Cryptographic execution integrity for AI agents.
Every action authorized. Every deviation blocked. Every event tamper-evident.
The Gap
Current AI security tools answer whether an agent is allowed. LICITRA answers whether the action that executed matched what was approved.
Most tools answer: "Is this agent allowed to do this?"
Authorization checks pass. The agent proceeds. Nothing verifies that what executes matches what was approved.
LICITRA answers: "Did the action that actually executed match — byte for byte — what was approved?"
Cryptographic proof. Tamper-evident audit chain. Third-party verifiable inclusion proof.
Architecture
Every agent action passes through the complete pipeline. No bypass. Every decision written to the MMR audit chain.
Intent scanner. LLM01 injection scanner: 8 patterns, HIGH/MEDIUM severity, INJ001–INJ008.
Policy layer. Rate limits, daily budget, allowed actions and resources. Race-condition safe with SELECT FOR UPDATE.
Execution ticket. Ed25519 signed. SHA-256 payload hash bound. JTI for replay prevention.
12-check verifier. Signature, expiry, replay, payload hash, action, resource, schema, injection rescan.
MMR audit chain. Tamper-evident append. O(log N) inclusion proof. mmr_detect_tampering() on every read.
OWASP LLM Top 10
Every claim is verifiable directly from the codebase. No broad coverage claims that cannot be substantiated.
8 patterns scanned at intent creation and re-scanned at execution. INJ001–INJ008, HIGH/MEDIUM severity.
JSON Schema validation at Check 9. additionalProperties enforced. Schema declared at agent registration.
12-check cryptographic verification pipeline. Exact action, resource, and payload hash binding per ticket.
Per-agent hourly and daily action limits. Daily budget caps. Race condition safe with SELECT FOR UPDATE.
Quick Start
Docker Desktop and Git are the only prerequisites. No local Python setup required.
git clone https://github.com/narendrakumarnutalapati/licitra-execution-gateway
cd licitra-execution-gateway
cp .env.example .env
make up      # starts API + React dashboard + PostgreSQL
make seed    # populates with 46 realistic events
# Open http://localhost:5173
Attack Demos
Each demo runs the full pipeline and returns the blocking reason, verification diff, evidence ID, and millisecond timing.
Check 8 · Payload hash mismatch
Check 5 · JTI already consumed
Intent scanner · INJ pattern matched
Check 9 · Output schema invalid
Policy layer · Hourly limit exceeded
mmr_detect_tampering() · Root hash mismatch
Check 11 · Agent scope exceeded
Check 4 · Ticket expiry exceeded
Check 1 · Agent not registered
v1.2 roadmap · Check 13
Research Foundation
This gateway is the reference implementation of the LICITRA research series, published on Zenodo and credited in OWASP GenAI Data Security Risks v1.0.
Execution tickets and witnessed transparency for runtime enforcement. Five-gate Chain of Intent authorization pipeline. Ed25519 signed tickets with JTI replay protection.
doi.org/10.5281/zenodo.18860290
Merkle Mountain Range audit ledger for tamper-evident accountability. O(log N) inclusion proofs. Position-binding leaf hashes preventing swap attacks.
doi.org/10.5281/zenodo.18843032
Reference implementation. 91 tests. FastAPI + PostgreSQL + React. Docker Compose. Full Ed25519 ticket lifecycle, 12-check verifier, MMR audit chain, PDF evidence generation.
doi.org/10.5281/zenodo.20634496