Skillget

pic-standard

mcp
Guvenlik Denetimi
Gecti
Health Gecti
  • License — License: Apache-2.0
  • Description — Repository has a description
  • Active repo — Last push 0 days ago
  • Community trust — 15 GitHub stars
Code Gecti
  • Code scan — Scanned 12 files during light audit, no dangerous patterns found
Permissions Gecti
  • Permissions — No dangerous permissions requested
Purpose
This tool provides a local-first security protocol for AI agents, designed to verify intent, provenance, and evidence before allowing high-impact actions or tool calls to execute. It acts as an action gate to prevent unauthorized tasks like prompt-triggered data exports or payments.

Security Assessment
The overall risk is rated as Low. A scan of the codebase found no hardcoded secrets, no dangerous system permissions requested, and no malicious code patterns. By design, the protocol works entirely locally with zero cloud connectivity or external network requests, ensuring no data leaves your machine. It acts as a safety layer rather than introducing sensitive data exposure risks or executing arbitrary shell commands.

Quality Assessment
The project appears to be actively maintained, with repository activity as recent as today. It is distributed under the permissive and standard Apache-2.0 license, making it safe for both personal and commercial use. While community adoption is still in its early stages (15 GitHub stars), the repository includes continuous integration (CI) pipelines, clear documentation, and a structured README, indicating professional development practices.

Verdict
Safe to use.
SUMMARY

The industry standard for Provenance & Intent Contracts (PIC) in Agentic AI. Bridging the Causal Gap in autonomous systems.

README.md

PIC Standard: Provenance & Intent Contracts

Local-first action gating for AI agents. Verify intent, provenance, and evidence before any high-impact tool call executes.

PyPI version
PyPI downloads
CI
Last commit
GitHub stars
License

PIC is a lightweight, local-first protocol that forces AI agents to prove every important action before it happens. Agents must declare intent, impact, provenance, and evidence; PIC verifies everything and fails closed if anything is wrong.

No more hallucinations turning into wire transfers. No more prompt injections triggering data exports.

Example — when PIC blocks: A Slack message asks an LLM agent to send a $500 payment. PIC requires the agent to prove: where did this instruction come from? Is the source trusted? Is there evidence the invoice is real? The Slack message carries no trusted provenance, the claim has no backing evidence — PIC returns block. The payment tool never executes.

Table of Contents

Why PIC?

Guardrails constrain what the model says. PIC constrains what the agent is allowed to do based on verifiable provenance + evidence.

PIC is built for agent frameworks, internal tool gateways, and production systems where high-impact actions must be justified before execution.

  • Stops prompt injections & blind tool calls at the action boundary
  • Works 100% locally: zero cloud, zero data leaves your machine
  • Plugs into your stack in minutes: LangGraph, MCP, OpenClaw, Cordum
  • Open-source (Apache 2.0): audit it, fork it, own it

Quickstart

Try the verifier locally against a sample high-impact proposal in under a minute.

pip install pic-standard

# Verify an example proposal
pic-cli verify examples/financial_irreversible.json

# Evidence-aware verification (hash)
pic-cli verify examples/financial_hash_ok.json --verify-evidence

# Evidence-aware verification (signature — requires example keyring)
# macOS / Linux
PIC_KEYS_PATH=pic_keys.example.json pic-cli verify examples/financial_sig_ok.json --verify-evidence
# PowerShell
# $env:PIC_KEYS_PATH="pic_keys.example.json"
# pic-cli verify examples/financial_sig_ok.json --verify-evidence

Optional extras:

pip install "pic-standard[langgraph]"  # LangGraph PICToolNode
pip install "pic-standard[mcp]"        # MCP tool guarding
pip install "pic-standard[crypto]"     # Ed25519 signature evidence

From source (contributors):

git clone https://github.com/madeinplutofabio/pic-standard.git
cd pic-standard && pip install -e ".[langgraph,mcp,crypto]"
pytest -q

The PIC Contract

PIC is enforced at the moment before tool execution. The agent must emit a structured Action Proposal that can be validated, verified, and bound to the intended tool.

Field Purpose
intent What the agent is trying to do
impact Risk class: money, privacy, irreversible, compute, ...
provenance Which inputs influenced the decision (with trust levels)
claims + evidence What the agent asserts and the evidence backing it
action The actual tool call (tool binding)

Rule: For high-impact proposals, at least one claim must reference evidence from trusted provenance. Fail-closed.

