warrant-verify 0.3.0__tar.gz

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -0,0 +1,21 @@
1
+ MIT License
2
+
3
+ Copyright (c) 2026 s0fractal
4
+
5
+ Permission is hereby granted, free of charge, to any person obtaining a copy
6
+ of this software and associated documentation files (the "Software"), to deal
7
+ in the Software without restriction, including without limitation the rights
8
+ to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9
+ copies of the Software, and to permit persons to whom the Software is
10
+ furnished to do so, subject to the following conditions:
11
+
12
+ The above copyright notice and this permission notice shall be included in all
13
+ copies or substantial portions of the Software.
14
+
15
+ THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16
+ IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17
+ FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18
+ AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19
+ LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20
+ OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21
+ SOFTWARE.
@@ -0,0 +1,141 @@
1
+ Metadata-Version: 2.4
2
+ Name: warrant-verify
3
+ Version: 0.3.0
4
+ Summary: Verify what an AI agent decided — signed, hash-addressed decision records with reasons you can re-run on your own machine.
5
+ Author: s0fractal
6
+ License: MIT
7
+ Project-URL: Homepage, https://github.com/s0fractal/warrant
8
+ Project-URL: Specification, https://github.com/s0fractal/warrant/blob/master/SPEC.md
9
+ Project-URL: Evidence Pack format, https://github.com/s0fractal/warrant/blob/master/EVIDENCE-PACK.md
10
+ Keywords: ai-agents,agent-provenance,audit-trail,eu-ai-act,verifiable,sigstore,decision-record,compliance
11
+ Classifier: Development Status :: 4 - Beta
12
+ Classifier: Intended Audience :: Developers
13
+ Classifier: Intended Audience :: Legal Industry
14
+ Classifier: License :: OSI Approved :: MIT License
15
+ Classifier: Programming Language :: Python :: 3
16
+ Classifier: Topic :: Security :: Cryptography
17
+ Requires-Python: >=3.9
18
+ Description-Content-Type: text/markdown
19
+ License-File: LICENSE
20
+ Requires-Dist: cryptography>=41
21
+ Dynamic: license-file
22
+
23
+ # Warrant
24
+
25
+ **A decision record for AI agents. Signed, hash-addressed, with reasons you can re-run.**
26
+
27
+ When an agent accepts, rejects, or proposes something, it writes a warrant: a small JSON record that says **what** was decided, **under** which policy, **because** of which reasons, based on **which** evidence — signed by the actor, addressed by its own hash, linked to the decisions that came before it.
28
+
29
+ ```json
30
+ {
31
+ "decision": "reject",
32
+ "subject": { "hash": "d5cf37…", "note": "PR-42" },
33
+ "under": [ "cb3a0a… (policy in force, by hash)" ],
34
+ "because": [
35
+ { "kind": "check", "check": "05d234…", "runtime": "cmd@v1",
36
+ "verdict": "fail", "transcript": "9dc0c3…" },
37
+ { "kind": "prose", "text": "policy clause 1: coverage drops 87.0 -> 84.2" }
38
+ ],
39
+ "evidence": [ "9dc0c3…" ],
40
+ "actor": { "id": "agent-b@vendor2" },
41
+ "prior": [ "00f79f…" ],
42
+ "ts": 1751677200
43
+ }
44
+ ```
45
+
46
+ The record's hash is its identity. Change one byte of the decision, the policy reference, or the reasons — the hash changes, and every later record that cited it stops resolving. Nothing can be quietly edited after the fact.
47
+
48
+ ## Why not just logs?
49
+
50
+ A trace tells you what an agent did. A warrant proves **why it was allowed to** — and the proof survives the agent. Logs are mutable, vendor-shaped prose. Warrants are:
51
+
52
+ - **Immutable** — identity is the hash of the content.
53
+ - **Signed** — you know which actor decided.
54
+ - **Anchored** — `under` pins the exact bytes of the policy that was in force, not "the policy" in someone's memory.
55
+ - **Re-checkable** — a reason can be an executable check. Anyone can re-run it and get the same verdict.
56
+ - **Linked** — `prior` makes decisions a chain: propose → reject (with reasons) → revise → accept. `warrant why <hash>` walks the whole chain.
