Provable AI · model-agnostic · witnessable
Don't trust the AI.
Deterministic, tamper-evident proof of what an AI decided, what it believed, and every claim it made — with a receipt you can check yourself. Shipped
Every claim on this page is either something you can check yourself right now, or it's labelled Roadmap. No adjective without a measurement. No claim without a record.
Seven questions · two minutes · you keep the witness receipt.
00 — what the moat actually is
You keep the receipt.
ShippedGRASP keeps the receipt for an AI decision. Three tamper-evident records, chained together: what it decided, what it believed when it decided, and proof of every claim it made.
None of the cryptography is new. GRASP is a recombination of primitives you already trust — hash chains, digital signatures, and public timestamping — assembled so a skeptic can independently confirm or refute the record without trusting us.
We say this openly: the parts are known. The moat is the composition — and that you can break it yourself.
01 — break the chain
Rewrite one decision. Watch every decision after it break.
ShippedThis is a live, signed decision ledger running in your browser. Every row's fingerprint is computed from the row before it — that's what "chained" means. Edit any cell and rewrite what the AI "decided". The break ripples down every later decision. That's cryptographic causation, not just tamper-evidence.
↳ edit any provider or model cell — rewrite what the AI 'decided'
← scroll to see hash + state →
| # | decision | provider | model | state | entry hash |
|---|---|---|---|---|---|
| 1 | route request to model | local-gateway | you@your-mac | ✓ signed | a1f0c3e9d2b47856… |
| 2 | ground claim in source | example-provider | demo-model-v1 | ✓ signed | 7b2d9e14a6f0c8b3… |
| 3 | approve draft reply | example-provider | demo-model-v1 | ✕ brokenfingerprint changed | c4e18a0f2d963b57… → 0091ff7a3c2e1d48… |
| 4 | escalate to human review | acme/widgets | demo-model-v1 | ✕ brokenparent no longer matches | 5a7c2f39e0b1d846… → voided |
| 5 | write memory of outcome | example-provider | demo-model-v1 | ✕ brokenparent no longer matches | e2b60d15a8f7c934… → voided |
Static preview — turn on JavaScript to break the chain yourself.
02 — cite.verify
A fake citation can't pass. It's arithmetic, not opinion.
ShippedWhen the AI quotes a source, GRASP checks — by exact string-match — whether that quote actually appears in the source it cited. A verbatim match is VERIFIED. A whitespace-flexible match is FUZZY. A quote that isn't there is NOT_FOUND. A hallucinated citation renders NOT_FOUND — it cannot pass. Both panels below run the check live in your browser.
What this proves: the quote is verbatim in the source you supplied. What it does not decide: whether that source is authentic, or whether the quote actually supports the claim — those are separate judgements. Shipped
03 — Bitcoin anchor
Committed to Bitcoin. Check it on your own phone.
PilotIn a pilot, a real Merkle root of AI decisions was committed to the public Bitcoin blockchain — batched on 2026-07-06, landing in block 956992, which was mined on 2026-07-07. Once it's in a block, it's as immutable as everything else in that block. 1,400+ confirmations and growing.
↗ mempool.space/block/956992 — 1,400+ confirmations and growingThis is pilot anchoring of a demonstration chain, not continuous production anchoring. Continuous production anchoring is on the roadmap. Pilot
04 — how it works
Three chains. One run. One receipt.
ShippedThe decision record
what it decided
What was decided, and on what basis. Hashed and chained to the one before it, rooted in a Merkle tree — change any past entry and the fingerprints downstream stop matching.
The belief / memory record
what it believed
A separate chain for what the system believed when it decided. One signs the decision; the other signs the memory formed from it — kept in two chains, not one.
The claim record
every quote checked to source
Proof that every outward claim checks out — that's cite.verify, above. A quote that isn't in its source resolves to NOT_FOUND and the claim does not go out.
05 — runs on any model
Any model. You can watch it choose.
ShippedEvery AI call goes through one stable interface that routes to whichever provider you choose — or a local open-weight model. By default, calls route through non-Anthropic providers, proven live on more than one machine.
When a provider is rate-limited or briefly unavailable, a sentinel catches the error, records a cooldown, and re-routes to the next provider. You get a successful answer and never see the failover.
