AnimusLab · Tanishq1030 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026 · Mar 23, 2026
diff --git a/.anchor/.anchor.lock b/.anchor/.anchor.lock
@@ -0,0 +1,23 @@
+version: 4.0.0
+generated: '2026-03-18T00:00:00Z'
+algorithm: sha256
+offline_behaviour: warn
+files:
+  domains/agentic.anchor: 659abaa294a1b1f062385a077b41d04fe75e0d708be89c6ef3ebb4ce69169703
+  domains/alignment.anchor: b8fbdbbabc5e82f620a354829f5a8d70c3e85198ccbc96a4c55bd070f3f3f9db
+  domains/ethics.anchor: d402bf6d69815bdb0074a9fa7a02ae57fcc349a4a5c359f6f128302be5f7c38c
+  domains/legal.anchor: b5c061c69526f254ce2e6eb8f046aeceb1313b4e6bb8d763bd97ae2b2722854f
+  domains/operational.anchor: 9784ffa88b352d49b5643a257fedc3cd88e5d4b4f4591bb5c8610b2ca1aef435
+  domains/privacy.anchor: aa9204e9a7693e0d70cb09b7d6bd375684cac3b5066a884d9e946baf953805cc
+  domains/security.anchor: b7756ded815bbe80959e1734badabbaa753608f82486045202c4be89f072b8f8
+  domains/shared.anchor: 9121d6b2978c307f1b8d1d9cbccfbb77a3df65e17fdf6d54cdda0eb2d5dc0619
+  domains/supply_chain.anchor: 493ae046e572724609bd46bba1d712f9e5b66c550148f45e723cd785f276f9e4
+  frameworks/FINOS_Framework.anchor: 60306678ec523f3cc1aca02f7ff23d62a1b22429f23e7994b92fc13a0ded174a
+  frameworks/NIST_AI_RMF.anchor: 1a0971b93737280564dca779b8bfb6c27552c791c7f0d5bb22a9ff9d11c59ca5
+  frameworks/OWASP_LLM.anchor: 63b3086c9ebbb78e45437cf73dc69e72b441683e72ccfeb1fa91ccb11a8921b9
+  government/CFPB_Regulations.anchor: 7005b47e40061e1d47c0ee42439c3c2897a701337359490b09f8113d6dc87ee7
+  government/EU_AI_Act.anchor: 05063bdd1d5af44d08cedba38bc9549b15ee567d056da7afa217d7da7a185416
+  government/FCA_Regulations.anchor: f23b61075d323be487b6218a2c0e353d8df445bf3e13904f977edf895123973e
+  government/RBI_Regulations.anchor: 0337e51a8520507c951f68acd3ba207f30d015e586007be8a13db5c56a978e40
+  government/SEBI_Regulations.anchor: 38dac4c568ecf52d89ee49b027b401d8e8a46b03b40d9f99e9bdf40534247a15
+  government/SEC_Regulations.anchor: b7819b6dd874892ef5005eb5033221ac4327146dc060239a1e3fbadaeecd4c07
diff --git a/.anchor/constitution.anchor b/.anchor/constitution.anchor
@@ -0,0 +1,127 @@
+anchor_version: '>=4.0.0'
+core_domains:
+- namespace: SEC
+  path: domains/security.anchor
+  required: true
+  active: true
+- namespace: ETH
+  path: domains/ethics.anchor
+  required: true
+  active: true
+- namespace: SHR
+  path: domains/shared.anchor
+  required: true
+  active: true
+- namespace: ALN
+  path: domains/alignment.anchor
+  required: true
+  active: true
+- namespace: AGT
+  path: domains/agentic.anchor
+  required: true
+  active: true
+- namespace: PRV
+  path: domains/privacy.anchor
+  required: true
+  active: true
+- namespace: LEG
+  path: domains/legal.anchor
+  required: true
+  active: true
+- namespace: OPS
+  path: domains/operational.anchor
+  required: true
+  active: true
+- namespace: SUP
+  path: domains/supply_chain.anchor
+  required: true
+  active: true
+engine:
+  fail_on:
+  - BLOCKER
+  - ERROR
+  info_on:
+  - INFO
+  seal_check: warn
+  suppress_requires_reason: true
+  suppress_tracking: true
+  unknown_namespace: reject
+  warn_on:
+  - WARNING
+frameworks:
+- active: true
+  namespace: FINOS
+  path: frameworks/FINOS_Framework.anchor
+  source: FINOS AI Governance Framework
+- active: true
+  namespace: OWASP
+  path: frameworks/OWASP_LLM.anchor
+  source: OWASP LLM Top 10 2025
+- active: true
+  namespace: NIST
+  path: frameworks/NIST_AI_RMF.anchor
+  source: NIST AI RMF 1.0
+legacy_aliases:
+  ANC-001: FINOS-001