57
+
58
+ A rejection is a first-class record, not an absence. This is the part that matters as agents get autonomy: the "no, because" survives, gets cited by hash, and stops the same argument from being re-had from scratch.
59
+
60
+ ## Ten minutes
61
+
62
+ ```bash
63
+ git clone https://github.com/s0fractal/warrant && cd warrant
64
+ pip install . # installs the `warrant` command + a bundled Σ-GLYPH oracle
65
+ ```
66
+
67
+ `ski@v1` reasons re-run **offline** — the Σ-GLYPH Book I check engine ships inside
68
+ the package, so no separate clone is needed. (A one-line `pipx install
69
+ warrant-verify` lands once it's on PyPI.)
70
+
71
+ ```bash
72
+ warrant init # .warrants/ store in your repo
73
+ warrant keygen --out me.key # Ed25519; prints your pubkey
74
+ printf 'demo diff\n' > diff.patch # the thing being decided about
75
+ POL=$(warrant policy add examples/policy.txt) # pin the rules in force -> hash
76
+
77
+ P=$(warrant propose --subject diff.patch --under $POL \
78
+ --reason "utility fns needed" --actor me@host --key me.key)
79
+ R=$(warrant reject $P --check examples/check.sh --verdict fail \
80
+ --reason "clause 1: coverage drop" --actor me@host --key me.key)
81
+ A=$(warrant accept $R --check examples/check.sh --verdict pass \
82
+ --actor me@host --key me.key)
83
+
84
+ warrant why $A # decision -> reasons -> checks -> policy, verified
85
+ warrant verify # every hash, signature, and link in the store
86
+ ```
87
+
88
+ The store is plain files, content-addressed, git-friendly. No server, no vendor, no account.
89
+
90
+ ## Try it on a real case
91
+
92
+ Verify what an AI agent decided — the Air Canada chatbot case, as the record the
93
+ airline never had. Fifteen minutes, offline, trusting nothing but this tool:
94
+ **[`demos/air-canada/`](demos/air-canada/)**. The portable bundle format those
95
+ records travel in is specified in **[`EVIDENCE-PACK.md`](EVIDENCE-PACK.md)**.
96
+
97
+ ## What it is not
98
+
99
+ Not an agent framework. Not a blockchain. Not observability. It is one file format and five verbs, designed to be boring: any language can implement it from the spec in an afternoon, and two implementations agree on every hash.
100
+
101
+ ## Spec and status
102
+
103
+ `SPEC.md` — the format (v0.3 draft: the v0.1/v0.2 body schema plus v0.3 settlement, key-state and multi-root rules), canonicalization rules, and worked test vectors with real hashes and signatures (`examples/`). Reason runtimes: `prose`, `cmd@v1` (a check command run in a container), and — new in v0.2 — **`ski@v1`**: a portable, deterministic, budget-bounded check. The check is a content-addressed SKI term evaluated per [Σ-GLYPH Book I](https://github.com/s0fractal/sigma-glyph); the verdict is a hash comparison; work AND peak memory are bounded by the ATP budget, so re-verifying a stranger's reason is safe by construction. `warrant check <hash>` re-runs one.
104
+
105
+ `impl/warrant.py` — reference implementation (M1): the five verbs on a plain-file store, one file, stdlib + Ed25519 (`pip install cryptography`). It must pass its own law:
106
+
107
+ ```bash
108
+ python3 impl/warrant.py conformance examples # all SPEC §8 vectors, byte-exact
109
+ python3 impl/warrant.py selftest # live round-trip + tamper detection
110
+ ```
111
+
112
+ `impl-go/` — independent Go implementation for cross-checking the spec:
113
+
114
+ ```bash
115
+ (cd impl-go && go build -o warrant-go .) # stdlib-only; binary is not committed
116
+ ./impl-go/warrant-go conformance examples # same SPEC §8 vectors
117
+ ./impl-go/warrant-go selftest examples # schema and verification edges
118
+ ```
119
+
120
+ First real user: [sigma-glyph](https://github.com/s0fractal/sigma-glyph) files its review adjudications as warrants (`.warrants/` in that repo) — the maintainer's accept/reject decisions are signed, hash-addressed, and cite CI gates as `cmd@v1` checks.
121
+
122
+ License: MIT.
