warrant-verify 0.3.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- warrant_verify-0.3.0/LICENSE +21 -0
- warrant_verify-0.3.0/PKG-INFO +141 -0
- warrant_verify-0.3.0/README.md +119 -0
- warrant_verify-0.3.0/impl/sigma_glyph.py +457 -0
- warrant_verify-0.3.0/impl/warrant.py +1164 -0
- warrant_verify-0.3.0/impl/warrant_mcp.py +269 -0
- warrant_verify-0.3.0/impl/warrant_verify.egg-info/PKG-INFO +141 -0
- warrant_verify-0.3.0/impl/warrant_verify.egg-info/SOURCES.txt +12 -0
- warrant_verify-0.3.0/impl/warrant_verify.egg-info/dependency_links.txt +1 -0
- warrant_verify-0.3.0/impl/warrant_verify.egg-info/entry_points.txt +3 -0
- warrant_verify-0.3.0/impl/warrant_verify.egg-info/requires.txt +1 -0
- warrant_verify-0.3.0/impl/warrant_verify.egg-info/top_level.txt +3 -0
- warrant_verify-0.3.0/pyproject.toml +44 -0
- warrant_verify-0.3.0/setup.cfg +4 -0
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 s0fractal
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
@@ -0,0 +1,141 @@
|
|
|
1
|
+
Metadata-Version: 2.4
|
|
2
|
+
Name: warrant-verify
|
|
3
|
+
Version: 0.3.0
|
|
4
|
+
Summary: Verify what an AI agent decided — signed, hash-addressed decision records with reasons you can re-run on your own machine.
|
|
5
|
+
Author: s0fractal
|
|
6
|
+
License: MIT
|
|
7
|
+
Project-URL: Homepage, https://github.com/s0fractal/warrant
|
|
8
|
+
Project-URL: Specification, https://github.com/s0fractal/warrant/blob/master/SPEC.md
|
|
9
|
+
Project-URL: Evidence Pack format, https://github.com/s0fractal/warrant/blob/master/EVIDENCE-PACK.md
|
|
10
|
+
Keywords: ai-agents,agent-provenance,audit-trail,eu-ai-act,verifiable,sigstore,decision-record,compliance
|
|
11
|
+
Classifier: Development Status :: 4 - Beta
|
|
12
|
+
Classifier: Intended Audience :: Developers
|
|
13
|
+
Classifier: Intended Audience :: Legal Industry
|
|
14
|
+
Classifier: License :: OSI Approved :: MIT License
|
|
15
|
+
Classifier: Programming Language :: Python :: 3
|
|
16
|
+
Classifier: Topic :: Security :: Cryptography
|
|
17
|
+
Requires-Python: >=3.9
|
|
18
|
+
Description-Content-Type: text/markdown
|
|
19
|
+
License-File: LICENSE
|
|
20
|
+
Requires-Dist: cryptography>=41
|
|
21
|
+
Dynamic: license-file
|
|
22
|
+
|
|
23
|
+
# Warrant
|
|
24
|
+
|
|
25
|
+
**A decision record for AI agents. Signed, hash-addressed, with reasons you can re-run.**
|
|
26
|
+
|
|
27
|
+
When an agent accepts, rejects, or proposes something, it writes a warrant: a small JSON record that says **what** was decided, **under** which policy, **because** of which reasons, based on **which** evidence — signed by the actor, addressed by its own hash, linked to the decisions that came before it.
|
|
28
|
+
|
|
29
|
+
```json
|
|
30
|
+
{
|
|
31
|
+
"decision": "reject",
|
|
32
|
+
"subject": { "hash": "d5cf37…", "note": "PR-42" },
|
|
33
|
+
"under": [ "cb3a0a… (policy in force, by hash)" ],
|
|
34
|
+
"because": [
|
|
35
|
+
{ "kind": "check", "check": "05d234…", "runtime": "cmd@v1",
|
|
36
|
+
"verdict": "fail", "transcript": "9dc0c3…" },
|
|
37
|
+
{ "kind": "prose", "text": "policy clause 1: coverage drops 87.0 -> 84.2" }
|
|
38
|
+
],
|
|
39
|
+
"evidence": [ "9dc0c3…" ],
|
|
40
|
+
"actor": { "id": "agent-b@vendor2" },
|
|
41
|
+
"prior": [ "00f79f…" ],
|
|
42
|
+
"ts": 1751677200
|
|
43
|
+
}
|
|
44
|
+
```
|
|
45
|
+
|
|
46
|
+
The record's hash is its identity. Change one byte of the decision, the policy reference, or the reasons — the hash changes, and every later record that cited it stops resolving. Nothing can be quietly edited after the fact.
