Apache 2.0 · Single-tenant · Air-gappable — coming soon
Coming soon — v0 in private beta
provenant / v0

Every number your agent emits,
traced to source.

An open-source enforcement kernel for LLM agents in financial services. Every numeric output is bound to a verifiable computation chain — or it never leaves the system.

Agent answer
Provenance chain
$237.42 calc.subtract
└− $1,247,322.18 ledger.get_balance
postgres://gl row 4821
└− $1,247,084.76 extract.bank_statement
BS-05-26.pdf page 12
Chain 7f3a91… · Replay bit-identical · Bypass impossible
Integration

One kernel. Multiple entry points.

The problem

Logging is not provenance.

Agent frameworks record what the agent said. Model risk reviewers ask how each number was derived. These are different questions, and most frameworks only answer the first one.

What your agent outputs
“Cash unreconciled is $237.42.”
Plausible
Document citation present
Per-value derivation trace
Independently replayable
Tamper-evident record
What a reviewer asks

“Where did $237.42 come from? Who computed it? Show me the chain. Replay it.”

Model risk guidance (FINRA 2026, SR 11-7) places the burden of proof on the firm. A plausible-looking number with no verifiable derivation is not evidence — it is exposure.

A reconciliation, end to end

Three spreadsheets, one defensible number.

A complete Provenant run — three real source files in, one operating-income figure out, every dollar tied to its exact origin.

xlsx
Revenue_Q1
ledger.get_balance
487 rows · $4,512,847.00
csv
Payroll_Q1
payroll.export
211 rows · $1,247,892.42
xlsx
AP_Expenses
ap.subledger
1,903 rows · $417,562.40
reconcile.match
calc.subtract
14 tokens minted
0 ungrounded numbers
0 schema violations
Operating income
$0.00
submit_answer
Audit chain
$2,847,392.18 calc.subtract
└− $4,512,847.00 Revenue_Q1.xlsx
rows 12–487 · sha256 a3f9…
└− $1,247,892.42 Payroll_Q1.csv
rows 4–211 · sha256 7c1b…
└− $417,562.40 AP_Expenses.xlsx
rows 8–1903 · sha256 2e8d…
How it works

Three invariants. One Go kernel.

The kernel sits between your agent and its output channel. Every numeric release passes through the same enforcement gate, regardless of host framework or model provider.

emit $237.42
token t_001 minted
tool ledger.get_balance
src postgres://gl row 4821
✓ grounded · replayable
01
Token-level grounding
Every emitted number maps to a provenance token — linking it to a specific tool call and source read. A footnote tells you where a number appeared. A token proves the arithmetic that produced it.
Fabricated values caught at emit time
agent.write() intercepted ✗
console.log() intercepted ✗
 
submit_answer(verified)
✓ released · chain sealed
02
Single enforced exit
submit_answer is the only output channel. The kernel verifies every value against the token table before release. In Mode A, this is architectural — no back channel exists.
No bypass possible in Mode A
emit $42.00 token: none
ERROR ungrounded_output
→ run halted · attempt logged
 
emit $237.42 token: t_001
✓ released
03
Fail closed by default
Validators reject ungrounded output — no “warn and continue.” A run that emits an unverified number halts, logs the attempt, and surfaces a full error record in the audit log.
Errors logged, never silently dropped
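
The three invariants above, reduced to a small Go gate as an added example; this is not Provenant's code or API. `Gate`, `Mint`, `Subtract` and `SubmitAnswer` are hypothetical names, and the amounts are the figures from the page's sample chain, held as integer cents.

```go
package main

import "fmt"

// Token binds a value (in cents) to the tool call and source read behind it.
type Token struct {
	Tool, Source string
	Cents        int64
	Parents      []string // input token IDs, set for derived values
}

// Gate is a hypothetical stand-in for a token table plus its exit gate.
type Gate struct {
	Tokens map[string]Token
	Halted bool
	Log    []string
}

// Mint records a tool-produced value and returns its token ID.
func (g *Gate) Mint(tool, src string, cents int64, parents ...string) string {
	id := fmt.Sprintf("t_%03d", len(g.Tokens)+1)
	g.Tokens[id] = Token{tool, src, cents, parents}
	return id
}

// Subtract derives a value inside the gate, so the result names its inputs.
func (g *Gate) Subtract(a, b string) (string, bool) {
	ta, okA := g.Tokens[a]
	if tb, okB := g.Tokens[b]; okA && okB {
		return g.Mint("calc.subtract", "derived", ta.Cents-tb.Cents, a, b), true
	}
	return "", false
}

// SubmitAnswer is the only release path; a missing or mismatched token halts the run.
func (g *Gate) SubmitAnswer(cents int64, id string) bool {
	if t, ok := g.Tokens[id]; g.Halted || !ok || t.Cents != cents {
		g.Halted = true
		g.Log = append(g.Log, fmt.Sprintf("ERROR ungrounded_output cents=%d token=%q", cents, id))
		return false
	}
	return true
}

func main() {
	g := &Gate{Tokens: map[string]Token{}}
	gl := g.Mint("ledger.get_balance", "postgres://gl row 4821", 124732218)
	diff, _ := g.Subtract(gl, g.Mint("extract.bank_statement", "BS-05-26.pdf page 12", 124708476))
	fmt.Println(g.SubmitAnswer(23742, diff), g.SubmitAnswer(4200, ""), g.SubmitAnswer(23742, diff))
}
```

After the rejected $42.00 the gate stays halted, so even the grounded value no longer releases.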
Get started

Running in under five minutes.

# Run as an MCP server — no code changes in your host
$ docker run -p 8080:8080 provenant/provenant:v0
# Register with your MCP host
$ claude mcp add provenant http://localhost:8080
→ Provenant ready · 14 tools registered · audit chain active

# Add to your Go module
$ go get github.com/provenant/provenant
import "github.com/provenant/provenant/kernel"
k, _ := kernel.New(kernel.Config{
    Store: myPostgres,
    Skills: skills.Load("reconciliation"),
})
run, _ := k.Run(ctx, input)
// audit pack + token table + replay hash all in run.AuditPack

# Install the reconciliation skill pack
$ provenant skills install reconciliation
$ provenant run --skill=reconciliation --input=./sample.json
→ Run complete · Tokens: 14 · Ungrounded: 0 · Replay: ✓
$ provenant replay ./out/audit-7f3a91.json
→ Deterministic · chain hash matches · reads verified
Comparison

Why not just use…

Four alternatives teams reach for first — and the gap each one leaves.

Without Provenant
Runs after the fact. An agent can emit ungrounded text through any other path — callbacks never see it.
With Provenant
Enforcement is architectural. The kernel gate sits before any output channel — no code path bypasses it.
Without Provenant
Classifies prose, not computation. A correct-looking number that was never derived from a tool call passes every guardrail check.
With Provenant
Tokens are deterministic gates. A value either traces to a tool output, or it does not release. No exceptions.
Without Provenant
Proves where a number appeared. “Revenue grew 18% (10-K p.12)” cites the right doc while stating a fabricated figure.
With Provenant
Token grounding proves how a number was computed — and blocks it when no computation supports it.
Without Provenant
Re-implement tokens, hash-chained logs, captured-read replay, tool registries, and DFAH metrics. Every time.
With Provenant
Apache 2.0 — adopt the shared substrate. Ship the product that differentiates your business instead.
Compliance & auditability

Built to be defensible.
Designed to be shared.

Every run produces a self-contained audit pack. Any reviewer can verify the computation chain, replay the run, and confirm that no number was produced outside the kernel — without access to the original system.


Maps to FINRA 2026, SR 11-7, EU AI Act Art. 14, and SOX §404. Structured for model risk teams, legal, and model inventory filings.

Hash-chained audit log — tamper-evident, verifiable without the original system
Bit-identical replay from the captured-read record
DFAH metrics per run: determinism, faithfulness, accuracy, hallucination rate
Per-value provenance to the source row — not document-level citation
Single-tenant, air-gappable in v0 — data does not leave your perimeter
FINRA 2026 · SR 11-7 · EU AI Act Art. 14 · SOX §404 · MRM guidance
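
An added Go example (not Provenant's audit-pack format) of checking a hash-chained log using only the log and a head hash stored elsewhere. `Entry`, `Append`, `Verify` and the event strings are hypothetical.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Entry is one record of a hypothetical hash-chained audit log.
type Entry struct {
	Event string // what happened, e.g. a mint or a release
	Hash  string // hex SHA-256 over the previous entry's hash and Event
}

// link computes the hash that seals event onto the entry before it.
func link(prev, event string) string {
	sum := sha256.Sum256([]byte(prev + "\n" + event))
	return hex.EncodeToString(sum[:])
}

// Append seals event onto the end of the chain.
func Append(log []Entry, event string) []Entry {
	prev := ""
	if len(log) > 0 {
		prev = log[len(log)-1].Hash
	}
	return append(log, Entry{event, link(prev, event)})
}

// Verify returns -1 if the chain is intact and ends at head, else the index of the first break.
func Verify(log []Entry, head string) int {
	prev := ""
	for i, e := range log {
		if e.Hash != link(prev, e.Event) {
			return i
		}
		prev = e.Hash
	}
	if prev != head {
		return len(log) // every link is consistent, but this is not the sealed chain
	}
	return -1
}

func main() {
	log := Append(Append(nil, "mint t_001 124732218"), "release t_001 124732218")
	head := log[1].Hash             // the reviewer keeps this outside the log
	log[0].Event = "mint t_001 999" // constructed tampering
	fmt.Println(Verify(log, head))  // index of the first bad entry
}
```

Without the separately held head hash, anyone able to rewrite the file can reseal every entry and the chain still looks consistent.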
Who adopts Provenant

Who uses
Provenant.

Platform engineers
Ship product,
not substrate.
Stop rebuilding what Provenant already ships. Token minting, audit logs, and replay — handled.
k, _ := kernel.New(Config{
  Store:  myPostgres,
  Skills: skills.Load("recon"),
})
run, _ := k.Run(ctx, input)
 
✓ audit logs  ✓ tokens  ✓ replay
MCP host authors
Finance-grade
in one command.
One command and your host has full audit enforcement. Zero code changes. Your users get compliance coverage.
$ docker run -p 8080:8080 \
  provenant/provenant:v0
 
14 tools registered
audit chain active
zero code changes
bypass impossible
Controllers & audit leads
The chain is
always there.
Every run produces a self-contained audit pack. When an examiner asks, you answer with the full derivation instantly.
run: 01HW9KQXJR8M
  tokens: 14 · ungrounded: 0
  chain: 9b2e74d1c8a3f4…
 
verifiable without original system
bit-identical replay on demand
tamper-evident chain

Agent outputs that hold up under any audit.

Open source · Apache 2.0 · Single-tenant · Air-gappable · v0