AI cannot act on what it cannot prove.
The verification runtime for autonomous AI.

Talk to founders For AI builders ↗

REFUSEDTREASURY_AGENT · AUTOPAY RUN

PROPOSED ACTION

Wire $487,000 to account ending in 4928.

▸ REASONamount disagreement exceeds tolerance · cannot verify

EVIDENCE CHAIN5 OBSERVED · 5 DERIVED

[1]invoice_417.pdfp.2amount_due = $487,000

[2]accounts_payable.csvrow 89amount_due = $486,200

[3]vendor_contract.docx§3net 30 · due 2026-04-23

[4]approval_matrix.csvrow 7agent_authority_limit = $500,000

[5]tolerance.csvwiresamount_match tolerance = $100

L1amount_matchdelta $800

[1] vs [2]125

L2within_toleranceFALSE

delta > $1005

L3within_authorityTRUE

$487K < $500K4

L4due_date_validTRUE

L5verdictREFUSED

cannot ground amount

OUTCOME

action_refused · routed_to: ap_lead · queue_id: q-49281

2026-04-20 14:32 UTC01 / 05

THE ENGINE IN MOTION

Heterogeneous sources, specialised extraction, one verification step.

Documents, spreadsheets, databases, APIs, emails. Each routes to the extraction agent that knows how to read it. Every output passes through the same verification node before it lands in the substrate. The agents coordinate. The verification step is singular.

01 · INGEST

02 · SUBSTRATE · TYPED FACT STORE

PDFmsa.pdf

↳ doc_extractor

APIstripe.api

↳ feed_extractor

CSVcrm.csv

↳ schema_extractor

PDFinvoice.pdf

↳ doc_extractor

CSVaccounts_payable.csv

↳ schema_extractor

DBcert_db.postgres

↳ schema_extractor

specialised extraction agents route by data type. one verification loop downstream.

acme_corp · plan · billing

Enterprise

stripe.api

acme_corp · plan · contract

Enterprise

msa §4.1

acme_corp · plan · crm

Pro

crm.csv

acme_corp · mrr

$4,800

stripe.api

invoice_417 · amount_due

$487,000

invoice.pdf

ap_record_89 · amount_due

$486,200

ap.csv

vendor_217 · soc2_current

TRUE

cert_db

vendor_412 · iso27001

27d expiry

cert_db

order_4821 · refund_amount

$124.50

computed

po_2841 · amount

$48,200

po_request

vendor_88 · lead_time

14 days

schedule.xlsx

ledger_4198 · balance

$2.14M

computed

form_adv · regulatory_aum

$4.83B

adv §8

credit_C44 · tier

credit.pdf

supplier_88 · delivery_eta

5 days

schedule

acme_corp · renewal_date

2026-07-01

msa §5

vendor_217 · spend_ltm

$284K

computed

invoice_418 · amount_due

$12,400

invoice.pdf

vendor_53 · approval_status

approved

vendor_master

policy_v4 · tolerance

$100

policy.docx

FACTS184,302

RULES412

CONFLICTS7

sample engine state · illustrative·engine · running

WHAT LIMMA IS

Verified knowledge for consequential AI.

Most agent frameworks let the model reason directly into a tool call. Limma puts a verification step between the model and the action. Every consequential call posts its proposed action and supporting facts. The verdict comes back proceed, hold, or refuse, with the full proof chain attached.

THE ARCHITECTURAL CONTRACT

EXTRACTED

Every fact comes from a source with a citation back to the page, table, or cell.

VERIFIED

Source verification, identity rules, cross-source pairing, and independent computation. Four passes, every run.

RETURNED

Outputs carry the chain that produced them. The verdict and its evidence travel with the artifact.

GO DEEPER

Three reads on the architecture.

Each one stands alone. Pick the angle that maps to the question you came in with.

01MECHANICS

The verification engine.

Four passes over typed facts. Four states. Three verdicts. The substrate every output inherits.

How it works ↗

02THE MOAT

Cross-source contradictions.

Two sources speak to the same fact and disagree. The verification step catches it before the agent fires.

Cross-source ↗

03ARCHITECTURE

Found by structure, not attention.

Long-context models miss facts buried mid-context. Limma extracts every fact at ingestion. Position stops mattering.

Lost in the middle ↗

THE WRAP

Three structural touch points. None of them bypassable.

Discretion is not a security model. Anything the agent can skip will be skipped on the call that matters. The wrap is enforced at the infrastructure layer, below the agent’s code, at every point where the agent touches data, calls a model, or commits an action.

01INPUT SIDE

WORKSPACE + INGEST

Every source enters Limma first. The agent queries the workspace and receives typed facts with citations and verification status attached, never raw files or rows. Enforced at the data layer.

02REASONING SIDE

VERIFY-PROXY

The customer points the LLM base URL at Limma. Every model call routes through the proxy and is re-checked against the workspace before it returns. Enforced at the network layer, below agent code.

03OUTPUT SIDE

ACTION CONTRACTS

Every consequential action produces a signed contract carrying inputs, workspace state, verdict, and a cryptographic anchor. Downstream consumers require the contract to accept the action. Enforced at the receiver.

MCP + SDKMCP and the Python SDK sit alongside the three touch points as ergonomic surfaces, not enforcement. An MCP-only deployment is not wrapped. An SDK-only deployment is not wrapped. MCP and the SDK are how the wrap gets surfaced cleanly in agent code.

For AI builders ↗

Trust a structure, not a model.

Every other framework asks the user to trust the model. Limma asks the user to trust a structure. If you are building agents that take consequential action, this is the layer that makes them safe to ship.

Talk to founders For AI builders ↗

how it works·cross-source·lost in the middle·for AI builders

AI cannot act on what it cannot prove.The verification runtime for autonomous AI.

Heterogeneous sources, specialised extraction, one verification step.

Verified knowledge for consequential AI.

Three reads on the architecture.

The verification engine.

Cross-source contradictions.

Found by structure, not attention.

Three structural touch points. None of them bypassable.

Trust a structure, not a model.

AI cannot act on what it cannot prove.
The verification runtime for autonomous AI.