Launching soon — Raucle Detect is open source on GitHub

Verifiable agent
accountability

A provable, independently verifiable record of every action your AI agents take — built for the audit problem regulated industries actually have, not just the attack problem the literature has been chasing.

Register Interest View on GitHub
YOUR ORG VERIFIED GATE TOOLS User request + tool schema Issuer Mints signed token Agent Emits tool call RAUCLE Gate · 8 checks Tool execution OpenAI · Anthropic · Azure · Bedrock · APIs CAPABILITY RECEIPT Ed25519-signed · content-addressed schema_hash · policy_proof_hash attenuation_chain · call_args_hash · sig INDEPENDENTLY VERIFIABLE — NO VENDOR CONTACT REQUIRED Regulator FCA · BaFin · NCA Partner gate Cross-org Internal auditor Periodic review Downstream tool Pre-execution check
3 / 0
Lean-mechanised soundness theorems · zero sorrys
720 / 720
Attacker-controlled tool calls provably blocked
+27–58pp
More legitimate work completed vs the strongest contemporary defence
0
Vendor trust required to verify a receipt
Platform

The accountability stack
for AI agents

Three primitives that together produce a verifiable receipt of every agent action.

Capability gate

Every agent tool call passes a gate that checks an Ed25519-signed capability token against the call arguments. Fail-closed by default. ALLOW or DENY decisions emit a cryptographic receipt; the gate's soundness is mechanised in Lean 4.

Verified policy registry

Each tool's security policy is verified by an SMT prover (Z3) to hold over every string the tool's JSON Schema admits — or a counterexample is extracted. The proof is content-addressed and cited by every capability token derived from it.

Cross-organisation receipts

Receipts are signed under a key your organisation publishes. A regulator, a partner organisation's gate, or a downstream tool can verify any receipt offline — schema, policy proof, attenuation chain, signature, argument hash — without contacting you.

Also includes

Runtime protections you'd expect from a gateway

AI Gateway

Reverse proxy in front of OpenAI, Anthropic, Azure, and Bedrock. Streaming SSE with minimal overhead. One endpoint for every provider.

Data Loss Prevention

Detects PII, credentials, API keys, NI numbers, NHS numbers, and IBANs in prompts, outputs, and tool arguments.

Shadow AI Discovery

Which AI tools are in use across your organisation, by which department. Sanction, review, or block.

Prompt injection detection

Three-layer pattern + heuristic + ML pipeline. One of the gate's verifications — not the headline.

Architecture

How it works

Every agent action passes a gate whose decision is a signed, content-addressed receipt that any third party can verify offline.

CAPABILITY FLOW User request Issuer Mints signed capability token Agent Emits tool call + token RAUCLE Gate · 8 checks Tool execution CAPABILITY RECEIPT Signed, content-addressed, Ed25519 issuer_cert · schema_hash policy_proof_hash · lean_theorem_id attenuation_chain · call_args_hash decision · timestamp · signature Verifiable offline · no vendor contact required AUDIT CHAIN Merkle-chained, periodically signed Every receipt linked to the previous; root signed. Tampering invalidates either signature or hash. INDEPENDENTLY VERIFIABLE Regulator FCA · BaFin · NCA Partner gate Cross-organisation Downstream tool Pre-execution check Internal auditor Periodic review RECEIPT

A regulator, a partner organisation's gate, or a downstream tool can verify any receipt offline — checking signature, schema hash, policy proof, attenuation chain, and argument hash against the issuer's published material. No information asymmetry remains between the operator and the auditor.

Anatomy of a receipt

What a receipt looks like —
and how it's verified

The hero artefact, the same in every deployment, signed under the deploying organisation's own key. Two side-by-side examples below: one ALLOW receipt for an authorised action, one DENY receipt where the gate caught a scope violation by the same agent moments later.

