The code
Eight modules, two layers. Apache 2.0. Audit before you trust.
When your AI fails, someone has to be able to answer for it. We open-sourced the chain-of-custody layer for AI agent decisions, so anyone, including your own auditors, regulators, and customers, can verify what happened without taking us at our word.
Record layer · written after the action
ConductRecord The signed, hash-chained log every other module writes to. One record per AI action, with the model version, system-prompt hash, retrieved sources, tool calls and output. Edit one and the chain breaks.
MetricRecord Signed aggregate metrics computed over those records and bound to the chain root, so a board, a union, or a regulator can verify the numbers behind an automated decision.
Gate layer · enforced before the action, in order
AuthorityGate Who issued this instruction, and are they authorised to bind the agent? Runs first. Source and authority only. As seen in: DPD prompt injection · Chevrolet “$1 Tahoe” chatbot
ConstraintGate Does this action comply with the standing rules in force at that moment? Violations require explicit, recorded approval.
PersonaGuard Does this reply match the agent's defined identity and scope? Catches persona drift and impersonation, whichever subsystem answered.
CitationVerifier Is every citation real? Checked against genuine legal, academic and technical sources before a document can ship.
VerificationGate Is this actually true? The claim is routed to a trusted source, never back to the model. The model proposes; a database disposes.
EgressGate Does this output carry sensitive data, and is the destination inside the trust boundary? Runs where data would leave. As seen in: Samsung source-code leak · McHire data exposure
Why independence matters
Your governance layer shouldn't be built by the vendors you're governing.
The keys are yours
The signing keys belong to your company, not to us. The records live in your system, not ours. When a regulator asks for evidence, they verify it directly.
Free because trust must be verifiable
Apache 2.0 means no licence fees, no vendor lock-in, no proprietary auditor in the loop. Read every line, audit the cryptography, fork it.
Public and live
The repository is public now on GitHub, Apache 2.0, free to read, fork, and verify. The Incident Library grows alongside it, with new entries every week. Mapped to the AI Agent Audit Trail draft, an individual submission by Raza Sharif (March 2026), not yet IETF Working-Group adopted.