Show HN: Halo – 用于 AI 代理的开源、防篡改运行时证据系统
Show HN: Halo – open-source, tamper-evident runtime evidence for AI agents

原始链接: https://github.com/bkuan001/halo-record

**halo-record** 为 AI 智能体提供了一种可验证、防篡改的审计追踪方案,以密码学证明取代了传统的人工安全保障。它能为智能体执行的每一项操作(包括工具调用、数据访问和模型交互)创建一条仅可追加、哈希链接的日志。 主要功能包括: * **零信任验证:** 无需信任生成方,任何人均可验证日志的完整性。它通过哈希链检测任何篡改或重排行为。 * **隐私至上:** 不存储原始数据。参数会被哈希处理为脱敏摘要,所有记录均保留在您的基础设施内。 * **轻松集成:** 轻量且无依赖(仅使用标准库),提供原生追踪、OpenTelemetry 支持,以及针对 LangChain、LiteLLM 和 Vercel AI SDK 等主流框架的适配器。 * **合规就绪:** 可生成 SOC 2、ISO 42001 和欧盟《人工智能法案》审计所需的运行时证据,将安全问卷转化为可验证、自包含的 HTML 报告。 虽然自持链条可以证明**完整性**,但该项目还支持可选的**见证协议**以证明**完备性**,确保没有任何日志被删除。该实现秉持透明原则,采用开源协议 (Apache-2.0),且代码简洁,一个下午即可完成审计。

抱歉。
相关文章

原文

Tamper-evident runtime records for AI agents: the audit trail the vendor runs but cannot edit.

Every action your agent takes (tool calls, model calls, data access, approvals) becomes one record in an append-only, hash-chained log. Any party can verify the log was never altered, without trusting whoever produced it. When a customer's security team asks "what did your agent do with our data?", you hand them a link instead of a paragraph. Security reviews already ask AI questions next to the SOC 2 checklist, and today a written assurance still passes. The bet behind this project is that it won't for long.

The record format is open and free to implement. This package is the reference implementation: recorder, verifier, witness client, and report server.

Why you can trust this code

You are being asked to put a recorder inside your agent. You should not take that on faith:

  • Zero runtime dependencies. Standard library only. pip install halo-record installs exactly one package.
  • No network calls, except the witness, which is opt-in and receives only a record count and a chain fingerprint. Record contents never leave your infrastructure.
  • Raw inputs never enter a record. Arguments are hashed and stored only as a redacted summary — never the raw value. Redaction is best-effort (regex over common secret and PII formats): treat it as defense-in-depth, not a guarantee.
  • Small enough to audit. ~4,300 lines of Python. Read all of it in an afternoon.
  • Apache-2.0.

No agent required. With uv, nothing to install:

uvx --from halo-record halo demo --serve

or the classic way:

pip install halo-record
halo demo --serve

Either one scaffolds a fictional support-agent vendor with two customers, witnesses the chains, serves their gated Runtime Reports, and opens the operator console in your browser. Then try the tamper test: delete a line from one of the .jsonl files and reload. The report catches it.

One line at the boundary:

from halo import trace

agent = trace(run_my_agent, profile="my-agent", log="audit.jsonl")   # wraps your entrypoint; records every tool call to ./audit.jsonl

Without log=, records go to ~/.halo/my-agent.jsonl (one chain per agent). Or use the adapter for what you already run (see the matrix below). Then render the report:

halo report audit.jsonl -o report.html    # one chain -> self-verifying HTML
halo serve ./records --port 8721          # all tenants, gated per customer

The quickstart ends when you are looking at your own agent's Runtime Report in a browser. If you got a JSONL file and no report, something is wrong: open an issue.

Connect to what you already run

Captured at the boundary Ingested from existing telemetry
Native recorder (from halo import trace) OpenTelemetry GenAI spans
MCP interceptor LiteLLM callbacks
LangChain / LangGraph callback Langfuse export
OpenAI Agents SDK hooks Any gateway / reverse-proxy log
Claude Code / Claude Agent SDK hook

Every record carries a source tag, so the report discloses how each piece of evidence was collected. Captured and ingested records live in the same chain.

Anything that emits OpenTelemetry GenAI spans (CrewAI, LlamaIndex, and most agent frameworks with OTel instrumentation) lands in the chain through the OTel adapter, and the TypeScript package ships native adapters for the Vercel AI SDK and the JS agent ecosystem. Missing an adapter for your stack? Open an issue. Most adapters are about a hundred lines.

Integrity vs. completeness (read this part)

A self-held chain proves integrity: nothing was edited or reordered after the fact. It cannot prove completeness: the operator of a recorder can delete the bad day and re-seal the chain, or never write a record at all, and the chain stays internally consistent.

Completeness requires a party outside the operator's control holding periodic fingerprints of the chain (a count and a head hash, nothing else). That is the witness:

halo anchor audit.jsonl witness.jsonl           # anchor a checkpoint to a local witness
halo anchor audit.jsonl witness.jsonl --check   # completeness verdict against it

Anyone can run a witness. A witness you run yourself proves integrity to you; proving completeness to your customer requires a witness they have reason to trust. The protocol is open either way.

A hosted, recognized witness is how this project will sustain itself. Early access: [email protected].

Where this sits in a compliance stack

halo-record is an evidence layer, not a certification. It produces the artifact that assessment frameworks keep asking for in different words:

  • Security questionnaires and SOC 2 reviews: answer the AI sections with a verifiable Runtime Report instead of screenshots and prose.
  • AIUC-1: continuous runtime evidence for agent-behavior requirements, instead of evidence reconstructed at audit time.
  • OWASP (GenAI Security Project): the runtime evidence behind the agent-behavior risks in the OWASP Top 10 for LLM Applications and the Agentic Security Initiative — excessive agency, tool misuse, sensitive-information disclosure — recorded as what the agent actually did, with which tools and data.
  • AARM (CSA): produces the tamper-evident action receipt AARM specifies (R5/R6) — chained and independently witnessed. halo-record is the receipt layer; pair it with an enforcement gateway for a full AARM system. See AARM.md.
  • EU AI Act: logging and record-keeping obligations for high-risk AI systems.
  • ISO 42001 / NIST AI RMF: the operational evidence behind management-system controls.

None of this certifies anything by itself. It gives your assessor something verifiable to look at.

halo verify   validate schema + hash chain (non-zero exit on failure; CI-friendly)
halo report   render a chain as a self-verifying HTML Runtime Report
halo serve    serve per-tenant reports over HTTP, access-scoped per customer
halo grant    designate a report recipient (email or domain)
halo anchor   witness a chain head, or --check completeness
halo demo     scaffold the full vendor demo (record -> witness -> gated report)
halo sample   emit a valid example log
halo hash     canonical sha256 of a JSON value
halo hook     Claude Code PostToolUse hook

To compute a record's hash: take the record excluding integrity.hash, with integrity.prev_hash set to the previous record's hash; canonicalize with RFC 8785 (JSON Canonicalization Scheme); SHA-256 the bytes. The first record's prev_hash is 64 zeros. Verification recomputes every hash and checks every link. No secret required; that is the point.

Full field reference: halo-record.schema.json.

The same recorder ships for Node: halo-record-ts. Same chain format, same witness protocol. Records written in either language verify with either verifier.

Apache-2.0

联系我们 contact @ memedata.com