Forensic reconstruction and incident response for AI agents.
When your AI agent goes off-script, AIR tells you what happened and proves it.
AIR writes a Signed Intent Capsule for every agent decision (llm, tool, finish). The Intent Capsule pattern is named in the OWASP Top 10 for Agentic Applications v12.6 as mitigation #5 for ASI01: an emerging pattern that binds the declared goal, constraints, and context to each execution cycle in a signed envelope. AIR's on-disk format is AgDR-compatible (AI Decision Record schema as published at accountability.ai), so capsules interoperate with the wider ecosystem. Each capsule is content-hashed with BLAKE3, signed with Ed25519, and chained to the previous step. The air CLI replays the chain, verifies every signature, and reports findings across two public OWASP taxonomies plus one AIR-native check:
- OWASP Top 10 for Agentic Applications (8 of 10): ASI01 Agent Goal Hijack, ASI02 Tool Misuse & Exploitation, ASI04 Agentic Supply Chain Vulnerabilities (partial, MCP supply-chain risk only), ASI05 Unexpected Code Execution (RCE), ASI06 Memory & Context Poisoning, ASI07 Insecure Inter-Agent Communication, ASI08 Cascading Failures, ASI09 Human-Agent Trust Exploitation. ASI03, ASI10 on roadmap.
- OWASP Top 10 for LLM Applications (3 categories): LLM01 Prompt Injection, LLM04 Model Denial of Service, LLM06 Sensitive Information Disclosure.
- AIR-native: forensic-chain-integrity check for untraceable actions.
It is the layer that runs behind your guardrails. Prevention tools (Lakera, NeMo Guardrails, Bedrock Guardrails) try to stop bad things from happening. AIR produces the evidence of what actually happened, in a form security, legal, and insurance can act on.
```shell
pip install projectair
```
This installs both the `air` terminal command and the `airsdk` Python library.
```shell
air demo
```
Generates a fresh signed capsule chain (13 steps, two baked-in ASI violations), verifies every signature, runs the detectors, and writes `forensic-report.json` next to you. No agent, no log file, no wiring required.
Instrument your LangChain agent:
```python
from airsdk import AIRCallbackHandler
from langchain.agents import AgentExecutor

handler = AIRCallbackHandler(
    key="...",  # Ed25519 signing key; auto-generated when omitted
    log_path="my-agent.log",
    user_intent="Draft a Q3 sales report from the CRM data",
)
agent = AgentExecutor(callbacks=[handler], ...)
```
Every step the agent takes is appended to `my-agent.log` as a Signed Intent Capsule.
Replay the trace:
```shell
air trace my-agent.log
```
You get a console report: signatures verified, ASI01/ASI02 findings flagged, detector coverage shown honestly, and `forensic-report.json` emitted alongside.
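The capsule chain described above and the tamper check that `air trace` performs on replay, as an added example that is not AIR's own code or on-disk format (the AgDR field names, the genesis value and the demo payloads are assumptions; it uses the `cryptography` package for Ed25519 and falls back from the `blake3` package to `hashlib.blake2b` when that package is absent):

```python
import hashlib, json
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PrivateKey

try:  # AIR hashes with BLAKE3; blake2b is a labelled stand-in when the package is absent
    from blake3 import blake3 as _b3
    content_hash = lambda data: _b3(data).hexdigest()
except ImportError:
    content_hash = lambda data: hashlib.blake2b(data, digest_size=32).hexdigest()
GENESIS = "0" * 64  # prev_hash of the first capsule (assumed convention, not AIR's)

def canonical(body: dict) -> bytes:
    # Deterministic bytes so the replay hashes exactly what was signed
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

def append_capsule(chain: list, key: Ed25519PrivateKey, kind: str, payload: dict, intent: str):
    # One capsule per decision: intent + payload, linked to the previous capsule's hash
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"step": len(chain), "kind": kind, "intent": intent, "payload": payload, "prev_hash": prev}
    digest = content_hash(canonical(body))
    chain.append({**body, "hash": digest, "sig": key.sign(digest.encode()).hex()})

def verify_chain(chain: list, pub):
    # Replay: None when intact, else (index, reason) of the first capsule that fails
    prev = GENESIS
    for i, cap in enumerate(chain):
        body = {k: v for k, v in cap.items() if k not in ("hash", "sig")}
        if cap["prev_hash"] != prev:
            return i, "chain link broken"
        if content_hash(canonical(body)) != cap["hash"]:
            return i, "content hash mismatch"
        try:
            pub.verify(bytes.fromhex(cap["sig"]), cap["hash"].encode())
        except InvalidSignature:
            return i, "signature invalid"
        prev = cap["hash"]
    return None

def build_demo_chain():
    # Constructed three-step trace: llm -> tool -> finish, all under one declared intent
    key, intent, chain = Ed25519PrivateKey.generate(), "Draft a Q3 sales report from the CRM data", []
    for kind, payload in [("llm", {"prompt": "Summarise the CRM pipeline"}),
                          ("tool", {"name": "crm_query", "args": {"quarter": "Q3"}}),
                          ("finish", {"output": "Report drafted"})]:
        append_capsule(chain, key, kind, payload, intent)
    return chain, key.public_key()

def tamper_demo() -> dict:
    chain, pub = build_demo_chain()
    edited = json.loads(json.dumps(chain))
    edited[1]["payload"]["name"] = "send_email"  # constructed: tool call rewritten after the fact
    removed = chain[:1] + chain[2:]              # constructed: a step deleted from the log
    return {"intact": verify_chain(chain, pub), "edited": verify_chain(edited, pub),
            "removed": verify_chain(removed, pub)}
```

Because verification needs only the public key, a third party can replay the log without the agent's signing key, which is what lets the evidence be checked by someone other than the operator.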
This is a monorepo.
- `packages/projectair/`: the MIT-licensed `projectair` package published to PyPI. Ships the `air` CLI and the `airsdk` Python library. This is the public, supported AIR surface.
- `site/`: the SvelteKit source for vindicara.io.
- `src/vindicara/`: the older Apache-2.0 runtime security engine (policy evaluator, MCP scanner, agent IAM, drift monitor, compliance collector). This is now the engine substrate underneath AIR, not the public product surface. Retained for reference and for future integrations.
For the legacy five-pillar README that used to live here, see `docs/legacy-vindicara-readme.md`.
| Surface | Status |
|---|---|
| BLAKE3 + Ed25519 Signed Intent Capsule chain (AgDR-format) | implemented, tested |
| Tamper detection on chain replay | implemented, tested |
| LangChain AIRCallbackHandler | implemented |
| ASI01 Agent Goal Hijack | implemented (heuristic) |
| ASI02 Tool Misuse & Exploitation | implemented (regex) |
| ASI04 Agentic Supply Chain Vulnerabilities | implemented (partial: MCP supply-chain risk only) |
| ASI05 Unexpected Code Execution (RCE) | implemented (execution-semantics tool-name patterns) |
| ASI06 Memory & Context Poisoning | implemented (heuristic: retrieval-output + memory-write scans) |
| ASI07 Insecure Inter-Agent Communication | implemented (identity, nonce, replay, downgrade, descriptor-forgery checks) |
| ASI08 Cascading Failures | implemented (oscillating-pair + fan-out burst checks over inter-agent messages) |
| ASI09 Human-Agent Trust Exploitation | implemented (fabricated-rationale + manipulation-language scan preceding sensitive actions) |
| ASI03, ASI10 | not yet implemented |
| AIR-01 Prompt Injection | implemented, maps to OWASP LLM01 |
| AIR-02 Sensitive Data Exposure | implemented, maps to OWASP LLM06 |
| AIR-03 Unrestricted Resource Consumption | implemented, maps to OWASP LLM04 |
| AIR-04 Untraceable Action | implemented, AIR-native |
| JSON forensic export | implemented |
| PDF forensic export | implemented (fpdf2) |
| SIEM forensic export (ArcSight CEF v0) | implemented |
| LangChain callback integration | implemented |
| OpenAI SDK integration | implemented |
| Anthropic SDK integration | implemented |
| LlamaIndex / CrewAI / AutoGen | not yet implemented |
| AIR Cloud (hosted dashboards, SIEM) | not yet implemented |
Pre-1.0. The detector heuristics will produce false positives and false negatives. The signed chain itself is production-grade cryptography. See the pricing page for what's planned next.
Issues, traces that break the detectors, and new ASI detector PRs are welcome. Bugs and feature requests: https://github.com/vindicara-inc/projectair/issues.
- `packages/projectair/` and the `projectair` PyPI distribution: MIT. See `packages/projectair/LICENSE`.
- `src/vindicara/` (engine substrate, not published): Apache-2.0.
