Daylite enforces policy at the MCP tool-call boundary and proves what your AI agent actually did. Self-hosted, air-gap capable. Each tool-call is gated against policy before it runs, then recorded in an append-only, hash-chained, signed log an auditor can verify offline. Built on AWS-LC, a FIPS 140-3 validated cryptographic library; Daylite is not CMVP product-certified. Mapped to NIST SP 800-53 controls. For finance, healthcare, and defense.