The Accountability Gap in AI Agent Tooling
AI agents are getting good at browsing the web. They can navigate pages, fill out forms, extract data, and complete multi-step workflows. But there's a gap that most agent frameworks ignore: accountability.
When an agent uses a browser, what evidence exists of what it actually did? Typically, you get logs -- plaintext files that anyone can edit after the fact. Maybe screenshots, which can be fabricated. There's no cryptographic guarantee that the record of an agent's browser session is authentic and unmodified.
This matters more than most people realize. If you're deploying agents in regulated industries (finance, healthcare, legal), you need auditable records. If you're running an agent marketplace, buyers need proof that agents performed the work they claim. If an agent makes a mistake, you need a tamper-evident trail to understand what happened.
What Conduit Does
Conduit is a headless browser library for Python that builds a SHA-256 hash chain around every browser action and signs the result with Ed25519. It's built on top of Playwright, so it inherits all of Playwright's automation capabilities and adds a cryptographic trust layer on top.
Here's the core idea: every time the browser does something -- navigates, clicks, fills a form, takes a screenshot -- that action gets recorded as a structured event and hashed with SHA-256. Critically, each hash includes the previous hash, forming a chain. If any action in the chain is modified, every subsequent hash breaks. This is the same principle behind blockchain, applied to browser sessions.
At the end of a session, the entire hash chain is signed with an Ed25519 private key. The output is a "proof bundle" -- a self-contained JSON file that includes the action log, the hash chain, the signature, and the public key needed to verify it.
Getting Started
Install from PyPI:
pip install conduit-browser
Basic usage:
import asyncio
from conduit import ConduitBrowser
async def main():
async with ConduitBrowser() as browser:
page = await browser.new_page()
# Every action is recorded and hashed
await page.goto("https://example.com")
await page.click("a[href='/about']")
await page.screenshot(path="about.png")
# Get the proof bundle
proof = await browser.get_proof_bundle()
# Save it
with open("session_proof.json", "w") as f:
json.dump(proof, f, indent=2)
asyncio.run(main())
The proof bundle looks like this:
{
"session_id": "c3f8a...",
"actions": [
{
"type": "navigate",
"url": "https://example.com",
"timestamp": "2026-03-11T14:30:00Z",
"hash": "a1b2c3..."
},
{
"type": "click",
"selector": "a[href='/about']",
"timestamp": "2026-03-11T14:30:01Z",
"previous_hash": "a1b2c3...",
"hash": "d4e5f6..."
}
],
"chain_root": "d4e5f6...",
"signature": "ed25519_sig_...",
"public_key": "ed25519_pub_..."
}
Verifying a Proof Bundle
Verification is independent -- anyone can verify a proof bundle without trusting the party that created it:
from conduit import verify_proof_bundle
import json
with open("session_proof.json") as f:
proof = json.load(f)
result = verify_proof_bundle(proof)
if result.valid:
print("Chain intact, signature valid")
print(f"Actions: {result.action_count}")
print(f"Session duration: {result.duration}")
else:
print(f"Verification failed: {result.reason}")
The verifier checks two things:
- Hash chain integrity -- Recomputes every hash and confirms the chain is unbroken
- Signature validity -- Verifies the Ed25519 signature over the chain root using the embedded public key
MCP Server for AI Agents
Conduit ships as an MCP (Model Context Protocol) server. This means LLM-based agents -- Claude, GPT, or any MCP-compatible system -- can use Conduit natively through tool calls.
{
"mcpServers": {
"conduit": {
"command": "conduit-mcp",
"args": ["--stealth"]
}
}
}
Once configured, the agent gets access to tools like browse, click, fill, screenshot, and get_proof_bundle. The hash chain builds itself in the background. The agent doesn't need to manage the audit trail -- it just uses the browser and the proof is automatic.
Stealth Mode
An auditable browser that gets blocked isn't useful. Conduit includes stealth mode with common fingerprint evasion techniques: realistic viewport sizes, user-agent rotation, WebDriver flag masking, and other standard anti-detection measures. It's not a silver bullet against sophisticated bot detection, but it handles the common checks.
async with ConduitBrowser(stealth=True) as browser:
# Fingerprint evasion is active
page = await browser.new_page()
await page.goto("https://target-site.com")
Real-World Use Cases
Compliance automation: An agent processes GDPR data subject access requests. Each request involves logging into a portal, locating records, and exporting data. Conduit provides a proof bundle for each request that auditors can independently verify.
Web scraping provenance: A data provider scrapes pricing data for clients. Each scraping session produces a proof bundle proving exactly which pages were visited, when, and that the collected data matches what was on the page.
Agent marketplaces: A buyer hires an agent to perform research. The agent returns results plus a proof bundle. The buyer verifies the agent actually visited the claimed sources.
Litigation support: A law firm needs to capture the current state of a web page as evidence. Conduit provides a cryptographic chain of custody for the capture.
Open Source, No Strings
Conduit is MIT licensed. No API keys, no accounts, no telemetry. The cryptographic keys are generated locally. Proof bundles are self-contained -- verification requires no external service.
- GitHub: https://github.com/bkauto3/Conduit
- PyPI:
pip install conduit-browser - Docs: https://swarmsync.ai/conduit
Conduit is part of the SwarmSync ecosystem -- a set of open-source and commercial tools for building trustworthy AI agent systems. If you're building agents that interact with the real world, auditable tooling isn't a luxury. It's infrastructure.
Star the repo, try it out, and let me know what you build with it.
Top comments (0)