<provider>:<model>. Setting the X-Mnemom-Lockfile-Hash header (and, optionally, the companion X-Mnemom-Sdk-Version header) extends the fingerprint to a four-component identifier that includes a hash of your deployed dependency graph — making AEGIS able to attribute behavioral deviation to a specific deployed version of your stack, not just the model and SDK level.
This guide is the runnable how-to. The conceptual surface is substrate fingerprint; the spec for the L1 read is /specifications/threat-state-response-schema.
What you’ll change
You will:- Compute a stable SHA-256 digest of your resolved package manifest at deploy time.
- Set
X-Mnemom-Lockfile-Hash: <hex>on every outbound request from your agent to the Mnemom gateway. - (Optionally) set
X-Mnemom-Sdk-Version: <package>@<version>to tighten SDK attribution past the gateway’s User-Agent fallback. - Verify the substrate is recorded as the four-component form via the integrity-checkpoint read path.
substrate_id stamped on every integrity_checkpoints row per the production trigger (migration 252). The four collapse forms are documented at Substrate fingerprint — the four collapse forms.
Step 1 — Compute the digest
The hash is SHA-256, 64 hex chars, lowercase canonical on the wire (mixed case is accepted and normalized; malformed input is rejected at the gateway with400 and X-Mnemom-Error: invalid-lockfile-hash).
Compute the digest over whatever stable serialization of your resolved manifest best represents the deployed dependency graph. For most ecosystems the lockfile-on-disk bytes are the natural input.
MNEMOM_LOCKFILE_HASH. Recomputing at every request adds I/O without changing the value between deploys.
Step 2 — Set the headers on outbound requests
Both headers travel with the request to the Mnemom gateway. Workers handles header names case-insensitively; the casing below matches the gateway’sLOCKFILE_HASH_HEADER and SDK_VERSION_HEADER constants in mnemom-platform/gateway/src/substrate-fingerprint.ts.
<provider>:<model>::<lockfile-hash>); setting only the SDK header produces a 3-component fingerprint (<provider>:<model>:<sdk@ver>); setting both produces the full 4-component form.
What X-Mnemom-Sdk-Version adds
The SDK version is sourced from three places, in order:
- The
X-Mnemom-Sdk-Versionheader value, if present (this is the preferred path). - A User-Agent dispatch over seven known SDK families (
@anthropic-ai/sdk, OpenAI Python, Anthropic Python, etc.), if the request’sUser-Agentmatches one. null(collapsing to the 3- or 2-component fingerprint form).
X-Mnemom-Sdk-Version explicitly is the way to get reliable SDK attribution when you’re sending requests from custom or non-canonical clients.
Step 3 — What gets stored
Privacy posture
The hash is a deterministic function of your lockfile contents. Reversing it to recover the lockfile requires brute-forcing the lockfile-content space, which is computationally infeasible for non-trivial lockfiles. For very small / trivial lockfiles (e.g., a single pinned dependency) the hash is in principle reversible to that content; if that matters for your threat model, do not opt in.Step 4 — Verify the substrate is being recorded
The canonical record is onintegrity_checkpoints.substrate_id, readable via the customer-facing checkpoints endpoint:
substrate_id should be the four-component form, for example:
When to use this
The lockfile-hash dimension is the runtime-side companion to package-layer provenance — see Supply-chain trust for how AEGIS substrate attribution and SLSA / Sigstore compose.
See also
- Substrate fingerprint — the conceptual page
- Supply-chain trust — the package-layer + runtime-layer story
- AEGIS — the protection-layer framing
- Protection Network — L0 axis identity — where substrate-fingerprint sits in the L0-L5 model
- Threat state response schema — the customer-readable read of the L1 aggregator