Open source · Apache 2.0

trust()your AI spend

Budget holds, audit trails, and spend limits for every LLM call. Keep your keys, keep your billing. Add trust in one line.

See the code View on GitHub

One line

Wrap any client.
Keep your keys.

Your API keys. Your billing. Your provider. trust() adds budget holds and audit trails on top — nothing changes except now you have control.

One await trust(client) call — nothing else changes
Returns the same interface as the original SDK
Every response includes a receipt with hash-chained proof

example.ts

import { trust } from "usertrust"
import Anthropic from "@anthropic-ai/sdk"

// Your keys. Your billing. Now trusted.
const client = await trust(new Anthropic())

const { response, receipt } = await client.messages.create({
  model: "claude-sonnet-4-20250514",
  messages: [{ role: "user", content: "Hello" }]
})

receipt.auditHash       // SHA-256 hash-chained audit link
receipt.cost            // 0.0032
receipt.settled         // true
receipt.model           // "claude-sonnet-4-20250514"

What you get

Not observability.
Governance.

Observability tells you what happened. Governance prevents what shouldn't.

PENDING → POST / VOID

Two-phase settlement

Budget held before execution. Settled on success. Voided on failure. Like a credit card hold at a gas pump.

12 OPERATORS · YAML RULES

Policy engine

Spend limits, model allowlists, PII blocking, rate limits. Enforced before the call — not after.

SHA-256 · RFC 6962 MERKLE

Hash-chained audit

Every transaction links to its predecessor via SHA-256. Tamper-evident by construction. SOC 2 ready.

ZERO MIGRATION · ZERO LOCK-IN

Bring your own keys

Keep your API keys. Keep your billing. trust() wraps your existing client — nothing changes.

OPEN SOURCE · NO SAAS

Apache 2.0 licensed

Run locally with JSON receipts. No account needed. No SaaS dependency. Read every line of code.

IMPORT · WRAP · DONE

Three lines to ship

No config files, no dashboard setup, no SDK initialization ceremony. One function call.

Under the hood

The two-phase lifecycle

Every trust() call follows the same settlement pattern used by payment networks worldwide. No step may be skipped.

PENDING→EXECUTE→POST / VOID→RECEIPT

FIG 1.1

PENDING

Budget hold creation

Before any LLM call executes, trust() reserves tokens from the user's budget — the same hold pattern banks use for credit card authorizations.

Double-entry debit from AVAILABLE, credit to RESERVED
Estimated cost calculated from the 20-model pricing table
Returns a transferId that tracks the hold through its lifecycle

Must never: execute the LLM call, skip budget verification, allow negative balances

transferId + PENDING hold + estimatedCostHold is active — budget reserved before execution

EXECUTE

Policy gate + LLM call

The policy gate evaluates every request before it reaches the provider. PII detection, model allowlists, rate limits, and spend caps — all enforced before the call, not after.

12 field operators for flexible policy rules (YAML or JSON)
Duck-typed provider detection — Anthropic, OpenAI, Google, any SDK
Response includes token usage for actual cost settlement

Must never: forward without a PENDING hold, bypass policy evaluation, cache responses

FIG 1.2

LLM Response + usage (tokens, latency)Branches to POST (success) or VOID (failure)

FIG 1.3

POST

Settlement on success

On success, the hold is settled at the actual cost — calculated from real token usage, not the estimate. Any overage is refunded immediately.

Actual cost = input tokens × rate + output tokens × rate
Delta between estimate and actual refunded to AVAILABLE
Receipt appended to SHA-256 hash chain (tamper-evident)

Must never: settle without a preceding PENDING, skip audit chain append

FIG 1.4

VOID

Release on failure

On failure, the entire hold is released — zero charge. The error is classified and recorded in the audit trail, never suppressed.

Full hold amount returned to AVAILABLE immediately
Error classified: transient, permanent, or timeout
Dead-letter queue fallback if audit write fails after void

Must never: charge partial amounts on failure, suppress errors, skip DLQ

POST xor VOID : exactly one outcome per transferId · never both

GovernanceReceipt + auditHashImmutable proof of settlement or release

FIG 1.5

RECEIPT

Hash-chained audit proof

Every call produces an immutable receipt — a hash-chained proof that links to every prior transaction. Tamper-evident by construction.

Each SHA-256 hash covers the previous event's hash
Chain anchored from GENESIS_HASH (64 zeros)
RFC 6962 Merkle proofs for public verifiability

Must never: modify historical receipts, break the hash chain, skip the GENESIS anchor

Connection Index

PENDING→EXECUTEtransferId + budget hold + estimatedCost

EXECUTE→POSTLLM success + token usage

EXECUTE→VOIDLLM failure + error classification

POST→RECEIPTsettled hold + actual cost + audit hash

VOID→RECEIPTvoided hold + error event + audit hash

TigerBeetle—double-entry ledger, two-phase transfers

Audit Chain—SHA-256 hash-linked JSONL, Merkle proofs

Policy Gate—12 operators, PII detection, scope globs

5 PHASES · 3 STORAGE SYSTEMS · 1 UNIVERSAL JOIN KEY (transferId)

Your keys. Your billing.
Our trust layer.

trust() wraps your existing provider client. No proxy. No routing. No new accounts. Just trust on top of what you already use.

AnthropicClaude SDK

OpenAIGPT SDK

GoogleGemini SDK

xAIGrok SDK

GroqFast inference

+ moreAny provider

Read every line

Your trust layer shouldn't be a black box. UserTrust is open source under the Apache 2.0 license.

View on GitHub Read the docs