Nobody could prove what the agent said
By The Lucidrail Team · 2026-06-25
An operator running an online store did something a lot of teams are doing right now. He handed his customer communications to AI agents. For a while it worked. Then the agents started sending customers wrong information.
When he went to find out what had gone wrong, he hit a second wall that had nothing to do with the mistake itself. He could not reconstruct what the agents had actually said.
They started sending wrong information… When I tried to figure out what happened, I had scattered logs across services with no way to prove what the agents actually said. — shotwellj, Show HN: “Air — Open-source black box for AI agents”
His fix was to build the missing piece himself: an open-source tool he called AIR, a “black box” that signs every agent action so the record cannot be quietly changed after the fact. The striking part is not that he built it. It is that he had to.
A mistake you cannot reconstruct is two problems, not one
The agents sending wrong information was the first problem. The second, larger one showed up afterward: there was no trustworthy account of events. Each service kept its own notes, in its own format, in its own place — “scattered logs across services” — and none of it added up to a record he could stand behind.
This matters because fixing a bad output means knowing three things: what the agent was told, what it decided, and what it sent. If that history lives in a dozen places, and any of it can be edited or rotated away, you are not investigating. You are guessing.
Logs are not the same as proof
Almost every system has logs. Logs are written by the same services doing the work, kept for a while, then rotated away to save space. They are fine for debugging on a normal day. They are not built to answer, months later, a much harder question: what exactly did this agent say to this customer, and can you show the record was not altered since?
Proof is a stronger claim than a log. It means a record that is complete — every action, not a sample. Attributable — which agent, doing what. And tamper-evident — if a single line were changed, it would show. That last property is why the operator reached for signing. Each entry carries a small cryptographic seal; change the entry and the seal no longer matches. A plain log file gives you none of that.
The tell: people keep rebuilding this by hand
One person building a private black box could be a quirk. It is not just one person.
On a public thread about agent controls, another builder described the same missing layer as something he had assembled himself:
Agent requests a mandate before spending, policy engine decides approved/queued/blocked, every decision gets a signed receipt and audit trail. — dreadpirates, on an Ask HN thread about agent approval and audit
Even inside popular tooling, the same request surfaces. On Claude Code's own issue tracker, a paying user asked for a way to audit consumption by session, process, and tool — a way to see, after the fact, exactly what ran and to trust the account. Different tools, same absent feature. When capable engineers independently rebuild a signed, per-action record, it is a sign the control belongs in the platform, not in each team's spare weekends.
What a record you can trust looks like
If you run agents against real systems, it is worth deciding in advance what you would need the day one of them misbehaves. A few plain checks:
The e-commerce operator needed all four the moment his agents went wrong. He had none of them, so he spent his own time building them. That is a strange thing to have to do before you can answer a simple question about your own system.
This is the part we set out to make ordinary at Lucidrail. Every agent action is written to one audit trail where it traces back to the goal that prompted it — so later you can show what an agent did rather than reassemble it from scattered logs. The aim is a record you can point to, not notes you hope are complete. There is more on our /audit page.
- Complete: every action is recorded, not only the ones that failed loudly.
- Attributable: each entry ties back to which agent acted and which goal it was pursuing.
- Tamper-evident: the record is signed, so an altered or deleted entry is visible.
- Reconstructable: you can replay the sequence in order, without stitching together five services by hand.