ALLOW Receipt #8416 · 08:15:22.041Z 
{
  "issuer":            "acme.bank.kyc-platform",
  "issuer_pubkey":     "ed25519:MCowBQYDK2VwAyEA9f8e2a47b4c1…",
  "schema_hash":       "sha256:9f8e2a47bcd1…b4c1",
  "policy_proof_hash": "sha256:4b78e687a3f1…203f",
  "lean_theorem_id":   "vcd_kyc_lookup_v1.policy_completeness",
  "attenuation_chain": [
    "root:acme.bank.root",
    "tok_kyc_2026Q3",
    "tok_session_a7f3b2"
  ],
  "agent_id":          "kyc-agent-prod-eu-west-1",
  "tool":              "crm.lookup_customer",
  "call_args_hash":    "sha256:8ba704819c2a…6c2a",
  "decision":          "ALLOW",
  "decision_reason":   "constraints satisfied",
  "timestamp":         "2026-05-27T08:15:22.041Z",
  "signature":         "ed25519:rJk7Q1xS3v…"
}
Authorised KYC lookup. The agent's in-force token covers crm.lookup_customer; the call's argument hash satisfies the token's constraint set; the gate admits the call and signs the receipt.
DENY Receipt #8417 · 08:15:24.137Z 
{
  "issuer":            "acme.bank.kyc-platform",
  "issuer_pubkey":     "ed25519:MCowBQYDK2VwAyEA9f8e2a47b4c1…",
  "schema_hash":       "sha256:c769f3a2d40b…a8e7",
  "policy_proof_hash": "sha256:4b78e687a3f1…203f",
  "lean_theorem_id":   "vcd_kyc_lookup_v1.policy_completeness",
  "attenuation_chain": [
    "root:acme.bank.root",
    "tok_kyc_2026Q3",
    "tok_session_a7f3b2"
  ],
  "agent_id":          "kyc-agent-prod-eu-west-1",
  "tool":              "payments.transfer_funds",
  "call_args_hash":    "sha256:e21d0a4f76b8…9c3b",
  "decision":          "DENY",
  "decision_reason":   "tool not in token's allowed-tool set; authorised: {crm.lookup_customer}",
  "timestamp":         "2026-05-27T08:15:24.137Z",
  "signature":         "ed25519:tF9pXyz2sW…"
}
Two seconds later, the same agent attempts a fund transfer. The KYC token doesn't authorise payments.transfer_funds; the gate refuses and signs the refusal. The denial itself is tamper-evident audit evidence.
External

An FCA examiner audits Q3 activity

Five offline checks per receipt. No call to the bank. No call to Raucle.

  1. Fetch the bank's published issuer pubkey, schema registry, policy registry, and Lean development URL — all signed and rotated according to a documented schedule.
  2. Verify each receipt's Ed25519 signature against the published pubkey.
  3. Match schema_hash against the published schema registry — confirms the tool's contract was the published one, not a substituted variant.
  4. Match policy_proof_hash against the published policy registry — confirms the agent ran under an approved policy.
  5. Rebuild the published Lean development and confirm the cited lean_theorem_id closes — the soundness claim is machine-checked, not asserted.
  6. Verify call_args_hash satisfies the policy's constraint set for the cited tool — the specific call really was authorised.

Conclusion: the bank did exactly what its approved policy says, every action in the quarter, demonstrably and without information asymmetry between bank and regulator.

Internal

An AppSec team governs in-house dev

Same artefact, different verifier. Receipts replace code review as the scope-adherence check.

  1. AppSec maintains an approved-policy registry — each entry is a policy_proof_hash whose corresponding policy AppSec has reviewed and signed off.
  2. Dev team builds a KYC agent and emits receipts as it runs in staging. The receipts go nowhere special — just the audit log.
  3. AppSec runs a nightly job over staging receipts: every receipt's policy_proof_hash must appear in the approved registry. Any unknown hash blocks release.
  4. AppSec spot-checks by picking any receipt and re-deriving whether its call_args_hash satisfies the cited policy. (It always does — the gate enforced it — but the verifier can prove it independently.)
  5. Production deploy gates on a clean receipt sweep. Agents that emit only known-policy receipts ship; agents whose behaviour drifts off-scope are caught before prod.

