The problem Halo solves is: when a company buys an AI agent from a vendor and gives it access to their data, they have no way to check what the agent did with that data. Vendors may have built observability dashboards and audit logs, but those are editable and partisan. SOC 2 and ISO 27001 audit a company's controls, but controls are less predictive when the software is agentic. TLDR: give an agent the same prompt 50 times, and you get 50 slightly different actions/answers - so the only thing worth auditing in a post-agentic world is what happened at runtime.
Halo is an open-source project that produces agent runtime evidence. It's a small recorder that records every action an agent takes (eg. tool calls, model calls, data access, etc), and becomes a record in an append-only log. It's hash-chained, so anyone can re-verify.
Run the following command to see a fictional example:
uvx --from halo-record halo demo --serve
Then, delete a line from one of the .jsonl files and reload, and the report will catch that it's been tampered with.To wire up your own agent, run this line of Python:
agent = trace(run_my_agent, profile="my-agent", log="audit.jsonl")
Then use this to generate a real report and give it to your customers: halo report audit.jsonl -o report.html
Disclaimer: this proves integrity, not completeness (as a self-held chain proves nothing was edited but does NOT prove that nothing was omitted). Catching this requires a witness outside the vendor and is what I'm working on next.Halo is Apache-2.0, contains zero runtime dependencies, and is about 4,300 lines of Python with 125 tests (if you prefer TypeScript, here's that repo: https://github.com/bkuan001/halo-record-ts).
Give it a try, and please let me know if you have any feedback!
Or as the page puts it in more detail:
> A self-held chain proves integrity: nothing was edited or reordered after the fact. It cannot prove completeness: the operator of a recorder can delete the bad day and re-seal the chain, or never write a record at all, and the chain stays internally consistent.
I don't get this. If I "hold" the "chain" (I hate the jargon agents invent), why can't I edit or reorder and then "re-seal" it?
But if you're incentivized to publish as quickly as possible, then your customer gets the log immediately, and there is no need for a "trusted" third party to act as a "witness" and seek rents for not doing anything useful.
And none of the above protects against the vendor using your sensitive data to (a) do the work as contracted, with a cryptographically verified log and everything, but also (b) copy/analyze/abuse said data without telling you.
It's 2017 again, and someone on HN is inventing "blockchain for X", poorly. (Also note that it doesn't matter what kind of work X is, except for aligning this with HN's current main interest.)
Regarding incentives, this only works if the customer (or regulation) demands it - they’ll require the checkpoints as a condition of closing the deal - and is part of the bet.
A missed checkpoint is in and of itself visible, so if the vendor sits on records instead of publishing, the customer will notice the silence.
And to start a discussion: if you sell or buy AI agent products, what do security reviews ask about them?
Would love to hear more about what you’re building!
I've seen other products/apps in this space farther up the stack at the API boundary.
What frameworks does your package work with? How does it handle intercept?
Would love to hear more about your agent framework!
Why would these be editable?
The hash chain doesn't make the log unwritable, it makes any edit detectable.
If you find something/have feedback, please let me know and I'll gladly fix it.
Separately - 100% agree on the witness - only someone/thing outside the vendor can prove nothing was omitted. Who do you think fills that gap - is it an audit firm (my world), a standards body, or something else?