PIC Standard: Provenance & Intent Contracts
Lightweight, local-first protocol that forces AI agents to prove every important action before it happens.
Guardrails constrain what the model says. PIC constrains what the agent is allowed to do, based on verifiable provenance and evidence.
PIC is a lightweight, local-first protocol that forces AI agents to prove every high-impact action before it happens. Agents must declare intent, risk, provenance, and evidence; PIC verifies everything and fails closed if anything is wrong.
No more hallucinations turning into wire transfers. No more prompt injections triggering data exports.
Example: An LLM agent decides to send a $500 payment based on a user message. PIC requires the agent to prove: where did this instruction come from? Is the source trusted? Is there evidence the invoice is real? If any answer is missing or wrong, the action is blocked before it reaches the payment API.
Why PIC?
PIC is built for agent frameworks, internal tool gateways, and production systems where high-impact actions must be justified before execution.
Stops prompt injections & blind tool calls at the action boundary
Works 100% locally: zero cloud, zero data leaves your machine
Plugs into your stack in minutes: LangGraph, MCP, OpenClaw, Cordum
Open-source (Apache 2.0): audit it, fork it, own it
Quickstart
Try the verifier locally against a sample high-impact proposal in under a minute.
pip install pic-standard
# Verify an example proposal
pic-cli verify examples/financial_irreversible.json
# ✅ Schema valid
# ✅ Verifier passed
Optional extras:
pip install "pic-standard[langgraph]" # LangGraph PICToolNode
pip install "pic-standard[mcp]" # MCP tool guarding
pip install "pic-standard[crypto]" # Ed25519 signature evidence
The PIC Contract
PIC is enforced at the moment before tool execution. The agent must emit a structured Action Proposal that can be validated, verified, and bound to the intended tool.
intent - What the agent is trying to do
impact - Risk class: money, privacy, irreversible, compute, ...
provenance - Which inputs influenced the decision (with trust levels)
claims + evidence - What the agent asserts and the evidence backing it
action - The actual tool call (tool binding)
Evidence Verification
PIC supports deterministic evidence verification that upgrades provenance trust in-memory.
hash - SHA-256 verification of file artifacts (file://...)
sig - Ed25519 signature verification via trusted keyring
Ed25519 signature verification requires pip install "pic-standard[crypto]" and a configured keyring.
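To make the contract and the hash evidence type concrete, the following is an added sketch of a fail-closed gate; it is not the pic-standard implementation or its schema. It checks required fields and tool binding, verifies SHA-256 file evidence, upgrades trust in memory only, and blocks a high-impact action whose claims lack trusted provenance. The nested field names (id, trust, sources, provenance_id, path, sha256, tool), the trust labels, the tool names and the choice of which impact classes count as high-impact are assumptions for illustration.

```python
import hashlib, pathlib, tempfile

HIGH_IMPACT = {"money", "privacy", "irreversible"}  # assumed high-impact classes
REQUIRED = ("intent", "impact", "provenance", "claims", "evidence", "action")

def verify(proposal, expected_tool):
    """Return (allowed, reason); any missing field, mismatch or error blocks."""
    try:
        missing = [k for k in REQUIRED if k not in proposal]
        if missing:
            return False, f"missing fields: {missing}"
        # Tool binding: the proposal must name the tool about to be executed.
        if proposal["action"]["tool"] != expected_tool:
            return False, "tool binding mismatch"
        trust = {p["id"]: p["trust"] for p in proposal["provenance"]}  # in-memory copy
        for ev in proposal["evidence"]:
            if ev["type"] != "hash" or ev["provenance_id"] not in trust:
                return False, "unsupported or unbound evidence"
            digest = hashlib.sha256(pathlib.Path(ev["path"]).read_bytes()).hexdigest()
            if digest != ev["sha256"]:
                return False, "hash evidence mismatch"
            trust[ev["provenance_id"]] = "trusted"  # verified: upgrade
        if proposal["impact"] in HIGH_IMPACT:  # each claim needs a trusted source
            ok = [any(trust.get(s) == "trusted" for s in c["sources"])
                  for c in proposal["claims"]]
            if not (ok and all(ok)):
                return False, "claim without trusted provenance"
        return True, "ok"
    except Exception as exc:  # malformed proposal, unreadable file: fail closed
        return False, f"verifier error: {type(exc).__name__}"

def demo():
    """Constructed sample: a $500 payment justified by an invoice file."""
    with tempfile.TemporaryDirectory() as d:
        path = pathlib.Path(d, "invoice.txt")
        path.write_bytes(b"INVOICE 0001 amount=500 USD (constructed sample)")
        good = hashlib.sha256(path.read_bytes()).hexdigest()
        def proposal(sha):  # field names below are hypothetical, not PIC's schema
            return {"intent": "pay invoice", "impact": "money",
                    "provenance": [{"id": "invoice", "trust": "untrusted"}],
                    "claims": [{"text": "invoice is real", "sources": ["invoice"]}],
                    "evidence": [{"type": "hash", "provenance_id": "invoice",
                                  "path": str(path), "sha256": sha}],
                    "action": {"tool": "payments_send", "args": {"amount": 500}}}
        cases = [(good, "payments_send"), ("0" * 64, "payments_send"), (good, "data_export")]
        return [verify(proposal(sha), tool) for sha, tool in cases]

if __name__ == "__main__":
    print(demo())
```

The three demo cases are a valid proposal, the same proposal with a wrong digest, and the same proposal presented to a different tool; only the first is allowed.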
Keyring (Trusted Signers)
Signature evidence requires a keyring of trusted public keys with expiry and revocation support.
pic-cli keys # Inspect current keyring
pic-cli keys --write-example # Generate starter keyring
# Inject a different org's keyring at runtime — no code changes, no redeploy
$env:PIC_KEYS_PATH = "path\to\org-b-keys.json"
pic-cli keys
Custom resolvers (v0.7+): Trust resolution is injectable and local-first. Implement the KeyResolver protocol to plug in your own trust backend: HSM-backed service, Vault-managed keys, cached remote keyring, and so on:
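from typing import Optional
from pic_standard import KeyResolver, StaticKeyRingResolver

# KeyStatus also needs importing (its module is not shown here); my_kms is a placeholder for your KMS client.
class MyResolver:
    def get_key(self, key_id: str) -> Optional[bytes]:
        # Public key bytes for key_id, or None
        return my_kms.get_public_key(key_id)

    def key_status(self, key_id: str) -> KeyStatus:
        # Status of the key as reported by the KMS
        return my_kms.check_status(key_id)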
Integrations
LangGraph: Guard any tool node with PICToolNode:
pip install "pic-standard[langgraph]"
MCP (Model Context Protocol): Enterprise tool guarding with fail-closed defaults, request correlation, DoS limits, and evidence sandboxing:
pip install "pic-standard[mcp]"
OpenClaw: TypeScript plugin for OpenClaw AI agents (pic-gate, pic-init, pic-audit hooks):
pic-cli serve --port 7580
cd integrations/openclaw && npm install && npm run build
Cordum: Go Pack providing PIC verification as a Cordum workflow gate step with fail-closed three-way routing.
HTTP Bridge (any language): For non-Python integrations, PIC exposes an HTTP bridge:
pic-cli serve --port 3100
# POST /verify — verify an action proposal
# GET /health — liveness check
# GET /v1/version — package + protocol version