Tamper-evident runtime records for AI agents: the audit trail the vendor runs but cannot edit.
Every action your agent takes (tool calls, model calls, data access, approvals) becomes one record in an append-only, hash-chained log. Any party can verify the log was never altered, without trusting whoever produced it. When a customer's security team asks "what did your agent do with our data?", you hand them a link instead of a paragraph. Security reviews already ask AI questions next to the SOC 2 checklist, and today a written assurance still passes. The bet behind this project is that it won't for long.
The record format is open and free to implement. This package is the reference implementation: recorder, verifier, witness client, and report server.
Why you can trust this code
You are being asked to put a recorder inside your agent. You should not take that on faith:
Zero runtime dependencies. Standard library only. pip install halo-record installs exactly one package.
Standard library only. installs exactly one package. No network calls , except the witness, which is opt-in and receives only a record count and a chain fingerprint. Record contents never leave your infrastructure.
, except the witness, which is opt-in and receives only a record count and a chain fingerprint. Record contents never leave your infrastructure. Raw inputs never enter a record. Arguments are hashed and stored only as a redacted summary — never the raw value. Redaction is best-effort (regex over common secret and PII formats): treat it as defense-in-depth, not a guarantee.
Arguments are hashed and stored only as a redacted summary — never the raw value. Redaction is best-effort (regex over common secret and PII formats): treat it as defense-in-depth, not a guarantee. Small enough to audit. ~4,300 lines of Python. Read all of it in an afternoon.
~4,300 lines of Python. Read all of it in an afternoon. Apache-2.0.
... continue reading