123
+
124
+ ## v0.3: settlement-grade verification (DRAFT)
125
+
126
+ Beyond integrity (`verify`), v0.3 adds settlement semantics (SPEC §5.1/§7/§9):
127
+
128
+ ```bash
129
+ python3 impl/warrant.py verify --settlement --trust-config trust.json
130
+ python3 impl/warrant.py settle <settling-wid> candidate-body.json
131
+ ./impl-go/warrant-go verify --settlement --trust-config trust.json <store>
132
+ # NB: Python takes a global --store flag; Go verify/settle take the store as a
133
+ # positional argument — Go is deliberately verify-only (no filing surface).
134
+ ```
135
+
136
+ Settlement-active roots come from your local trust configuration (plus
137
+ policy-authorized adoptions); `genesis.json` is advisory and must be pinned to
138
+ be used. Re-litigation of a settled subject requires new evidence or a new
139
+ outcome fingerprint — prose never re-opens anything. Key rotation/revocation
140
+ are warrants; key state derives from the DAG. Both implementations must agree
141
+ on every settlement outcome: `python3 tests/settlement.py`.
@@ -0,0 +1,119 @@
1
+ # Warrant
2
+
3
+ **A decision record for AI agents. Signed, hash-addressed, with reasons you can re-run.**
4
+
5
+ When an agent accepts, rejects, or proposes something, it writes a warrant: a small JSON record that says **what** was decided, **under** which policy, **because** of which reasons, based on **which** evidence — signed by the actor, addressed by its own hash, linked to the decisions that came before it.
6
+
7
+ ```json
8
+ {
9
+ "decision": "reject",
10
+ "subject": { "hash": "d5cf37…", "note": "PR-42" },
11
+ "under": [ "cb3a0a… (policy in force, by hash)" ],
12
+ "because": [
13
+ { "kind": "check", "check": "05d234…", "runtime": "cmd@v1",
14
+ "verdict": "fail", "transcript": "9dc0c3…" },
15
+ { "kind": "prose", "text": "policy clause 1: coverage drops 87.0 -> 84.2" }
16
+ ],
17
+ "evidence": [ "9dc0c3…" ],
18
+ "actor": { "id": "agent-b@vendor2" },
19
+ "prior": [ "00f79f…" ],
20
+ "ts": 1751677200
21
+ }
22
+ ```
23
+
24
+ The record's hash is its identity. Change one byte of the decision, the policy reference, or the reasons — the hash changes, and every later record that cited it stops resolving. Nothing can be quietly edited after the fact.
25
+
26
+ ## Why not just logs?
27
+
28
+ A trace tells you what an agent did. A warrant proves **why it was allowed to** — and the proof survives the agent. Logs are mutable, vendor-shaped prose. Warrants are:
29
+
30
+ - **Immutable** — identity is the hash of the content.
31
+ - **Signed** — you know which actor decided.
32
+ - **Anchored** — `under` pins the exact bytes of the policy that was in force, not "the policy" in someone's memory.
33
+ - **Re-checkable** — a reason can be an executable check. Anyone can re-run it and get the same verdict.
34
+ - **Linked** — `prior` makes decisions a chain: propose → reject (with reasons) → revise → accept. `warrant why <hash>` walks the whole chain.
35
+
36
+ A rejection is a first-class record, not an absence. This is the part that matters as agents get autonomy: the "no, because" survives, gets cited by hash, and stops the same argument from being re-had from scratch.
37
+
38
+ ## Ten minutes
39
+
40
+ ```bash
41
+ git clone https://github.com/s0fractal/warrant && cd warrant
42
+ pip install . # installs the `warrant` command + a bundled Σ-GLYPH oracle
43
+ ```
44
+
45
+ `ski@v1` reasons re-run **offline** — the Σ-GLYPH Book I check engine ships inside
46
+ the package, so no separate clone is needed. (A one-line `pipx install
47
+ warrant-verify` lands once it's on PyPI.)