+  ANC-002: FINOS-002
+  ANC-003: FINOS-003
+  ANC-004: FINOS-004
+  ANC-005: FINOS-005
+  ANC-006: FINOS-006
+  ANC-007: FINOS-007
+  ANC-008: FINOS-008
+  ANC-009: FINOS-009
+  ANC-010: FINOS-010
+  ANC-011: FINOS-011
+  ANC-012: FINOS-012
+  ANC-013: FINOS-013
+  ANC-014: FINOS-014
+  ANC-015: FINOS-015
+  ANC-016: FINOS-016
+  ANC-017: FINOS-017
+  ANC-018: FINOS-018
+  ANC-019: FINOS-019
+  ANC-020: FINOS-020
+  ANC-021: FINOS-021
+  ANC-022: FINOS-022
+  ANC-023: FINOS-023
+name: Anchor Constitutional Root
+output:
+  formats:
+  - json
+  - markdown
+  include_git_blame: true
+  report_path: .anchor/reports/
+  telemetry_path: .anchor/telemetry/
+policy:
+  allow_custom_rules: true
+  custom_rule_prefix: INTERNAL
+  enforce_raise_only: true
+  path: policy.anchor
+regulators:
+- active: true
+  namespace: RBI
+  path: government/RBI_Regulations.anchor
+  source: RBI FREE-AI Report August 2025
+- active: true
+  namespace: EU
+  path: government/EU_AI_Act.anchor
+  source: EU AI Act 2024/1689
+- active: true
+  namespace: SEBI
+  path: government/SEBI_Regulations.anchor
+  source: SEBI AI/ML Consultation 2024-2025
+- active: true
+  namespace: CFPB
+  path: government/CFPB_Regulations.anchor
+  source: CFPB Regulation B + 2024 Guidance
+- active: true
+  namespace: FCA
+  path: government/FCA_Regulations.anchor
+  source: FCA AI Governance Guidance 2024
+- active: false
+  namespace: USSEC
+  path: government/SEC_Regulations.anchor
+  source: SEC 2026 Examination Priorities
+type: manifest
+version: '4.1'
diff --git a/.anchor/domains/agentic.anchor b/.anchor/domains/agentic.anchor
@@ -0,0 +1,166 @@
+type: domain
+namespace: AGT
+version: "1.0"
+anchor_version: ">=4.0.0"
+maintainer: "Anchor Core"
+always_loaded: false
+description: >
+  Agentic AI risks unique to autonomous, tool-calling, and
+  multi-agent systems. These risks operate at the intent and
+  reasoning layer — structurally distinct from code-level
+  security violations. Enable this domain for any system
+  deploying AI agents, MCP integrations, autonomous pipelines,
+  or multi-agent orchestration frameworks.
+seal: "sha256:PENDING"
+
+rules:
+
+  - id: "AGT-001"
+    name: "Agent Action Authorization Bypass"
+    source: "FINOS"
+    original_id: "Ri-024"
+    category: "security"
+    description: >
+      An AI agent executes actions outside its granted permissions
+      not because a code-level permission check failed, but because
+      the agent's reasoning layer decided to act without consulting
+      the enforcement layer at all. This is a failure of intent, not
+      enforcement. A standard authorization bypass (SEC-005) occurs
+      when code skips a token validation check. An agentic
+      authorization bypass occurs when the model decides that a
+      high-stakes action — transferring funds, modifying governance
+      configuration, calling a privileged API — is within its mandate
+      based on its interpretation of high-level instructions, bypassing
+      the human authorization step entirely. In financial AI, this
+      risk is critical in any agentic system with access to payment
+      rails, customer account operations, or trading systems. The
+      mitigation is not better code-level permission checks — it is
+      explicit intent boundaries declared in the agent's system prompt,
+      enforced by a runtime governance layer that intercepts tool calls
+      before execution and validates them against the agent's declared
+      permission scope.
