Your AI connects to services through your router. Your policy controls every call. Every action is signed and recorded. We see nothing. You own the proof.
Your AI needs to access a service — your tax software, your email, a database, an AI model. Instead of connecting directly, you add the service to your router. No restart needed.
The router connects to the service, discovers its available tools, and makes them available to your AI — all in the same conversation. Add another service anytime. Remove one. The AI's capabilities expand and contract dynamically.
You decide what your AI can do. Not the AI company. Not the service provider. You write the rules. The router enforces them cryptographically.
Read W-2 data, read 1099s, calculate taxes. The AI can do these freely. Every call is still recorded.
Submit the tax return. Blocked. The AI physically cannot call this tool. Denial is recorded in the audit chain.
Draft a return. The AI can prepare it, but YOUR desktop shows a confirmation dialog. You review and approve with your wallet signature.
Policy is enforced at the infrastructure layer, not in the prompt. You don't ask the AI to be careful. You make it physically impossible for the AI to exceed its authorized scope.
The AI calls tools normally. It doesn't know the router is in the middle. Every call is intercepted, policy-checked, forwarded, and recorded.
sequenceDiagram
participant AI as Your AI
participant Router as Rootz Router
participant Policy as Policy Engine
participant Service as Intuit MCP
AI->>Router: intuit_read_w2({ year: 2025 })
Router->>Policy: Check: intuit-tax / read_w2
Policy-->>Router: ALLOW
Router->>Service: read_w2({ year: 2025 })
Service-->>Router: W-2 data
Note right of Router: Hash request + response<br/>Record in audit chain
Router-->>AI: W-2 data returned
AI->>Router: intuit_submit_return({ data: ... })
Router->>Policy: Check: intuit-tax / submit_return
Policy-->>Router: DENY
Note right of Router: Denial recorded in chain
Router-->>AI: BLOCKED by policy
The AI asked for W-2 data — allowed. The AI tried to submit the return — blocked. Both the allowed call and the denied call are recorded in the audit chain. The AI adjusts and works within its policy.
For high-stakes actions, the router pauses and asks you. Your desktop shows a confirmation dialog. You review what the AI wants to do. You approve with your wallet signature — or deny.
The confirmation isn't just a click. It's a cryptographic signature from your hardware-sealed wallet key. Proof that you, specifically, reviewed and authorized this action at this time. No one can forge it. No one can deny it.
Every proxied call — allowed, denied, or confirmed — becomes a signed entry in your audit chain. Hash-linked. Tamper-evident. Settleable to blockchain.
The audit chain includes what was allowed, what was denied, and what you specifically approved. An auditor verifies one Merkle root and knows the complete history of every AI-to-service interaction.
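A minimal sketch of the policy check and hash-linked audit chain described above. It is an added example, not Rootz code. The policy table format, the entry fields and the function names `proxy_call` and `verify_chain` are assumptions, and the wallet/TPM signature and Merkle settlement are not modelled.

```python
import hashlib, json

# Hypothetical policy table; the service and tool names come from the page's diagram.
POLICY = {("intuit-tax", "read_w2"): "ALLOW",
          ("intuit-tax", "submit_return"): "DENY"}
GENESIS = "0" * 64

def digest(obj):
    """SHA-256 over a canonical JSON encoding (sorted keys, fixed separators)."""
    blob = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()

def proxy_call(chain, service, tool, args, backend):
    """Policy-check one call, forward it only on ALLOW, record the outcome either way."""
    decision = POLICY.get((service, tool), "DENY")  # default deny for unlisted tools
    response = backend(tool, args) if decision == "ALLOW" else None
    body = {"seq": len(chain),
            "prev": chain[-1]["hash"] if chain else GENESIS,
            "service": service, "tool": tool, "decision": decision,
            "request_hash": digest(args),
            "response_hash": digest(response) if decision == "ALLOW" else None}
    chain.append({**body, "hash": digest(body)})
    return response if decision == "ALLOW" else "BLOCKED by policy"

def verify_chain(chain):
    """Return the index of the first bad entry, or -1 if every link checks out."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["seq"] != i or digest(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

def demo():
    """Constructed sample run: one allowed call, one denied call, then tampering."""
    backend = lambda tool, args: {"wages": 50000, "year": args["year"]}  # fake service
    chain = []
    allowed = proxy_call(chain, "intuit-tax", "read_w2", {"year": 2025}, backend)
    denied = proxy_call(chain, "intuit-tax", "submit_return", {"data": "draft"}, backend)
    intact = verify_chain(chain)
    chain[1]["decision"] = "ALLOW"   # rewrite the denial after the fact
    return allowed, denied, intact, verify_chain(chain)

if __name__ == "__main__":
    print(demo())
```

Hash linking alone detects edits and reordering but not removal of the newest entries, so a verifier also needs the latest head hash from somewhere the log holder cannot rewrite, which is the role the page gives to signing and settlement.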
Rootz is the software, not the operator. We never see your traffic. Your router runs on your hardware. Your keys are in your TPM. Your data stays in your enclave.
The router runs locally. Your TPM-sealed key signs everything. The key never leaves your hardware. Rootz Corp has zero access.
Or run in a confidential VM (AMD SEV, Intel TDX). The cloud operator can't see inside. Your keys are in the enclave. Same privacy.
You choose what to share. Auditor gets a Merkle root. Regulator gets a settlement. Colleague gets a share link. Default: private.