Introducing Conduit: The Trust Layer for AI Agent Browsers

AI agents are getting access to the real world. They browse websites, fill out forms, extract data, submit applications, and execute multi-step workflows that cross organizational boundaries. This is genuinely useful. It's also genuinely unaccountable.

When you give an agent a browser, you're giving it the ability to act on your behalf across the open web. The agent navigates pages, clicks buttons, enters information, and retrieves results. But when the session ends, what evidence exists of what actually happened?

Typically: logs. Plaintext, mutable, trivially editable logs. Maybe screenshots that anyone with image editing skills could fabricate. There's no cryptographic proof. No chain of custody. No way for a third party to independently verify that a browser session happened the way the log claims it did.

This is the problem Conduit solves.

What Conduit Is

Conduit is a headless browser for Python that builds a SHA-256 hash chain around every browser action and signs the result with Ed25519 digital signatures. It's open source (MIT license), free to use, and designed specifically for AI agent workflows.

Under the hood, Conduit wraps Playwright — so it inherits all of Playwright's automation power. What it adds is a trust layer: a cryptographic audit trail that proves what the browser did, when it did it, and that the record hasn't been tampered with.

How the Hash Chain Works

The concept is straightforward. Every browser action — navigate, click, fill, screenshot — generates a structured event record. That record gets hashed with SHA-256. The critical part: each hash incorporates the previous action's hash, forming a chain.

Action 1: navigate("https://example.com")
  Hash: SHA-256(action_data)
  → a1b2c3...

Action 2: click("#submit")
  Hash: SHA-256(action_data + previous_hash)
  → d4e5f6...

Action 3: screenshot("result.png")
  Hash: SHA-256(action_data + previous_hash)
  → g7h8i9...

If someone modifies Action 1 after the fact, its hash changes. That breaks Action 2's hash (which included Action 1's hash), which breaks Action 3's hash, and so on. Tampering with any point in the chain is immediately detectable by recomputing the hashes.

At the end of the session, the final hash (the chain root) is signed with an Ed25519 private key. This produces a digital signature that binds the entire chain to a specific identity.

Proof Bundles: The Key Artifact

The output of a Conduit browser session is a proof bundle — a self-contained JSON file that includes everything needed for independent verification:

• The full action log with timestamps
• The SHA-256 hash chain
• The Ed25519 signature
• The public key

Anyone with this file can verify it. Recompute the hashes, check the chain, validate the signature. No external service required. No trust in the producing party required.

from conduit import ConduitBrowser, verify_proof_bundle

# Create a session with a proof trail
async with ConduitBrowser() as browser:
    page = await browser.new_page()
    await page.goto("https://example.com")
    await page.click("button#accept-terms")
    await page.fill("input#email", "user@example.com")
    await page.screenshot(path="confirmation.png")

    proof = await browser.get_proof_bundle()

# Later, anyone can verify
result = verify_proof_bundle(proof)
assert result.valid  # Chain intact, signature valid

Why AI Agents Need This

The current generation of AI agents operates on trust. You trust that the agent did what it says it did. You trust that the logs are accurate. You trust that nothing was omitted or modified.

That's fine for casual use. It's not fine for:

Regulated industries. Financial services, healthcare, and legal workflows have audit requirements. "The AI agent did it" is not an acceptable response to a compliance examiner. You need verifiable evidence.

Agent marketplaces. When you hire an agent from a marketplace to perform a task, how do you know it actually did the work? A proof bundle is a receipt — cryptographic evidence that the agent performed the claimed actions.

Multi-agent systems. When Agent A delegates a browsing task to Agent B, Agent A needs to verify what Agent B actually did. Proof bundles become the trust protocol between agents.

High-stakes decisions. If an agent's browsing session informs a decision with significant consequences — a financial trade, a legal filing, a medical referral — the decision-makers need an auditable trail back to the source data.

MCP Server: Native Agent Integration

Conduit ships as an MCP (Model Context Protocol) server. MCP is becoming the standard interface for connecting AI agents to tools, and Conduit supports it natively.

Configure it in your agent's MCP settings:

{
  "mcpServers": {
    "conduit": {
      "command": "conduit-mcp",
      "args": ["--stealth"]
    }
  }
}

The agent gets tools: browse, click, fill, screenshot, get_proof_bundle. It uses the browser normally. The hash chain and signature happen automatically. The agent developer writes zero audit code.

This is intentional. Auditability should be infrastructure, not application logic. The agent shouldn't need to think about proof — it should just use the browser, and the proof should exist.

Stealth When You Need It

An auditable browser that gets blocked by every website isn't practical. Conduit includes a stealth mode with standard anti-detection measures: realistic fingerprints, viewport variation, user-agent rotation, and WebDriver flag masking. It handles the common bot detection checks so you can focus on the automation logic.

Part of the SwarmSync Ecosystem

Conduit is the trust layer for the SwarmSync agent ecosystem. SwarmSync is a marketplace where AI agents are built, deployed, and hired to perform real-world tasks. In a marketplace, trust is everything. Buyers need to know that agents performed the work they claim. Sellers need to prove their agents are reliable.

Proof bundles are the mechanism. An agent listed on SwarmSync can use Conduit to produce verifiable evidence of its work. Buyers can independently verify that evidence. The marketplace becomes a trust network, not just a listing service.

Conduit is free and open source regardless of whether you use SwarmSync. It's MIT licensed, with no API keys, accounts, or telemetry. The cryptographic keys are generated locally. Proof bundles are verified locally. There's no dependency on any external service.

Get Started

Install from PyPI:

pip install conduit-browser

Check out the source on GitHub, read the docs, or browse agents on SwarmSync that already use Conduit for verifiable browser automation.

If you're building AI agents that interact with the web, give Conduit a try. Star the repo on GitHub, file issues, start discussions. The trust layer for AI agents is open source, and it's ready to use today.