How It Works

graph TD
    A[Untrusted Input] --> B{AI Agent / Planner}
    C[Trusted Data/DB] --> B
    B --> D[Action Proposal JSON]
    D --> E[PIC Verifier]
    E --> F{Valid Contract?}
    F -- Yes --> G[Tool Executor]
    F -- No --> H[Blocked / Alert Log]

Evidence Verification

PIC supports deterministic evidence verification that upgrades provenance trust in-memory.

Type Description
hash SHA-256 verification of file artifacts (file://...)
sig Ed25519 signature verification via trusted keyring

Ed25519 signature verification requires pip install "pic-standard[crypto]".

# Verify hash evidence
pic-cli verify examples/financial_hash_ok.json --verify-evidence

# Verify signature evidence (requires keyring)
# macOS / Linux
PIC_KEYS_PATH=pic_keys.example.json pic-cli verify examples/financial_sig_ok.json --verify-evidence
# PowerShell
# $env:PIC_KEYS_PATH="pic_keys.example.json"
# pic-cli verify examples/financial_sig_ok.json --verify-evidence

Full guide: docs/evidence.md

Keyring (Trusted Signers)

Signature evidence requires a keyring of trusted public keys with expiry and revocation support.

pic-cli keys                        # Inspect current keyring
pic-cli keys --write-example        # Generate starter keyring

Custom resolvers (v0.7+): As of v0.7, trust resolution is injectable and local-first. PIC no longer reloads the default keyring per signature, and custom resolvers can plug into the verifier and pipeline directly. Implement the KeyResolver protocol to use your own trust backend or preloaded trust source (HSM-backed service, Vault-managed keys, cached remote keyring, etc.):

from pic_standard import KeyResolver, StaticKeyRingResolver

Trust controls (v0.7.5+): PIC v0.7.5 introduces strict_trust mode — when enabled, all inbound provenance trust is sanitized to "untrusted" and only evidence verification can upgrade it. See docs/migration-trust-sanitization.md for migration guide.

Full guide: docs/keyring.md

Integrations

LangGraph

Guard any tool node with PICToolNode:

pip install "pic-standard[langgraph]"

PICToolNode now accepts verify_evidence, strict_trust, policy, and key_resolver for full pipeline configuration (v0.7.5+).

MCP (Model Context Protocol)

Enterprise tool guarding with fail-closed defaults, request correlation, DoS limits, and evidence sandboxing:

pip install "pic-standard[mcp]"

Full guide: docs/mcp-integration.md

OpenClaw

TypeScript plugin for OpenClaw AI agents (pic-gate, pic-init, pic-audit hooks):

pic-cli serve --port 7580
cd integrations/openclaw && npm install && npm run build

Full guide: docs/openclaw-integration.md

Cordum

Go Pack providing PIC verification as a Cordum workflow gate step with fail-closed three-way routing.

Full guide: docs/cordum-integration.md

HTTP Bridge (any language)

For non-Python integrations, PIC exposes an HTTP bridge:

pic-cli serve --port 3100
# POST /verify   — verify an action proposal
# GET  /health   — liveness check
# GET  /v1/version — package + protocol version

RFC & Prior Art

RFC-0001: PIC/1.0 — Provenance & Intent Contracts for AI Agent Action Safety

Formal specification covering scope, threat model, security properties, conformance levels, and prior art differentiation. Published as a defensive publication with a SHA-256 fingerprint manifest: docs/RFC-0001.SHA256.

Verify locally: sha256sum -c docs/RFC-0001.SHA256

Roadmap

  • Core verifier, CLI, schema, policy system
  • Evidence verification (SHA-256 hash + Ed25519 signatures)
  • Anchor integrations (LangGraph, MCP, OpenClaw, Cordum)
  • Injectable key resolution + hot path fix (v0.7)
  • Trust hardening + attestation object draft (v0.7.5)
  • Canonicalization spec (PIC Canonical JSON v1)
  • Conformance suite with cross-implementation test vectors
  • Normative semantics (MUST/SHOULD spec document)
  • OpenAPI spec + guard hardening (structured audit logs, request correlation)
  • TypeScript local verifier (second independent implementation)

Contributing

We welcome contributions! See CONTRIBUTING.md for how to propose changes or report issues.

We're actively seeking:

  • Security researchers to stress-test causal logic
  • Framework authors to build native integrations
  • Enterprise architects to define domain Impact Classes

Good first contribution areas right now: conformance vectors, OpenAPI spec, TS verifier groundwork, and security review of trust sanitization behavior.

If you find PIC useful, please consider giving us a star on GitHub: it helps attract more security experts and framework authors into the community.

Issues & ideas: GitHub Issues

Maintained by Linkedin @fmsalvadori
 
GitHub MadeInPluto

Yorumlar (0)

Sonuc bulunamadi