|
|
47
|
+
|
|
48
|
+
## Why not just logs?
|
|
49
|
+
|
|
50
|
+
A trace tells you what an agent did. A warrant proves **why it was allowed to** — and the proof survives the agent. Logs are mutable, vendor-shaped prose. Warrants are:
|
|
51
|
+
|
|
52
|
+
- **Immutable** — identity is the hash of the content.
|
|
53
|
+
- **Signed** — you know which actor decided.
|
|
54
|
+
- **Anchored** — `under` pins the exact bytes of the policy that was in force, not "the policy" in someone's memory.
|
|
55
|
+
- **Re-checkable** — a reason can be an executable check. Anyone can re-run it and get the same verdict.
|
|
56
|
+
- **Linked** — `prior` makes decisions a chain: propose → reject (with reasons) → revise → accept. `warrant why <hash>` walks the whole chain.
|
|
57
|
+
|
|
58
|
+
A rejection is a first-class record, not an absence. This is the part that matters as agents get autonomy: the "no, because" survives, gets cited by hash, and stops the same argument from being re-had from scratch.
|
|
59
|
+
|
|
60
|
+
## Ten minutes
|
|
61
|
+
|
|
62
|
+
```bash
|
|
63
|
+
git clone https://github.com/s0fractal/warrant && cd warrant
|
|
64
|
+
pip install . # installs the `warrant` command + a bundled Σ-GLYPH oracle
|
|
65
|
+
```
|
|
66
|
+
|
|
67
|
+
`ski@v1` reasons re-run **offline** — the Σ-GLYPH Book I check engine ships inside
|
|
68
|
+
the package, so no separate clone is needed. (A one-line `pipx install
|
|
69
|
+
warrant-verify` lands once it's on PyPI.)
|
|
70
|
+
|
|
71
|
+
```bash
|
|
72
|
+
warrant init # .warrants/ store in your repo
|
|
73
|
+
warrant keygen --out me.key # Ed25519; prints your pubkey
|
|
74
|
+
printf 'demo diff\n' > diff.patch # the thing being decided about
|
|
75
|
+
POL=$(warrant policy add examples/policy.txt) # pin the rules in force -> hash
|
|
76
|
+
|
|
77
|
+
P=$(warrant propose --subject diff.patch --under $POL \
|
|
78
|
+
--reason "utility fns needed" --actor me@host --key me.key)
|
|
79
|
+
R=$(warrant reject $P --check examples/check.sh --verdict fail \
|
|
80
|
+
--reason "clause 1: coverage drop" --actor me@host --key me.key)
|
|
81
|
+
A=$(warrant accept $R --check examples/check.sh --verdict pass \
|
|
82
|
+
--actor me@host --key me.key)
|
|
83
|
+
|
|
84
|
+
warrant why $A # decision -> reasons -> checks -> policy, verified
|
|
85
|
+
warrant verify # every hash, signature, and link in the store
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
The store is plain files, content-addressed, git-friendly. No server, no vendor, no account.
|
|
89
|
+
|
|
90
|
+
## Try it on a real case
|
|
91
|
+
|
|
92
|
+
Verify what an AI agent decided — the Air Canada chatbot case, as the record the
|
|
93
|
+
airline never had. Fifteen minutes, offline, trusting nothing but this tool:
|
|
94
|
+
**[`demos/air-canada/`](demos/air-canada/)**. The portable bundle format those
|
|
95
|
+
records travel in is specified in **[`EVIDENCE-PACK.md`](EVIDENCE-PACK.md)**.
|
|
96
|
+
|
|
97
|
+
## What it is not
|
|
98
|
+
|
|
99
|
+
Not an agent framework. Not a blockchain. Not observability. It is one file format and five verbs, designed to be boring: any language can implement it from the spec in an afternoon, and two implementations agree on every hash.
