Provable AI · model-agnostic · witnessable

Don't trust the AI.

Witness it.

Deterministic, tamper-evident proof of what an AI decided, what it believed, and every claim it made — with a receipt you can check yourself. Shipped

Every claim on this page is either something you can check yourself right now, or it's labelled Roadmap. No adjective without a measurement. No claim without a record.

Seven questions · two minutes · you keep the witness receipt.

Tamper-evidentReplayableModel-agnosticSelf-witnessed

00 — what the moat actually is

You keep the receipt.

Shipped

GRASP keeps the receipt for an AI decision. Three tamper-evident records, chained together: what it decided, what it believed when it decided, and proof of every claim it made.

None of the cryptography is new. GRASP is a recombination of primitives you already trust — hash chains, digital signatures, and public timestamping — assembled so a skeptic can independently confirm or refute the record without trusting us.

We say this openly: the parts are known. The moat is the composition — and that you can break it yourself.

01 — break the chain

Rewrite one decision. Watch every decision after it break.

Shipped

This is a live, signed decision ledger running in your browser. Every row's fingerprint is computed from the row before it — that's what "chained" means. Edit any cell and rewrite what the AI "decided". The break ripples down every later decision. That's cryptographic causation, not just tamper-evidence.

Chain intact — all 5 decisions signed and matching.
signed decision ledger — metadata only, no message content

↳ edit any provider or model cell — rewrite what the AI 'decided'

← scroll to see hash + state →

#decisionprovidermodelstateentry hash
1route request to modellocal-gatewayyou@your-mac✓ signeda1f0c3e9d2b47856…
2ground claim in sourceexample-providerdemo-model-v1✓ signed7b2d9e14a6f0c8b3…
3approve draft replyexample-providerdemo-model-v1✕ brokenfingerprint changedc4e18a0f2d963b57… → 0091ff7a3c2e1d48…
4escalate to human reviewacme/widgetsdemo-model-v1✕ brokenparent no longer matches5a7c2f39e0b1d846… → voided
5write memory of outcomeexample-providerdemo-model-v1✕ brokenparent no longer matchese2b60d15a8f7c934… → voided
BROKEN — a past decision was rewritten; every decision after it stopped matching. Root signature void.

Static preview — turn on JavaScript to break the chain yourself.

This is a demonstration chain signed with a throwaway test key in your browser — not a production node. But the hashing and the cascade are the real thing: this is exactly how a signed decision chain behaves when someone edits the past. Single node · no network · not Bitcoin-anchored. Shipped

02 — cite.verify

A fake citation can't pass. It's arithmetic, not opinion.

Shipped

When the AI quotes a source, GRASP checks — by exact string-match — whether that quote actually appears in the source it cited. A verbatim match is VERIFIED. A whitespace-flexible match is FUZZY. A quote that isn't there is NOT_FOUND. A hallucinated citation renders NOT_FOUND — it cannot pass. Both panels below run the check live in your browser.

A real quote in the supplied source
Claim: Claims are time-barred after one year.
"any claim under this agreement must be brought within twelve months"
A fabricated quote
Claim: The supplier accepts unlimited liability.
"the supplier accepts unlimited liability for all losses without cap"

What this proves: the quote is verbatim in the source you supplied. What it does not decide: whether that source is authentic, or whether the quote actually supports the claim — those are separate judgements. Shipped

03 — Bitcoin anchor

Committed to Bitcoin. Check it on your own phone.

Pilot

In a pilot, a real Merkle root of AI decisions was committed to the public Bitcoin blockchain — batched on 2026-07-06, landing in block 956992, which was mined on 2026-07-07. Once it's in a block, it's as immutable as everything else in that block. 1,400+ confirmations and growing.

↗ mempool.space/block/9569921,400+ confirmations and growing

This is pilot anchoring of a demonstration chain, not continuous production anchoring. Continuous production anchoring is on the roadmap. Pilot

04 — how it works

Three chains. One run. One receipt.

Shipped
01

The decision record

what it decided

What was decided, and on what basis. Hashed and chained to the one before it, rooted in a Merkle tree — change any past entry and the fingerprints downstream stop matching.

02

The belief / memory record

what it believed

A separate chain for what the system believed when it decided. One signs the decision; the other signs the memory formed from it — kept in two chains, not one.

