Vaara is the tamper-evident runtime evidence layer for AI systems. It turns every action an agent takes into a record an outside party can verify without trusting you, then binds that record to the machine's own TPM 2.0 + IMA attestation. EU AI Act compliance, and any other case where you have to prove what an agent actually did.

Open source. No SaaS. No telemetry. No signup.

anyone can check a record keyless

$ vaara verify-record someone-elses-record.json

  schema             ok    well-formed SEP-2828 execution record
  result commitment  ok    projectionDigest == sha256(projection)
  verdict            CONFORMS

no signing key, no access to the system that produced it

What's shipped

Check any record yourself: vaara verify-record tests any JSON against the published SEP-2828 format, including a record Vaara never produced, with no signing key and no access to the system that made it. vaara verify-bundle runs the full evidence set and prints a single pass or fail, fail-closed on authenticity.
One sink for any stack's evidence: vaara ingest seals a record from another format, an MCP execution record or a did:web catalog entry, into one canonical, content-addressed envelope with an honest gap report, so a dropped record is a provable hole. The conformance corpus is reproduced by a checker that imports no Vaara.
Hash-chained, tamper-evident audit trail (SHA-256, optional Ed25519, optional post-quantum ML-DSA-65), anchored to an RFC 3161 / eIDAS qualified timestamp so a record cannot be backdated against a clock you do not control. An auditor verifies it offline with a public key.
Hardware-rooted binding: vaara verify-tpm-binding and vaara verify-tpm-chain tie an execution record to the machine's own TPM 2.0 quote and IMA measurements.
Sovereign inference: run a local model through Vaara and every answer carries a signed receipt bound to the machine's TPM. Open under AGPL-3.0.
One-command regulator package: vaara trail export-article12 writes the signed trail, per-article EU AI Act evidence, and the time anchor as Article 19 existence-in-time, in one file an authority checks offline.
Policy gating on every tool call: allow, block, or escalate each agent action against your own policy before it runs, through a transparent MCP proxy with native hooks for LangChain, CrewAI, and the OpenAI Agents SDK. TypeScript client on npm, Claude Code plugin in the same repo.
Authored SEP-2828, the Model Context Protocol server-side execution-record proposal, reproduced in full by an independent developer from a clean checkout. Releases are SLSA Build Level 3 and Sigstore-signed, with continuous fuzzing on the decoder, audit, and policy loader.

Adoption (live)

- PyPI downloads, last 30 days
- PyPI downloads, last 7 days
- npm downloads, last 7 days (@vaara/client)

Acknowledged by

IMDA Model AI Governance Framework for Agentic AI v1.5 (Singapore, 20 May 2026), industry contributors
AMD developer testimonial (May 2026)
OpenSSF Best Practices Project 12612

Where

codegithub.com/vaaraio/vaara pypipypi.org/project/vaara npm@vaara/client mcp registryio.github.vaaraio/vaara proposalSEP-2828 complianceCOMPLIANCE.md sponsorgithub.com/sponsors/vaaraio linkedinin/sirkkavaara