The governed knowledge store for autonomous organizations.
Every document has a trust tier that weights search results. Every chunk has a SHA3-256 content ID. Every mutation is auditable. The entire vault is verifiable via Merkle tree. Content is screened by a Membrane before indexing. Access is controlled by RBAC. Air-gap native. Post-quantum ready.
A Vault is a governed store of knowledge resources. Each resource is screened by the Membrane, chunked, hashed, trust-classified, and indexed for hybrid search. RBAC controls who can read, write, or administer.
┌─────────────────────────────────────────────────────────────────┐
│ VAULT │
├──────────────┬──────────────────────────────────────────────────┤
│ RBAC │ READER · WRITER · ADMIN permission matrix │
│ MEMBRANE │ Innate scan → Release gate → Index/Quarantine │
│ INGEST │ Parse → Chunk → SHA3-256 CID → Embed → Store │
│ GOVERN │ Trust tiers · Lifecycle · Data classification │
│ RETRIEVE │ Hybrid search · Trust-weighted · Time-travel │
│ VERIFY │ Merkle tree · CID per chunk · Proof export │
│ AUDIT │ Every write → VaultEvent → Capsule (opt.) │
│ ENCRYPT │ AES-256-GCM · ML-KEM-768 · ML-DSA-65 │
├──────────────┴──────────────────────────────────────────────────┤
│ Trust weights: CANONICAL 1.5x · WORKING 1.0x · EPHEMERAL 0.7x │
│ FIPS 202 · FIPS 197 · FIPS 203 · FIPS 204 │
└─────────────────────────────────────────────────────────────────┘
Knowledge that can't be verified can't be trusted.
Vector databases store embeddings and return them by similarity. When something goes wrong, or when a regulator asks "was this the current policy at the time?", similarity search is not enough.
qp-vault solves three problems that vector databases do not:
1. Trust-weighted retrieval. Every resource has a trust tier (CANONICAL, WORKING, EPHEMERAL, ARCHIVED) that multiplies its search relevance. A CANONICAL SOP at 0.6 similarity outranks a WORKING draft at 0.8 similarity. This is not metadata filtering; it is a scoring function that ensures authoritative knowledge surfaces first, every time, without manual curation.
2. Cryptographic content integrity. Every chunk receives a SHA3-256 content ID at ingest. Every resource receives a Merkle root over its chunk CIDs. The entire vault has a root hash. Any modification to any chunk, in any resource, changes the vault's Merkle root. Auditors can verify a single resource without downloading the vault, using an exported Merkle proof. No trust in the storage layer is required.
3. Knowledge lifecycle with temporal validity. Resources have lifecycles (DRAFT to ACTIVE to SUPERSEDED to ARCHIVED) with temporal validity windows. Point-in-time queries answer "what was our policy on March 15, 2024?" by returning only resources that were ACTIVE at that date. Supersession chains link v1 to v2 to v3 with cryptographic pointers. Expired resources auto-transition. None of this exists in any vector database.
Every chunk is hashed with SHA3-256 and assigned a content ID:
vault://sha3-256/4cb02d65a1b2c3d4e5f67890abcdef1234567890abcdef1234567890abcdef12
Every resource receives a Merkle root computed over its sorted chunk CIDs. The vault itself has a root hash over all resource hashes:
Vault Merkle Root
/ \
Resource A Root Resource B Root
/ \ |
hash(c1+c2) hash(c3+c4) hash(c5)
/ \ / \ |
CID(c1) CID(c2) CID(c3) CID(c4) CID(c5)
Identical content always produces the same CID. Modified content always produces a different root. Auditors verify a single resource via Merkle proof without downloading the vault.
Trust is not metadata. It is a scoring function.
| Tier | Weight | Freshness Half-Life | Behavior |
|---|---|---|---|
| CANONICAL | 1.5x | 365 days | Immutable. Official SOPs, approved policies. |
| WORKING | 1.0x | 180 days | Default. Drafts, in-progress documents. |
| EPHEMERAL | 0.7x | 30 days | Temporary. Meeting notes. Auto-archives after TTL. |
| ARCHIVED | 0.25x | 730 days | Historical. Superseded versions. |
Search ranking formula:
relevance = (0.7 × vector_similarity + 0.3 × text_rank) × trust_weight × freshness_decay × layer_boost
Where freshness_decay = exp(-age_days / half_life × ln2). A 180-day-old WORKING document retains 50% freshness. A CANONICAL document of the same age retains 70%.
