> ## Documentation Index
> Fetch the complete documentation index at: https://docs.mnemom.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Protocol Overview

> Understanding AAP, AIP, and CLPI — the protocol stack for agent trust

# Protocol overview

Mnemom is built on two complementary open-source verification protocols (AAP and AIP) plus a governance layer (CLPI). Together, they provide retrospective verification, real-time integrity assurance, and active policy enforcement for AI agent behavior.

<Note>
  **A note on what is and is not a protocol.** AAP and AIP are wire-format protocols; their specifications live at [`/protocols/aap/specification`](/protocols/aap/specification) and [`/protocols/aip/specification`](/protocols/aip/specification). [CLPI](/concepts/clpi) is a governance layer documented in `/concepts/`. [AEGIS](/concepts/aegis) — the cross-tenant defensive substrate that consumes AAP, AIP, CLPI, and Safe House outputs at runtime — is a *runtime substrate*, not a wire-format protocol. AEGIS does not have a `/protocols/aegis/*` specification; its surface is documented under [`/concepts/aegis`](/concepts/aegis) and [`/concepts/protection-network`](/concepts/protection-network).
</Note>

|                    | AAP                                                           | AIP                                                                |
| ------------------ | ------------------------------------------------------------- | ------------------------------------------------------------------ |
| **Full name**      | Agent Alignment Protocol                                      | Agent Integrity Protocol                                           |
| **When it checks** | After the agent acts (post-hoc)                               | While the agent thinks (real-time)                                 |
| **What it checks** | "Did the agent behave consistently with its declared values?" | "Is the agent's reasoning being compromised right now?"            |
| **Core mechanism** | Alignment Cards + AP-Traces + verification                    | Thinking block analysis + integrity checkpoints                    |
| **Detects**        | Value drift, autonomy violations, missing escalations         | Prompt injection, manipulation, value erosion, boundary violations |

## The twin protocol relationship

**AAP** is post-hoc verification. After an agent makes a decision, AAP records what happened (the AP-Trace) and checks it against what the agent declared it would do (the Alignment Card). This catches inconsistencies between declared and actual behavior -- but only after the fact.

**AIP** is real-time assurance. During execution, AIP analyzes the LLM's thinking blocks (Anthropic), thought parts (Gemini), or reasoning summaries (OpenAI) to detect active threats: prompt injection attempts, gradual value drift within a session, or manipulation by adversarial inputs. AIP catches problems before the agent acts on compromised reasoning.

They complement each other:

* AAP catches **behavioral drift over time** that develops gradually across many interactions
* AIP catches **active attacks in progress** that compromise a single reasoning step
* AAP verifies **declared vs. actual** alignment across a session or lifetime
* AIP verifies **reasoning integrity** within a single inference call

Neither protocol alone is sufficient. An agent that passes all AIP checks during execution could still drift from its declared values over weeks of operation (caught by AAP). An agent that matches its alignment card perfectly could have its reasoning temporarily compromised by a prompt injection (caught by AIP).

<Note>
  **What the protocols guarantee:** AAP provides complete audit trails of every agent decision. AIP provides real-time attestation of reasoning integrity at the thinking level — with cryptographic proofs ([certificates](/protocols/aip/certificates), [ZK proofs](/protocols/aip/verifiable-verdicts)) that any party can independently verify. Combined with [CLPI](/concepts/clpi) policy enforcement, Mnemom provides verifiable accountability from declared intent through execution.

