Vaara is the tamper-evident runtime evidence layer for AI systems. It covers EU AI Act compliance, and any other case where you need to prove what an agent actually did.
Open source. No SaaS. No telemetry. No signup.
signed tool-call evidence
```
$ vaara-mcp-proxy --attest-signing-key es256.pem --upstream github=github-mcp-server
```

attest.json, signed before the call:

```json
{
  "plannerDeclared": { "intent": "tools/call/create_issue" },
  "issuerAsserted": {
    "iss": "vaara-mcp-proxy",
    "sub": "acme/github",
    "nonce": "GIVDibhm...4SiZ3hB",
    "alg": "ES256"
  }
}
```

receipt.json, signed after it returns:

```json
{
  "backLink": { "attestationNonce": "GIVDibhm...4SiZ3hB" },
  "outcomeDerived": { "status": "executed" },
  "alg": "ES256"
}
```
What's shipped
- Article 12 evidence model plus commit-prove receipt pair
- Hash-chained audit trail (SHA-256, optional Ed25519, optional ML-DSA-65)
- Adversarial classifier with cross-model held-out evaluation. v035 TEST recall 85.3% at FPR 4.6%, v036 cross-model held-out (Mixtral-8x7B + Claude Sonnet 4.6) recall 59.2%.
- Distribution-free conformal coverage on each runtime score
- OVERT 1.0 Base Envelope, Phase 3 IAP, S3P emitter, and reference verifier
- SEP-2787 Tool Call Attestation reference implementation, paired with signed execution receipts (v0.42 to v0.43). The proxy signs a request attestation before each allowed tool call and an execution receipt after it returns, linked by a shared nonce. ES256, RS256, or HS256. A verifier needs only the public key.
- MCP proxy (v0.43): transparent runtime governance in front of one or more upstream MCP servers. Streamable HTTP transport, fan-out across multiple upstreams, per-tenant policy. Full primitive coverage (tools, resources, prompts), streaming notifications, OVERT 1.0 envelope per interaction. Listed on the MCP Registry as io.github.vaaraio/vaara.
- Claude Code plugin (vaara-governance v0.1.2): PreToolUse hook with two layers. Regex deny patterns on Bash, WebFetch, WebSearch (sub-millisecond). Conformal risk classifier on MCP tool calls. Hash-chained SQLite audit persisted across sessions.
- Policy-as-code: validate, test, and hot-reload (Conftest-analog, CI-runnable)
- Auditor-facing evidence export: Markdown, JSON, PDF, HTML dashboard
- Native framework integrations: LangChain, CrewAI, OpenAI Agents SDK, MCP
- Upstream-signal adapters: AWS Bedrock, Azure Content Safety, GCP Model Armor, NVIDIA NeMo, Guardrails AI, LLM Guard, Rebuff
- Per-article verdict drill-down inside compliance reports
- SLSA Build Level 3 provenance on every release
- ClusterFuzzLite continuous fuzzing on OVERT decoder, audit, policy loader
- TypeScript HTTP client on npm
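
The attestation and receipt pairing described above can be checked offline. The sketch below is an added example, not Vaara's own verifier or wire format: the field names come from the sample `attest.json` and `receipt.json`, while the `sig` field, the canonical JSON encoding, the key and the nonce are assumptions made for illustration. It uses HS256 so that it runs on the standard library alone; with HS256 the verifier holds the shared key, whereas ES256 and RS256 need only the public key.

```python
import hashlib
import hmac
import json

PINNED_ALG = "HS256"  # verifier policy; never taken from the document being checked

def _mac(doc: dict, key: bytes) -> str:
    # Assumed canonical form: sorted keys, compact separators, "sig" excluded.
    body = {k: v for k, v in doc.items() if k != "sig"}
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def sign(doc: dict, key: bytes) -> dict:
    return {**doc, "sig": _mac(doc, key)}

def verify_pair(attest: dict, receipt: dict, key: bytes, seen: set) -> list:
    """Return a list of problems; an empty list means the pair is accepted."""
    problems = []
    for name, doc in (("attestation", attest), ("receipt", receipt)):
        sig = str(doc.get("sig", "")).encode()
        if not hmac.compare_digest(sig, _mac(doc, key).encode()):
            problems.append(f"{name}: bad signature")
    issuer = attest.get("issuerAsserted", {})
    if issuer.get("alg") != PINNED_ALG or receipt.get("alg") != PINNED_ALG:
        problems.append("alg does not match verifier policy")
    nonce = issuer.get("nonce")
    if not nonce or receipt.get("backLink", {}).get("attestationNonce") != nonce:
        problems.append("receipt is not linked to this attestation")
    elif nonce in seen:
        problems.append("nonce already used")
    if not problems:
        seen.add(nonce)  # remember accepted nonces so a replayed pair is rejected
    return problems

# Constructed sample data; the key and nonce are placeholders.
KEY = b"constructed-demo-key"
ATTEST = sign({"plannerDeclared": {"intent": "tools/call/create_issue"},
               "issuerAsserted": {"iss": "vaara-mcp-proxy", "sub": "acme/github",
                                  "nonce": "constructed-nonce-0001",
                                  "alg": "HS256"}}, KEY)
RECEIPT = sign({"backLink": {"attestationNonce": "constructed-nonce-0001"},
                "outcomeDerived": {"status": "executed"}, "alg": "HS256"}, KEY)

if __name__ == "__main__":
    seen = set()
    print(verify_pair(ATTEST, RECEIPT, KEY, seen))  # first presentation
    print(verify_pair(ATTEST, RECEIPT, KEY, seen))  # same pair presented again
```
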
Adoption (live)
- PyPI downloads, last 30 days
- PyPI downloads, last 7 days
- npm downloads, last 7 days (@vaara/client)
Acknowledged by
- IMDA Model AI Governance Framework for Agentic AI v1.5 (Singapore, 20 May 2026), industry contributors
- AMD developer testimonial (May 2026)
- OpenSSF Best Practices Project 12612
Where