ProofGate Standard

Deterministic Consequences for AI Systems

Standard Threat Model Spec Reference Implementation

StandardThreat ModelCompliance ChecklistReference Implementation

Stop letting models touch reality.

ProofGate is the standard for deterministic consequences in AI systems. It defines how to gate actions (email, money, files, access) with explicit policy, signed approvals, signed receipts, and append-only audit truth — before any tool call mutates the world.

Read the Standard Reference Docs

THE MEMETIC RULE

FAILURE MODE

Probabilistic text + authority

Incident. Eventually. Not because the model is evil — because untrusted input becomes action.

SAFE MODE

Probabilistic text + deterministic consequences

Safe automation. The model proposes. A policy gate decides. Receipts prove what happened.

Share this with anyone shipping “agents”.

WHY BUYERS CARE

If your agent can do things, it will do the wrong thing — eventually.

Most “agent security” is vibes. Production failures follow the same pattern: untrusted input → model output → over-scoped tools → irreversible action. ProofGate fixes the architecture, not the model.

Prompt Injection

Untrusted content becomes instructions. If tools are reachable, consequences happen.

Over-scoped Permissions

Admin-ish tool scopes turn a helper into an attacker — even without malice.

No Receipts

When something goes wrong, you lose causality: who approved what, when, and why.

WITHOUT PROOFGATE

Input → Model → Tools → Reality

Untrusted input becomes actions. Authority is implicit. Incidents are inevitable.

untrusted input→LLM output→tool calls→irreversible state

WITH PROOFGATE

Input → Model (proposal) → ProofGate → Tools → Reality

Actions happen only when invariants allow them. Approvals and receipts are signed. Audit is append-only.

untrusted input→proposal→policy gate→signed receipt→tools

THE STANDARD

Seven non-negotiables for AI that touches production.

ProofGate defines minimum requirements for deterministic consequence rails. If any of these are missing, you don’t have guarantees — you have hope.

Intent Envelopes

Every action is a structured intent — not a prompt. Intents are validated before execution.

Explicit Invariants

Allowlists, caps, deny rules, rate limits. Machine-enforced. No hidden authority.

No Secrets in Models

Models never hold raw credentials. Tools live behind a router with least privilege.

Signed Approvals

Signed, expiring, intent-hash bound. No forgery. No replay. No ambiguity.

Signed Receipts

Every decision + execution emits cryptographic receipts. Proof of causality by default.

Append-only Audit Truth

Immutable JSONL audit lines. Incidents become forensics — not blame games.

The 30-second audit test

Ask any agent vendor one question.

Read the threat model

“What guarantees do you provide if the model is wrong?”

IF THEY ANSWER

“Users can correct it.”
“We monitor it.”
“The model is improving.”

THEN THEY HAVE

Hope. Not guarantees.

ProofGate is guarantees: constraints, approvals, receipts, and audit truth — enforced outside the model.

ADOPTION

Adopt ProofGate without replatforming.

ProofGate is a boundary layer. Wrap outputs as intents, evaluate against invariant packs, execute only through a router, and persist receipts + audit logs.

1) Wrap output

Convert model output into an Intent Envelope (structured action request).

2) Gate consequences

Evaluate against invariant packs. Deny, require approval, or execute.

3) Prove what happened

Emit signed receipts + append-only audit. Incidents become forensics.

Use the Reference Implementation Read the Spec