The last few months I've been talking to security and GRC teams about exactly that. When a company buys an AI agent from some vendor, and it starts touching their data, nobody can answer the obvious question: "what did it actually do in here?" The only proof on offer is the vendor's own logs - and the vendor is the party being reviewed.
So I built Halo. It's a small recorder, zero dependencies. Every action an agent takes - tool calls, model calls, data access - becomes one record in an append-only, hash-chained log that anyone can re-verify without trusting whoever produced it.
60-second demo so you can see it before wiring up your own agent (there's nothing to install):
uvx --from halo-record halo demo --serve
(or: pip install halo-record && halo demo --serve)
It scaffolds a sample vendor + two customers with example data, serves each a report, and re-checks the whole chain in your browser. Delete a line from one of the .jsonl files, reload, and the report catches it.
To run it on your own agent, it's one line:
agent = trace(run_my_agent, profile="my-agent")
Every tool call lands in the chain, and halo report gives you the same report to hand a customer.
Being upfront about what it does NOT do yet: a self-held chain proves integrity (nothing edited), but not completeness - the operator could just never write a record, or delete the bad day and re-seal a shorter chain. Catching that needs a witness outside the operator's control holding periodic fingerprints (a count + a head hash). The protocol's in the repo; the hosted, recognized witness is the part I'm still building, and honestly I think that's where the real value is.
Apache-2.0, zero runtime deps, ~4,200 lines you can read in a sitting. The integrity model is the load-bearing claim - so if you can edit a chain in a way that still passes halo verify, or fool a completeness check against an honest witness, I'd genuinely love to hear how. SECURITY.md spells out what I consider a vulnerability. Thanks and give it a spin!
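
The integrity-versus-completeness gap described above, as an added example that is not part of the original post and is not Halo's code, record format or witness protocol. The record layout, the function names and the sample actions are all assumptions made for illustration; only the idea of a witness holding a count plus a head hash comes from the post.

```python
import hashlib, json

GENESIS = "0" * 64  # constructed starting value for the chain

def seal(prev_hash, body):
    """Hash a record body together with the previous record's hash."""
    data = json.dumps({"prev": prev_hash, "body": body}, sort_keys=True)
    return hashlib.sha256(data.encode()).hexdigest()

def build_chain(bodies):
    chain, prev = [], GENESIS
    for body in bodies:
        h = seal(prev, body)
        chain.append({"prev": prev, "body": body, "hash": h})
        prev = h
    return chain

def verify_chain(chain):
    """Integrity only: each record links to its predecessor and re-hashes."""
    prev = GENESIS
    for rec in chain:
        if rec["prev"] != prev or rec["hash"] != seal(prev, rec["body"]):
            return False
        prev = rec["hash"]
    return True

def fingerprint(chain):
    """What an outside witness would hold: record count plus head hash."""
    return {"count": len(chain), "head": chain[-1]["hash"] if chain else GENESIS}

def consistent_with_witness(chain, fp):
    """Completeness: the chain must still contain the witnessed prefix."""
    n = fp["count"]
    if not verify_chain(chain) or len(chain) < n:
        return False
    return (chain[n - 1]["hash"] if n else GENESIS) == fp["head"]

# Constructed sample actions (hypothetical tool names).
ACTIONS = [
    {"tool": "crm.read", "rows": 12},
    {"tool": "llm.call", "model": "example"},
    {"tool": "files.export", "rows": 9000},
    {"tool": "crm.read", "rows": 3},
]
honest = build_chain(ACTIONS)
witnessed = fingerprint(honest[:3])  # checkpoint taken after three records

edited = [dict(r) for r in honest]
edited[2]["body"] = {"tool": "files.export", "rows": 1}  # in-place edit
resealed = build_chain([a for a in ACTIONS if a["tool"] != "files.export"])
truncated = honest[:2]  # the "bad day" cut off the end
```

The edited chain fails self-verification, while the re-sealed and truncated chains pass it and are only rejected when compared against the fingerprint held outside the operator's control.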