Open source · Apache 2.0 · Coming soon

The free code that records what your AI actually did.

When your AI fails, someone has to be able to answer for it. We open-sourced the chain-of-custody layer for AI agent decisions, so anyone, including your own auditors, regulators, and customers, can verify what happened without taking us at our word.

What it does

Four things, in this order, every time your AI does something.

Headlights sits at the layer where your AI agent's actions happen, captures each one as a structured record, signs it cryptographically, and chains the records so any change after the fact is detectable. The result is forensic-grade evidence: a tamper-evident chain of custody from the moment a decision is made to the moment a regulator, a court, or a customer's lawyer asks for it. The signatures are verifiable by anyone with the public key.

01
Signed records, the moment each action happens
Every reply, every tool call, every database write. The agent acts, the record is created, the signature is applied. No retroactive logging, no editable conversation history.
02
A hash chain that locks history
Each record carries the hash of the one before it. Change any record after the fact and the chain breaks visibly. Built on the same primitive that secures Git and Bitcoin.
03
Verifiable without trusting us
The cryptography is standard (ECDSA P-256, SHA-256, RFC 8785 canonical JSON). Your auditor, your customer's lawyer, your regulator, all can verify the signatures without trusting Headlights and without trusting you.
04
Built on an open standard
Aligned with the IETF working draft draft-sharif-agent-audit-trail-00. The standard is open. The reference implementation is ours.
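The four steps above, as an added example that is not Headlights' code and does not use its record schema: each record's body embeds the previous record's hash, the canonical body (RFC 8785 form for the string/integer types used here) is hashed with SHA-256 and signed with ECDSA P-256 through the cryptography package when it is installed, and a verifier walks the chain and reports the first record whose link, hash or signature fails. Assumptions: signer and verifier share one in-process key (a real verifier holds only the public key), and where cryptography is absent the block falls back to an HMAC stand-in, labelled as such, so the chain logic still runs offline.

```python
import hashlib, hmac, json, os

def canonical(obj: dict) -> bytes:
    # RFC 8785 form for str/int/dict/list: sorted keys, no whitespace, raw UTF-8 (floats need ES6 rules)
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode()

try:  # ECDSA P-256 over SHA-256 when the 'cryptography' package is installed
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import ec
    _KEY = ec.generate_private_key(ec.SECP256R1())
    def sign(msg: bytes) -> bytes:
        return _KEY.sign(msg, ec.ECDSA(hashes.SHA256()))
    def verify(msg: bytes, sig: bytes) -> bool:
        try:
            _KEY.public_key().verify(sig, msg, ec.ECDSA(hashes.SHA256()))
            return True
        except InvalidSignature:
            return False
except ImportError:  # offline stand-in, NOT the page's scheme: HMAC-SHA256 with a random key
    _KEY = os.urandom(32)
    sign = lambda msg: hmac.new(_KEY, msg, hashlib.sha256).digest()
    verify = lambda msg, sig: hmac.compare_digest(sign(msg), sig)

def append(chain: list, action: dict) -> dict:
    # body embeds prev_hash; the hash and the signature both cover the canonical body
    prev = chain[-1]["hash"] if chain else "0" * 64
    body = {"seq": len(chain), "prev_hash": prev, **action}
    cbody = canonical(body)
    rec = {"body": body, "hash": hashlib.sha256(cbody).hexdigest(), "sig": sign(cbody).hex()}
    chain.append(rec)
    return rec

def verify_chain(chain: list) -> tuple:
    # returns (ok, index of first bad record or -1); checks link, hash and signature in turn
    prev = "0" * 64
    for i, rec in enumerate(chain):
        cbody = canonical(rec["body"])
        if (rec["body"]["prev_hash"] != prev or rec["hash"] != hashlib.sha256(cbody).hexdigest()
                or not verify(cbody, bytes.fromhex(rec["sig"]))):
            return False, i
        prev = rec["hash"]
    return True, -1

def demo() -> tuple:
    chain = []
    append(chain, {"type": "tool_call", "tool": "db.write", "model": "model-v1"})
    append(chain, {"type": "reply", "text": "Done."})  # constructed sample actions
    before = verify_chain(chain)
    chain[0]["body"]["tool"] = "db.read"  # retroactive edit of the first record
    return before, verify_chain(chain)
```

Recomputing the edited record's hash would not help the editor either: the signature over the canonical body fails, and the next record's prev_hash no longer matches.
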
The six governance modules

Each module catches a specific failure pattern documented in the Incident Library.

The library cases each end with a code snippet showing the module that would have caught the failure. When the repository goes public, the modules below will be importable from a single package. Composable, documented, and free.

ConductRecord · Foundation
The signed, hash-chained audit log every other module builds on. One record per AI action, with full context: model version, system prompt hash, retrieved documents, tool calls, output. Signed at the moment of generation.
As seen in HD-INC-001 Air Canada chatbot
PersonaGuard · Persona drift
A contract object that checks every reply against a defined identity and scope, regardless of which subsystem produced the reply. LLM, retrieval, or legacy script, they all go through the same gate.
As seen in HD-INC-014 Woolworths Olive
ConstraintGate · User constraints
Parses user-declared standing rules ("code freeze, no production writes") into structured constraints. Every subsequent tool call runs through the gate. Violations require explicit, recorded approval.
As seen in HD-INC-004 Replit database wipe
CitationVerifier · Document authoring
Checks every citation in an AI-drafted document against real legal, academic, or technical databases before the document can ship. Unverified citations block delivery or flag for human review.
As seen in HD-INC-010 Deloitte fabricated references
VerificationGate · Fact-checking
When anyone asks the system "is this real?", the question is routed to a real source, never back to the model. The model proposes. A trusted database decides whether something exists.
As seen in HD-INC-002 Mata v. Avianca
MetricRecord · Workforce trust
Signed aggregate metrics produced over signed conduct records, with a chain root hash binding the aggregate to the underlying events. Workforce decisions citing AI performance are verifiable by the union, the regulator, and the board.
As seen in HD-INC-015 Commonwealth Bank voice bot
Why open source

Most AI governance tools are sold by the companies building the agents. A company grading its own homework is not an audit.

Headlights is independent on purpose. The signing keys belong to your company, not to us. The records live in your system, not ours. When an auditor or a regulator asks for evidence, they verify it directly. We do not sit in the middle.

The code is free because trust has to be verifiable, not bought. Anyone can read every line. Anyone can audit the cryptography. Anyone can fork it, harden it, or use it inside a product they sell. Apache 2.0 means no licence fees, no vendor lock-in, no proprietary auditor in the loop.

That is the entire pitch. Cheap to install, expensive to ignore, impossible to argue with once it is running.

When and how

The repository goes public alongside the Incident Library launch.

The target is to have twenty entries written and to flip the OSS repository public at the same time. That launch coincides with outreach to the IETF draft author and the broader audit-trail standards community. Until then, the code is in private development.

Status: Private repository, in active development. Public launch alongside the Incident Library (target: 20 entries).
Licence: Apache 2.0. Free to use, modify, redistribute, and use commercially.
Standard: draft-sharif-agent-audit-trail-00 (IETF working draft)
For engineers: Python. ECDSA P-256 signatures, SHA-256 hash chain, RFC 8785 canonical JSON. 226 tests passing.
When live: github.com/saffronandindia/headlights-oss