Cryptographically verifiable behavior logs for AI agents.
You can trust an agent. But you should be able to verify.
Millions of AI agents are writing code, sending emails, making API calls, and accessing sensitive data — right now, today. But there's no way to answer a simple question:
"What exactly did the agent do?"
- An agent reviews your PR. Did it also read your
.env.production? - An agent writes code to your repo. Can you prove it didn't exfiltrate source code?
- An agent accesses customer data. Can you show the auditor exactly what it touched?
- Three agents work in a chain. One made a bad call. Which one?
Git tracks what humans commit. Firewalls track what servers send. Nothing tracks what AI agents actually do.
soma-proof is the missing audit layer for the agent era.
┌──────────────────────────────────────────────────────┐
│ AI Agent Runtime │
│ (soma-work, OpenClaw, LangGraph, ...) │
└───────────────────────┬──────────────────────────────┘
│ tool_use / tool_result events
▼
┌──────────────────────────────────────────────────────┐
│ soma-proof │
│ │
│ Record ──→ Hash Chain ──→ Verify ──→ Anchor │
│ │
│ ┌─────────┐ ┌───────────┐ ┌──────────────────┐ │
│ │ SQLite │ │ Merkle │ │ L2 Blockchain │ │
│ │ (local) │ │ Tree │ │ (Base, Arb) │ │
│ │ │ │ │ │ │ │
│ │ Full │ │ Periodic │ │ Tamper-proof │ │
│ │ action │ │ batching │ │ timestamp │ │
│ │ history │ │ of trace │ │ anchor │ │
│ │ │ │ heads │ │ │ │
│ └─────────┘ └───────────┘ └──────────────────┘ │
│ │
│ Query ◄── Anomaly Detection ◄── Trust Scoring │
└──────────────────────────────────────────────────────┘
Every action an AI agent takes — every file read, file write, shell command, API call — is captured, hashed into a tamper-proof chain, and periodically anchored to a public blockchain. The full data stays local. Only a 32-byte hash goes on-chain.
Cost: ~$0.72/month for 10 agents. Mathematically tamper-proof.
Each user request ("Review PR #42") creates an independent hash chain called a trace. No global chain. No concurrency conflicts. 10,000 agents can run simultaneously with zero collisions.
User: "Review PR #42"
│
▼
Trace-7f3a (independent hash chain)
│
┌────┴────────────────────────────────────────────┐
│ │
Action 0: user_input │
hash: SHA-256(GENESIS + payload) │
│ │
Action 1: tool_use [file_read] src/auth.ts │
hash: SHA-256(prev_hash + payload) │
│ │
Action 2: tool_use [file_read] src/db.ts │
hash: SHA-256(prev_hash + payload) │
│ │
Action 3: tool_use [shell] npm test │
hash: SHA-256(prev_hash + payload) │
│ │
Action 4: agent_response "Review complete..." │
hash: SHA-256(prev_hash + payload) ← trace head │
└──────────────────────────────────────────────────┘
If any action in the chain is modified after the fact, every subsequent hash breaks. Tampering is immediately detectable.
| Layer | Where | What | Cost |
|---|---|---|---|
| L1 | SQLite (local) | Full action history, raw data | $0 |
| L2 | Merkle Tree | Periodic batch of trace heads | Computed locally |
| L3 | L2 Chain (Base/Arbitrum) | Merkle root only (32 bytes) | ~$0.001/tx |
The blockchain doesn't store your data. It stores proof that your data existed at a specific point in time and hasn't been modified since.
Every hour (configurable):
Active traces:
Trace-A (head: 0xabc...) ─┐
Trace-B (head: 0xdef...) ─┤
Trace-C (head: 0x123...) ─┤── Merkle Tree ── Root: 0x789...
Trace-D (head: 0x456...) ─┘ │
▼
L2 Transaction
(one tx, ~$0.001)
Incident Response — Production goes down. Trace back through the agent's exact chain of actions to find which file change, which test was skipped, which assumption was wrong. In minutes, not hours.