DRAFT ──→ REVIEW ──→ ACTIVE ──→ SUPERSEDED ──→ ARCHIVED
│
EXPIRED (auto when valid_until passes)
│
ACTIVE (re-activate)
vault.transition(r.id, "review", reason="Ready for security team")
vault.transition(r.id, "active")
old, new = vault.supersede(v1_id, v2_id) # v1 → SUPERSEDED, linked to v2
chain = vault.chain(v1_id) # [v1, v2, v3, ...]
results = vault.search("policy", as_of=date(2024, 3, 15)) # Time-travel
expiring = vault.expiring(days=90) # What's about to expire?pip install qp-vault| Command | What You Get | Dependencies |
|---|---|---|
pip install qp-vault |
SQLite, trust search, CAS, Merkle, lifecycle, Membrane, RBAC | 1 (pydantic) |
pip install qp-vault[postgres] |
+ PostgreSQL + pgvector hybrid search | + sqlalchemy, asyncpg, pgvector |
pip install qp-vault[encryption] |
+ AES-256-GCM encryption at rest | + cryptography, pynacl |
pip install qp-vault[pq] |
+ ML-KEM-768 + ML-DSA-65 post-quantum crypto | + liboqs-python |
pip install qp-vault[capsule] |
+ Cryptographic audit trail | + qp-capsule |
pip install qp-vault[docling] |
+ 25+ format document processing (PDF, DOCX, etc.) | + docling |
pip install qp-vault[local] |
+ Local embeddings (sentence-transformers, air-gap safe) | + sentence-transformers |
pip install qp-vault[openai] |
+ OpenAI embeddings (cloud) | + openai |
pip install qp-vault[integrity] |
+ Near-duplicate + contradiction detection | + numpy |
pip install qp-vault[fastapi] |
+ REST API (30+ endpoints) | + fastapi |
pip install qp-vault[cli] |
+ vault command-line tool (15 commands) |
+ typer, rich |
pip install qp-vault[all] |
Everything | All of the above |
Combine extras with commas:
pip install qp-vault[postgres,encryption,pq,capsule,fastapi] # Production API server
pip install qp-vault[local,encryption,cli] # Air-gapped deployment
pip install qp-vault[docling,integrity,cli] # Developmentfrom qp_vault import Vault
vault = Vault("./my-knowledge")
# Add with trust tiers
vault.add("Incident response: acknowledge within 15 minutes...",
name="sop-incident.md", trust_tier="canonical")
# Trust-weighted search (deduplicated, with freshness decay)
results = vault.search("incident response")
# Multi-keyword grep (single-pass FTS, three-signal scoring)
results = vault.grep(["incident", "response", "P0", "escalation"])
# Retrieve full content
text = vault.get_content(results[0].resource_id)
# Replace content (atomic: creates new version, supersedes old)
old, new = vault.replace(resource_id, "Updated policy v2 content")
# Verify integrity
result = vault.verify()
print(result.merkle_root)
# Export proof for auditors
proof = vault.export_proof(resource_id)vault.add("content", tenant_id="site-123")
vault.search("query", tenant_id="site-123") # Scoped to tenant
# Or lock the vault to a single tenant
vault = Vault("./knowledge", tenant_id="site-123")vault = Vault("./knowledge", role="reader") # Search, get, verify only
vault = Vault("./knowledge", role="writer") # + add, update, delete
vault = Vault("./knowledge", role="admin") # + export, import, configresources = vault.add_batch(["doc1.md", "doc2.md", "doc3.md"], trust_tier="working")from qp_vault import MemoryLayer
ops = vault.layer(MemoryLayer.OPERATIONAL) # SOPs, runbooks (boost=1.5x)
strategic = vault.layer(MemoryLayer.STRATEGIC) # ADRs, decisions (trust=CANONICAL)
compliance = vault.layer(MemoryLayer.COMPLIANCE) # Audit evidence (reads audited)score = vault.health() # Vault-wide (0-100)
score = vault.health(resource.id) # Per-resourceContent is screened before indexing. Prompt injection, jailbreak, XSS, and code injection attempts are quarantined.
