routing, RBAC, SSO, tenant isolation, provider-agnostic governance.
Execution flow
```text
User Prompt
    ↓
SONATE Gateway              ← intercepts request
    ↓
Policy Engine               ← evaluates governance
    ↓
Model Provider              ← provider-agnostic (any LLM)
    ↓
Signing Layer               ← Ed25519, RFC 8785 canonicalization
    ↓
Trust Receipt Generated
    ↓
Independent Verification    ← anyone, anywhere
```
The receipt is the artifact that survives outside the platform. Verifying it needs only the receipt itself and the signer's public key; it does not require contacting SONATE.
Feature maturity
We maintain a published Feature Maturity Matrix so that product claims stay aligned with what's defensibly built. The full matrix lives in the repository.
| Capability | Maturity |
|---|---|
| Trust Receipt generation, signing, verification | Production |
| Hash chaining | Production |
| Hash-only mode & detached content archive | Production |
| Policy decision metadata in receipts | Production |
| Dashboard, alerts, webhooks, reports | Beta |
| Drift & manipulation detection | Beta |
| Model comparison | Beta |
| Emergence metrics, lab experiments | Research |
| Autonomous reasoning / semantic coprocessor | Research |
We don't currently hold SOC 2 or ISO 27001 certifications. Compliance posture is built on cryptographic verifiability and a published maturity matrix.