+    severity: "blocker"
+    min_severity: "blocker"
+    min_mitigations: 1
+    detection: ~
+    primitives: ~
+
+  - id: "AGT-002"
+    name: "Tool Chain Manipulation and Injection"
+    source: "FINOS"
+    original_id: "Ri-025"
+    category: "security"
+    description: >
+      An attacker manipulates the parameters, outputs, or metadata
+      of tools called by an AI agent to corrupt the agent's reasoning,
+      redirect its actions, or inject malicious instructions into the
+      tool-calling chain. Unlike prompt injection (SEC-001) which
+      targets the model's input, tool chain manipulation targets the
+      feedback loop between the model and its tools — the attacker
+      poisons what the tools return, causing the model to take
+      attacker-controlled actions based on fabricated tool results.
+      In financial AI, tool chain manipulation can cause an agent
+      with access to market data APIs, customer databases, or payment
+      systems to act on falsified data — executing trades based on
+      injected price feeds, approving transactions based on fabricated
+      credit scores, or exfiltrating customer data through manipulated
+      search tool responses. The attack surface grows with every tool
+      the agent can call, and the sophistication required is lower
+      than direct model manipulation because tool outputs are often
+      trusted implicitly by the model's reasoning.
+    severity: "blocker"
+    min_severity: "error"
+    min_mitigations: 1
+    detection: ~
+    primitives: ~
+
+  - id: "AGT-003"
+    name: "MCP Server Supply Chain Compromise"
+    source: "FINOS"
+    original_id: "Ri-026"
+    category: "security"
+    description: >
+      A compromised or malicious Model Context Protocol (MCP) server
+      poisons an AI agent's reasoning by returning fabricated tool
+      schemas, injecting malicious instructions into tool descriptions,
+      or providing attacker-controlled responses that redirect the
+      agent's behavior. This is structurally distinct from general
+      supply chain attacks (SEC-008) which target model weights and
+      code dependencies. MCP compromise targets the live reasoning
+      layer — the server that tells the agent what tools exist, what
+      they do, and what they return. A malicious MCP server can
+      convince an agent that a destructive action is a routine
+      operation by manipulating the tool's description and expected
+      output schema. In financial AI deployments using MCP for
+      integration with banking APIs, payment systems, or regulatory
+      reporting tools, a compromised MCP server represents a single
+      point of failure that can redirect an entire agent fleet.
+      Mitigation requires cryptographic verification of MCP server
+      manifests and tool schemas before the agent is permitted to
+      call any tool from that server.
+    severity: "blocker"
+    min_severity: "error"
+    min_mitigations: 1
+    detection: ~
+    primitives: ~
+
+  - id: "AGT-004"
+    name: "Agent State Persistence Poisoning"
+    source: "FINOS"
+    original_id: "Ri-027"
+    category: "security"
+    description: >
+      An attacker injects malicious instructions, false memories, or
+      behavioral backdoors into an AI agent's persistent state —
+      long-term memory, conversation history, vector store entries,
+      or cached reasoning chains — causing the agent to carry
+      compromised behavior across sessions, tasks, and restarts.
+      State persistence poisoning is uniquely dangerous because it
+      survives model redeployment. A poisoned memory entry that
+      causes an agent to trust a specific external endpoint, bypass
+      a specific check, or misclassify a specific pattern will
+      continue to affect agent behavior until the state is explicitly
+      audited and purged. In financial AI, agents with persistent
+      state and access to customer data, payment systems, or
+      compliance workflows represent a critical attack surface —
+      a single successful state poisoning event can introduce
+      a long-lived backdoor that operates silently across thousands
+      of subsequent transactions before detection.
