Vaara is the tamper-evident runtime evidence layer for AI systems. It turns every action an agent takes into a record an outside party can verify without trusting you, then binds that record to the machine's own TPM 2.0 + IMA attestation. EU AI Act compliance, and any other case where you have to prove what an agent actually did.
Open source. No SaaS. No telemetry. No signup.
anyone can check a record
keyless
$ vaara verify-record someone-elses-record.json conformance: CONFORMS [pass] required alg_supported [pass] required signature_hex [pass] required result_commitment_self_consistent projectionDigest == sha256 over the projection bytes ... 13 more checks, all pass no signing key, no access to the system that produced it
What's shipped
- Check any record yourself:
vaara verify-recordtests any JSON against the published SEP-2828 format, including a record Vaara never produced, with no signing key and no access to the system that made it.vaara verify-bundleruns the full evidence set and prints a single pass or fail, fail-closed on authenticity. - One sink for any stack's evidence:
vaara ingestseals a record from another format, an MCP execution record or adid:webcatalog entry, into one canonical, content-addressed envelope with an honest gap report, so a dropped record is a provable hole. The conformance corpus is reproduced by a checker that imports no Vaara. - Hash-chained, tamper-evident audit trail (SHA-256, optional Ed25519, optional post-quantum ML-DSA-65), anchored to an RFC 3161 / eIDAS qualified timestamp so a record cannot be backdated against a clock you do not control. An auditor verifies it offline with a public key.
- Hardware-rooted binding:
vaara verify-tpm-bindingandvaara verify-tpm-chaintie an execution record to the machine's own TPM 2.0 quote and IMA measurements. - Sovereign inference: run a local model through Vaara and every answer carries a signed receipt bound to the machine's TPM. Open under AGPL-3.0.
- One-command regulator package:
vaara trail export-article12writes the signed trail, per-article EU AI Act evidence, and the time anchor as Article 19 existence-in-time, in one file an authority checks offline. - Policy gating on every tool call: allow, block, or escalate each agent action against your own policy before it runs, through a transparent MCP proxy with native hooks for LangChain, CrewAI, and the OpenAI Agents SDK. TypeScript client on npm, Claude Code plugin in the same repo.
- Authored SEP-2828, the Model Context Protocol server-side execution-record proposal, reproduced in full by an independent developer from a clean checkout. Releases are SLSA Build Level 3 and Sigstore-signed, with continuous fuzzing on the decoder, audit, and policy loader.
Adoption (live)
- - total downloads across PyPI and npm
- - npm downloads, last 7 days (@vaara/client)
Acknowledged by
- Listed in the industry acknowledgements of the IMDA Model AI Governance Framework for Agentic AI v1.5 (Singapore, 20 May 2026)
- AMD AI Developer Program testimonial of Vaara (May 2026)
- OpenSSF Best Practices Project 12612 (passing)
Where