Code Provenance — git blame shows who committed. soma-proof shows which agent generated it, what context it used, what files it referenced, and whether a human actually reviewed the diff.
Security Audit — "Show me every external API call our agents made this month." One query. Cryptographically complete.
Compliance — Regulated industries (finance, healthcare, legal) require audit trails. AI agents without verifiable behavior logs cannot pass compliance review. soma-proof makes agent adoption possible in environments where it's currently blocked.
Data Loss Prevention — Track every file an agent accessed and every external endpoint it contacted. Detect unauthorized data flows in real time.
Vendor Risk — Using third-party agent plugins or MCP tools? Verify that a plugin's actual behavior matches its declared permissions. Detect silent data exfiltration.
Trust Scoring — An agent with 10,000 verified traces and 0 anomalies has earned trust. Dynamically grant more autonomy to proven agents, require approval for untrusted ones.
Multi-Agent Accountability — Agent A writes code → Agent B reviews → Agent C deploys. When something breaks, trace responsibility through the entire chain.
Agent Marketplaces — Publish cryptographic proof that your agent/skill/plugin behaves as advertised. Not reviews. Not ratings. Math.
npm install soma-proofimport { SomaProof } from 'soma-proof';
const proof = new SomaProof({
storage: './agent-audit.db', // SQLite path
anchor: {
chain: 'base', // L2 chain for anchoring
interval: '1h', // anchor every hour
wallet: process.env.WALLET_KEY,
}
});
// Start a trace when a task begins
const trace = await proof.startTrace({
userId: 'U-alice',
agentId: 'agent-01',
intent: 'Review PR #42',
});
// Record each agent action
await trace.record({
actionType: 'tool_use',
toolName: 'file_read',
input: { path: 'src/auth.ts', lines: '1-50' },
output: { content: fileContent, bytes: 1200 },
resourcesAccessed: ['src/auth.ts'],
});
await trace.record({
actionType: 'tool_use',
toolName: 'shell',
input: { command: 'npm test' },
output: { exitCode: 0, stdout: '...' },
});
// Complete the trace
await trace.complete();// Verify a trace's hash chain
const result = await proof.verify(traceId);
// { valid: true, actionCount: 12, brokenAt: null }
// Verify on-chain
const onchain = await proof.verifyOnChain(actionId);
// { verified: true, block: 12345678, chain: 'base', explorerUrl: '...' }// What files did agents modify today?
const actions = await proof.query({
resourcesModified: 'src/**',
since: '2026-04-05',
});
// All external API calls this week
const external = await proof.query({
toolName: 'http_request',
since: '2026-03-30',
});
// Anomalies
const anomalies = await proof.getAnomalies('agent-01');
// [{ reason: 'first_time_external_endpoint', detail: 'api.stripe.com', risk: 'high' }]interface AgentAction {
id: string;
traceId: string;
sequence: number;
agentId: string;
userId: string;
model: string;
actionType: 'tool_use' | 'tool_result' | 'user_input' | 'agent_response';
toolName?: string;
inputHash: string; // SHA-256 of input
outputHash: string; // SHA-256 of output
inputSummary: string; // Human-readable
outputSummary: string;
resourcesAccessed: string[];
resourcesModified: string[];
externalEndpoints: string[];
prevHash: string; // Previous action in this trace
hash: string; // SHA-256(prevHash + payload)
timestamp: string;
durationMs: number;
permission: 'auto' | 'user_approved' | 'denied';
}No global chain. No consensus algorithm. Each trace is an independent hash chain.
User A, Task 1: Genesis → A₁ → A₂ → A₃ (independent)
User A, Task 2: Genesis → A₁ → A₂ (independent)
User B, Task 1: Genesis → B₁ → B₂ → B₃ → B₄ (independent)
Anchor (hourly):
Merkle Root → L2
/ | \
A-T1.head A-T2.head B-T1.head
10,000 concurrent agents. Zero conflicts. Each trace maps naturally to a Slack thread, a CI job, or an API request.