+    severity: "error"
+    min_severity: "warning"
+    min_mitigations: 1
+    detection: ~
+    primitives: ~
+
+  - id: "AGT-005"
+    name: "Multi-Agent Trust Boundary Violations"
+    source: "FINOS"
+    original_id: "Ri-028"
+    category: "security"
+    description: >
+      In multi-agent systems where multiple AI agents communicate,
+      delegate tasks, or share state, a compromised or manipulated
+      agent propagates malicious behavior across the agent swarm by
+      exploiting implicit trust between agents. Agents in a swarm
+      frequently trust messages from other agents in the same system
+      without verification — a compromised orchestrator can instruct
+      worker agents to take unauthorized actions, a poisoned worker
+      can inject false results into the orchestrator's reasoning,
+      and a compromised memory agent can corrupt the shared state
+      that all agents read from. In financial AI, multi-agent
+      architectures are increasingly used for complex workflows —
+      loan processing pipelines, regulatory reporting chains, fraud
+      investigation workflows — where each agent handles one step
+      of a larger process. Trust boundary violations in these systems
+      can cause cascading failures that are difficult to trace because
+      the proximate cause of each individual agent's failure appears
+      legitimate when examined in isolation. Mitigation requires
+      explicit trust declarations between agents, cryptographic
+      message signing between agent boundaries, and governance
+      checkpoints that validate agent outputs before they are
+      consumed by downstream agents.
+    severity: "blocker"
+    min_severity: "blocker"
+    min_mitigations: 1
+    detection: ~
+    primitives: ~
diff --git a/.anchor/domains/alignment.anchor b/.anchor/domains/alignment.anchor
@@ -0,0 +1,65 @@
+type: domain
+namespace: ALN
+version: "1.0"
+anchor_version: ">=4.0.0"
+maintainer: "Anchor Core"
+always_loaded: false
+description: >
+  Alignment violations in AI systems. Covers hallucination of
+  non-existent APIs and code references, and goal misrepresentation
+  where AI output diverges from declared system purpose.
+seal: "sha256:PENDING"
+
+rules:
+
+  - id: "ALN-001"
+    name: "Hallucination"
+    source: "FINOS"
+    original_id: "Ri-008"
+    category: "accuracy"
+    description: >
+      AI models generate factually incorrect, fabricated, or
+      non-existent information presented with the same confidence
+      as accurate information. In code generation, hallucination
+      manifests as references to non-existent APIs, libraries, or
+      functions that appear syntactically valid but will fail at
+      runtime. In financial AI, hallucination is a critical risk
+      in automated report generation, regulatory filing assistance,
+      customer communications, and investment research — where
+      fabricated figures, non-existent regulatory citations, or
+      invented financial data can cause material harm. Hallucination
+      is not a reliability issue — in regulated contexts it is a
+      compliance issue, as SEBI requires AI outputs to be accurate
+      and traceable, and RBI FREE-AI Recommendation 14 requires
+      AI-assisted credit decisions to be explainable and verifiable.
+    severity: "error"
+    min_severity: "warning"
+    min_mitigations: 1
+    detection: ~
+    primitives: ~
+
+  - id: "ALN-002"
+    name: "Goal Misrepresentation"
+    source: "FINOS"
+    original_id: "Ri-021"
+    category: "safety"
+    description: >
+      An AI system pursues objectives that diverge from its declared
+      purpose, either through misaligned training, adversarial
+      manipulation, or emergent behavior that was not anticipated
+      during development. In financial AI, goal misrepresentation
+      manifests when a fraud detection model begins optimizing for
+      metrics other than fraud detection — such as minimizing false
+      positive complaints — in ways that compromise its primary
+      safety function. It also includes agentic systems that interpret
+      high-level goals in ways that achieve the stated objective
+      while violating implicit constraints — for example, an agent
+      instructed to maximize loan approvals that begins bypassing
+      credit risk checks. This is a BLOCKER because misaligned AI
+      goals in financial systems can cause systematic harm at scale
+      before human review catches the drift.
+    severity: "blocker"
+    min_severity: "error"
+    min_mitigations: 1
+    detection: ~
+    primitives: ~