Skip to main content
The default substrate fingerprint AEGIS stamps on every row covers <provider>:<model>. Setting the X-Mnemom-Lockfile-Hash header (and, optionally, the companion X-Mnemom-Sdk-Version header) extends the fingerprint to a four-component identifier that includes a hash of your deployed dependency graph — making AEGIS able to attribute behavioral deviation to a specific deployed version of your stack, not just the model and SDK level. This guide is the runnable how-to. The conceptual surface is substrate fingerprint; the spec for the L1 read is /specifications/threat-state-response-schema.

What you’ll change

You will:
  1. Compute a stable SHA-256 digest of your resolved package manifest at deploy time.
  2. Set X-Mnemom-Lockfile-Hash: <hex> on every outbound request from your agent to the Mnemom gateway.
  3. (Optionally) set X-Mnemom-Sdk-Version: <package>@<version> to tighten SDK attribution past the gateway’s User-Agent fallback.
  4. Verify the substrate is recorded as the four-component form via the integrity-checkpoint read path.
The two headers compose into the substrate_id stamped on every integrity_checkpoints row per the production trigger (migration 252). The four collapse forms are documented at Substrate fingerprint — the four collapse forms.

Step 1 — Compute the digest

The hash is SHA-256, 64 hex chars, lowercase canonical on the wire (mixed case is accepted and normalized; malformed input is rejected at the gateway with 400 and X-Mnemom-Error: invalid-lockfile-hash). Compute the digest over whatever stable serialization of your resolved manifest best represents the deployed dependency graph. For most ecosystems the lockfile-on-disk bytes are the natural input.
Compute the digest at deploy time (CI / image build) and inject it into the agent’s runtime environment as MNEMOM_LOCKFILE_HASH. Recomputing at every request adds I/O without changing the value between deploys.

Step 2 — Set the headers on outbound requests

Both headers travel with the request to the Mnemom gateway. Workers handles header names case-insensitively; the casing below matches the gateway’s LOCKFILE_HASH_HEADER and SDK_VERSION_HEADER constants in mnemom-platform/gateway/src/substrate-fingerprint.ts.
The two headers are independent opt-ins. Setting only the lockfile-hash header produces a 4-component fingerprint with an empty SDK slot (<provider>:<model>::<lockfile-hash>); setting only the SDK header produces a 3-component fingerprint (<provider>:<model>:<sdk@ver>); setting both produces the full 4-component form.

What X-Mnemom-Sdk-Version adds

The SDK version is sourced from three places, in order:
  1. The X-Mnemom-Sdk-Version header value, if present (this is the preferred path).
  2. A User-Agent dispatch over seven known SDK families (@anthropic-ai/sdk, OpenAI Python, Anthropic Python, etc.), if the request’s User-Agent matches one.
  3. null (collapsing to the 3- or 2-component fingerprint form).
Setting X-Mnemom-Sdk-Version explicitly is the way to get reliable SDK attribution when you’re sending requests from custom or non-canonical clients.

Step 3 — What gets stored

Privacy posture

The hash is a deterministic function of your lockfile contents. Reversing it to recover the lockfile requires brute-forcing the lockfile-content space, which is computationally infeasible for non-trivial lockfiles. For very small / trivial lockfiles (e.g., a single pinned dependency) the hash is in principle reversible to that content; if that matters for your threat model, do not opt in.

Step 4 — Verify the substrate is being recorded

The canonical record is on integrity_checkpoints.substrate_id, readable via the customer-facing checkpoints endpoint:
After issuing one request with both headers set, the latest checkpoint’s substrate_id should be the four-component form, for example:
There is no dedicated self-test endpoint — the checkpoint read is the verification path.

When to use this

The lockfile-hash dimension is the runtime-side companion to package-layer provenance — see Supply-chain trust for how AEGIS substrate attribution and SLSA / Sigstore compose.

See also