|
|
100
|
+
|
|
101
|
+
## Spec and status
|
|
102
|
+
|
|
103
|
+
`SPEC.md` — the format (v0.3 draft: the v0.1/v0.2 body schema plus v0.3 settlement, key-state and multi-root rules), canonicalization rules, and worked test vectors with real hashes and signatures (`examples/`). Reason runtimes: `prose`, `cmd@v1` (a check command run in a container), and — new in v0.2 — **`ski@v1`**: a portable, deterministic, budget-bounded check. The check is a content-addressed SKI term evaluated per [Σ-GLYPH Book I](https://github.com/s0fractal/sigma-glyph); the verdict is a hash comparison; work AND peak memory are bounded by the ATP budget, so re-verifying a stranger's reason is safe by construction. `warrant check <hash>` re-runs one.
|
|
104
|
+
|
|
105
|
+
`impl/warrant.py` — reference implementation (M1): the five verbs on a plain-file store, one file, stdlib + Ed25519 (`pip install cryptography`). It must pass its own law:
|
|
106
|
+
|
|
107
|
+
```bash
|
|
108
|
+
python3 impl/warrant.py conformance examples # all SPEC §8 vectors, byte-exact
|
|
109
|
+
python3 impl/warrant.py selftest # live round-trip + tamper detection
|
|
110
|
+
```
|
|
111
|
+
|
|
112
|
+
`impl-go/` — independent Go implementation for cross-checking the spec:
|
|
113
|
+
|
|
114
|
+
```bash
|
|
115
|
+
(cd impl-go && go build -o warrant-go .) # stdlib-only; binary is not committed
|
|
116
|
+
./impl-go/warrant-go conformance examples # same SPEC §8 vectors
|
|
117
|
+
./impl-go/warrant-go selftest examples # schema and verification edges
|
|
118
|
+
```
|
|
119
|
+
|
|
120
|
+
First real user: [sigma-glyph](https://github.com/s0fractal/sigma-glyph) files its review adjudications as warrants (`.warrants/` in that repo) — the maintainer's accept/reject decisions are signed, hash-addressed, and cite CI gates as `cmd@v1` checks.
|
|
121
|
+
|
|
122
|
+
License: MIT.
|
|
123
|
+
|
|
124
|
+
## v0.3: settlement-grade verification (DRAFT)
|
|
125
|
+
|
|
126
|
+
Beyond integrity (`verify`), v0.3 adds settlement semantics (SPEC §5.1/§7/§9):
|
|
127
|
+
|
|
128
|
+
```bash
|
|
129
|
+
python3 impl/warrant.py verify --settlement --trust-config trust.json
|
|
130
|
+
python3 impl/warrant.py settle <settling-wid> candidate-body.json
|
|
131
|
+
./impl-go/warrant-go verify --settlement --trust-config trust.json <store>
|
|
132
|
+
# NB: Python takes a global --store flag; Go verify/settle take the store as a
|
|
133
|
+
# positional argument — Go is deliberately verify-only (no filing surface).
|
|
134
|
+
```
|
|
135
|
+
|
|
136
|
+
Settlement-active roots come from your local trust configuration (plus
|
|
137
|
+
policy-authorized adoptions); `genesis.json` is advisory and must be pinned to
|
|
138
|
+
be used. Re-litigation of a settled subject requires new evidence or a new
|
|
139
|
+
outcome fingerprint — prose never re-opens anything. Key rotation/revocation
|
|
140
|
+
are warrants; key state derives from the DAG. Both implementations must agree
|
|
141
|
+
on every settlement outcome: `python3 tests/settlement.py`.
|
|
@@ -0,0 +1,119 @@
|
|
|
1
|
+
# Warrant
|
|
2
|
+
|
|
3
|
+
**A decision record for AI agents. Signed, hash-addressed, with reasons you can re-run.**
|
|
4
|
+
|
|
5
|
+
When an agent accepts, rejects, or proposes something, it writes a warrant: a small JSON record that says **what** was decided, **under** which policy, **because** of which reasons, based on **which** evidence — signed by the actor, addressed by its own hash, linked to the decisions that came before it.
