# MakerChecker

> Open-source security gateway for AI agents that enforces segregation of duties, human-in-the-loop approvals, and cryptographically signed audit logs to prevent agents from approving their own irreversible actions.

MakerChecker is a self-hosted, open-source security layer for AI agents that enforces the principle that the agent proposing an irreversible action can never be its own approver. Built by Mashini Investments Ltd., it sits outside the model as a deterministic runtime checkpoint, issuing a hard 403 denial rather than relying on prompt-level promises. The core platform is licensed AGPL-3.0 for the server and web UI, with Apache-2.0 SDKs and connectors that can be embedded freely in closed-source agents.

## What It Is

MakerChecker is a self-hosted authorization gateway and audit system for AI agents taking high-consequence actions — moving money, changing records, placing trades, deleting data, or filing documents. It enforces three controls in code rather than policy: deny-by-default role-based access control (RBAC) over versioned "skills," structural segregation of duties so the agent that proposed an action cannot approve it, and an Ed25519-signed, SHA-256 hash-chained audit log that any auditor can verify offline with no access to the operator's systems. The project also ships `mc scan`, a static code scanner that reads an agent's tool definitions and flags ungoverned, catastrophic actions before they ever reach production.

## Architecture and Package Structure

MakerChecker is organized as three independently adoptable layers that enforce the same controls and write the same signed audit format:

- **`mc scan` (Apache-2.0):** A static CLI scanner run via `npx @makerchecker/scan .` that classifies every consequential action an agent can take, maps each finding to a real incident from a documented database of 41 agent incidents, and can write governance code with `--fix`. Runs fully offline by default; an opt-in `--llm` flag sends ambiguous tools to the Anthropic API.
- **`@makerchecker/embedded` (Apache-2.0):** Importable enforcement primitives for in-process governance — define skills, roles, and grants, then wrap any tool so a denied call throws before it executes.
- **Self-hosted server (AGPL-3.0):** A Fastify + Postgres gateway with a React web console, human-approval inbox, flow engine, and audit writer. Deployed via `docker compose up` or Kubernetes/Helm. Runs fully air-gapped with no external dependencies.

Drop-in connectors ship for LangChain (`@makerchecker/connector-langchain`) and the Claude Agent SDK (`@makerchecker/connector-claude-agent`), with a generic TypeScript SDK and a Python SDK for CrewAI, LlamaIndex, AutoGen, and other frameworks.

## How the Segregation-of-Duties Gate Works

The core rule is structural: the agent that prepared a case is refused as its own approver with a hard 403, enforced at the execution boundary, not in a prompt. When an agent proposes a skill call, the engine checks whether the agent is active, whether the skill is granted to its role, whether acting would violate segregation of duties, and whether the call is within the role's limits. Low- and medium-risk actions that pass run immediately and are recorded. High-risk actions stop at an approval gate where a quorum of named humans must sign — and the requester identity is blocked from being one of them. Every step, whether allowed, denied, or approved, is appended to the hash-chained audit trail in the same atomic operation as the action, so "acted but never logged it" cannot happen.

## Target Domains and Worked Use Cases

The site positions MakerChecker as domain-agnostic but focuses initial go-to-market on regulated industries where compliance carries personal liability:

- **Life sciences & pharma:** Pharmacovigilance ICSR triage (15-day expedited clock gated on a safety physician's signature), MDR device complaint reportability (30-day clock gated on a regulatory affairs officer), GMP cold-chain disposition (release or destroy gated on a named qualified person who is not the assessor), and clinical trial data-query resolution and cohort identification.
- **Finance:** Payment release, trade and limit approval, ledger posting — the "four-eyes" control enforced in code and backed by an offline-verifiable log.
- **Patient access:** Prior-authorization and appeals queue automation with copay/foundation enrollment gated on a named access specialist, producing a signed record for Anti-Kickback and False Claims Act compliance.

## Update: v1.2.0

The latest release is v1.2.0, published on 2026-07-06, according to the GitHub repository. The repository was created in June 2026 and has been actively updated, with the last push on 2026-07-06. The project direction signals continued expansion of framework connectors and runnable domain examples (pharmacovigilance, MDR triage, oncology patient access, daily cash reconciliation are all present as worked examples in the repository).

## Features
- Deny-by-default role-based access control (RBAC) for AI agent tool calls
- Structural segregation of duties: agent that proposed an action is blocked from approving it (hard 403)
- Ed25519-signed, SHA-256 hash-chained audit log verifiable offline with no external dependencies
- Static code scanner (mc scan) that flags ungoverned, catastrophic agent actions before production
- Human-in-the-loop approval gates for high-risk actions
- Versioned skill grants per agent role
- Self-hosted deployment — data never leaves operator infrastructure
- Air-gapped / fully offline execution mode
- Drop-in connectors for LangChain and Claude Agent SDK
- Generic TypeScript and Python SDKs for any agent framework
- Offline proof verifier (npx @makerchecker/proof-verifier verify bundle.json)
- React web console with approvals inbox and run log
- Flow engine for multi-step workflows with embedded approval gates
- CI/CD integration via mc-policy.json and GitHub Actions badge
- Incident database of 41 documented agent failures mapped to scan findings

## Integrations
LangChain, Claude Agent SDK, CrewAI, LlamaIndex, AutoGen, Anthropic API (optional LLM scan), Docker / Docker Compose, Kubernetes / Helm, PostgreSQL, GitHub Actions

## Platforms
LINUX, WEB, API, VSC_EXTENSION, DEVELOPER_SDK, CLI

## Pricing
Open Source, Free tier available

## Version
v1.2.0

## Links
- Website: https://makerchecker.ai
- Documentation: https://makerchecker.ai/docs
- Repository: https://github.com/makerchecker/MakerChecker
- EveryDev.ai: https://www.everydev.ai/tools/makerchecker