03

The claim record

every quote checked to source

Proof that every outward claim checks out — that's cite.verify, above. A quote that isn't in its source resolves to NOT_FOUND and the claim does not go out.

They compose. A single run writes into both the decision chain and the memory chain — enforced by a test, not a promise. Records are hash-chained, Merkle-rooted (RFC-6962 root with O(log N) inclusion proofs), and signed HMAC-SHA256 by default.

05 — runs on any model

Any model. You can watch it choose.

Shipped

Every AI call goes through one stable interface that routes to whichever provider you choose — or a local open-weight model. By default, calls route through non-Anthropic providers, proven live on more than one machine.

When a provider is rate-limited or briefly unavailable, a sentinel catches the error, records a cooldown, and re-routes to the next provider. You get a successful answer and never see the failover.

Boundary: sovereignty is a property of the substrate — the layer that runs the models. The interactive coding harness itself runs on Anthropic; we don't pretend otherwise. Shipped

06 — same belief, different model

The same belief, whichever model wrote it.

Shipped

A belief recorded under one model reads identically to the same belief recorded under another. A provider-neutral projector strips the model-specific wrapping and returns an identical semantic fingerprint regardless of which model produced the text.

Honestly: this shipped and passes its test suite. We have not yet measured how often it degrades on broad, real-world workloads — so we call it a demonstrated property, not a proven-at-scale guarantee. Shipped

07 — per-tenant Ed25519

Publicly verifiable signatures, when you want them.

Provisioned

By default, records are signed HMAC-SHA256. When a tenant provisions its own keys, an Ed25519 asymmetric-signing path is selected automatically — signatures anyone can verify against a published public key.

Boundary: this is an available upgrade, not the default — and it is not active on GRASP's own demonstration chain. Provisioned

08 — finance post-quantum

Post-quantum: parity, not a party trick.

Provisioned

In the Finance vertical, records are dual-signed with Ed25519 and ML-DSA-65 (the NIST FIPS-204 post-quantum standard). We hold this to be table-stakes — the serious competitors ship the same primitive. We're not going to tell you it's a moat. Provisioned

09 — the line, drawn by us

What we are not claiming.

  • Not new cryptography. We recombine known primitives; we didn't invent a cipher.Shipped
  • Not bitwise replay. We record court-admissible evidence-of-record and re-derive the decision — not a byte-identical model re-run. No system delivers that across different hardware, batching, and float implementations, and we won't claim it.Shipped
  • Post-quantum is parity, not advantage.Provisioned
  • Anchoring is a proven pilot, not continuous production.Pilot
  • The self-witness demo is one node's own chain — single node, no network, not Bitcoin-anchored.Shipped

10 — win vs parity

Where we win — and where we're just even.

Shipped

Across the systems we surveyed, the deterministic verbatim-quote check has no equivalent — that's the specific place we win. The base receipt primitive and the post-quantum signing are parity. Our edge is the four-part recombination: a provider-agnostic inference envelope, a tamper-evident receipt, a separate belief chain, the reasoning bound into the receipt, and a deterministic citation floor on top.

We're specific about this so you can check it. The full competitive breakdown is in the whitepapers (request access below).

11 — why now

Why this matters now.

Shipped

From August 2026, the EU AI Act requires tamper-evident logging (Article 12) and imposes high-risk obligations on systems that assess things like creditworthiness (Annex III). Both demand an audit trail of what an AI decided, when, and on what basis. GRASP's witness → sign → anchor chain is a direct technical response.

Boundary: the witness and sign layers are live today; the anchor layer is pilot-proven. We're not implying continuous production anchoring. Shipped Pilot

12 — on the record

Our own claims, on the record.

Shipped

We hold ourselves to the same standard we sell. Here's every claim on this page, with its status. In doubt, we downgrade.

ClaimStatus
Signed decision chain + separate belief chain + claim check, composedShipped
Deterministic cite.verify (fake citation can't pass)Shipped
Hash-chained, Merkle-rooted, HMAC-SHA256 by defaultShipped
Non-Anthropic-by-default substrate + transparent failoverShipped
Same-belief-different-model canonical fingerprint (not yet proven-at-scale)Shipped
Bitcoin anchor of a pilot chain (block 956992)Pilot
Per-tenant Ed25519 signing pathProvisioned
Finance post-quantum dual-sign (ML-DSA-65)Provisioned
GRASP published as an open reference implementation under a copyleft licence (AGPL-3.0)Shipped
Continuous production Bitcoin anchoringRoadmap

13 — open infrastructure, on purpose

Shipped

Open infrastructure, on purpose.

