Skip to main content

The compliance layer for AI agents — gate, approve, redact, sign, and audit every AI-agent action into offline-verifiable receipts.

Project description

heso

The compliance layer for AI agents. Wrap an agent and every action it takes — LLM call, tool call, payment, account change, delete — is gated against your policy (allow / block / redact / require-approval), routed to a human when a decision is risky, PII-redacted before signing, and signed into an offline-verifiable Action Receipt appended to a BLAKE3-chained audit log.

You hold the signing keys. heso's cloud can verify and mirror receipts but can never forge one — so anyone (a customer, an auditor, a court) can check exactly what your agent did, and that it was authorized, without trusting heso at all.

pip install heso        # or: uv add heso

First receipt in 60 seconds

heso demo

heso demo scaffolds a project, mints one allowed and one redacted receipt through the real engine, verifies both offline, and prints how to re-verify them yourself. No cloud account, no key ceremony — a dev key is generated for you (strict custody is opt-in for production).

The CLI:

command what it does
heso init [dir] scaffold heso.toml + policy, mint your operator identity in-process
heso demo [dir] mint + verify your first receipts end to end
heso verify <path|hash> re-run the hash + signature math locally, print the verdict (zero network)
heso show <hash> pretty-print a stored receipt

Gate an agent

Every decorated call is gated before its body runs — a blocked or approval-pending action raises, so the side effect can never fire ungated.

import heso

heso.init()

@heso.tool
def search(query: str) -> list[str]:
    ...

@heso.destructive                      # verb=delete → matched against policy
def delete_account(account_id: str) -> None:
    ...

@heso.tool(redact=["api_key"])         # PII stripped before the receipt is signed
def call_vendor(api_key: str, payload: dict) -> dict:
    ...

Policy lives in a heso.toml the SDK reads at gate time — allow the safe lanes, require_approval the risky ones. Edit it freely; it's the single source of policy truth.

Human approval (L1)

When a rule says require_approval, the action suspends instead of running. A human approver co-signs it (in the heso console or via your own webhook), and the receipt is upgraded to L1 — proving an authorized human approved this specific action, not just that the operator allowed the lane.

from heso import gated, resume

gate = gated(charge_card, amount=5000)   # suspends if policy requires approval
if gate.status is heso.SUSPENDED:
    ...                                  # notify approver; park the work
else:
    result = gate.run()

Framework adapters

Drop-in wrappers over the same gate core — no rewrite:

import heso

heso.claude_agent   # Anthropic Claude Agent SDK
heso.openai_agents  # OpenAI Agents SDK
heso.langgraph      # LangGraph / LangChain
heso.crewai         # CrewAI
heso.pydantic_ai    # Pydantic AI
heso.mcp            # Model Context Protocol tools

There's also heso-mcp, an MCP server so an agent can gate and verify through heso directly.

Verify anywhere

Receipts verify offline with heso fully removed from the loop — the hash and signature math is open and the format is specified in action-receipt.md. Hand a receipt to anyone and they can confirm it's untampered and see who signed it.

heso verify ./receipt.json
# → Valid · L1 (operator + human approver)

Trust model

heso proves an action was authorized under policy, and at L1 that an authorized human approved or blocked it. It does not prove the action's outcome was truthful — that's unprovable from the artifact. Trust grades are L0 (operator) and L1 (operator + human approver).


Proprietary. See heso.ca for licensing and the hosted console.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

heso-0.5.1-cp310-abi3-win_amd64.whl (2.1 MB view details)

Uploaded CPython 3.10+Windows x86-64

heso-0.5.1-cp310-abi3-manylinux_2_28_x86_64.whl (2.0 MB view details)

Uploaded CPython 3.10+manylinux: glibc 2.28+ x86-64

heso-0.5.1-cp310-abi3-manylinux_2_28_aarch64.whl (1.9 MB view details)

Uploaded CPython 3.10+manylinux: glibc 2.28+ ARM64

heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl (1.8 MB view details)

Uploaded CPython 3.10+macOS 11.0+ ARM64

heso-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl (2.0 MB view details)

Uploaded CPython 3.10+macOS 10.12+ x86-64

File details

Details for the file heso-0.5.1-cp310-abi3-win_amd64.whl.

File metadata

  • Download URL: heso-0.5.1-cp310-abi3-win_amd64.whl
  • Upload date:
  • Size: 2.1 MB
  • Tags: CPython 3.10+, Windows x86-64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for heso-0.5.1-cp310-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 46ce9d22c48c226ecd1133eb6290f95116f3bf810b636ca105bcd8e2c2fd282b
MD5 3492b9eab13c609103e9922387fcd823
BLAKE2b-256 709205bdc44645e139f2cc18089eafdb8dd13a1b95717156dff9eb06adb65da7

See more details on using hashes here.

Provenance

The following attestation bundles were made for heso-0.5.1-cp310-abi3-win_amd64.whl:

Publisher: packages.yml on heso-inc/heso-enterprise

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file heso-0.5.1-cp310-abi3-manylinux_2_28_x86_64.whl.

File metadata

File hashes

Hashes for heso-0.5.1-cp310-abi3-manylinux_2_28_x86_64.whl
Algorithm Hash digest
SHA256 768509c86f31f64c7ae54f76e3457c47a93fa899e9272850a83314240973a423
MD5 9fbf83e240775ef1273d7cc5b62ccc83
BLAKE2b-256 84ad9ba78bd036051d52b8c42dad13f16064e72d7e23b5c5c5d58a6a349daa25

See more details on using hashes here.

Provenance

The following attestation bundles were made for heso-0.5.1-cp310-abi3-manylinux_2_28_x86_64.whl:

Publisher: packages.yml on heso-inc/heso-enterprise

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file heso-0.5.1-cp310-abi3-manylinux_2_28_aarch64.whl.

File metadata

File hashes

Hashes for heso-0.5.1-cp310-abi3-manylinux_2_28_aarch64.whl
Algorithm Hash digest
SHA256 3d8b8b11b3ff9543f17a323aca71ace753dc25eaee43a962d83995b61098e62d
MD5 1347a00ee9fec7db5ebb4ad9bea2838e
BLAKE2b-256 b1fc55f8783c668798377ea75e2412f2d547f660b0b72ed889c3b13606183f72

See more details on using hashes here.

Provenance

The following attestation bundles were made for heso-0.5.1-cp310-abi3-manylinux_2_28_aarch64.whl:

Publisher: packages.yml on heso-inc/heso-enterprise

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl.

File metadata

  • Download URL: heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl
  • Upload date:
  • Size: 1.8 MB
  • Tags: CPython 3.10+, macOS 11.0+ ARM64
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.13

File hashes

Hashes for heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 dd17358caebaa9838462a6e1e8fbe479406551886b54fb6bf78e5b4cb7127c2e
MD5 4b4f3e241cf1a9b8b1b633fcd303e5be
BLAKE2b-256 b8a0140fa67d5c38a1e823053115ecc066aefd106f0a6e3e78a180c6654da957

See more details on using hashes here.

Provenance

The following attestation bundles were made for heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl:

Publisher: packages.yml on heso-inc/heso-enterprise

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file heso-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for heso-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 103f25cac19c71dac9ef7517a044c704121321f2aa0094c9e59ddeb88ec151ab
MD5 ad0e0b0989c235395d16abc82d0a7df5
BLAKE2b-256 525bd0e64792b05d28b80042a80bda883b11cd1544d21cf74acb3214b88e5085

See more details on using hashes here.

Provenance

The following attestation bundles were made for heso-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl:

Publisher: packages.yml on heso-inc/heso-enterprise

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page