I run cloud and AI infrastructure at an enterprise. Over the past year agents went from experiments to touching real systems with real credentials. Then one broke. Legal asked what happened. We had logs but no reproducible artifact, no proof of what policy governed the action, no way to show the same inputs would produce the same behavior again. Nobody was building this internally, so I started building it at 11pm after my kids go to bed. Gait is a Go CLI that turns each agent run into a signed pack: a ZIP of versioned JSON with intents, policy decisions, results, and cryptographic verification (Ed25519 + SHA-256).

gait verify validates a pack offline. Schema, hashes, signatures. Stable exit codes.

gait pack diff compares two packs structurally, including context drift classification.

gait run replay reproduces behavior using recorded results as deterministic stubs. No re-executing real API calls at 2am.

gait regress bootstrap converts a bad run into a CI fixture. Exit 0 = pass, exit 5 = drift. One command, one PR.

gait gate eval evaluates structured tool-call intent against YAML policy before the side effect runs. Non-allow means non-execute. Fail-closed.

The gate is the architectural differentiator: guardrails scan content probabilistically, the gate evaluates structured fields against policy deterministically. Different layer, different guarantees.

gait demo gait verify run_demo

No account, no API key, no internet. Feedback I'd value most:

Onboarding friction: where did install or demo confuse you? Pack format: what's missing for your real incidents? CI adoption: what would it take to add gait regress to your pipeline in one PR?

Happy to go deep on architecture decisions in the thread.