Tracepath — I Built an AI Agent Audit Middleware in One Weekend A developer built Tracepath, an open-source middleware that makes AI agents auditable, traceable, and compliant with regulations like the EU AI Act and FINRA. The tool intercepts every tool call, signs it with Ed25519, checks it against OPA policies, stores it in an immutable WORM log, and monitors for anomalies in real-time. It features a dashboard with tabs for Audit, Incidents, Policies, Reports, and Gemini for semantic incident classification. This is a submission for Weekend Challenge: Passion Edition Tracepath is an open-source middleware that makes any AI agent — LangChain, CrewAI, AutoGen, or your own — auditable, traceable, and compliant with regulations like the EU AI Act and FINRA. It's a full audit stack you can spin up with a single docker compose up . Every tool call your agent makes gets intercepted, signed with Ed25519, checked against OPA policies, stored in an immutable WORM log, and monitored in real-time for anomalies. "Can you audit what your agents did yesterday?"— Tracepath answers that. Five tabs: Audit event trail , Incidents real-time detection , Policies versioned OPA rules with diff & rollback , Reports FINRA & EU AI Act compliance , and Gemini semantic incident classification . I didn't start in AI. I started in security . When I began working in tech, I specialized in web application security — OWASP Top 10, XSS, CSRF, DoS attacks. I spent years thinking about how to control what applications do, how to prevent them from being abused, how to draw a boundary between "allowed" and "denied." Then AI happened. And I fell in love with building agents — autonomous systems that can reason, use tools, and make decisions. But the security part of my brain wouldn't shut up: That's the passion. Marrying the two halves of my career: the security engineer who says "trust nothing, verify everything" and the AI builder who wants agents to be powerful and autonomous. The EU AI Act was the spark. When I read Article 50 — the requirement for high-risk AI systems to maintain logs and enable human oversight — I realized: this is exactly what I spent years doing for web apps, but nobody's built it for AI agents yet. So I built it. In one weekend. Because that's what passion does — it makes you forget to sleep. Quick tour of all five dashboard tabs: Audit, Incidents, Policies, Reports, and Gemini. git clone https://github.com/nujovich/tracepath.git cd tracepath/docker AUDIT SIGNING KEY=$ openssl rand -hex 32 docker compose up -d Then open http://localhost:3000 . You'll see: | Tab | What it shows | |---|---| Audit | Every tool call signed, policy-checked, stored in PostgreSQL + MinIO WORM | Incidents | Real-time detection: denial spikes, budget overruns, suspicious patterns, rate limit breaches | Policies | Git-based OPA versioning with visual diff and one-click rollback | Reports | One-click FINRA and EU AI Act compliance reports | Gemini | Google Gemini 2.5 Flash classifying incidents — "this is a misconfiguration, not an attack" | curl -X POST http://localhost:9001/audit/step \ -H "Content-Type: application/json" \ -d '{ "session id":"demo","agent id":"researcher","agent type":"researcher", "step number":1,"tool name":"web search", "tool input":{"q":"EU AI Act Article 50"}, "tool output":{"results":3},"cost cents":5, "timestamp":"2026-07-12T12:00:00Z" }' → {"status":"recorded","signature":"