vault.add("ignore all previous instructions") # Quarantined automaticallyfrom qp_vault.plugins import embedder, parser
@embedder("my-model")
class MyEmbedder:
dimensions = 768
async def embed(self, texts):
return my_model.encode(texts)Three discovery methods: explicit registration, entry_points, or --plugins-dir (air-gap).
from qp_vault.encryption import AESGCMEncryptor, HybridEncryptor
# Classical
enc = AESGCMEncryptor()
ciphertext = enc.encrypt(b"secret")
# Post-quantum hybrid (ML-KEM-768 + AES-256-GCM)
enc = HybridEncryptor()
pub, sec = enc.generate_keypair()
ciphertext = enc.encrypt(b"classified", pub)from qp_vault.streaming import VaultEventStream
stream = VaultEventStream()
vault = AsyncVault("./knowledge", auditor=stream)
async for event in stream.subscribe():
print(f"{event.event_type}: {event.resource_name}")await vault.export_vault("backup.json")
await vault.import_vault("backup.json")vault init ./knowledge
vault add report.pdf --trust canonical
vault search "revenue projections" --top-k 5
vault list --trust canonical --tenant site-123
vault verify
vault health
vault delete <id>
vault transition <id> review --reason "Ready for review"
vault content <id>
vault replace <id> new-version.md
vault export backup.json15 commands. Exit codes: 0 = pass, 1 = fail. Designed for CI: vault verify && deploy.
from qp_vault.integrations.fastapi_routes import create_vault_router
router = create_vault_router(vault)
app.include_router(router, prefix="/v1/vault")
# 22+ endpoints: resources, search, faceted search, verify, health,
# lifecycle, collections, provenance, batch, export, content| Layer | Algorithm | Standard | Purpose |
|---|---|---|---|
| Content integrity | SHA3-256 | FIPS 202 | Tamper-evident CIDs and Merkle roots |
| Symmetric encryption | AES-256-GCM | FIPS 197 | Data at rest |
| Key encapsulation | ML-KEM-768 | FIPS 203 | Post-quantum key exchange |
| Digital signatures | ML-DSA-65 | FIPS 204 | Post-quantum provenance signing |
| Audit signatures | Ed25519 | FIPS 186-5 | Via qp-capsule |
| Hybrid encryption | ML-KEM-768 + AES-256-GCM | FIPS 203+197 | Quantum-resistant data encryption |
| Content screening | Membrane pipeline | -- | Prompt injection, jailbreak, XSS detection |
| Access control | RBAC | -- | Reader / Writer / Admin roles |
| Input validation | Pydantic + custom | -- | Enum checks, name/tag/metadata limits |
| Plugin verification | SHA3-256 manifest | -- | Hash-verified plugin loading |
| Key management | ctypes memset | -- | Secure key zeroization |
| Self-testing | FIPS KAT | -- | SHA3-256 + AES-256-GCM known answer tests |
No deprecated cryptography. No runtime network dependencies. Air-gapped operation supported. Full threat model in docs/security.md.
| Package | Purpose | Install |
|---|---|---|
| qp-capsule | Cryptographic audit protocol | pip install qp-capsule |
| qp-vault | Governed knowledge store | pip install qp-vault |
| qp-conduit | Infrastructure management | Shell toolkit |
| qp-tunnel | Encrypted remote access | Shell toolkit |
Each independently useful. Together, the governed AI platform for autonomous organizations.
| Document | Audience |
|---|---|
| Getting Started | Developers |
| Architecture | Developers, Architects |
| API Reference | Developers |
| Trust Tiers | Developers, Product |
| Knowledge Lifecycle | Developers, Compliance |
| Memory Layers | Developers, Architects |
| Multi-Tenancy | Developers, SaaS |
| Encryption | Developers, Security |
| RBAC | Developers, Compliance |
| Membrane | Developers, Security |
| Streaming & Telemetry | DevOps, Observability |
| Plugin Development | SDK Authors |
| Security Model | CISOs, Security Teams |
| CLI Reference | DevOps, Developers |
| FastAPI Integration | Backend Developers |
See CONTRIBUTING.md. Bug fixes with tests, new plugins (embedders, parsers, policies), and documentation improvements are welcome.
Knowledge that can't be verified can't be trusted.
An open-source governed knowledge store
Documentation · Security Policy · Changelog
Copyright 2026 Quantum Pipes Technologies, LLC
![@dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=64&v=4){kind=small}