|
|
6
|
+
|
|
7
|
+
```json
|
|
8
|
+
{
|
|
9
|
+
"decision": "reject",
|
|
10
|
+
"subject": { "hash": "d5cf37…", "note": "PR-42" },
|
|
11
|
+
"under": [ "cb3a0a… (policy in force, by hash)" ],
|
|
12
|
+
"because": [
|
|
13
|
+
{ "kind": "check", "check": "05d234…", "runtime": "cmd@v1",
|
|
14
|
+
"verdict": "fail", "transcript": "9dc0c3…" },
|
|
15
|
+
{ "kind": "prose", "text": "policy clause 1: coverage drops 87.0 -> 84.2" }
|
|
16
|
+
],
|
|
17
|
+
"evidence": [ "9dc0c3…" ],
|
|
18
|
+
"actor": { "id": "agent-b@vendor2" },
|
|
19
|
+
"prior": [ "00f79f…" ],
|
|
20
|
+
"ts": 1751677200
|
|
21
|
+
}
|
|
22
|
+
```
|
|
23
|
+
|
|
24
|
+
The record's hash is its identity. Change one byte of the decision, the policy reference, or the reasons — the hash changes, and every later record that cited it stops resolving. Nothing can be quietly edited after the fact.
|
|
25
|
+
|
|
26
|
+
## Why not just logs?
|
|
27
|
+
|
|
28
|
+
A trace tells you what an agent did. A warrant proves **why it was allowed to** — and the proof survives the agent. Logs are mutable, vendor-shaped prose. Warrants are:
|
|
29
|
+
|
|
30
|
+
- **Immutable** — identity is the hash of the content.
|
|
31
|
+
- **Signed** — you know which actor decided.
|
|
32
|
+
- **Anchored** — `under` pins the exact bytes of the policy that was in force, not "the policy" in someone's memory.
|
|
33
|
+
- **Re-checkable** — a reason can be an executable check. Anyone can re-run it and get the same verdict.
|
|
34
|
+
- **Linked** — `prior` makes decisions a chain: propose → reject (with reasons) → revise → accept. `warrant why <hash>` walks the whole chain.
|
|
35
|
+
|
|
36
|
+
A rejection is a first-class record, not an absence. This is the part that matters as agents get autonomy: the "no, because" survives, gets cited by hash, and stops the same argument from being re-had from scratch.
|
|
37
|
+
|
|
38
|
+
## Ten minutes
|
|
39
|
+
|
|
40
|
+
```bash
|
|
41
|
+
git clone https://github.com/s0fractal/warrant && cd warrant
|
|
42
|
+
pip install . # installs the `warrant` command + a bundled Σ-GLYPH oracle
|
|
43
|
+
```
|
|
44
|
+
|
|
45
|
+
`ski@v1` reasons re-run **offline** — the Σ-GLYPH Book I check engine ships inside
|
|
46
|
+
the package, so no separate clone is needed. (A one-line `pipx install
|
|
47
|
+
warrant-verify` lands once it's on PyPI.)
|
|
48
|
+
|
|
49
|
+
```bash
|
|
50
|
+
warrant init # .warrants/ store in your repo
|
|
51
|
+
warrant keygen --out me.key # Ed25519; prints your pubkey
|
|
52
|
+
printf 'demo diff\n' > diff.patch # the thing being decided about
|
|
53
|
+
POL=$(warrant policy add examples/policy.txt) # pin the rules in force -> hash
|
|
54
|
+
|
|
55
|
+
P=$(warrant propose --subject diff.patch --under $POL \
|
|
56
|
+
--reason "utility fns needed" --actor me@host --key me.key)
|
|
57
|
+
R=$(warrant reject $P --check examples/check.sh --verdict fail \
|
|
58
|
+
--reason "clause 1: coverage drop" --actor me@host --key me.key)
|
|
59
|
+
A=$(warrant accept $R --check examples/check.sh --verdict pass \
|
|
60
|
+
--actor me@host --key me.key)
|
|
61
|
+
|
|
62
|
+
warrant why $A # decision -> reasons -> checks -> policy, verified
|
|
63
|
+
warrant verify # every hash, signature, and link in the store
|
|
64
|
+
```
|
|
65
|
+
|
|
66
|
+
The store is plain files, content-addressed, git-friendly. No server, no vendor, no account.