  **The boundary:** No external system can enforce at the sub-thinking level — inside the model's weights. If a model produces compromised reasoning that does not surface in its thinking blocks, no external observer can detect it. See the [AAP limitations](/protocols/aap/limitations) and [AIP limitations](/protocols/aip/limitations) for details.
</Note>

## How they work together

When deployed via the [Mnemom Gateway](/quickstart/gateway), both protocols run automatically:

```
Your Application
       │
       ▼
┌─────────────────────────────────────────┐
│           Mnemom Gateway                │
│                                         │
│  1. Intercept LLM API call              │
│  2. Forward to provider                 │
│  3. Receive response with thinking      │
│                                         │
│  ┌─────────────┐   ┌─────────────────┐  │
│  │ AIP Analyzer │   │  AAP Observer   │  │
│  │             │   │                 │  │
│  │ Analyze      │   │ Extract action   │  │
│  │ thinking     │   │ Build AP-Trace   │  │
│  │ blocks       │   │ Verify against   │  │
│  │             │   │ Alignment Card   │  │
│  │ Verdict:     │   │                 │  │
│  │ clear /      │   │ Result:          │  │
│  │ review /     │   │ verified /       │  │
│  │ violation    │   │ violation        │  │
│  └─────────────┘   └─────────────────┘  │
│                                         │
│  4. Return response to your app         │
│  5. Store trace + checkpoint            │
└─────────────────────────────────────────┘
       │
       ▼
┌─────────────────────────────────────────┐
│         Dashboard (mnemom.ai)           │
│                                         │
│  Conscience timeline, drift alerts,     │
│  integrity scores, enforcement log      │
└─────────────────────────────────────────┘
```

## Protocol layers

Mnemom's protocols sit alongside existing agent infrastructure standards:

| Layer                     | Protocol                                               | Purpose                                                                                       |
| ------------------------- | ------------------------------------------------------ | --------------------------------------------------------------------------------------------- |
| Tool access               | [MCP](https://modelcontextprotocol.io/)                | Standardized tool and context access for LLMs                                                 |
| Agent communication       | [A2A](https://google.github.io/A2A/)                   | Agent-to-agent task delegation and coordination                                               |
| Alignment verification    | **AAP**                                                | Post-hoc verification of behavior against declared values                                     |
| Integrity assurance       | **AIP**                                                | Real-time analysis of reasoning for active threats                                            |
| Cryptographic attestation | **[AIP Certificates](/protocols/aip/certificates)**    | Ed25519 signatures, hash chains, Merkle proofs, and SP1 zero-knowledge proofs                 |
| Policy governance         | **[CLPI](/concepts/clpi)**                             | Governance-as-code: policy enforcement, trust recovery, risk intelligence, on-chain anchoring |
| Trust scoring             | **[Mnemom Trust Rating](/concepts/reputation-scores)** | Composite trust metric for agents and teams — cryptographically provable, anchorable on-chain |

AAP and AIP do not replace MCP or A2A -- they add a verification layer on top. CLPI adds a governance layer that prevents configuration drift, recovers from false violations, and anchors trust on-chain. An agent can use MCP tools, communicate via A2A, and have all of that activity traced and verified through AAP and AIP, with governance enforced by CLPI.

* **MCP + AAP**: Every MCP tool call can generate an AP-Trace. See [MCP migration](/protocols/aap/mcp-migration).
* **A2A + AAP**: Before two agents collaborate, value coherence checks verify compatibility. See [A2A integration](/protocols/aap/a2a-integration).
* **CLPI + AAP/AIP**: CLPI's policy engine governs which tools are permitted, its reclassification system fixes false violations from AAP/AIP, and its on-chain layer anchors the resulting trust scores immutably. See [CLPI overview](/concepts/clpi).

## Core concepts

<CardGroup cols={2}>
  <Card title="Alignment Cards" icon="id-card" href="/concepts/alignment-cards">
    Machine-readable declarations of agent identity, values, autonomy boundaries, escalation triggers, and audit commitments. The reference document that all verification checks against.
  </Card>

  <Card title="AP-Traces" icon="route" href="/concepts/ap-traces">
    Structured records of agent decisions. Each trace captures what action was taken, what alternatives were considered, what values were applied, and whether escalation was triggered.
  </Card>

