Hi HN — I've been experimenting with ways to make AI agent actions auditable and enforceable at runtime.

This project has two parts.

1. LICITRA-MMR — An append-only audit log using a Merkle Mountain Range instead of a simple hash chain. With a hash chain, verifying one event requires replaying the entire log. With an MMR, verification uses a logarithmic proof (~14 SHA-256 operations for ~10k events).

2. LICITRA-SENTRY — A small control layer between agents and tools.

Flow: agent → authorization service → signed execution ticket → proxy → tool

After approval, the system issues a signed ticket containing agent identity, tool name, hash of the exact request payload, and expiration. The proxy verifies the signature and recomputes the request hash before allowing execution.

This blocks: payload mutation after approval, replay of approvals across agents, and direct tool access without authorization.

Limitations I want to be upfront about: single-operator trust model, simple pattern-based content inspection, no distributed verification, not integrated with frameworks yet.

SENTRY repo: https://github.com/narendrakumarnutalapati/licitra-sentry

Happy to answer questions about design tradeoffs or where this breaks.