|
|
67
|
+
|
|
68
|
+
## Try it on a real case
|
|
69
|
+
|
|
70
|
+
Verify what an AI agent decided — the Air Canada chatbot case, as the record the
|
|
71
|
+
airline never had. Fifteen minutes, offline, trusting nothing but this tool:
|
|
72
|
+
**[`demos/air-canada/`](demos/air-canada/)**. The portable bundle format those
|
|
73
|
+
records travel in is specified in **[`EVIDENCE-PACK.md`](EVIDENCE-PACK.md)**.
|
|
74
|
+
|
|
75
|
+
## What it is not
|
|
76
|
+
|
|
77
|
+
Not an agent framework. Not a blockchain. Not observability. It is one file format and five verbs, designed to be boring: any language can implement it from the spec in an afternoon, and two implementations agree on every hash.
|
|
78
|
+
|
|
79
|
+
## Spec and status
|
|
80
|
+
|
|
81
|
+
`SPEC.md` — the format (v0.3 draft: the v0.1/v0.2 body schema plus v0.3 settlement, key-state and multi-root rules), canonicalization rules, and worked test vectors with real hashes and signatures (`examples/`). Reason runtimes: `prose`, `cmd@v1` (a check command run in a container), and — new in v0.2 — **`ski@v1`**: a portable, deterministic, budget-bounded check. The check is a content-addressed SKI term evaluated per [Σ-GLYPH Book I](https://github.com/s0fractal/sigma-glyph); the verdict is a hash comparison; work AND peak memory are bounded by the ATP budget, so re-verifying a stranger's reason is safe by construction. `warrant check <hash>` re-runs one.
|
|
82
|
+
|
|
83
|
+
`impl/warrant.py` — reference implementation (M1): the five verbs on a plain-file store, one file, stdlib + Ed25519 (`pip install cryptography`). It must pass its own law:
|
|
84
|
+
|
|
85
|
+
```bash
|
|
86
|
+
python3 impl/warrant.py conformance examples # all SPEC §8 vectors, byte-exact
|
|
87
|
+
python3 impl/warrant.py selftest # live round-trip + tamper detection
|
|
88
|
+
```
|
|
89
|
+
|
|
90
|
+
`impl-go/` — independent Go implementation for cross-checking the spec:
|
|
91
|
+
|
|
92
|
+
```bash
|
|
93
|
+
(cd impl-go && go build -o warrant-go .) # stdlib-only; binary is not committed
|
|
94
|
+
./impl-go/warrant-go conformance examples # same SPEC §8 vectors
|
|
95
|
+
./impl-go/warrant-go selftest examples # schema and verification edges
|
|
96
|
+
```
|
|
97
|
+
|
|
98
|
+
First real user: [sigma-glyph](https://github.com/s0fractal/sigma-glyph) files its review adjudications as warrants (`.warrants/` in that repo) — the maintainer's accept/reject decisions are signed, hash-addressed, and cite CI gates as `cmd@v1` checks.
|
|
99
|
+
|
|
100
|
+
License: MIT.
|
|
101
|
+
|
|
102
|
+
## v0.3: settlement-grade verification (DRAFT)
|
|
103
|
+
|
|
104
|
+
Beyond integrity (`verify`), v0.3 adds settlement semantics (SPEC §5.1/§7/§9):
|
|
105
|
+
|
|
106
|
+
```bash
|
|
107
|
+
python3 impl/warrant.py verify --settlement --trust-config trust.json
|
|
108
|
+
python3 impl/warrant.py settle <settling-wid> candidate-body.json
|
|
109
|
+
./impl-go/warrant-go verify --settlement --trust-config trust.json <store>
|
|
110
|
+
# NB: Python takes a global --store flag; Go verify/settle take the store as a
|
|
111
|
+
# positional argument — Go is deliberately verify-only (no filing surface).
|
|
112
|
+
```
|
|
113
|
+
|
|
114
|
+
Settlement-active roots come from your local trust configuration (plus
|
|
115
|
+
policy-authorized adoptions); `genesis.json` is advisory and must be pinned to
|
|
116
|
+
be used. Re-litigation of a settled subject requires new evidence or a new
|
|
117
|
+
outcome fingerprint — prose never re-opens anything. Key rotation/revocation
|
|
118
|
+
are warrants; key state derives from the DAG. Both implementations must agree
|
|
119
|
+
on every settlement outcome: `python3 tests/settlement.py`.
|