AI agents are starting to take real-world actions in regulated industries — initiating payments, modifying patient records, filing returns. There is no trust layer between them and the systems they touch. When something goes wrong, regulators ask "who decided what, on what evidence, and can you replay it?" — and there is no answer.

Verixa is a runtime control plane that sits between an AI agent and a regulated system. Every governed action passes through Verixa's gateway, which applies four layers in sequence: a tool-call firewall (allow-list with stable error codes and JSON-Schema-subset argument-bounds validation), an Open Policy Agent engine running Ed25519-signed Rego bundles (PII redaction, workflow-role binding, financial transfer-amount limits with a PSD2 anchor), a risk engine that classifies the request LOW/MEDIUM/HIGH/CRITICAL, and a decision router that emits ALLOW / ESCALATE / DENY. Every decision is committed to a SHA-256 hash chain with Ed25519 signatures and is offline-verifiable through a CLI tool. The output is evidence that demonstrates and supports EU AI Act Annex IV obligations.

The agent reasoning layer runs on AMD MI300X. We deployed Qwen3-0.6B on vLLM-on-ROCm to a live droplet at 165.245.133.120:8000; the gateway's OpenAI-compatible /v1/chat/completions endpoint forwards each request through the governance pipeline before it reaches the model. Validated end-to-end from a local machine via requests.post() and from inside the runtime via httpx.MockTransport tests.

This submission is Phase 0 — a hackathon prototype. What's working today: 7 Postgres schemas, 40 Python modules + 1 TS module at 100% line+branch coverage across 770+ unit tests and 5 live integration tests against a Redis testcontainer and the live MI300X droplet. What's next on the roadmap: triad review engine (CP-10), evidence validator (CP-11), replay vault (CP-12), Annex IV-aligned dossier export (CP-13), and Next.js 14 control-plane UI (CP-15). Honest scope, real engineering.
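To make the four-layer pipeline and the offline-verifiable decision log concrete, here is an added example in Python. It is not Verixa's code: the tool names, allow-list bounds, risk thresholds, error codes and ALLOW/ESCALATE/DENY mapping are all constructed assumptions, and the Ed25519 signing of each record (and of the OPA bundles) is left out so that the block runs with the standard library alone. What it shows is the part a reviewer cares about: a tool call is checked against an allow-list with stable error codes and JSON-Schema-subset bounds, classified by risk, routed, and the resulting decision is chained with SHA-256 so that a later edit to any record is detectable without access to the running system.

```python
"""Toy governance gateway plus SHA-256 hash-chained decision log.
Constructed example: tool names, bounds, thresholds and error codes are
assumptions, not Verixa's real policy bundles. Ed25519 signing is omitted."""
import hashlib
import json
from dataclasses import dataclass

# Assumed allow-list: each tool maps argument names to a JSON-Schema subset.
TOOL_ALLOWLIST = {
    "initiate_payment": {
        "amount": {"type": "number", "minimum": 0, "maximum": 10_000},
        "currency": {"type": "string", "enum": ["EUR", "USD"]},
    },
    "read_patient_record": {
        "patient_id": {"type": "string", "maxLength": 32},
    },
}

# Assumed risk thresholds for the toy risk engine.
ESCALATE_ABOVE = 1_000   # payments above this need a human in the loop
DENY_ABOVE = 10_000      # hard ceiling (also enforced by the bounds check)

ROUTE = {"LOW": "ALLOW", "MEDIUM": "ALLOW", "HIGH": "ESCALATE", "CRITICAL": "DENY"}
GENESIS = "0" * 64       # prev_hash of the first record


@dataclass
class Decision:
    outcome: str      # ALLOW / ESCALATE / DENY
    risk: str         # LOW / MEDIUM / HIGH / CRITICAL
    error_code: str   # stable machine-readable code, "" when no firewall error


def _check_bounds(schema, value):
    """Validate one argument against the schema subset; return an error code or ""."""
    if schema["type"] == "number" and not isinstance(value, (int, float)):
        return "E_ARG_TYPE"
    if schema["type"] == "string" and not isinstance(value, str):
        return "E_ARG_TYPE"
    if "minimum" in schema and value < schema["minimum"]:
        return "E_ARG_BELOW_MIN"
    if "maximum" in schema and value > schema["maximum"]:
        return "E_ARG_ABOVE_MAX"
    if "maxLength" in schema and len(value) > schema["maxLength"]:
        return "E_ARG_TOO_LONG"
    if "enum" in schema and value not in schema["enum"]:
        return "E_ARG_NOT_IN_ENUM"
    return ""


def classify_risk(tool, args):
    """Toy risk engine: amount-based for payments, always HIGH for PHI reads."""
    if tool == "initiate_payment":
        amount = args.get("amount", 0)
        if amount > DENY_ABOVE:
            return "CRITICAL"
        return "HIGH" if amount > ESCALATE_ABOVE else "MEDIUM"
    if tool == "read_patient_record":
        return "HIGH"
    return "LOW"


def govern(tool, args):
    """Firewall -> bounds check -> risk classification -> decision router."""
    if tool not in TOOL_ALLOWLIST:
        return Decision("DENY", "CRITICAL", "E_TOOL_NOT_ALLOWED")
    schema = TOOL_ALLOWLIST[tool]
    for name, value in args.items():
        if name not in schema:
            return Decision("DENY", "HIGH", "E_ARG_UNKNOWN")
        code = _check_bounds(schema[name], value)
        if code:
            return Decision("DENY", "HIGH", code)
    risk = classify_risk(tool, args)
    return Decision(ROUTE[risk], risk, "")


def _digest(body):
    # Canonical JSON (sorted keys, no whitespace) so the hash is reproducible offline.
    return hashlib.sha256(json.dumps(body, sort_keys=True, separators=(",", ":")).encode()).hexdigest()


def append_record(chain, tool, args, decision):
    """Commit a decision to the chain; each record hashes its predecessor's hash."""
    prev = chain[-1]["hash"] if chain else GENESIS
    body = {"seq": len(chain), "tool": tool, "args": args, "outcome": decision.outcome,
            "risk": decision.risk, "error_code": decision.error_code, "prev_hash": prev}
    chain.append({**body, "hash": _digest(body)})
    return chain[-1]["hash"]


def verify_chain(chain):
    """Offline verifier: recompute every hash and link. Returns the index of the
    first broken record, or -1 when the whole chain is intact."""
    prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "hash"}
        if body["seq"] != i or body["prev_hash"] != prev or _digest(body) != rec["hash"]:
            return i
        prev = rec["hash"]
    return -1


def demo():
    """Run four constructed calls through the gateway, then tamper with the log."""
    chain = []
    for tool, args in [("initiate_payment", {"amount": 250, "currency": "EUR"}),
                       ("initiate_payment", {"amount": 5000, "currency": "EUR"}),
                       ("delete_database", {}),
                       ("initiate_payment", {"amount": 50, "currency": "GBP"})]:
        append_record(chain, tool, args, govern(tool, args))
    intact = verify_chain(chain) == -1
    tampered = json.loads(json.dumps(chain))
    tampered[1]["outcome"] = "ALLOW"   # rewrite an ESCALATE into an ALLOW after the fact
    return intact, verify_chain(tampered)   # -> (True, 1)


if __name__ == "__main__":
    print(demo())
```

The chain alone only proves internal consistency: someone who can rewrite every record after the tampered one can recompute the hashes too. That is what the per-record (or chain-head) Ed25519 signature mentioned on the page is for, and it is why the verifier must run offline with only the public key, not against the service that wrote the log.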
Category tags: