
Introducing Project AIR

Evidence-grade infrastructure for accountable AI agents.

Every agent decision, signed. Every action, tamper-evident. Every chain, anchored to public infrastructure anyone can verify. MIT-licensed and on PyPI today.

Kevin Minn | May 26, 2026

What Project AIR is

Project AIR writes a Signed Intent Capsule for every AI agent decision. Each capsule carries a BLAKE3 content hash and an Ed25519 signature, chained to the previous step. The chain root is anchored to Sigstore Rekor (a public transparency log) and RFC 3161 trusted timestamps. The result is evidence that survives subpoena, survives the vendor, and survives the auditor's first question.

pip install projectair
air demo

That is the entire cold start. Two commands, ten seconds, and you have a signed forensic chain with 16 detectors running over it. No API keys, no cloud account, no agent wiring required.

The problem: AI agents act without evidence

When an AI agent breaks something in production, three questions follow: what happened, who authorized it, and can you prove it? Today the answer to all three is usually "we think so, based on logs." Application logs are mutable, unsigned, and vendor-controlled. They are not evidence. They are claims.

The gap is not detection (the security industry has that covered). The gap is proof. Proof that the agent was told to do X and did Y. Proof that no one altered the record after the fact. Proof that a human authorized the sensitive action, verified by a third-party identity provider, recorded in a chain that neither the agent vendor nor the customer can backdate.

That is what AIR builds. Not another detection layer. An evidence layer.
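The difference between a mutable log and a chained record can be shown in a few lines. This is an added illustration, not Project AIR's code or capsule format: hashlib.blake2b stands in for BLAKE3, signatures are omitted, and a separately held head hash plays the role of the Rekor anchor. The record fields and step values are constructed.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # constructed sentinel: "no previous record"

def record_hash(prev: str, payload: dict) -> str:
    # Canonical JSON so identical payloads always hash identically.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    # hashlib.blake2b stands in for BLAKE3, which is not in the standard library.
    return hashlib.blake2b(prev.encode() + body, digest_size=32).hexdigest()

def build(payloads: list) -> list:
    chain, prev = [], GENESIS
    for payload in payloads:
        digest = record_hash(prev, payload)
        chain.append({"prev": prev, "payload": payload, "hash": digest})
        prev = digest
    return chain

def verify(chain: list, anchored_head: str) -> str:
    prev = GENESIS
    for i, rec in enumerate(chain):
        if rec["prev"] != prev or rec["hash"] != record_hash(prev, rec["payload"]):
            return f"broken at step {i}"
        prev = rec["hash"]
    # Internal consistency is not enough: compare against the externally held head.
    return "ok" if prev == anchored_head else "head does not match anchor"

# Constructed sample steps (not AIR's capsule format).
STEPS = [
    {"tool": "read_file", "arg": "src/auth/login.py"},
    {"tool": "write_file", "arg": "src/auth/login.py"},
    {"tool": "run_tests", "arg": "tests/auth"},
]

def scenarios() -> dict:
    chain = build(STEPS)
    head = chain[-1]["hash"]  # the value that would be anchored externally
    edited = copy.deepcopy(chain)
    edited[1]["payload"]["arg"] = "src/billing/ledger.py"
    rebuilt = build([STEPS[0], {"tool": "write_file", "arg": "src/billing/ledger.py"}, STEPS[2]])
    return {
        "intact": verify(chain, head),
        "edited_in_place": verify(edited, head),
        "record_removed": verify(chain[:1] + chain[2:], head),
        "truncated": verify(chain[:2], head),
        "fully_rebuilt": verify(rebuilt, head),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

The fully rebuilt chain is internally consistent and fails only against the anchored head, which is why the head has to live somewhere the record's owner cannot rewrite.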

What shipped in 1.0: the five-layer stack

| Layer | What it does | Status |
|---|---|---|
| Detection | 16 detectors mapped to OWASP Top 10 for Agentic + LLM Applications | shipped |
| Trust Anchor | RFC 3161 timestamps + Sigstore Rekor transparency log | shipped |
| Causal Reasoning | air explain walks the chain, explains why a step happened | shipped |
| Containment | Halt agent actions; require Auth0-verified human approval | shipped |
| Handoff Protocol | Cross-agent chain of custody with W3C Trace Context + Rekor attestation | shipped |

Each layer is independently adoptable. A team can start with detection only and add anchoring, containment, or cross-agent trust as their deployment matures. The layers compose; they do not require each other.

16 detectors, mapped to public taxonomies

AIR ships 10 of 10 detectors from the OWASP Top 10 for Agentic Applications, 3 detectors from the OWASP Top 10 for LLM Applications, and 3 AIR-native detectors including NemoGuard cross-corroboration with NVIDIA NIM classifiers.

Every detector maps to a public taxonomy. No proprietary severity scales, no vague "risk scores." When AIR flags ASI02 (Tool Misuse), that is the same ASI02 your compliance team reads in the OWASP spec. The mapping is the documentation.

Works with the frameworks you already use

| Framework | Integration |
|---|---|
| LangChain | AIRCallbackHandler |
| OpenAI SDK | instrument_openai |
| Anthropic SDK | instrument_anthropic |
| Google Gemini SDK | instrument_gemini |
| Google ADK | instrument_adk |
| LlamaIndex | instrument_llamaindex |
| NVIDIA NeMo Guardrails | instrument_nemo_guardrails |
| NVIDIA NIM / vLLM / Groq / Together / Fireworks | instrument_openai |
| Custom code | AIRRecorder |

Any OpenAI-compatible endpoint works through instrument_openai, including self-hosted models on NVIDIA NIM, vLLM, and TGI. One integration covers the entire OpenAI-compatible ecosystem.

Structural verification: did the agent do what it was told?

Detection tells you what went wrong. Structural verification tells you whether the agent honored its declared intent. Declare what the agent is authorized to do (which tools, which paths, which network targets, whether secret access is allowed), and AIR verifies the chain against that declaration deterministically.

from airsdk import AIRRecorder, IntentSpec

spec = IntentSpec(
    goal="Refactor the auth module",
    allowed_tools=["read_file", "write_file"],
    allowed_paths=["src/auth/"],
    secret_access=False,
)
recorder = AIRRecorder("chain.jsonl", intent_spec=spec)

$ air verify-intent chain.jsonl

FAILED: 2 violations against declared intent
  SV-SECRET-01  CRITICAL  step 6: Secret material accessed outside declared scope
  SV-NET-01     CRITICAL  step 8: Network egress to undeclared destination

Four symbolic checks ship today: SV-SECRET (secret access), SV-NET (network egress), SV-SCOPE (tool scope), and SV-EXFIL (data exfiltration patterns with causal path tracing). The verdict is VERIFIED, FAILED, or INCONCLUSIVE. CI-friendly: air verify-intent exits with code 2 on FAILED.
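To make the idea of deterministic verification against a declared intent concrete, here is an added sketch (not AIR's implementation or record schema) that checks constructed chain records against a declaration shaped like the IntentSpec above. The record field names, the allowed_hosts field, filing path violations under SV-SCOPE, and the rule for INCONCLUSIVE are all assumptions of this example; SV-EXFIL is not modelled.

```python
import posixpath

# Constructed records; field names (step, tool, path, host, reads_secret) are
# assumptions for this sketch, not AIR's capsule schema.
CHAIN = [
    {"step": 1, "tool": "read_file", "path": "src/auth/login.py"},
    {"step": 2, "tool": "write_file", "path": "src/auth/../../.env"},
    {"step": 3, "tool": "read_file", "path": "src/auth/keys.py", "reads_secret": True},
    {"step": 4, "tool": "http_get", "host": "paste.example.net"},
]
# Mirrors the IntentSpec fields shown above; allowed_hosts is a hypothetical field.
SPEC = {"allowed_tools": ["read_file", "write_file"], "allowed_paths": ["src/auth/"],
        "allowed_hosts": [], "secret_access": False}

def in_scope(path: str, allowed_paths: list) -> bool:
    # Normalise before comparing so "src/auth/../../.env" cannot pass a prefix test.
    norm = posixpath.normpath(path)
    if norm.startswith(("/", "..")):
        return False
    roots = [a.rstrip("/") for a in allowed_paths]
    # Require a separator after the root so "src/authx/" does not match "src/auth".
    return any(norm == r or norm.startswith(r + "/") for r in roots)

def violations(chain: list, spec: dict) -> list:
    found = []
    for rec in chain:
        step = rec["step"]
        if rec["tool"] not in spec["allowed_tools"]:
            found.append(("SV-SCOPE", step, f"tool {rec['tool']} not declared"))
        # Filing path violations under SV-SCOPE is an assumption of this sketch.
        if "path" in rec and not in_scope(rec["path"], spec["allowed_paths"]):
            found.append(("SV-SCOPE", step, f"path {rec['path']} outside declared scope"))
        if rec.get("reads_secret") and not spec["secret_access"]:
            found.append(("SV-SECRET", step, "secret material accessed"))
        if "host" in rec and rec["host"] not in spec["allowed_hosts"]:
            found.append(("SV-NET", step, f"egress to undeclared host {rec['host']}"))
    return found

def verdict(chain: list, spec: dict) -> tuple:
    # Assumption: a chain with nothing to judge is INCONCLUSIVE rather than VERIFIED.
    if not chain or any("tool" not in rec for rec in chain):
        return "INCONCLUSIVE", []
    found = violations(chain, spec)
    return ("FAILED" if found else "VERIFIED"), found

if __name__ == "__main__":
    status, found = verdict(CHAIN, SPEC)
    print(status)
    for check, step, detail in found:
        print(f"  {check}  step {step}: {detail}")
```

Step 2 is the case worth noting: the raw path string begins with the allowed prefix, and only normalisation reveals that it resolves outside src/auth/.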

We run it on our own infrastructure

Every API request to vindicara.io is recorded as a signed AgDR chain using the same airsdk library customers use, anchored to public Sigstore Rekor every 60 seconds, and published as redacted JSONL.

Verify it yourself. The chain catalog, manifest, and every Rekor anchor are independently verifiable with zero Vindicara infrastructure in the path. If we stopped existing tomorrow, the proof would still stand.

Post-quantum ready (experimental)

AIR supports ML-DSA-65 (FIPS 204) post-quantum signatures as an opt-in experimental feature. Ed25519 remains the default. Mixed-algorithm chains (some records Ed25519, some ML-DSA-65) verify correctly. When quantum computing threatens Ed25519, your chains are already migration-ready.

What comes next

1.0 is the foundation. The roadmap includes HL7v2 + FHIR R4 clinical interop for healthcare deployments, learned-baseline behavioral detection, cross-tenant federation via Sigstore Fulcio, and framework-level containment interceptors for LangChain and OpenAI so step-up approval happens automatically. Each of these gets its own news cycle; we do not rush features to pad launch day.

Try it now

pip install projectair && air demo