The KWAM SDK

protect / recover

A pip-installable, self-contained API that erasure-codes bytes into signed, content-addressed fragments and rebuilds them fail-closed. Any k of n fragments rebuild the exact original — or recovery raises. KWAM.CH itself is built on it: every Python asset is protected by RS(8,4) and SHA-256 verified at build.

SDK built & in use · SHA-256 fail-closed · Six nines — a design target

01 · The API

Two verbs, one honest contract

protect turns bytes into signed fragments; recover rebuilds them or refuses. Deterministic codecs produce every byte; SHA-256 gates each one.

# Erasure-code any bytes into 12 signed, content-addressed fragments.
from kwam import protect, recover

obj = protect(data, k=8, m=4)   # n = k + m = 12 fragments

obj.obj_cid       # 'sha256:<hex>' — the whole-object content id
obj.frag_cids     # 12 per-fragment content ids, index-bound
obj.scheme        # 'reed_solomon(8,4)'
obj.millibit      # 1500
obj.manifest      # JSON — round-trips, rides in signed metadata

Fail-closed by default

recover verifies each fragment against its index-bound frag_cid, requires ≥ k verified fragments, then re-hashes the whole object. The index-binding defeats relabel-and-invert attacks. It never returns the wrong bytes silently; it raises.

02 · Recovery

Any k of n rebuild the exact original

Hand recover the surviving fragments and the manifest. If enough verify, you get the original bytes back, re-hashed. If not, it raises rather than guess.

# Survivors can be any k of the n fragments — order need not matter.
from kwam import recover

original = recover(surviving_fragments, manifest)
assert original == data   # exact bytes, re-hashed against obj_cid

# Fail-closed: too few survivors, or a tampered fragment, and it refuses.
import logging

from kwam import recover, ResilienceError

log = logging.getLogger(__name__)

try:
    data = recover(too_few_or_tampered, manifest)
except ResilienceError as err:
    # Below k verified survivors — the data is gone, and KWAM says so.
    log.error("recovery shortfall: %s", err)
    raise          # never a silent wrong-bytes return

When the data is gone, we say so

Below k verified survivors, the original cannot be rebuilt. KWAM reports that shortfall; it never fabricates the missing bytes. Durability is six nines (99.9999%), a design target; the defensible guarantee is no silently-corrupted bits. Knowing a byte is lost is not the same as recovering it, and we never pretend otherwise.
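The three gates described in sections 01 and 02 (per-fragment check against an index-bound id, at least k verified fragments, whole-object re-hash), as an added example that is not KWAM's code. It assumes a fragment id is SHA-256 over a 4-byte index plus the fragment bytes, and swaps in a single XOR parity fragment (n = k + 1) for Reed-Solomon; `toy_protect`, `toy_recover` and `ShortfallError` are hypothetical names.

```python
import hashlib
from functools import reduce

class ShortfallError(Exception):
    """Constructed stand-in for the page's ResilienceError."""

def cid(data, index=None):
    # Assumption: a fragment id hashes its index together with its bytes,
    # so the same bytes presented under another index get a different id.
    prefix = b"" if index is None else index.to_bytes(4, "big")
    return "sha256:" + hashlib.sha256(prefix + data).hexdigest()

def xor(blocks):
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*blocks))

def toy_protect(data, k):
    size = -(-len(data) // k) or 1          # ceil(len / k), at least 1
    padded = data.ljust(size * k, b"\0")
    frags = [padded[i * size:(i + 1) * size] for i in range(k)]
    frags.append(xor(frags))                # one parity fragment at index k
    manifest = {"k": k, "length": len(data), "obj_cid": cid(data),
                "frag_cids": [cid(f, i) for i, f in enumerate(frags)]}
    return frags, manifest

def toy_recover(survivors, manifest):
    """survivors maps fragment index -> bytes; returns data or raises."""
    k, ids = manifest["k"], manifest["frag_cids"]
    # Gate 1: each fragment must match the id recorded for its own index.
    good = {i: f for i, f in survivors.items()
            if 0 <= i < len(ids) and cid(f, i) == ids[i]}
    # Gate 2: refuse below k verified fragments.
    if len(good) < k:
        raise ShortfallError(f"{len(good)} verified fragments, need {k}")
    missing = [i for i in range(k) if i not in good]
    if missing:                             # at most one of k + 1 can be absent
        good[missing[0]] = xor(list(good.values()))
    data = b"".join(good[i] for i in range(k))[:manifest["length"]]
    # Gate 3: re-hash the whole object before handing it back.
    if cid(data) != manifest["obj_cid"]:
        raise ShortfallError("rebuilt object does not match obj_cid")
    return data
```

Two fragments swapped between indices both fail gate 1, so a relabelled set drops below k and is refused before any bytes are rebuilt.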

03 · API surface

Everything you call, in one place

Small surface, deterministic behaviour. The bytes come from the codec; the gates come from SHA-256.

| Symbol | Signature / shape | Behaviour |
| --- | --- | --- |
| protect | protect(data, k=8, m=4) -> ProtectedObject | Erasure-codes data into n = 12 signed, content-addressed fragments. |
| ProtectedObject | .obj_cid · .frag_cids · .scheme · .millibit · .manifest | scheme = reed_solomon(8,4), millibit = 1500, manifest is round-tripping JSON. |
| recover | recover(fragments, manifest) -> bytes | Any k of n verified fragments rebuild the exact original; fail-closed and SHA-gated, raises ResilienceError on shortfall or tamper. |
| durability_target | durability_target(...) -> dict | Returns the durability math tagged 'kind':'DESIGN_TARGET', never a promise. |
| ContentId | ContentId(...) | Wraps the prefixed sha256:<hex> string. |
| KwamBit | .from_recovery() · recover_bit() · .verify() | A SHA-gated immutable wrapper, built only via recovery; verify() raises BitIntegrityError if the bit does not match. |

04 · Install

Two lanes, same guarantee

Run on the pure-stdlib floor, or add numpy for speed. The contract is identical; only the throughput differs.

Stdlib floor built

Pure standard library, no compiled dependencies. Always available, including in CI.

pip install kwam

Faster lane built

Adds numpy for a faster codec path. Same fragments, same SHA gates, same fail-closed recovery.

pip install "kwam[numpy]"

In production

The manifest rides in cosign-signed metadata, so the recovery path can trust the scheme and the fragment ids it is handed. The codec produces the bytes; the signature and SHA gates decide whether to trust them.

05 · We run on it

KWAM protects itself with the SDK

Every Python asset behind this site is erasure-coded by the same protect / recover you would call.

RS(8,4)
The scheme every asset is coded with: 8 data, 4 parity, 12 fragments total.
SHA‑256
Verified at build. Corruption is detected, never silently shipped.
k of n
Any k verified fragments rebuild the exact original, or recovery raises.
6 nines
Durability design target: engineered and defended, never claimed as zero loss.

Embed a defensible integrity guarantee

The SDK is proprietary and licensed directly. Tell us about your workload and we'll scope access.

Legal

Ownership & governing law

KWAM is our intellectual property, grounded in Swiss law.

Intellectual property & governing law

KWAM is the sole and exclusive property of the owners of KWAM.CH

KWAM — its source code, the KWAM language, the JHMM reconstruction orchestrator, the deterministic codec runtime, and all associated AI components — is a proprietary computer program and the sole and exclusive intellectual property of KWAM.CH. As a computer program it is a protected work under the Swiss Federal Act on Copyright and Related Rights (Copyright Act, CopA), and the exclusive rights of use vest in KWAM as employer; it is further protected as a trade secret under the Swiss Federal Act Against Unfair Competition (UCA). KWAM is offered by private licence only. All rights reserved.

CopA (SR 231.1) Art. 2 para. 3 & Art. 17 · UCA (SR 241) Art. 6 · Governed by the laws of Switzerland · Place of jurisdiction: Zürich