Skip to content

The engine beneath the product

An open-source governance engine for validated autonomous action, in any regulated industry.

MakerChecker is the control layer that lets an AI agent take a real, irreversible action on regulated work and prove, to an auditor who trusts nothing, that it stayed inside the limits a named human set. Our drug-safety product is the first thing built on it. It is not the last. Deny-by-default version-pinned skills, identity-bound segregation of duties, transactional co-commit, a hash-chained Ed25519-signed audit verified offline, self-hosted, air-gapped-capable, yours to read line by line.

Every regulated industry is about to face the same question: can an AI agent be allowed to act on its own? The answer is the same everywhere, only if it can prove a named human was accountable and the record cannot be forged. Drug safety is where we start. The engine governs any agent that can take an action it cannot take back.

The primitives

Six controls between any agent and anything it cannot take back.

The same controls the drug-safety product is built on, named at the engine level. They are general because the question they answer, who was accountable and can the record be forged, is general.

Deny by default

Version-pinned skills

An agent can do nothing until a skill is granted to its role, and a grant is pinned to one version. The capability set is explicit, auditable, and small by construction. Nothing standing, nothing implicit.

Identity-bound

Segregation of duties

The identity that proposed an action is barred in code from approving it. Maker cannot be checker. This is not a policy in an SOP; it is a structural rule the engine enforces before the action runs.

Fail closed

Limits and gates

Over a budget, past a rate, or against a duty rule, the action is denied before the tool runs. The decisions a human marks high-risk stop for a named, authenticated person who signs, with the reason recorded word for word.

One transaction

Transactional co-commit

The state change and its audit event commit in a single database transaction. "Acted but did not log" cannot happen, because there is no path where one lands without the other.

Tamper-evident

Hash-chained, Ed25519-signed

Every step is appended to a hash-chained, signed record. Change one row and the chain breaks, and the verifier points at the altered entry. The record is evidence, not a log you have to trust.

No trust required

Verified offline

The audit format is published and open. An auditor re-derives it from the spec, in any language, with us nowhere in the loop. You trust the proof because you can recompute it, not because we wrote it.

AI agent

Proposes a consequential action

Assess seriousnessCode a termSubmit to FDA (E2B)Close a case

MakerChecker gate

  • Granted skill

    Deny by default. Only the skills you grant, at your tier.

  • Independent sign-off

    The proposer cannot approve. A second human signs off.

  • Signed audit

    Proof

    Every step written to a tamper-evident, signed record.

Refused

Ungranted skill or self-approval is blocked

Refused before it runs. Not flagged after.

Only then

The action runs

always written

Audit pack

Hash-chained, Ed25519-signed evidence

Regulator

Verifies it offline, without trusting us

Chain verified

Ed25519 · verified offline

Wrap, don't migrate

Put an agent you already built behind the engine in a few lines.

No re-platforming. Point the SDK at your self-hosted control plane, wrap the tools your agent already calls, same names and same schemas, and ship. A denied action stops before it runs; every call is signed into the audit. Typed connectors ship for LangChain and the Claude Agent SDK; CrewAI, LlamaIndex, and AutoGen connect through the generic SDK wrapper.

import { createClient } from "@makerchecker/sdk";
import { governLangChainTool } from "@makerchecker/connector-langchain";


// Point at your own self-hosted MakerChecker. We never see your data.
const mc = createClient({ baseUrl: process.env.MAKERCHECKER_URL });
const { session } = await mc.proxy.openSession({ label: "run" });


// Wrap a tool your agent already has. Its name and schema do not change.
const act = governLangChainTool(
  mc,
  { sessionId: session.id, agentName: "agent", skillRef: "skill@1" },
  rawTool,
);


// The agent calls it normally. A denied action throws before the tool
// runs, and every call is signed into the audit chain.
await act.invoke({ input });

The honest connector story: typed connectors, the generic wrapper, proxy sessions and flow gates →

Built once, proven across domains

Same engine, same proof, a different skill and a different regulation.

These are already-shipped examples in the open repo, not a roadmap. Read the code before you trust the claim.

  • Pharmacovigilance

    Governed ICSR triageFront door

    The front door. The agent processes routine adverse-event cases; every clock-affecting seriousness or expectedness call routes to a named safety physician who signs.

    See the drug-safety product →

  • Medtech

    MDR device-complaint reportability

    The agent triages the complaint queue; the reportability disposition that starts the 30-day MDR clock stays a named regulatory-affairs decision.

    See the life-sciences page →

  • Clinical data

    EDC query resolution and reconciliation

    The agent closes the confirmation-only query classes; reconciling a value or locking the database routes to a named human who signs.

    See the use cases →

  • Supply chain

    Cold-chain disposition

    The agent catches an excursion and quarantines the affected lots; release-or-destroy belongs to a named qualified person.

    See the use cases →

  • Financial services

    AML triage and reconciliation

    The agent triages alerts and prepares reconciliations; the SAR decision stays off the identity that raised the alert.

    See the financial-services page →

Why open source is the point

A governance claim you cannot read is just a vendor asking for trust.

The whole point of this engine is that you do not have to trust us. That only holds if you can read it. The control plane, the connectors, and the audit verifier are open source, so your validation team reads every line before anything touches a real action, and your security review runs against the actual code, not a datasheet.

It is self-hosted and runs inside your perimeter, air-gapped if validation requires it, on your own Postgres. The audit format is published and open, so the proof an auditor checks is re-derivable from a spec, with us nowhere in the loop.

Read the engine on GitHubSee the proof
Runs on
Your infrastructure
Deployment
Self-hosted, air-gapped
Database
Your own Postgres
Phones home
Never
Audit format
Published, open
Records
Hash-chained, Ed25519-signed

Open source · MCP-native skills · works with the AI agents your teams already build.

One engine, many doors

Read the engine. See the product. Then talk to the team.

The drug-safety product is the first thing built on this engine. Read the code that governs it, watch it stop an agent and verify the signed evidence yourself, and tell us which one-way door in your world you would point it at next.

Read the engine on GitHubSee the productTalk to the team

Self-hosted, open source, designed against the rules your auditors already enforce.