Boundary: sovereignty is a property of the substrate — the layer that runs the models. The interactive coding harness itself runs on Anthropic; we don't pretend otherwise. Shipped
06 — same belief, different model
The same belief, whichever model wrote it.
ShippedA belief recorded under one model reads identically to the same belief recorded under another. A provider-neutral projector strips the model-specific wrapping and returns an identical semantic fingerprint regardless of which model produced the text.
Honestly: this shipped and passes its test suite. We have not yet measured how often it degrades on broad, real-world workloads — so we call it a demonstrated property, not a proven-at-scale guarantee. Shipped
07 — per-tenant Ed25519
Publicly verifiable signatures, when you want them.
ProvisionedBy default, records are signed HMAC-SHA256. When a tenant provisions its own keys, an Ed25519 asymmetric-signing path is selected automatically — signatures anyone can verify against a published public key.
Boundary: this is an available upgrade, not the default — and it is not active on GRASP's own demonstration chain. Provisioned
08 — finance post-quantum
Post-quantum: parity, not a party trick.
ProvisionedIn the Finance vertical, records are dual-signed with Ed25519 and ML-DSA-65 (the NIST FIPS-204 post-quantum standard). We hold this to be table-stakes — the serious competitors ship the same primitive. We're not going to tell you it's a moat. Provisioned
09 — the line, drawn by us
What we are not claiming.
- Not new cryptography. We recombine known primitives; we didn't invent a cipher.Shipped
- Not bitwise replay. We record court-admissible evidence-of-record and re-derive the decision — not a byte-identical model re-run. No system delivers that across different hardware, batching, and float implementations, and we won't claim it.Shipped
- Post-quantum is parity, not advantage.Provisioned
- Anchoring is a proven pilot, not continuous production.Pilot
- The self-witness demo is one node's own chain — single node, no network, not Bitcoin-anchored.Shipped
10 — win vs parity
Where we win — and where we're just even.
ShippedAcross the systems we surveyed, the deterministic verbatim-quote check has no equivalent — that's the specific place we win. The base receipt primitive and the post-quantum signing are parity. Our edge is the four-part recombination: a provider-agnostic inference envelope, a tamper-evident receipt, a separate belief chain, the reasoning bound into the receipt, and a deterministic citation floor on top.
We're specific about this so you can check it. The full competitive breakdown is in the whitepapers (request access below).
11 — why now
Why this matters now.
ShippedFrom August 2026, the EU AI Act requires tamper-evident logging (Article 12) and imposes high-risk obligations on systems that assess things like creditworthiness (Annex III). Both demand an audit trail of what an AI decided, when, and on what basis. GRASP's witness → sign → anchor chain is a direct technical response.
Boundary: the witness and sign layers are live today; the anchor layer is pilot-proven. We're not implying continuous production anchoring. Shipped Pilot
12 — on the record
Our own claims, on the record.
ShippedWe hold ourselves to the same standard we sell. Here's every claim on this page, with its status. In doubt, we downgrade.
| Claim | Status |
|---|---|
| Signed decision chain + separate belief chain + claim check, composed | Shipped |
| Deterministic cite.verify (fake citation can't pass) | Shipped |
| Hash-chained, Merkle-rooted, HMAC-SHA256 by default | Shipped |
| Non-Anthropic-by-default substrate + transparent failover | Shipped |
| Same-belief-different-model canonical fingerprint (not yet proven-at-scale) | Shipped |
| Bitcoin anchor of a pilot chain (block 956992) | Pilot |
| Per-tenant Ed25519 signing path | Provisioned |
| Finance post-quantum dual-sign (ML-DSA-65) | Provisioned |
| GRASP published as an open reference implementation under a copyleft licence (AGPL-3.0) | Shipped |
| Continuous production Bitcoin anchoring | Roadmap |
13 — open infrastructure, on purpose
ShippedOpen infrastructure, on purpose.
The private harness stays private. But the protocol and the reference infrastructure — the receipt engine, the signed decision forest with Merkle roots, the memory chain, the deterministic citation check, the specs, and a conformance test suite — are published as an open reference implementation, in their own repository under a copyleft licence. It is public and cloneable right now.
