DEV Community

Cover image for How do you prove which AI agent did what? We open-sourced our answer
Palash Bagchi
Palash Bagchi

Posted on • Originally published at kakunin.ai

How do you prove which AI agent did what? We open-sourced our answer

AI agents are starting to move money and hit production APIs, but almost none of them can answer the one question a regulator — or your own risk team — will eventually ask: which agent did this, and was it allowed to? We built Kakunin to fix that: every agent gets an X.509 certificate (issued via AWS KMS, keys never leave the HSM), its behavior is risk-scored in real time, and its certificate auto-revokes in under 60 seconds when it goes rogue. Today we open-sourced the whole thing — the platform under AGPL-3.0, the SDKs under Apache-2.0, every package provenance-signed. Here's what's open, what stays hosted, and why a trust anchor you can fork isn't a trust anchor.

What Kakunin does

Every agent gets an X.509 certificate, issued through AWS KMS so the private key never leaves the HSM. The certificate encodes the agent's permitted scope — what it's allowed to do, up to what limits. As the agent acts, it streams behavioral events to Kakunin, which scores each one in real time against a rolling 30-day baseline. When risk crosses a threshold, the certificate is auto-revoked in under 60 seconds — and anyone, anywhere, can verify a certificate's status keylessly, without an account.

Issuance, behavioral monitoring, auto-revocation, and regulator-ready compliance exports — the full lifecycle, built for MiCA Article 70 and the EU AI Act.

What's open

Everything you run:

  • The platformkakunin-core, the Next.js application, the CA integration, the risk engine, the audit pipeline — is AGPL-3.0. You can read exactly how risk is scored and how revocation decisions are made. For a compliance product, that transparency isn't a giveaway; it's the entire pitch. No black box gets to decide whether your agent is trustworthy.
  • The SDKs and integrations — TypeScript, Python, and drop-in tools for LangChain, Mastra, the Vercel AI SDK, MCP, LlamaIndex, CrewAI, and more — are Apache-2.0. Build on them with no copyleft obligation.
  • Every package publishes with cryptographic provenance (npm) and attestations (PyPI), each traceable to a public commit and CI run. You can verify the supply chain, not just trust it.

Six public repositories, seven packages on npm and PyPI.

What's hosted, and why we're telling you plainly

The canonical certificate authority and the public verification endpoint run as a hosted service. We could pretend otherwise; we won't.

A trust anchor you can fork is not a trust anchor. The value of a Kakunin certificate is that any counterparty can verify it against one authority — keylessly, without asking you. A thousand self-hosted CAs would mean a thousand roots nobody recognizes. Verification stays free and public for everyone precisely because issuance is centralized. Key custody (KMS-backed, never-leaves-the-HSM) and independent audit-log custody are what make the evidence admissible in the first place.

So: run every line of the code. Verify against the canonical CA. We wrote up the exact split, feature by feature, at kakunin.ai/open-source.

Why AGPL

We chose AGPL-3.0 for the platform deliberately. It's OSI-approved open source — you can read it, run it, modify it. Its copyleft means anyone who offers a modified Kakunin as a network service has to share their changes, which keeps the project honest. And it keeps us eligible for the open-source ecosystem — grants, sponsorships, the commons — in a way a source-available license wouldn't. The SDKs stay Apache-2.0 so nothing you integrate carries an obligation.

Try it in 60 seconds

npm install @kakunin/sdk
Enter fullscreen mode Exit fullscreen mode
import { Kakunin } from '@kakunin/sdk';
const kkn = new Kakunin({ apiKey: process.env.KAKUNIN_API_KEY! });

const agent = await kkn.agents.create({ name: 'my-agent', model_hash: await Kakunin.computeModelHash('gpt-4o') });
const cert  = await kkn.agents.certify(agent.id);
const check = await kkn.events.ingest({ agentId: agent.id, actionType: 'transaction_initiated', details: { amount: 840 } });
console.log(check.risk_band); // 'low' | 'medium' | 'high'
Enter fullscreen mode Exit fullscreen mode

Or open the sandbox — no signup, 100 free test certificates a day, and a live demo where you watch an agent go rogue and its certificate revoke itself.

Where this is going

It's early and we'll say so: baselines need history to be meaningful, the hosted CA is single-region today, and the roadmap is public. If you're building agents that do things that matter — or you just have opinions about how machine identity and open-core should work — star kakunin-core, read the code, and tell us where we're wrong.

Top comments (0)