Provable boundaries for multi-agent AI.

A capability boundary for OpenClaw, LangChain, CrewAI, and your own delegation chains. Every agent-to-agent call is checked against a Lean-proven policy before it runs.

guard = Guard(permissions=["network:http:read"])  # an agent's boundary

@guard.wrap(required_capabilities=["network:http:read"])
def web_fetch(url): ...

web_fetch("https://example.com")  # allowed → signed receipt
                                # escalation → CertiorBlocked

$ pip install certior

Alpha

Live on PyPI, full walkthrough in the quickstart.

Tool call from any agent: web_fetch("https://...") (OpenClaw, LangChain, CrewAI, custom)

Certior gate (Z3 enforces, Lean proves):

  • Capability subset: a child can never escalate beyond its parent.
  • Content policy: HIPAA, SOX, attorney-client presets.
  • Budget ceiling: runaway delegations stop themselves.

✓ Allowed: signed receipt, policy = 4542ff75, verifiable offline.
✗ Blocked: precise reason, CertiorBlocked with violation detail.

Why now

Multi-agent systems just shipped. The security model didn't.

8

Distinct threat classes enumerated in a single multi-agent framework - prompt injection, ClawDrain tool-chain exploits, data exfiltration, privilege escalation via delegation, and more.
arXiv:2603.12644

10,000+

MCP servers reachable in production with no capability boundary on their tool surface - public scan, 2025. Any agent that connects inherits every tool.

30+

Organizations breached via agent supply-chain attacks during 2025 - compromised skills, prompt-injected tool calls, capability over-grant. Pattern matching alone did not stop them.

How it works

Three gates. One signed receipt. Every tool call.

Wrap any agent or pipeline. Each tool call passes through three independent checks before it runs. The decision is bound to a Lean-proven policy fingerprint so a customer can verify it offline.

GATE 1

Capability

Is the agent allowed to call this tool? In a delegation chain, every step's capability set must fit inside its parent's. A child can never escalate.

GATE 2

Content

Per-policy detectors on prompts and tool outputs. HIPAA, SOX, and attorney-client presets out of the box; custom rules where you need them.

GATE 3

Budget

Per-agent hard ceiling. Every step debits the parent's budget. Runaway delegations stop themselves before they bill you.

Verified delegation in a multi-agent pipeline

Parent guard: network:http:read, filesystem:read, budget = 5000¢

  • Researcher: network:http:read ✓ subset, cert issued
  • Writer: ✓ filesystem:read
  • Exfiltrator: ✗ database:admin, BLOCKED

Signed receipts: cert.id = c1a7…, policy = 4542ff75, cost = 12¢. Verifiable offline. Bound to a Lean-checked policy fingerprint.

The capability subset rule is what's machine-checked in Lean. The runtime just runs the rule; the proof says the rule is enough.
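
The subset and budget rules from the pipeline above, modelled as an added example. It is not Certior's code or API: `Boundary`, `Blocked`, `delegate` and `charge` are hypothetical names, and the per-child budgets are constructed values.

```python
# Added illustration, not Certior's API: Boundary, Blocked, delegate, charge are hypothetical.
from dataclasses import dataclass


class Blocked(Exception):
    """A delegation or charge would cross the boundary."""


@dataclass
class Boundary:
    name: str
    capabilities: frozenset
    budget_cents: int
    parent: "Boundary | None" = None
    spent_cents: int = 0

    def remaining(self) -> int:
        return self.budget_cents - self.spent_cents

    def delegate(self, name, capabilities, budget_cents):
        """Create a child; its capability set must fit inside this one's."""
        requested = frozenset(capabilities)
        extra = requested - self.capabilities
        if extra:
            raise Blocked(f"{name}: not held by {self.name}: {sorted(extra)}")
        return Boundary(name, requested, budget_cents, parent=self)

    def charge(self, cents: int) -> None:
        """Debit this boundary and every ancestor, or debit nothing."""
        if cents < 0:
            raise ValueError("charge must be non-negative")
        chain, node = [], self
        while node is not None:
            if cents > node.remaining():
                raise Blocked(f"{node.name}: budget ceiling reached")
            chain.append(node)
            node = node.parent
        for node in chain:
            node.spent_cents += cents


def demo():
    """Replay the pipeline from the page (budgets per child are constructed)."""
    parent = Boundary("parent", frozenset({"network:http:read", "filesystem:read"}), 5000)
    researcher = parent.delegate("researcher", ["network:http:read"], 100)
    researcher.charge(12)
    try:
        parent.delegate("exfiltrator", ["database:admin"], 100)
    except Blocked as exc:
        return parent.remaining(), researcher.remaining(), str(exc)
```

Because each child is checked against its direct parent and subset is transitive, a grandchild can never hold a capability the root lacks, and it also cannot regain one that an intermediate agent was not given.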

What's actually proven

A policy a Big-4 auditor can check.

Z3 runs on every tool call and proves the decision. Lean 4 machine-checks the policy model that Z3 enforces. Every signed receipt carries a fingerprint of the Lean source; an auditor reproduces the audit with a single lake build command.

Certior does not verify the LLM's behaviour. It verifies the boundary the LLM operates inside. If an action violates the policy, it is provably blocked - and the policy itself is proven sound.

Building delegation chains where one mis-step can over-grant capability?

Regulated teams in healthcare, finance, and legal feel it first because the auditor is watching. Every team running multi-agent systems hits it eventually.

A small group of early design partners is shaping the v1 surface with us.

What design partners get

  • Threat-to-gate mapping for your framework (OpenClaw, LangChain, CrewAI, or custom).
  • Custom compliance preset tuned to your audit obligations.
  • Lean audit recipe - the lake build an auditor runs.
  • 1:1 onboarding and prioritised support from the founder.
Email hello@certior.io