Conclusion: AppSec audits scope adherence without reading the agent's code. The dev team ships faster because the scope check is automated and objective, not a manual review queue.

Same primitive. Two buyers. The regulator who has to audit your AI in production. The AppSec team who has to govern the AI your developers are shipping. Both verify the same signed receipt against the same published policy registry. The audit, the governance, and the evidence trail collapse into one cryptographic artefact.

Receipts in flight

Every action your agents take —
signed, content-addressed, verifiable

Whether a tool call is admitted or denied, Raucle emits a capability receipt — citing the issuer's key, the verified policy, the Lean theorem, the attenuation chain, and a hash of the actual arguments. The audit trail you hand to a regulator is built by your agents in real time, not reconstructed from logs months later.

  • Every ALLOW carries a proof. The capability token cites a policy verified to hold over every schema-valid call. The receipt names the Lean theorem behind the soundness claim.
  • Every DENY carries a reason. Structured rejection — which constraint failed, against which policy hash. Auditable, comparable across time.
  • Every chain is offline-verifiable. Attenuation chains link back to a pinned root your organisation publishes. No vendor contact required to verify.
  • Every receipt is content-addressed. Tampering invalidates either the signature or the hash. Tamper-evident audit by construction.
Capability Receipt Stream
Live — 3 agents active
DENY · agent_id outside token scope Receipt cites policy_proof_hash 7f3a…; deploy-bot tool=shell_exec not in token's allowed-tool set.
Receipt #8421
DENY · args fail policy constraint Receipt cites policy_proof_hash 4b78…; research-agent tool=http_post recipient host not in allowed_hosts.
Receipt #8420
DENY · schema_hash mismatch Receipt cites schema_hash 9f8e…; MCP tool file_reader presented mismatching schema — possible rug pull.
Receipt #8419
DENY · token attenuation violated Receipt cites attenuation_chain root → s-1 → s-2; code-assistant attempted child-broader permission — structurally impossible.
Receipt #8418
ALLOW · with rate-policy flag Receipt cites policy_proof_hash c769…; analytics-bot 847 calls/3s within token's rate envelope but flagged for review.
Receipt #8417
ALLOW · constraints satisfied Receipt cites policy_proof_hash 8ba7…; support-agent tool=search_knowledge_base args match in-force token.
Receipt #8416
DENY · injection in tool input Receipt cites policy_proof_hash 4b78…; email-drafter tool args bound at mint time disagree with model-emitted call.
Receipt #8415
Open Source

Raucle Detect
detection engine

Latest release: v0.18.0

The core engine that powers Raucle is the open-source raucle-detect library — released under AGPL-3.0-or-later, with a commercial licence available for licence-incompatible uses. It ships the SMT-backed policy prover, the Ed25519 capability primitives, the gate, and the audit chain. The commercial platform adds the multi-tenant management layer, a dashboard surfacing the receipt graph, the audit-export PDF that a regulator can consume, and managed key rotation.

  • Non-BMP object-key ordering diverged across the five reference encoders.
  • All Python signed-material canonicalisers (provenance, capability, prove, audit, feed, verdicts) and the OWASP cap-verifier share one UTF-16 canonicaliser (raucle_detect/_canon.py).
  • New interop test vectors — canonicalization_vectors and invalid_canonicalization_vectors in the published v1 set, including an A2A/APS action_ref-shaped vector.
  • reference/canon_conformance.py — drives all five encoders and proves 5-language byte-identity on the published vectors, non-BMP probes, and invalid-rejection.
  • Verifiers reject unsorted/duplicate parents/taint;
  • The OWASP cap-verifier reference brought to single-token parity with the gate (numeric/NaN/safe-int, unknown kinds, bool bounds, agent-id regex, NFC field names, constraint shapes, attenuation-chain deny, empty-field rejection).

