I'm currently working on an agent framework that has auditability as one of its core promises. I'm glad to see others are working in this domain!
I've seen other products/apps in this space farther up the stack at the API boundary.
What frameworks does your package work with? How does it handle intercept?
brian_kuan 1 hours ago [-]
There's no interception - it runs in-process, so it works with any Python code (with or without a framework). There's a TS version too if your stack is in JS.
Would love to hear more about your agent framework!
all2 40 minutes ago [-]
I don't want to hijack your thread. My email is in my profile, I'd be glad to shoot you an in depth description of what I have so far.
brian_kuan 32 seconds ago [-]
Sending you an email now!
brian_kuan 2 hours ago [-]
PS: please try to break it - if you find that the report does not catch a deleted line, changed number, or modified record, I'd love to know!
And to start a discussion: if you sell or buy AI agent products, what do security reviews ask about them?
ambicapter 1 hours ago [-]
> may have built observability dashboards and audit logs, but those are editable and partisan
Why would these be editable?
brian_kuan 54 minutes ago [-]
Because they live in infrastructure the vendor itself controls - there's some conflict of interest there. Things like retention, rotation, deletion, what gets included/excluded, etc are all decisions the vendor makes. Same reason why compliance requires audits!
The hash chain doesn't make the log unwritable, it makes any edit detectable.
nf-x 1 hours ago [-]
Looks very slop, but it’s a good idea. The main difficulty is that no big name is hosting a witness.
brian_kuan 59 minutes ago [-]
Fair point - I am a marketer by training and built this with some help from Claude! But appreciate the love.
If you find something/have feedback, please let me know and I'll gladly fix it.
Separately - 100% agree on the witness - only someone/thing outside the vendor can prove nothing was omitted. Who do you think fills that gap - is it an audit firm (my world), a standards body, or something else?
Rendered at 21:41:49 GMT+0000 (Coordinated Universal Time) with Vercel.
I've seen other products/apps in this space farther up the stack at the API boundary.
What frameworks does your package work with? How does it handle intercept?
Would love to hear more about your agent framework!
And to start a discussion: if you sell or buy AI agent products, what do security reviews ask about them?
Why would these be editable?
The hash chain doesn't make the log unwritable, it makes any edit detectable.
If you find something/have feedback, please let me know and I'll gladly fix it.
Separately - 100% agree on the witness - only someone/thing outside the vendor can prove nothing was omitted. Who do you think fills that gap - is it an audit firm (my world), a standards body, or something else?