There's no interception - it runs in-process, so it works with any Python code (with or without a framework). There's a TS version too if your stack is in JS.
Would love to hear more about your agent framework!
Because they live in infrastructure the vendor itself controls - there's some conflict of interest there. Things like retention, rotation, deletion, what gets included/excluded, etc are all decisions the vendor makes. Same reason why compliance requires audits!
The hash chain doesn't make the log unwritable, it makes any edit detectable.
Fair point - I am a marketer by training and built this with some help from Claude! But appreciate the love.
If you find something/have feedback, please let me know and I'll gladly fix it.
Separately - 100% agree on the witness - only someone/thing outside the vendor can prove nothing was omitted. Who do you think fills that gap - is it an audit firm (my world), a standards body, or something else?
I'm currently working on an agent framework that has auditability as one of its core promises. I'm glad to see others are working in this domain!
I've seen other products/apps in this space farther up the stack at the API boundary.
What frameworks does your package work with? How does it handle intercept?
There's no interception - it runs in-process, so it works with any Python code (with or without a framework). There's a TS version too if your stack is in JS.
Would love to hear more about your agent framework!
I don't want to hijack your thread. My email is in my profile, I'd be glad to shoot you an in depth description of what I have so far.
> may have built observability dashboards and audit logs, but those are editable and partisan
Why would these be editable?
Because they live in infrastructure the vendor itself controls - there's some conflict of interest there. Things like retention, rotation, deletion, what gets included/excluded, etc are all decisions the vendor makes. Same reason why compliance requires audits!
The hash chain doesn't make the log unwritable, it makes any edit detectable.
PS: please try to break it - if you find that the report does not catch a deleted line, changed number, or modified record, I'd love to know!
And to start a discussion: if you sell or buy AI agent products, what do security reviews ask about them?
Looks very slop, but it’s a good idea. The main difficulty is that no big name is hosting a witness.
Fair point - I am a marketer by training and built this with some help from Claude! But appreciate the love.
If you find something/have feedback, please let me know and I'll gladly fix it.
Separately - 100% agree on the witness - only someone/thing outside the vendor can prove nothing was omitted. Who do you think fills that gap - is it an audit firm (my world), a standards body, or something else?