FOR AI BUILDERS

The runtime your agent operates inside.

Most pitches for AI verification describe a tool the agent can call. That model fails the moment trust matters. Anything the agent can choose to skip will be skipped on the call that matters. Anything the developer can bypass will be bypassed under deadline pressure. Discretion is not a security model. Limma is the runtime the agent runs inside, with structural choke points it cannot route around.

THE WRAP

Three structural touch points. None of them bypassable.

Every point where the agent touches data, calls a model, or commits an action is enforced by Limma at the infrastructure layer, below the agent’s code. The agent can be written naively. The framework can be any framework. The model can be any model. The wrap is structural.

  • 01 · INPUT: workspace + ingest
    Sources flow in → typed verified facts
  • 02 · VERIFY-PROXY: every model call ↕ AGENT (any framework · any model)
  • 03 · OUTPUT: action contracts
    Actions out → consumer requires contract

No path to read an ungrounded fact · no path to bypass model verification · no path to commit an action without a contract.

01 · WORKSPACE + INGEST
INPUT SIDE

The agent reads from the workspace, not raw data.

Every source enters Limma first. The agent does not read files from disk or rows from the warehouse; it queries the workspace and receives typed facts with citations and verification status attached. If a fact is not verified, the agent cannot see it as a verified fact.

Enforced at the data layer.

02 · VERIFY-PROXY
REASONING SIDE

Every model call routes through Limma.

The customer points their LLM base URL at Limma’s proxy. From that moment, every prompt the agent sends and every response it receives passes through the proxy. The proxy re-checks the model’s proposed output against the workspace before it returns.

Enforced at the network layer. No agent-side switch.

03 · ACTION CONTRACTS
OUTPUT SIDE

Downstream consumers require a Limma contract.

Every consequential action produces a signed contract carrying the inputs, the workspace state, the verdict, and a cryptographic anchor. Filing systems, counterparty agents, internal queues, and regulators accept the action only against a valid contract. The gate is on the receiver, not the sender.

Enforced at the consumer layer.
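
The receiver-side gate described above, as an added example that is not Limma's code. The contract field names, the HMAC tag standing in for the signature, and the demo key are assumptions, since the page does not specify the contract format.

```python
import hashlib
import hmac
import json

# Constructed demo key. HMAC stands in for the signature so the example runs
# on the standard library; the page does not name the real scheme.
DEMO_KEY = b"constructed-demo-key"
# Constructed sample action, using the amounts from the treasury card on this page.
WIRE = {"type": "wire", "amount_usd": 487000, "account_suffix": "4928"}
STATE = b"constructed workspace snapshot"


def canonical(body) -> bytes:
    """Deterministic serialization, so issuer and receiver hash the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def issue_contract(action: dict, workspace_state: bytes, verdict: str, key: bytes) -> dict:
    """Issuer side: bind action inputs, workspace state and verdict under one tag."""
    body = {
        "action": action,
        "workspace_state": hashlib.sha256(workspace_state).hexdigest(),
        "verdict": verdict,
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "anchor": tag}


def receiver_accepts(action: dict, contract, key: bytes) -> tuple[bool, str]:
    """Receiver-side gate: fail closed unless a valid contract covers this exact action."""
    if not isinstance(contract, dict) or "body" not in contract or "anchor" not in contract:
        return False, "no contract"
    expected = hmac.new(key, canonical(contract["body"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected.encode(), str(contract["anchor"]).encode()):
        return False, "bad anchor"
    if contract["body"].get("verdict") != "proceed":
        return False, "verdict is not proceed"
    if contract["body"].get("action") != action:
        return False, "contract covers a different action"
    return True, "accepted"


if __name__ == "__main__":
    refused = issue_contract(WIRE, STATE, "refused", DEMO_KEY)
    print(receiver_accepts(WIRE, None, DEMO_KEY))
    print(receiver_accepts(WIRE, refused, DEMO_KEY))
```

With a shared-key tag the receiver could mint contracts itself; an asymmetric signature, where the receiver holds only the verification key, removes that.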

MCP + SDK

MCP and the Python SDK sit alongside these three touch points as ergonomic surfaces, not enforcement. An MCP-only deployment is not wrapped. An SDK-only deployment is not wrapped. The enforcement comes from workspace + verify-proxy + action contracts. MCP and the SDK are how that enforcement gets surfaced cleanly in agent code.

VERDICT IN ACTION

A real action. A real verdict. A real chain.

Five agents about to fire a consequential action, each cycling every few seconds. Each card is the verdict the engine returns when the agent posts its proposal: proceed, advisory, or refused, with the evidence chain attached.

REFUSED · TREASURY_AGENT · AUTOPAY RUN

PROPOSED ACTION
Wire $487,000 to account ending in 4928.

REASON
amount disagreement exceeds tolerance · cannot verify

EVIDENCE CHAIN · 5 OBSERVED · 5 DERIVED

Observed:
  [1] invoice_417.pdf · p.2 · amount_due = $487,000
  [2] accounts_payable.csv · row 89 · amount_due = $486,200
  [3] vendor_contract.docx · §3 · net 30 · due 2026-04-23
  [4] approval_matrix.csv · row 7 · agent_authority_limit = $500,000
  [5] tolerance.csv · wires · amount_match tolerance = $100

Derived:
  L1 amount_match = delta $800 ([1] vs [2]) · from [1] [2] [5]
  L2 within_tolerance = FALSE (delta > $100) · from [5]
  L3 within_authority = TRUE ($487K < $500K) · from [4]
  L4 due_date_valid = TRUE · from [3]
  L5 verdict = REFUSED (cannot ground amount)

OUTCOME
action_refused · routed_to: ap_lead · queue_id: q-49281
2026-04-20 14:32 UTC · 01 / 05

WHAT THIS UNLOCKS

What an agent gains when it runs inside Limma.

Capabilities that arrive when the agent operates on Limma rather than over raw retrieval and model memory.

01

Autonomous action in regulated work

Agents that file, transmit, sign, or transact do so with a verification chain attached. The audit story is mechanical, not narrative.

02

Honest uncertainty

The agent refuses precisely. Unknown stops being a hedge and becomes "missing input X, which would close goal Y." Refusal becomes acceptable to downstream consumers.

03

Compositional reliability

A ten-step derivation is not the chained probability of ten independent model calls. Each step is a rule applied against verified inputs. The chain stays sound at depth.

04

Disagreement detection across sources

If two sources the agent has read conflict, the engine flags the conflict and identifies the disputed value before the agent acts on either side.

05

Replayability

An auditor can reconstruct the workspace state at the moment of the decision, re-run the verification, and confirm the result. State versioning + deterministic verification.

06

Customer-specific reasoning

The firm’s playbook becomes a rule library. The agent inherits institutional knowledge automatically. This is the moat retrieval cannot deliver.

WHAT IS REAL TODAY

The wrap, in stages.

The engine, the MCP server, and the Python SDK ship today. The verify-proxy and action contracts are in active build; they are what turn an ergonomically wrapped agent into a structurally wrapped one.

SHIPPING
  • Verification engine
    Workspace, ingest, typed fact store, rule library, four verification passes.
  • MCP server
    Limma’s verbs (verify, query_workspace, attest) exposed to Claude Desktop, Cursor, Zed, Continue, and any MCP-compatible client.
  • Python SDK
    Client library wrapping the engine’s REST API for direct application embedding.
IN ACTIVE BUILD
  • Verify-proxy
    LLM-base-URL proxy that re-checks every model output against the workspace. The highest-leverage build target: the only deployment surface that closes the discretion problem structurally.
  • Action contracts
    Signed certificate generator carrying inputs, workspace state, verdict, and a cryptographic anchor for downstream consumers to verify against.
  • Task workspaces
    Transient child workspaces that inherit firm-overlay rules. Action contracts persist back to the parent workspace as durable audit artifacts.

Until the verify-proxy and action contracts land, the wrap is end-to-end in design and ergonomic at runtime. Once they land, the wrap is structural at runtime as well.

Trust a structure, not a model.

Every other agent framework asks the user to trust the model. Limma asks the user to trust a structure. If you are building agents that take consequential action, this is the layer that makes them safe to ship.