OVK: Open Verification Kernel Providing Formal Verification Guarantees for AI Agent Code Changes

This article introduces the Open Verification Kernel (OVK) — an open-source, solver-agnostic verification layer designed specifically for AI agent engineering workflows. It bridges AI coding agents and formal verification tools, addressing security risks in AI-generated code and providing verifiable security guarantees for code changes.

With the popularity of AI coding assistants like GitHub Copilot, AI agents have become regular participants in development. However, automation brings security risks: Does AI-generated code have vulnerabilities? Do changes break safety boundaries? Traditional manual reviews can't keep up with high-frequency changes; existing static analysis tools lack a unified framework; AI self-criticism has no formal guarantees. OVK aims to resolve this trust crisis by providing a unified verification approach.

The core idea of OVK is "solver-agnostic, yet never give up guarantees", adopting a layered architecture:

1. Verification Intent Layer: Intermediate Representation (IR) describes the properties that changes need to maintain; its declarative syntax is easy for AI to generate.
2. Capability Declaration Layer: Backend solvers declare their capability boundaries, supporting intelligent routing.
3. Evidence Normalization Layer: Unifies verification result formats, which can be embedded into PR processes or automated access gates.

OVK v1.1.0 focuses on five types of risks:

1. CI Security Channel: Prevent PRs from weakening the project's own verification gates.
2. Authorization Obligation Channel: Verify that permission changes do not break safety boundaries.
3. Infrastructure Exposure Channel: Check if IaC changes expose sensitive resources.
4. CI Secret Security Channel: Monitor CI configurations to prevent secret leaks.
5. Deployment Status Channel: Ensure the deployment process does not skip approval steps.

OVK's core is implemented in Python, providing command-line tools (ovk check/verify/doctor); it integrates 10 mainstream formal tools (OPA, Z3, Cedar, etc.); supports GitHub Actions for automatic PR verification; and provides an MCP server that allows AI agents to call verification services in real-time, enabling a generate-verify-fix closed loop.

OVK's practical scenarios include:

1. AI-Assisted Code Review: Automatically verify PRs related to authorization logic and point out vulnerability locations.
2. Infrastructure Change Gates: Block IaC changes to ensure compliance with the principle of least privilege.
3. Pre-Release Precheck: Generate signed verification evidence packages to meet compliance audit requirements.

OVK v1.1.0 is ready for production trial and uses the Apache-2.0 license. The community can contribute: new backend adapters (e.g., Coq, Isabelle), verification intent templates, benchmark test cases, and integration experience sharing.

Current limitations: Verification completeness depends on backend tools; intent generation requires prompt engineering; performance for large-scale code needs optimization. Future plans: Expand adapters, add automatic fix suggestions, support natural language to verification intent, and enable trusted evidence transfer. Conclusion: OVK provides formal verification infrastructure for code review in the AI era and is an essential component for software supply chain security.