Skip to main content
Customer-hosted by default

Control and prove every AI agent action

Policy-driven gate. Human approval when it matters. Audit-grade evidence bundles. No vendor lock-in.

Customer-hosted · Your data, your evidence · Guardians, not barriers

Request Early Access See how it works
proofstream-operator-ui.local:8787

Recent Runs

Live
slack-notify
agent: deploy-bot-01
2m ago
Executed
signal-alert
agent: monitoring-agent
Just now
Pending Approval
api-webhook
agent: unregistered
5m ago
Blocked

Evidence Bundle

manifest.json
correlation_id: corr_8f3a2b...
checksums: sha256:a1b2c3...
artifacts: 3 files

Why ProofStream exists

AI agents can send messages, trigger workflows, and take irreversible actions. Today many deployments have dangerous gaps.

No policy gate

No allow/deny by agent, action, or destination. Actions can go to arbitrary endpoints unchecked.

No human-in-the-loop

No approval path for high-risk or anomalous actions. Critical decisions happen without oversight.

No audit trail

When auditors ask "what did this agent do?", there's no portable, tamper-evident evidence.

Built for: Platform engineers, DevOps, and security teams who need governance, evidence, and control without becoming the bottleneck.

ai-agent-47 UNCONTROLLED
POST https://hooks.slack.com/services/...
Payload: { "text": "Production database deleted" }
⚠️ No policy check · No approval · No evidence
ProofStream Gateway GOVERNED
Policy: Allow slack/ops for deploy-bot-01
Risk tier: Medium → Requires approval
✓ Scoped autonomy · Exception-path approval · Full evidence

How it works

Four steps to governed, evidenced agent actions

1

Invoke

Your agent sends an action to the ProofStream gateway with agent ID, action type, and destination key. No raw URLs or secrets in the policy layer.

POST /invoke
dest_key: "ops"
action: "slack-notify"
2

Evaluate

Policy allows or denies. High-risk actions or anomalies trigger an approval record. Low-risk actions flow through scoped autonomy.

Allow Pending Deny
3

Approve or Block

Operators review pending approvals in the UI or via API. Approve with rationale or deny. Execution happens only after approval when required.

Approval: "Emergency deploy"
Rationale: "Incident response"
4

Execute & Evidence

Connector runs (Slack, Signal, etc.). Every run emits trace events and an exportable evidence bundle with manifest, checksums, and correlation ID.

bundle.zip
├─ manifest.json
├─ events.jsonl
└─ checksums.sha256

Scenario 1: Auto-Approved

LOW RISK

deploy-bot-01 → Slack #ops

User action: DevOps runs ./deploy prod v2.4.1

What happens: Registered agent posts "Deploy v2.4.1 complete ✓" to approved #ops channel. Policy allows it — known agent, low-risk action, scoped destination. Executes instantly with full evidence trail.

Scenario 2: Requires Approval

HIGH RISK

monitoring-agent → Signal #secops

User action: Anomaly detection triggers "Suspected data exfiltration pattern detected"

What happens: Agent wants to alert security via Signal. High-risk tier + sensitive destination → pauses for approval. SecOps reviews alert context, confirms it's legitimate, approves with "Incident response — investigating S3 access spike."

Scenario 3: Blocked

CRITICAL

unregistered → external API

User action: Rogue script attempts POST https://api.competitor.com

What happens: Unregistered agent trying to reach external endpoint. Fail-closed policy blocks immediately — no agent manifest, no destination key, clear violation. Evidence bundle captures full attempt for security investigation.

Interactive Workflow Simulator
request → decision → approval (if needed) → connector → evidence bundle
corr_id:

Interactive workflow simulator is best viewed on desktop

View on a larger screen to see the animated demo

This demo mirrors the product logic: destination keys, fail-closed gating, optional human approval, then connector execution and a portable evidence bundle.

What you get

Built for security, compliance, and velocity

Policy-first

Allow/deny by agent, action, and destination key. Agent manifests restrict allowed actions. Fail-closed if raw URLs detected in policy.

Fail-closed by default

Approval Workflow

Exception-path approvals with rationale. Operator UI and API support. Policy-driven and timeboxed. Guardians, not barriers.

