Show HN: Halo – open-source, tamper-evident runtime evidence for AI agents
This covers a coding tool or code-capability update — useful for developers assessing workflow changes and reusable value.
Halo is an open-source tool providing tamper-evident runtime records for AI agents.…
Tamper-evident runtime records for AI agents: the audit trail the vendor runs but cannot edit.
Every action your agent takes (tool calls, model calls, data access, approvals) becomes one record in an append-only, hash-chained log. Any party can verify the log was never altered, without trusting whoever produced it. When a customer's security team asks "what did your agent do with our data?", you hand them a link instead of a paragraph. Security reviews already ask AI questions next to the SOC 2 checklist, and today a written assurance still passes. The bet behind this project is that it won't for long.
The record format is open and free to implement. This package is the reference implementation: recorder, verifier, witness client, and report server.
Why you can trust this code
You are being asked to put a recorder inside your agent. You should not take that on faith:
- Zero runtime dependencies. Standard library only. pip install halo-record installs exactly one package.
- No network calls, except the witness, which is opt-in and receives only a record count and a chain fingerprint. Record contents never leave your infrastructure.
- Raw inputs never enter a record. Arguments are hashed and stored only as a redacted summary — never the raw value. Redaction is best-effort (regex over common secret and PII formats): treat it as defense-in-depth, not a guarantee.
- Small enough to audit. ~4,300 lines of Python. Read all of it in an afternoon.
- Apache-2.0.
60-second demo
No agent required. With uv , nothing to install:
uvx --from halo-record halo demo --serve
or the classic way:
pip install halo-record halo demo --serve
Either one scaffolds a fictional support-agent vendor with two customers, witnesses the chains, serves their gated Runtime Reports, and opens the operator console in your browser. Then try the tamper test: delete a line from one of the .jsonl files and reload. The report catches it.
Record your own agent
One line at the boundary:
from halo import trace
agent = trace ( run_my_agent , profile = "my-agent" , log = "audit.jsonl" ) # wraps your entrypoint; records every tool call to ./audit.jsonl
Without log=, records go to ~/.halo/my-agent.jsonl (one chain per agent). Or use the adapter for what you already run (see the matrix below). Then render the report:
halo report audit.jsonl -o report.html # one chain -> self-verifying HTML halo serve ./records --port 8721 # all tenants, gated per customer
The quickstart ends when you are looking at your own agent's Runtime Report in a browser. If you got a JSONL file and no report, something is wrong: open an issue.
Connect to what you already run