Live · Evidence of record for AI agents

Prove what your agents did.

The system of record for AI agent actions. Every tool call, approval, and authorization scope, captured tamper-evident and mapped to the controls an auditor or examiner will ask about.

app.stonewrit.com
acme/prod
chain verified
Recent events · 4,218 sealed
Event · Actor · Pos · Status
agent.tool_called · agt_01HX · #4218 · sealed
data.exported · usr_4q2 · #4217 · sealed
admin.access_granted · usr_8m1 · #4216 · sealed
identity.login.succeeded · usr_4q2 · #4215 · sealed
vendor.data_sent · svc_api · #4214 · sealed
Chain integrity · 100.00%
Suggested evidence
SOC 2 · CC6.1: 1284
SOC 2 · CC7.2: 942
SOC 2 · CC8.1: 517
GDPR · Art. 30: 233
Evidence for SOC 2 / ISO 27001 / HIPAA / GDPR
Tamper-evident

Change one byte, break every hash after it.

Every agent action is canonicalized, hashed, and linked to the record before it. Alter anything and the chain stops matching from that point on. Auditors confirm the whole sequence themselves, no trust required.

  • RFC 8785 canonicalization
  • SHA-256 hash chain
  • Public verify endpoint
POST /api/v1/chains/verify → 200 OK
admin.access_granted · #4216 · event_hash sha256:4c8d…71fa
data.exported · #4217 · event_hash sha256:9f3e…c81b
agent.tool_called · #4218 · event_hash sha256:7a2c…e840
valid: true · 4,218 events verified
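
As an added example (not Stonewrit's code and not taken from its open-source repositories): a minimal hash chain in JavaScript showing why an edited record is detectable from that point on. The record layout (sequence, prev_hash, event_hash), the all-zero genesis link, and all function names are assumptions made for the illustration; canonicalize handles plain JSON values only.

```javascript
// Added illustration, not Stonewrit's code. Record layout (sequence, prev_hash,
// event_hash) and the all-zero genesis link are assumptions.
const { createHash } = require("node:crypto");
const GENESIS = "sha256:" + "0".repeat(64);

// RFC 8785-style canonical JSON: keys sorted by UTF-16 code units, no
// whitespace, strings and numbers serialized as ECMAScript does.
function canonicalize(v) {
  if (typeof v === "number" && !Number.isFinite(v)) throw new TypeError("not a JSON number");
  if (v === null || typeof v !== "object") return JSON.stringify(v);
  if (Array.isArray(v)) return "[" + v.map(canonicalize).join(",") + "]";
  return "{" + Object.keys(v).sort()
    .map((k) => JSON.stringify(k) + ":" + canonicalize(v[k])).join(",") + "}";
}

// The hash covers the event, its position, and the previous record's hash.
function hashRecord(sequence, prevHash, event) {
  const body = canonicalize({ sequence, prev_hash: prevHash, event });
  return "sha256:" + createHash("sha256").update(body, "utf8").digest("hex");
}

function seal(events) {
  let prev = GENESIS;
  return events.map((event, i) => {
    const rec = { sequence: i + 1, prev_hash: prev, event, event_hash: hashRecord(i + 1, prev, event) };
    prev = rec.event_hash;
    return rec;
  });
}

// Recompute every link. expectedHead is a head hash pinned out of band; without
// it, a chain rebuilt from scratch after an edit is internally consistent.
function verifyChain(records, expectedHead) {
  let prev = GENESIS;
  for (const [i, r] of records.entries()) {
    const ok = r.sequence === i + 1 && r.prev_hash === prev &&
      r.event_hash === hashRecord(r.sequence, prev, r.event);
    if (!ok) return { valid: false, verified: i, first_bad_sequence: i + 1 };
    prev = r.event_hash;
  }
  const headOk = expectedHead === undefined || prev === expectedHead;
  return { valid: headOk, verified: records.length, first_bad_sequence: null };
}

// Constructed sample events, using event and actor names shown on the page.
const SAMPLE_EVENTS = [
  { event_type: "admin.access_granted", actor: { type: "user", id: "usr_8m1" } },
  { event_type: "data.exported", actor: { type: "user", id: "usr_4q2" } },
  { event_type: "agent.tool_called", actor: { type: "ai_agent", id: "agt_01HX" } },
];
```

When verifying exported evidence, compare the final event_hash against a copy recorded somewhere the log's operator cannot rewrite; link checks alone only prove internal consistency.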
Authorization and controls

Prove every action was within authority.

Register each agent with the scopes it is authorized for. Every action is checked against them at ingest and mapped to the controls it supports, so the distance between what an agent did and what you can prove disappears.

  • Agent registry and scope checks
  • HIPAA, NYDFS 500, SEC 17a-4 packs
  • SOC 2, ISO 27001, GDPR coverage
Controls · 0 mapped
SOC 2 · 31 controls
ISO 27001 · 24 controls
HIPAA · 18 controls
GDPR · 12 controls
data.exported → CC6.1 · CC7.2 · Art. 30
Built for agents

A complete record of what every agent did.

First-class agent identity, tool calls, approvals, and human-in-the-loop review. Filter to one agent and one data type to produce the examiner-ready pack that proves it acted within authority.

  • Agent identity and tool calls
  • Human supervisor links
  • Examiner-ready evidence packs
agent.* activity · live
agent.tool_called · sql.query → db.customers · sealed
agent.data_queried · 412 rows · pii · sealed
agent.action_proposed · refund $480.00 · review
agent.action_approved · usr_4q2 · scope: refund · sealed
The API

One call records what your agent did.

Send the agent action: a tool call, an approval, a decision. We canonicalize it, hash it, link it to the record before it, and check it against the agent’s authorized scopes, then return a proof anyone can verify later. Send the same action twice and you still get exactly one sealed record.

  • Idempotent by header, safe to retry
  • Scope-checked against the agent registry
  • Independently verifiable by any auditor
record-event.ts

    await stonewrit.record({
      event_type: "agent.tool_called",
      actor: { type: "ai_agent", id: "agt_01HX" },
      action: { name: "sql.query", category: "data_access" },
      resource: { type: "db.customers", classification: ["pii"] }
    })

201 Created · sealed in 41ms

    {
      "id": "evt_01HXZ8K4ME…",
      "sequence": 4218,
      "hash": { "event": "sha256:7a2c1d…e840" },
      "chain_position": 4218
    }

Open source

Don’t trust us. Verify it yourself.

The mechanism is public. The canonicalization, the hash chain, the verifier, and the event spec are open source under Apache 2.0. Run the verifier against your own evidence and confirm it independently. A black box that asks you to trust it is a weaker claim than code you can read.

Apache 2.0 end to end. Self-host the whole stack.

  • Hash-chain core · Apache 2.0
    The canonicalization and hashing, the exact code that seals every event.
  • Verifier CLI · Apache 2.0
    Recompute and confirm any chain yourself, offline.
  • Event spec · Apache 2.0
    The schema and frozen conformance vectors everything is checked against.
  • Baseline classifier · Apache 2.0
    The rule engine that maps events to the controls they support.

100.00% · Chain integrity SLA
< 80ms · p99 ingest latency
RFC 8785 · Canonical form
Forever · Immutability guarantee
Pricing

Priced on evidence, not headcount.

One plan covers your whole organization. Invite the entire team, no per-seat math. You pay for the evidence you record: a generous monthly volume, then transparent metered overage with a spend cap you set. Never a surprise invoice.

Starter

$79 / mo

per organization · whole team included

$853 / year (save 10%)

then $0.60 per 1k events over 250k

For teams proving out agent evidence before production.

  • 250k events / month included
  • Up to 3 projects, unlimited environments
  • SOC 2, ISO 27001, HIPAA, GDPR
  • JSON evidence exports + hash proofs
  • Email support

7-day free trial · card required

Most popular

Pro

$199 / mo

per organization · whole team included

$2,149 / year (save 10%)

then $0.25 per 1k events over 5M

For production agent deployments with compliance requirements.

  • 5M events / month included
  • Unlimited projects + environments
  • SOC 2, ISO 27001, HIPAA, GDPR
  • JSON evidence exports + hash proofs
  • Google SSO
  • Email support, 24h response
  • Up to 100 org members

7-day free trial · card required

Enterprise

Custom

per organization · whole team included

For regulated agent fleets needing SSO, retention, or on-prem.

  • Unlimited events
  • Custom retention up to 7 years
  • SAML / OIDC SSO
  • Custom + private frameworks
  • Dedicated Slack + named CSM
  • 99.99% uptime SLA + DPA
  • On-prem / VPC deployment

Live · Launching now

The next time someone asks “can you prove that?”

When legal asks whether your agent stayed within its authority, Stonewrit gives you the answer, provably, instead of hoping your logs hold up.