The private harness stays private. But the protocol and the reference infrastructure — the receipt engine, the signed decision forest with Merkle roots, the memory chain, the deterministic citation check, the specs, and a conformance test suite — are published as an open reference implementation, in their own repository under a copyleft licence. It is public and cloneable right now.

The licence is AGPL-3.0 (see LICENSE in the repo). Open for the commons; a separate commercial licence is available for closed-source and embedded use.

github.com/CodeTonight-SA/grasp — AGPL-3.0, public →

14 — quis custodiet ipsos custodes

Who watches the watchmen?

Juvenal's question is unanswerable as a tower: every guardian strong enough to watch the watchmen is itself a power that needs watching. Cryptographic causation doesn't build a taller tower — it pours a floor under all of them.

The watched leave a trace they cannot rewrite, anchored to a system no single power controls; anyone can check it, because the check is arithmetic and a public anchor, not an authority's say-so; and it binds a human to the decision — who authorised this, on what evidence, when. The watchmen are watched by the record itself, plus everyone's ability to read it.

Verification stops being a privilege of the powerful and becomes a capability of the weakest party in the room — the journalist, the whistleblower, the opposing counsel, the citizen, the historian a century later.

Who watches the watchmen? Everyone does — by witnessing. 'Don't trust it. Witness it.' is that answer, operationalised.

15 — verify without trusting us

Verify without trusting us.

Shipped

The green checkmarks on this site are a convenience, not the trust root. A web page you don't control can't be the reason you believe a record — so the check doesn't live here, and it doesn't belong to us.

The trust root is fourfold. One: a ~200-line standard-library Python script anyone can read in one sitting — no GRIP runtime, no network, no account: tools/grasp-verify-receipt in the public repo (it lands with the sibling pull request). Two: two independent verifier implementations — JavaScript and Python — that byte-agree on shared vectors, so you never have to trust a single implementation. Three: Bitcoin anchors, checked with the upstream OpenTimestamps client and any block explorer — none of our code involved. Four: the raw public ledger itself.

python3 tools/grasp-verify-receipt SPEC.json RECEIPT.json --root .

It re-hashes the deliverable and every pinned source, re-reads each citation quote at its recorded offsets, and recomputes the tally. Any tampered byte, shifted offset, or missing quote exits 1, loudly. For the Bitcoin leg:

pip install opentimestamps-client && ots verify <proof>.ots

One independent verifier in a thousand readers makes forgery unsafe for all thousand — the forger cannot know which of you will check.

16 — the declaration layer (TMIF)

Declared in TMIF. Proved by the engine.

Shipped

TMIF (A Standard for Claiming Transparency and Falsifiability, draft-laurie-tmif-01 — Laurie et al., IETF Informational draft) is a JSON format in which a system declares, per threat, what it mitigates and how transparently — so an independent evaluator can go and verify. GRASP publishes its claims as a signed TMIF Claimant document: grasp/docs/tmif.md — the document, its RFC 7515 signature (Ed25519), and the verifying key, all in the public repo.

To be precise about the relationship: GRASP is not an implementation of TMIF. GRASP is the engine that produces tamper-evident records; TMIF is a declaration layer above it — and GRASP makes a natural reference Claimant precisely because its artifacts (the signed chain, this site's in-browser verifier, the Bitcoin anchor) are what TMIF directs evaluators to check. One divergence, stated openly: TMIF Claimants self-assert transparency levels. Under GRASP's exogenous-anchor rule a level is only worth what a third party can re-derive, so GRASP under-claims by policy — lower bound 3, with level 4 only where verification is a deterministic re-derivation you can run offline.

See it live: the engine sandbox can render any check you run as a TMIF claim — the "Output as TMIF claim" toggle under the signed decision.

18 — request the whitepapers

Want the "how"? Request the whitepapers.

Roadmap

This page proves that it works — you just broke the chain yourself. The whitepapers explain how: the architecture, the competitive breakdown, and our full falsification perimeter. Because the "how" is genuinely sensitive, we deliver it per request under NDA rather than as an open download.