  <Card title="Integrity Checkpoints" icon="shield-check" href="/concepts/integrity-checkpoints">
    Real-time AIP analysis results. Each checkpoint contains a verdict (`clear`, `review_needed`, `boundary_violation`), identified concerns, and confidence levels.
  </Card>

  <Card title="Drift Detection" icon="chart-line" href="/concepts/drift-detection">
    Statistical analysis of agent behavior over time. Detects sustained deviations from declared alignment, including autonomy expansion, escalation rate changes, and value application shifts.
  </Card>

  <Card title="Value Coherence" icon="handshake" href="/concepts/value-coherence">
    Pairwise compatibility checking between two agents' Alignment Cards. Identifies shared values, conflicts, and proposes resolutions before collaboration begins.
  </Card>

  <Card title="CLPI: Governance Layer" icon="gears" href="/concepts/clpi">
    Card Lifecycle & Policy Intelligence. The 5-phase governance system that enforces policies, recovers trust after false violations, and anchors reputation on-chain.
  </Card>

  <Card title="Mnemom Trust Rating" icon="ranking-star" href="/concepts/reputation-scores">
    Composite trust metric for AI agents — a credit score built from integrity checkpoints, drift stability, compliance, and fleet coherence. Publicly queryable, embeddable, and cryptographically provable.
  </Card>

  <Card title="Team Reputation" icon="users-gear" href="/concepts/team-reputation">
    Teams as first-class meta-agents with persistent identity, their own alignment cards, accumulated reputation, and ZK-provable team trust scores.
  </Card>

  <Card title="Verifiable Integrity" icon="certificate" href="/protocols/aip/certificates">
    Four-layer cryptographic attestation stack: Ed25519 signatures, hash chains, Merkle proofs, and SP1 zero-knowledge proofs for independent verdict verification.
  </Card>
</CardGroup>

## Specifications

<CardGroup cols={2}>
  <Card title="AAP Specification" icon="file-contract" href="/protocols/aap/specification">
    Full Agent Alignment Protocol specification. Covers Alignment Card schema, AP-Trace format, verification algorithm, coherence checking, and drift detection.
  </Card>

  <Card title="AIP Specification" icon="file-shield" href="/protocols/aip/specification">
    Full Agent Integrity Protocol specification. Covers thinking block analysis, checkpoint format, verdict mapping, signal building, and window management.
  </Card>

  <Card title="AAP Security Model" icon="lock" href="/protocols/aap/security">
    AAP threat model, attack surfaces, and mitigations. Covers card forgery, trace tampering, similarity gaming, and adversarial alignment.
  </Card>

  <Card title="AIP Security Model" icon="shield-halved" href="/protocols/aip/security">
    AIP threat model and limitations. Covers thinking block suppression, adversarial reasoning, and confidence calibration.
  </Card>
</CardGroup>

## SDK packages

Both protocols have SDK implementations in Python and TypeScript:

| Package                            | Language   | Protocol | Registry                                                              |
| ---------------------------------- | ---------- | -------- | --------------------------------------------------------------------- |
| `agent-alignment-protocol`         | Python     | AAP      | [PyPI](https://pypi.org/project/agent-alignment-protocol/)            |
| `@mnemom/agent-alignment-protocol` | TypeScript | AAP      | [npm](https://www.npmjs.com/package/@mnemom/agent-alignment-protocol) |
| `agent-integrity-proto`            | Python     | AIP      | [PyPI](https://pypi.org/project/agent-integrity-proto/)               |
| `@mnemom/agent-integrity-protocol` | TypeScript | AIP      | [npm](https://www.npmjs.com/package/@mnemom/agent-integrity-protocol) |

## Quickstarts

* [Mnemom Gateway quickstart](/quickstart/gateway) -- Both protocols, zero code changes
* [SDK direct quickstart](/quickstart/sdk-direct) -- Full programmatic control
* [AAP protocol quickstart](/protocols/aap/quickstart) -- AAP SDK standalone
* [AIP protocol quickstart](/protocols/aip/quickstart) -- AIP SDK standalone
