Coproduct Releases Nucleus: Open-Source Framework for Formally Verified AI Agent Security
Key Takeaways
- Formal verification guarantees: Machine-checked Lean 4 theorems prove that contaminated data cannot reach privileged sinks; taint monotonicity is provably enforced rather than merely hoped for
- Algebraic law enforcement: Information flow control enforces four compositional laws (commutativity, associativity, idempotence, monotonicity), enabling provably safe parallel execution and caching
- Per-call provenance tracking: Each tool invocation generates a SPIFFE identity encoding its full derivation path and content hash, creating an immutable audit trail of every agent action
Summary
Coproduct has released Nucleus, an open-source framework that uses formal verification to enforce information flow control in AI coding agents, preventing untrusted data from reaching dangerous operations like git push. The system operates on two core primitives, join and flows_to, which enforce permissions via algebraic laws backed by machine-checked guarantees rather than by policy that is merely hoped to hold. Once external content contaminates a session, it cannot silently regain trusted status without explicit permission checks, a property that is proven mathematically rather than inferred from testing.
The framework supports multiple deployment tiers: Tier 0 provides compile-time auditing of agent configurations, while Tier 1 enables local runtime enforcement (nucleus run --local) that tracks data provenance through every tool call and blocks dangerous combinations—such as writing code derived from untrusted web content. Nucleus generates append-only audit trails with signed receipt chains, and includes per-call SPIFFE workload identity derivation that encodes the full derivation chain of every agent action as a cryptographically-signed witness.
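The join/flows_to model described above can be sketched as a small label lattice. This is an added example, not code from Nucleus or Coproduct: the `Label` type, its two axes, the `git_push` sink policy and the reading of "monotonicity" as "join preserves the flows_to ordering" are all assumptions made for illustration.

```rust
// Added illustration: every name here is hypothetical, not Nucleus's API.
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Integrity { Trusted, Untrusted }
#[derive(Clone, Copy, Debug, PartialEq, Eq, PartialOrd, Ord)]
enum Secrecy { Public, Secret }
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
struct Label { integrity: Integrity, secrecy: Secrecy }

impl Label {
    const BOTTOM: Label = Label { integrity: Integrity::Trusted, secrecy: Secrecy::Public };
    /// Least upper bound: the result is at least as restricted as both inputs.
    fn join(self, o: Label) -> Label {
        Label { integrity: self.integrity.max(o.integrity), secrecy: self.secrecy.max(o.secrecy) }
    }
    /// `self` may flow to `o` only if `o` is at least as restricted on every axis.
    fn flows_to(self, o: Label) -> bool {
        self.integrity <= o.integrity && self.secrecy <= o.secrecy
    }
}

fn all_labels() -> Vec<Label> {
    let (i, s) = ([Integrity::Trusted, Integrity::Untrusted], [Secrecy::Public, Secrecy::Secret]);
    i.iter().flat_map(|&integrity| s.iter().map(move |&secrecy| Label { integrity, secrecy })).collect()
}

/// Exhaustively checks idempotence, commutativity, associativity and
/// monotonicity over the whole (finite) label space.
fn laws_hold() -> bool {
    let ls = all_labels();
    ls.iter().all(|&a| a.join(a) == a && ls.iter().all(|&b| {
        a.join(b) == b.join(a) && a.flows_to(a.join(b))
            && ls.iter().all(|&c| a.join(b).join(c) == a.join(b.join(c))
                && (!a.flows_to(b) || a.join(c).flows_to(b.join(c))))
    }))
}

/// Folds the label of every input the session has seen, then checks the sink.
/// Because join only moves upward, later clean inputs cannot remove taint.
fn session_allows(inputs: &[Label], sink: Label) -> bool {
    inputs.iter().fold(Label::BOTTOM, |acc, &l| acc.join(l)).flows_to(sink)
}

fn main() {
    let web = Label { integrity: Integrity::Untrusted, secrecy: Secrecy::Public };
    let git_push = Label::BOTTOM; // constructed sink policy: trusted, public data only
    println!("laws hold: {}", laws_hold());
    println!("after web fetch -> git push allowed: {}",
        session_allows(&[Label::BOTTOM, web, Label::BOTTOM], git_push));
}
```

Because join is commutative, associative and idempotent, the session label is the same regardless of the order or repetition of tool calls, which is what makes parallel execution and caching safe to reason about.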
Nucleus is in alpha and extensively formally verified: 165 Lean 4 theorems (zero sorries), 112 Kani bounded model checking proofs, and 297 Verus verification conditions across ~2,850 tests. The framework was previously integrated with Claude through nucleus-claude-hook, which is now part of Anthropic's private nucleus-code orchestrator. Nucleus is available on GitHub and installable via cargo.
- Tiered security model: Tier 0 compile-time auditing requires no runtime overhead; Tier 1 runtime enforcement blocks violations; distributed SPIFFE integration planned for cross-trust verification
- Comprehensive verification scope: 165 Lean theorems, 112 Kani BMC proofs, 297 Verus VCs, and 2,850+ tests address taint monotonicity, adversarial integrity absorption, obligation bypass prevention, and secret data confidentiality
Editorial Opinion
Nucleus represents a watershed moment in AI safety infrastructure: moving from aspirational security policies to machine-verified guarantees about what untrusted data can and cannot do within an agent session. The decision to express core properties as Lean 4 theorems with zero sorries—rather than compile-fail tests or design documentation—sets a new rigor standard for autonomous AI agent security. For any organization deploying AI agents with internet access and privileged operations, formally verified permission enforcement may soon become a non-negotiable requirement.