48
+
49
+ ```bash
50
+ warrant init # .warrants/ store in your repo
51
+ warrant keygen --out me.key # Ed25519; prints your pubkey
52
+ printf 'demo diff\n' > diff.patch # the thing being decided about
53
+ POL=$(warrant policy add examples/policy.txt) # pin the rules in force -> hash
54
+
55
+ P=$(warrant propose --subject diff.patch --under $POL \
56
+ --reason "utility fns needed" --actor me@host --key me.key)
57
+ R=$(warrant reject $P --check examples/check.sh --verdict fail \
58
+ --reason "clause 1: coverage drop" --actor me@host --key me.key)
59
+ A=$(warrant accept $R --check examples/check.sh --verdict pass \
60
+ --actor me@host --key me.key)
61
+
62
+ warrant why $A # decision -> reasons -> checks -> policy, verified
63
+ warrant verify # every hash, signature, and link in the store
64
+ ```
65
+
66
+ The store is plain files, content-addressed, git-friendly. No server, no vendor, no account.
67
+
68
+ ## Try it on a real case
69
+
70
+ Verify what an AI agent decided — the Air Canada chatbot case, as the record the
71
+ airline never had. Fifteen minutes, offline, trusting nothing but this tool:
72
+ **[`demos/air-canada/`](demos/air-canada/)**. The portable bundle format those
73
+ records travel in is specified in **[`EVIDENCE-PACK.md`](EVIDENCE-PACK.md)**.
74
+
75
+ ## What it is not
76
+
77
+ Not an agent framework. Not a blockchain. Not observability. It is one file format and five verbs, designed to be boring: any language can implement it from the spec in an afternoon, and two implementations agree on every hash.
78
+
79
+ ## Spec and status
80
+
81
+ `SPEC.md` — the format (v0.3 draft: the v0.1/v0.2 body schema plus v0.3 settlement, key-state and multi-root rules), canonicalization rules, and worked test vectors with real hashes and signatures (`examples/`). Reason runtimes: `prose`, `cmd@v1` (a check command run in a container), and — new in v0.2 — **`ski@v1`**: a portable, deterministic, budget-bounded check. The check is a content-addressed SKI term evaluated per [Σ-GLYPH Book I](https://github.com/s0fractal/sigma-glyph); the verdict is a hash comparison; work AND peak memory are bounded by the ATP budget, so re-verifying a stranger's reason is safe by construction. `warrant check <hash>` re-runs one.
82
+
83
+ `impl/warrant.py` — reference implementation (M1): the five verbs on a plain-file store, one file, stdlib + Ed25519 (`pip install cryptography`). It must pass its own law:
84
+
85
+ ```bash
86
+ python3 impl/warrant.py conformance examples # all SPEC §8 vectors, byte-exact
87
+ python3 impl/warrant.py selftest # live round-trip + tamper detection
88
+ ```
89
+
90
+ `impl-go/` — independent Go implementation for cross-checking the spec:
91
+
92
+ ```bash
93
+ (cd impl-go && go build -o warrant-go .) # stdlib-only; binary is not committed
94
+ ./impl-go/warrant-go conformance examples # same SPEC §8 vectors
95
+ ./impl-go/warrant-go selftest examples # schema and verification edges
96
+ ```
97
+
98
+ First real user: [sigma-glyph](https://github.com/s0fractal/sigma-glyph) files its review adjudications as warrants (`.warrants/` in that repo) — the maintainer's accept/reject decisions are signed, hash-addressed, and cite CI gates as `cmd@v1` checks.
99
+
100
+ License: MIT.
101
+
102
+ ## v0.3: settlement-grade verification (DRAFT)
103
+
104
+ Beyond integrity (`verify`), v0.3 adds settlement semantics (SPEC §5.1/§7/§9):
105
+
106
+ ```bash
107
+ python3 impl/warrant.py verify --settlement --trust-config trust.json
108
+ python3 impl/warrant.py settle <settling-wid> candidate-body.json
109
+ ./impl-go/warrant-go verify --settlement --trust-config trust.json <store>
110
+ # NB: Python takes a global --store flag; Go verify/settle take the store as a
111
+ # positional argument — Go is deliberately verify-only (no filing surface).
112
+ ```
113
+
114
+ Settlement-active roots come from your local trust configuration (plus
115
+ policy-authorized adoptions); `genesis.json` is advisory and must be pinned to
116
+ be used. Re-litigation of a settled subject requires new evidence or a new
117
+ outcome fingerprint — prose never re-opens anything. Key rotation/revocation
118
+ are warrants; key state derives from the DAG. Both implementations must agree
119
+ on every settlement outcome: `python3 tests/settlement.py`.