Minimal. Stores only 32-byte merkle roots.
contract AgentAuditAnchor {
struct Anchor {
bytes32 merkleRoot;
uint64 startTime;
uint64 endTime;
uint32 actionCount;
address agent;
}
mapping(address => Anchor[]) public anchors;
function anchor(bytes32 root, uint64 start, uint64 end, uint32 count) external;
function verify(address agent, uint256 index, bytes32 leaf, bytes32[] proof) external view returns (bool);
}"Prove agent didn't access production DB on April 3rd"
1. Query local SQLite → 0 matching actions
2. Find anchor covering April 3rd → Anchor #47
3. Generate merkle proof for relevant traces
4. Verify on-chain: contract.verify() → true
5. Result: "No production DB access recorded.
This record was anchored at block #12345678
on Base L2 at 2026-04-03T21:00:12Z.
Tampering is mathematically impossible."
// In ClaudeHandler stream processing
import { SomaProof } from 'soma-proof';
const proof = new SomaProof(config);
async function handleStreamEvent(event, trace) {
if (event.type === 'tool_use') {
await trace.record({
actionType: 'tool_use',
toolName: event.tool.name,
input: event.tool.input,
resourcesAccessed: extractResources(event),
});
}
}soma-proof is framework-agnostic. If your agent emits tool calls, soma-proof can record them.
// LangChain
chain.on('tool_start', (tool, input) => trace.record({ ... }));
chain.on('tool_end', (tool, output) => trace.record({ ... }));
// OpenClaw / any MCP-based agent
mcpServer.on('tool_call', (call) => trace.record({ ... }));| Method | Description |
|---|---|
proof.startTrace(opts) |
Start a new trace (returns Trace) |
trace.record(action) |
Record an action in the trace |
trace.complete() |
Mark trace as completed |
| Method | Description |
|---|---|
proof.verify(traceId) |
Verify hash chain integrity |
proof.verifyOnChain(actionId) |
Verify against L2 anchor |
proof.getProof(actionId) |
Generate merkle proof |
| Method | Description |
|---|---|
proof.query(filters) |
Search actions by resource, tool, time |
proof.getTrace(traceId) |
Get full action chain |
proof.getAnomalies(agentId) |
Behavioral anomalies |
proof.getTrust(agentId) |
Trust score and stats |
| Method | Description |
|---|---|
proof.anchor() |
Manually trigger L2 anchoring |
proof.getAnchors(since) |
List anchor history |
| Scale | Agents | Actions/day | L2 Cost/month |
|---|---|---|---|
| Team | 10 | 6,000 | $0.72 |
| Startup | 100 | 60,000 | $7.20 |
| Enterprise | 1,000 | 600,000 | $72 |
| Platform | 10,000 | 6,000,000 | $720 |
Local storage (SQLite): free. The only cost is L2 gas for anchoring, which is one transaction per batch regardless of how many actions are included.
- Action data model and hash chain
- SQLite storage with full query support
- Merkle tree batching and L2 anchoring
- Anomaly detection (behavioral profiling)
- Trust scoring and dynamic permissions
- Dashboard UI
- soma-work integration
- Framework adapters (LangChain, CrewAI, OpenClaw)
- Enterprise: SSO, RBAC, compliance reports
- Multi-agent trace linking
AI agents are the most powerful tools humans have ever built. Power without accountability is dangerous. But accountability doesn't have to mean surveillance or restriction — it means transparency.
soma-proof doesn't limit what agents can do. It makes what they did provable.
In a world where AI agents write code, manage finances, handle healthcare data, and make decisions on behalf of humans — the ability to verify their behavior isn't a feature. It's infrastructure.
soma (σῶμα) — body soma-proof — proof of what the body did
MIT
Built by 2lab.ai