What's new in v0.18.0: Added, Docs, Fixed — cross-language byte-identity (security/correctness), Hardened — capability gate / cap-verifier parity (fail-closed). Read the changelog →

The Raucle commercial platform builds on the open-source engine with the dashboard, audit-export PDF, and managed deployment regulated industries need.

Star on GitHub
terminal
$ pip install raucle-detect # 1. Issuer mints a signed capability from the user's request $ raucle-detect cap keygen acme.bank --out issuer $ raucle-detect cap mint \     --key issuer.key --issuer acme.bank \     --agent-id agent-1 --tool transfer_funds \     --constraints user-request.json \     --ttl-seconds 60 --out token.json # 2. The gate checks every tool call against the token $ raucle-detect cap check token.json \     --pubkey issuer.pub \     --tool transfer_funds --args call.json ALLOW # 3. Any third party verifies the token's signature offline $ raucle-detect cap verify token.json --pubkey issuer.pub VERIFIED  # signature OK; policy_proof_hash chains to published proof
Ecosystem

Plugs into the agent stacks
you already run

Raucle is a sidecar, not a framework. It composes with the platforms enterprises are already deploying — including Microsoft's. The capability-receipt artefact is what makes coexistence work: raucle emits the audit primitive your framework's policy engine doesn't produce, without displacing what your framework already does.

Microsoft Agent Framework

A drop-in FunctionMiddleware that runs at Microsoft's documented (context, call_next) hook. One line at agent construction. Verified against agent-framework 1.6 with 9 / 9 tests passing. pip install raucle-detect[agent-framework].

Working integration · v0.11

Microsoft Agent Governance Toolkit

Composes alongside AGT's in-process policy engine through the ExternalPolicyBackend Protocol. raucle's contribution at microsoft/agent-governance-toolkit#2610 — adding proof_artefact and verification_pointers carry-through — merged upstream on 2026-05-27, so high-assurance backends attach offline-verifiable evidence to the AGT audit chain.

Merged upstream

Azure AI Foundry · MCP Gateway

Microsoft's AI gateway explicitly does not log tool traces. Raucle deployed as an APIM backend pool member fills exactly that gap — EU AI Act Article 12 evidence Foundry alone cannot supply.

Pattern · ships today

Also in scope: LangChain runnables, AutoGen (subsumed by Agent Framework 1.0), Vercel AI SDK middleware, the OpenClaw plugin (shipped), and MCP servers via the gateway pattern. The next integration is whichever the contributor base prioritises — design docs and skeletons live in docs/proposals.

Compliance

Audit evidence,
not vendor assurance

EU AI Act Article 12 (logging) and Article 26 (deployer obligations) require audit logs that survive independent scrutiny. FCA model-risk-management expects defensible evidence of model behaviour. Raucle produces it — exportable, content-addressed, signed, and verifiable by your regulator without contacting us.

EU AI Act Art. 12 / Art. 26

Capability receipts satisfy the audit-logging obligations for high-risk AI systems, exportable to a national competent authority offline.

FCA model-risk-management

Defensible evidence of every model-mediated decision in regulated finance — what the agent did, by whose authority, against which verified policy.

UK data residency

Receipts and the issuer key stay in the jurisdiction you choose. No transatlantic transfers required to verify.

ISO/IEC 42001 aligned

Auditable AI Management System artefacts — capability receipts, policy proofs, and the Lean development together form a ready-to-submit AIMS evidence pack.

Cryptographic accountability
for AI in regulated industries

Receipts your auditors verify offline. Policies your prover certifies. Soundness your reviewers can re-check in Lean 4. Be first to know when Raucle launches.

Register Interest Explore Raucle Detect