Open Source  •  Python SDK  •  Public Beta

Your agents act together.

Govern them that way.

ProofRail tracks what a whole chain of agents does — cumulative spend, external calls, risky actions — and pauses high-stakes decisions for human approval before they execute.

$ pip install proofrail

AI agents that act together can commit you to things you never approved.

Most AI safety tools evaluate one tool call at a time. Each call passes its review — but a chain of calls can commit to a $50,000 vendor purchase without a human ever seeing it.

Per-call governance catches obvious things. Chain-level governance catches the things you'd actually fire someone over.

without governance — each call passes its own review
# Each of these passes per-call governance
search_web(query="vendor pricing") # ✓ no PII, allowed
calculate_offer(amount_usd=3000) # ✓ under per-call threshold
send_email(to="sales@vendor.com") # ✓ domain allowlisted
record_commitment(amount_usd=3000) # ✓ allowed
record_commitment(amount_usd=3000) # ✓ allowed
record_commitment(amount_usd=4000) # ✓ allowed
# Total committed: $13,000. Nobody approved any of it.

Chain-level governance catches what per-call governance misses.

Wrap your workflow in a ProofRail Chain. The SDK tracks running totals — financial exposure, external communications, modified records — across every action in the workflow. When the chain crosses a threshold, execution pauses for human approval before continuing. The decision is recorded in a cryptographically signed receipt you can verify forever.

with governance — the chain threshold catches it
import asyncio
import proofrail

proofrail.init(
    api_key="prail_...",
    cumulative_financial_threshold_usd=10000,
    fallback_approvers=["lead@company.com"],
)

async def main():
    async with proofrail.Chain("vendor-purchase") as chain:
        await chain.record_agent_action(
            agent_name="research", action_type="tool_call",
            action_name="search_web", payload={"query": "vendor pricing"},
        )
        # ... three $3,000 commitments accumulate ...
        # On the fourth commitment, cumulative crosses $10,000
        await chain.record_agent_action(
            agent_name="commitment-agent", action_type="tool_call",
            action_name="record_commitment", payload={"amount_usd": 4000},
        )
        # → execution pauses, approval email sent
        # → human reviews the whole chain, approves or denies
        # → execution resumes (or raises ActionDeniedError on deny)
    # Chain completes. Signed receipt PR-2026-XXXXX is generated.

# "async with" must run inside a coroutine
asyncio.run(main())

What's in the box

Everything you need to ship governed AI workflows in production.

Chain-level tracking

Cumulative spend, external comms, records modified — tracked across the whole workflow. Set thresholds; ProofRail enforces them.

Human approval gates

When something crosses a threshold, execution pauses. An approver gets an email with full chain context. They approve or deny; your code resumes accordingly. Time-boxed exceptions supported.

Tamper-evident receipts

Every chain produces an HMAC-signed receipt. Receipts are hash-chained across your org — tampering or deletion is publicly detectable. Verify offline; no backend access required.

Framework adapters

One-line wrappers for LangGraph, LangChain, CrewAI, and MCP. Or use the framework-agnostic Chain API for everything else. Python 3.10+.
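
The receipt scheme described under "Tamper-evident receipts", sketched as an added example (not ProofRail's code or receipt format): each receipt is HMAC-SHA256 signed and carries the hash of its predecessor, so edits and deletions surface during offline verification. Field names, the key and the sample receipts are constructed, and the verifier is assumed to hold the HMAC key.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64                    # constructed prev_hash for the first receipt
SAMPLE_KEY = b"constructed-demo-key"  # constructed; not a real credential


def canonical(obj: dict) -> bytes:
    # Deterministic encoding so signer and verifier hash identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def sign(key: bytes, body: dict) -> str:
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def receipt_hash(receipt: dict) -> str:
    # Covers the signature too, so each link commits to the signed predecessor.
    return hashlib.sha256(canonical(receipt)).hexdigest()


def build_sample_log(key: bytes = SAMPLE_KEY):
    """Return (receipts, head_hash) for three constructed chain decisions."""
    log, prev = [], GENESIS
    rows = [("vendor-purchase", 13000, "approved"),
            ("refund-batch", 2500, "auto"),
            ("vendor-purchase", 18000, "denied")]
    for chain, total_usd, decision in rows:
        body = {"prev_hash": prev, "chain": chain,
                "total_usd": total_usd, "decision": decision}
        receipt = {**body, "sig": sign(key, body)}
        log.append(receipt)
        prev = receipt_hash(receipt)
    return log, prev


def verify_log(key: bytes, receipts: list, head: str = None) -> list:
    """Return a list of problems; an empty list means the log verifies."""
    problems, expected_prev = [], GENESIS
    for i, r in enumerate(receipts):
        body = {k: v for k, v in r.items() if k != "sig"}
        if not hmac.compare_digest(sign(key, body), str(r.get("sig", ""))):
            problems.append(f"receipt {i}: bad signature")
        if r.get("prev_hash") != expected_prev:
            problems.append(f"receipt {i}: broken link")
        expected_prev = receipt_hash(r)
    if head is not None and expected_prev != head:
        problems.append("head mismatch: log truncated or altered")
    return problems
```

Dropping the newest receipts leaves a shorter log that still verifies on its own, so truncation is only caught when the latest head hash is kept somewhere the log's holder cannot rewrite.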

Wrap your existing workflow

One import. One function call. No agent code changes.

LangGraph

pip install proofrail[langgraph]
from proofrail.langgraph import govern
governed = govern(compiled_graph)

LangChain

pip install proofrail[langchain]
from proofrail.langchain import govern
governed = govern(executor)

CrewAI

pip install proofrail[crewai]
from proofrail.crewai import govern
governed = govern(crew)

MCP

pip install proofrail[mcp]
from proofrail.mcp import ProofRailMcpAdapter
adapter = ProofRailMcpAdapter(chain=chain, agent_name="my-tools")
adapter.install(server)

Public beta. We tell you what's done and what isn't.

Live today: Python SDK on PyPI, US-East backend, LangGraph + LangChain + CrewAI + MCP adapters, dashboard with approvals and audit log, email-based approver workflow.

Coming soon: self-hosted deployment, Slack and Teams notifications, JavaScript SDK, multi-region.

Read the full limitations page on docs.proofrail.dev/limitations — we list everything that isn't built yet so you don't get surprised in production.


Open source SDK

The Python SDK is Apache 2.0. Read the policy evaluation algorithm. Audit how decisions get made. Run it locally for testing.

The backend and dashboard are closed source during the beta. If your compliance posture requires self-hosting, email us — we're prioritizing based on customer demand.
