🚀 Evidence-grade fraud and incident operations OS for teams that need to turn suspicious activity into explainable decisions, verifiable evidence, and audit-ready reports.
ProofPilot AI ingests suspicious events, scores risk with deterministic rules, opens investigation cases, tracks live progress, detects shared-device/IP fraud rings, verifies a tamper-evident evidence ledger, and produces analyst-ready reports.
Fraud, trust-and-safety, fintech, marketplace, and SaaS operations teams often have plenty of alerts but weak proof. ProofPilot focuses on the missing middle:
- What happened?
- Why is it risky?
- Which entities are connected?
- Which evidence supports the decision?
- Can the evidence chain survive audit review?
- ⚡ Suspicious event ingestion API with strict Zod validation.
- 🧮 Deterministic TypeScript risk engine with explainable reason codes.
- 🚨 Automatic critical case creation for high-risk activity.
- 📡 Live investigation stream with 4-second UI refresh.
- 🧭 Pipeline progress: New Event -> Risk Score -> Case Created -> Ledger Record -> Report Ready.
- 🗄️ DynamoDB-backed event repository with query-first access patterns.
- 🔎 Latest event API:
GET /api/events/latest. - 👤 Entity timeline API:
GET /api/events/entity/[entityId]. - 🔥 Severity feed API:
GET /api/events/severity/[severity]. - 🕸️ Fraud ring detector for shared account, device, IP, and case patterns.
- 📊 Dashboard analytics with Recharts.
- 🧩 React Flow entity graph.
- 🧾 Case detail timeline with linked evidence and analyst notes.
- 🛡️ Tamper-evident SHA-256 evidence ledger.
- ✅ Global ledger verification with exact broken-record reporting.
- 🧪 Simulate Tamper and Restore Valid Chain demo controls.
- 🤖 Controlled case copilot with structured deterministic fallback.
- 📝 Analyst brief generation.
- 🧠 Suspicious pattern summary.
- ✅ Recommended next actions.
- 💬 Customer-support-safe summary.
- 📄 Compliance-style HTML report generation.
- 🖨️ Print-friendly report preview.
- 🧯 Server-side generation cap: 1 to 1000 events per request.
- 🚦 Rate limiting for ingest and generation routes.
- 🔐 Server-side AWS SDK usage only.
- 🩺 System health page without secret exposure.
- 🧱 Future-ready Aurora DSQL/PostgreSQL schema.
- 🔍 Future OpenSearch zero-ETL architecture story.
- 🌊 Future DynamoDB Streams + Lambda processor story.
- 🧪 Vitest coverage for risk, ledger, generator, reports, API contracts, and Diamond features.
- 🚀 Vercel-ready Next.js App Router deployment.
Current live path:
flowchart LR
Judge[Judge / Analyst Browser] --> App[Vercel Next.js App]
App --> API[API Routes]
API --> DDB[(DynamoDB ProofPilotEvents)]
API --> Risk[Risk Engine]
Risk --> Cases[Case Creation]
Cases --> Ledger[Evidence Ledger]
Ledger --> UI[Live UI Feed]
Ledger --> Reports[Report Generator]
DynamoDB access patterns:
PK = ORG#org_northstar_paySK = EVENT#timestamp#eventIdGSI1PK = ENTITY#entityIdGSI1SK = EVENT#timestampGSI2PK = RISK#CRITICALGSI2SK = timestamp#eventId
Future expansion is documented but not falsely claimed as live:
- DynamoDB Streams for near-real-time change capture.
- AWS Lambda risk processor for event-driven processing.
- OpenSearch zero-ETL for search and analyst queries.
- Aurora DSQL/PostgreSQL for strongly consistent relational workflow storage.
- Next.js App Router
- React 19
- TypeScript strict mode
- Tailwind CSS import plus custom enterprise CSS
- Zod validation
- AWS SDK v3 DynamoDB adapter
- Recharts
- React Flow via
@xyflow/react - Drizzle schema definitions
- Vitest
- ESLint flat config
npm install
npm run devOpen http://localhost:3000.
Copy .env.example to .env.local when using live adapters:
DATABASE_URL=
AWS_REGION=
AWS_ACCESS_KEY_ID=
AWS_SECRET_ACCESS_KEY=
DYNAMODB_EVENTS_TABLE=ProofPilotEvents
NEXT_PUBLIC_APP_URL=http://localhost:3000
NEXT_PUBLIC_DEMO_MODE=trueNever commit .env, .env.local, AWS credentials, database passwords, or screenshots with visible secrets.
GET /api/events/latest?limit=50
GET /api/events/entity/acct_00?limit=50
GET /api/events/severity/critical?limit=50
GET /api/investigation-stream?limit=12
POST /api/demo/generate-events
POST /api/ingest
POST /api/ledger/verify
POST /api/ledger/tamper
POST /api/ledger/restore
POST /api/cases/[id]/ai-briefnpm run typecheck
npm run lint
npm run test
npm run build- Open
/demo. - Generate suspicious events.
- Open
/streamand watch realtime pipeline progress. - Open
/entitiesand inspect the fraud ring graph. - Open the latest critical case.
- Generate the controlled analyst brief.
- Verify the ledger.
- Simulate tamper and confirm the exact broken record.
- Restore the valid chain.
- Generate a report.
- Open
/architectureand/system-health.
ProofPilot is designed so the demo works without credentials while live adapters activate only from server-side environment variables. The system health page reports readiness without exposing secrets. For a full production launch, add organization auth, RBAC, hashed API keys, tenant isolation tests, durable rate limiting, observability, and least-privilege IAM policies.