Exception-path only

Evidence Bundles

Export a ZIP per run with manifest and SHA-256 checksums. Correlation ID ties request → decision → outcome. Ready for compliance.

Tamper-evident

Customer-hosted

Run in your environment. Evidence stays yours. Optional export to your own storage (S3). No SaaS control plane holding your content.

Zero vendor lock-in

Runs Dashboard

Operator UI shows recent runs, outcomes (executed/blocked/failed), and failure counts. Real-time visibility into agent activity.

Real-time visibility

CLI & Connectors

psctl for agent registration, policy apply, and evidence export. Connectors for Slack and Signal (more coming). Teams that need SSO, RBAC, or premium connectors can get in touch for extended capabilities.

psctl + HTTP API
events/2024-01-15.jsonl
{"ts":"2024-01-15T09:23:01Z",
"type":"action.requested",
"correlation_id":"corr_8f3a2b9d",
"agent_id":"deploy-bot-01",
"action":"slack-notify",
"dest_key":"ops"}
{"ts":"2024-01-15T09:23:02Z",
"type":"decision.approval_required",
"correlation_id":"corr_8f3a2b9d",
"reason":"risk_tier:high"}
{"ts":"2024-01-15T09:24:15Z",
"type":"approval.granted",
"correlation_id":"corr_8f3a2b9d",
"operator":"[email protected]",
"rationale":"Incident response"}
{"ts":"2024-01-15T09:24:16Z",
"type":"action.executed",
"correlation_id":"corr_8f3a2b9d",
"connector":"slack",
"status":"success"}
Correlation ID: corr_8f3a2b9d

Audit-grade evidence

Every action produces a complete trace. From request to decision to outcome, everything is logged, checksumed, and exportable.

  • JSONL event stream Date-based files with correlation IDs for easy log tailing and audit integration
  • Evidence bundles Exportable ZIP with manifest, SHA-256 checksums, and all artifacts per run
  • Complete traceability Correlation ID ties request → decision → approval → outcome in an unbroken chain
Compliance Ready

Evidence bundles are designed for forensics and compliance audits. Tamper-evident checksums ensure integrity from creation to review.

Try it in 5 minutes

Run locally with Docker or Python. No signup required.

Quick Start
# Clone and start
git clone https://github.com/proofstream/gateway
cd gateway
# Option 1: Docker
docker compose up --build
# Option 2: Local Python
python -m venv venv
source venv/bin/activate
make dev
5-Minute Demo
3 invocations
# 1. Valid request → Approved → Executed
psctl invoke --agent deploy-bot --action slack --dest ops
# 2. Invalid request → 4xx (fail-closed)
psctl invoke --agent unknown --action api
# 3. Policy denied → Blocked
psctl invoke --agent test --action admin-delete
# Export evidence
psctl export corr_8f3a2b9d

Then open the Operator UI:

http://127.0.0.1:8787/ui/approvals

FAQ

Common questions about ProofStream

ProofStream is customer-hosted. Events and evidence stay in your environment. You can export bundles to your own storage (e.g., S3). We don't run a SaaS control plane that holds your content.
No. Approvals are the exception path. Policy defines which actions require human approval (e.g., high-risk or anomaly). Low-risk actions within scoped autonomy execute without blocking.
Invalid requests (malformed payload, policy violation, or raw URLs in policy) are rejected. The system denies by default when it can't make a safe decision. Security over convenience.
Yes. psctl handles agent registration, policy apply, approvals, approve/deny, and evidence export. The gateway exposes HTTP APIs for invoke, export, and approval; the operator UI uses them.
Slack (Incoming Webhook) and Signal (demo/mock) in the current release. More connectors and policy packs are on the roadmap. Custom connectors can be built using our SDK.
Yes. For teams that need identity (OIDC/mTLS), RBAC approvers, signed manifests, or premium connectors and support, we offer extended capabilities. Reach out via the contact link below for details.

Ready to govern your agents?

Join the early access program and be the first to implement audit-grade control for your AI agents.

No spam. We'll contact you about early access and documentation. Need identity, RBAC, or premium connectors? Get in touch.

Customer-hosted
No data lock-in
SOC 2 Ready