LockStock Architecture

Cryptographic compliance for enterprise AI agents - Know what happened, prove it was authorized, satisfy auditors

The Question Every Enterprise Asks

"How do we prove what our AI agents did?"

What LockStock Does For You

Tamper-Evident Audit Trail

Every agent action is cryptographically linked. If anyone modifies the logs, the chain breaks and you'll know immediately.

Proof of Authorization

Not just "who did it" but "was it allowed?" Each action carries cryptographic proof that authorization was granted.

Hardware-Bound Identity

Agent credentials are locked to specific machines. Stolen credentials are useless on any other hardware.

Compliance-Ready Reports

Export audit trails in SOC2, HIPAA, and PCI-DSS formats. Give auditors exactly what they need.

The Three-Credential Architecture

LockStock separates concerns with three distinct credential types, each designed for a specific purpose:

1. Admin API Key (Fleet Management)

Who uses it: Your DevOps team, from the dashboard
What it does: Provisions new agents, manages fleet, views audit logs
Where it lives: Your password manager, never on agent machines

2. Provisioning Token (One-Time Setup)

Who uses it: The agent machine, once
What it does: Claims the agent's identity during initial setup
Where it lives: Nowhere - it's destroyed after use

3. Agent Credential (Runtime Authentication)

Who uses it: The agent, automatically
What it does: Authenticates every action with cryptographic proof
Where it lives: Encrypted on the agent machine, hardware-locked

Credentials never in environment variables

Credentials never in source code

Credentials locked to hardware

Credentials automatically rotated

Per-Action Credential Rotation

Unlike traditional systems that rotate credentials every 30-90 days, LockStock rotates cryptographic proof on every single action. This isn't just better security—it eliminates entire categories of risk that your auditors care about.

Approach	Traditional Rotation	LockStock
Rotation Frequency	Every 30-90 days	Every single action
Replay Window	30-90 days of exposure	Zero - instant invalidation
Stolen Credential Impact	Works until next rotation	Useless after one action
Compliance Evidence	Scheduled rotation logs	Proof of rotation per-action

What This Means For Your Business

Lower Insurance Premiums

Cyber insurance companies care about exposure windows. Zero replay window = demonstrably lower risk = better rates.

Faster Audits

Show auditors mathematical proof of continuous rotation. No more explaining why your credentials were valid for 90 days.

Instant Breach Detection

If credentials are compromised, the attack fails on the next action. No 90-day window for attackers to operate undetected.

Continuous Compliance

Meet SOC2/HIPAA rotation requirements not monthly, but per-request. Auditors see real-time proof, not scheduled events.

How It Works

Every time your agent takes an action, LockStock generates a new cryptographic proof that includes:

Unique state hash - Never reused, cryptographically linked to all previous actions
Parent reference - Chains back to the previous action, creating an unbreakable audit trail
Sequence number - Increments with each action, making replay attacks impossible
Fresh signature - Computed over all of the above using your hardware-locked secret

Traditional rotation asks: "Has it been 90 days since we changed the password?"
LockStock rotation asks: "Has this exact cryptographic proof ever been used before?"

Result: Every action uses a credential that has never existed before and will never be valid again. Zero replay window. Zero credential reuse. Continuous rotation.

How It Works (The Simple Version)

1. You Provision an Agent

From your dashboard, create a new agent with specific permissions. You get a one-time setup token.

2. Agent Binds to Hardware

Run one command on the agent machine. The token is consumed, credentials are encrypted and locked to that specific hardware.

3. Every Action is Proven

When your agent performs an action, LockStock generates cryptographic proof. The proof links to all previous actions, creating an unbreakable chain.

4. Auditors Get What They Need

Export the entire action history with mathematical proof of authenticity. No "trust us" - the cryptography speaks for itself.

Integration With Your Stack

Integration	What It Does
MCP Protocol	Works with Claude, GPT, and any MCP-compatible agent
A2A Protocol	Agent-to-agent communication with LockStock proofs
OpenTelemetry	Export audit trail as distributed traces
Prometheus	Real-time metrics and alerting
SIEM Systems	Forward events to Splunk, Datadog, etc.

Security Comparison

Feature	Traditional Logging	LockStock
Tamper Detection	No - logs can be edited	Yes - chain breaks if modified
Proof of Authorization	No - just records what happened	Yes - cryptographic proof attached
Action Sequence	Timestamps only	Cryptographically linked chain
Hardware Binding	Credentials can be copied	Locked to specific machine
Auditor Acceptance	"How do we know these are real?"	Mathematically verifiable

Compliance Coverage

SOC 2 Type II

Complete audit trail with cryptographic integrity. Demonstrate continuous compliance, not just point-in-time.

HIPAA

Track every access to protected health information. Prove authorization was granted before access.

PCI-DSS

Cardholder data access is logged and proven. Meet requirements for audit trails and access control.

Custom Frameworks

Export raw audit data in JSON, CSV, or integrate directly with your GRC platform.

The Guard Dashboard

Real-time visibility into your agent fleet:

Action Timeline: See every agent action with cryptographic proof
Anomaly Detection: ML-powered alerts when agents behave unusually
Circuit Breakers: Automatic shutdown of compromised agents
Compliance Reports: One-click export for auditors
Trace Explorer: Follow the chain from any action to its origin

Why This Matters

Every enterprise deploying AI agents will eventually face these questions:

"How do we audit what the AI did?"
"How do we prove it was authorized?"
"How do we detect if someone tampered with the logs?"
"How do we satisfy SOC2/HIPAA/PCI auditors?"

LockStock answers all of these with cryptographic proof. Not promises - mathematics.

Ready to Secure Your AI Agents?

Start with a free trial. See your first audit trail in minutes.

Get Started Free