The licence is AGPL-3.0 (see LICENSE in the repo). Open for the commons; a separate commercial licence is available for closed-source and embedded use.
14 — quis custodiet ipsos custodes
Who watches the watchmen?
Juvenal's question is unanswerable as a tower: every guardian strong enough to watch the watchmen is itself a power that needs watching. Cryptographic causation doesn't build a taller tower — it pours a floor under all of them.
The watched leave a trace they cannot rewrite, anchored to a system no single power controls; anyone can check it, because the check is arithmetic and a public anchor, not an authority's say-so; and it binds a human to the decision — who authorised this, on what evidence, when. The watchmen are watched by the record itself, plus everyone's ability to read it.
Verification stops being a privilege of the powerful and becomes a capability of the weakest party in the room — the journalist, the whistleblower, the opposing counsel, the citizen, the historian a century later.
Who watches the watchmen? Everyone does — by witnessing. 'Don't trust it. Witness it.' is that answer, operationalised.
15 — verify without trusting us
Verify without trusting us.
ShippedThe green checkmarks on this site are a convenience, not the trust root. A web page you don't control can't be the reason you believe a record — so the check doesn't live here, and it doesn't belong to us.
The trust root is fourfold. One: a ~200-line standard-library Python script anyone can read in one sitting — no GRIP runtime, no network, no account: tools/grasp-verify-receipt in the public repo (it lands with the sibling pull request). Two: two independent verifier implementations — JavaScript and Python — that byte-agree on shared vectors, so you never have to trust a single implementation. Three: Bitcoin anchors, checked with the upstream OpenTimestamps client and any block explorer — none of our code involved. Four: the raw public ledger itself.
python3 tools/grasp-verify-receipt SPEC.json RECEIPT.json --root .
It re-hashes the deliverable and every pinned source, re-reads each citation quote at its recorded offsets, and recomputes the tally. Any tampered byte, shifted offset, or missing quote exits 1, loudly. For the Bitcoin leg:
pip install opentimestamps-client && ots verify <proof>.ots
One independent verifier in a thousand readers makes forgery unsafe for all thousand — the forger cannot know which of you will check.
16 — the declaration layer (TMIF)
Declared in TMIF. Proved by the engine.
ShippedTMIF (A Standard for Claiming Transparency and Falsifiability, draft-laurie-tmif-01 — Laurie et al., IETF Informational draft) is a JSON format in which a system declares, per threat, what it mitigates and how transparently — so an independent evaluator can go and verify. GRASP publishes its claims as a signed TMIF Claimant document: grasp/docs/tmif.md — the document, its RFC 7515 signature (Ed25519), and the verifying key, all in the public repo.
To be precise about the relationship: GRASP is not an implementation of TMIF. GRASP is the engine that produces tamper-evident records; TMIF is a declaration layer above it — and GRASP makes a natural reference Claimant precisely because its artifacts (the signed chain, this site's in-browser verifier, the Bitcoin anchor) are what TMIF directs evaluators to check. One divergence, stated openly: TMIF Claimants self-assert transparency levels. Under GRASP's exogenous-anchor rule a level is only worth what a third party can re-derive, so GRASP under-claims by policy — lower bound 3, with level 4 only where verification is a deterministic re-derivation you can run offline.
See it live: the engine sandbox can render any check you run as a TMIF claim — the "Output as TMIF claim" toggle under the signed decision.
17 — go deeper
You broke it here. Now drive it, and see it at scale.
Drive the real engine
do-it-yourself, in depth
You've seen the chain break here. Now run the HAPPI 1.3 cite.verify + Ed25519 causation sandbox yourself — ground a claim in its source and sign the verdict live.
Open the engine — /try →See it at ecosystem scale
see-it-at-scale
One node's chain broke on this page. Here is the live constellation — a witnessed view across nodes, each proving its own signed chain in the browser.
happiverse.grip-web.com ↗18 — request the whitepapers
Want the "how"? Request the whitepapers.
RoadmapThis page proves that it works — you just broke the chain yourself. The whitepapers explain how: the architecture, the competitive breakdown, and our full falsification perimeter. Because the "how" is genuinely sensitive, we deliver it per request under NDA rather than as an open download.