Skip to main content

The compliance layer for AI agents — gate, approve, redact, sign, and audit every AI-agent action into offline-verifiable receipts.

Project description

heso

The compliance layer for AI agents. Wrap an agent and every action it takes — LLM call, tool call, payment, account change, delete — is gated against your policy (allow / block / redact / require-approval), routed to a human when a decision is risky, PII-redacted before signing, and signed into an offline-verifiable Action Receipt appended to a BLAKE3-chained audit log.

You hold the signing keys. heso's cloud can verify and mirror receipts but can never forge one — so anyone (a customer, an auditor, a court) can check exactly what your agent did, and that it was authorized, without trusting heso at all.

pip install heso        # or: uv add heso

First receipt in 60 seconds

heso demo

heso demo scaffolds a project, mints one allowed and one redacted receipt through the real engine, verifies both offline, and prints how to re-verify them yourself. No cloud account, no key ceremony — a dev key is generated for you (strict custody is opt-in for production).

The CLI:

command what it does
heso init [dir] scaffold heso.toml + policy, mint your operator identity in-process
heso demo [dir] mint + verify your first receipts end to end
heso verify <path|hash> re-run the hash + signature math locally, print the verdict (zero network)
heso show <hash> pretty-print a stored receipt

Gate an agent

Every decorated call is gated before its body runs — a blocked or approval-pending action raises, so the side effect can never fire ungated.

import heso

heso.init()

@heso.tool
def search(query: str) -> list[str]:
    ...

@heso.destructive                      # verb=delete → matched against policy
def delete_account(account_id: str) -> None:
    ...

@heso.tool(redact=["api_key"])         # PII stripped before the receipt is signed
def call_vendor(api_key: str, payload: dict) -> dict:
    ...

Policy lives in a heso.toml the SDK reads at gate time — allow the safe lanes, require_approval the risky ones. Edit it freely; it's the single source of policy truth.

Human approval (L1)

When a rule says require_approval, the action suspends instead of running. A human approver co-signs it (in the heso console or via your own webhook), and the receipt is upgraded to L1 — proving an authorized human approved this specific action, not just that the operator allowed the lane.

from heso import gated, resume

gate = gated(charge_card, amount=5000)   # suspends if policy requires approval
if gate.status is heso.SUSPENDED:
    ...                                  # notify approver; park the work
else:
    result = gate.run()

Framework adapters

Drop-in wrappers over the same gate core — no rewrite:

import heso

heso.claude_agent   # Anthropic Claude Agent SDK
heso.openai_agents  # OpenAI Agents SDK
heso.langgraph      # LangGraph / LangChain
heso.crewai         # CrewAI
heso.pydantic_ai    # Pydantic AI
heso.mcp            # Model Context Protocol tools

There's also heso-mcp, an MCP server so an agent can gate and verify through heso directly.

Verify anywhere

Receipts verify offline with heso fully removed from the loop — the hash and signature math is open and the format is specified in ACTION-RECEIPT-1.0. Hand a receipt to anyone and they can confirm it's untampered and see who signed it.

heso verify ./receipt.json
# → Valid · L1 (operator + human approver)

Trust model

heso proves an action was authorized under policy, and at L1 that an authorized human approved or blocked it. It does not prove the action's outcome was truthful — that's unprovable from the artifact. Trust grades are L0 (operator) and L1 (operator + human approver).


Proprietary. See heso.ca for licensing and the hosted console.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

heso-0.4.1-cp310-abi3-win_amd64.whl (2.0 MB view details)

Uploaded CPython 3.10+Windows x86-64

heso-0.4.1-cp310-abi3-manylinux_2_28_x86_64.whl (2.0 MB view details)

Uploaded CPython 3.10+manylinux: glibc 2.28+ x86-64

heso-0.4.1-cp310-abi3-manylinux_2_28_aarch64.whl (1.9 MB view details)

Uploaded CPython 3.10+manylinux: glibc 2.28+ ARM64

heso-0.4.1-cp310-abi3-macosx_11_0_arm64.whl (2.0 MB view details)

Uploaded CPython 3.10+macOS 11.0+ ARM64

heso-0.4.1-cp310-abi3-macosx_10_12_x86_64.whl (2.1 MB view details)

Uploaded CPython 3.10+macOS 10.12+ x86-64

File details

Details for the file heso-0.4.1-cp310-abi3-win_amd64.whl.

File metadata

  • Download URL: heso-0.4.1-cp310-abi3-win_amd64.whl
  • Upload date:
  • Size: 2.0 MB
  • Tags: CPython 3.10+, Windows x86-64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for heso-0.4.1-cp310-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 8f169c1802fbab17cd577fc9771d5f684d09184f0b751d82bb52f55914650be9
MD5 30535666dc58bbe25cb0396d31cd2099
BLAKE2b-256 9b420ab21c06b93ddf4200d96895c6581aa6578f79d3250af4a0eaa5183e68bd

See more details on using hashes here.

File details

Details for the file heso-0.4.1-cp310-abi3-manylinux_2_28_x86_64.whl.

File metadata

File hashes

Hashes for heso-0.4.1-cp310-abi3-manylinux_2_28_x86_64.whl
Algorithm Hash digest
SHA256 b5c0b1fc820815c72d6e0905d7702a950c06963a213488a0822b3c6e6616b46b
MD5 b7b1961f259869b87beebb1acebf06b0
BLAKE2b-256 ed262665770df8fe4a3370c817a979b48cf3e37ada2947d0eeceb96b6f3747fa

See more details on using hashes here.

File details

Details for the file heso-0.4.1-cp310-abi3-manylinux_2_28_aarch64.whl.

File metadata

File hashes

Hashes for heso-0.4.1-cp310-abi3-manylinux_2_28_aarch64.whl
Algorithm Hash digest
SHA256 7c0c69ed43f96bb9f122d390836127c2231da83a4fd83b61c960b8fb09d64678
MD5 51a3e78c4689a3ebd0616866fa8c8f05
BLAKE2b-256 ac7652bfc1d99981d2e0566721733a37b241b075dd8683bf41b938040cf6b1ce

See more details on using hashes here.

File details

Details for the file heso-0.4.1-cp310-abi3-macosx_11_0_arm64.whl.

File metadata

  • Download URL: heso-0.4.1-cp310-abi3-macosx_11_0_arm64.whl
  • Upload date:
  • Size: 2.0 MB
  • Tags: CPython 3.10+, macOS 11.0+ ARM64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for heso-0.4.1-cp310-abi3-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 17c1f39638744dc9e0c6569c08592404d8bb0905a36616ba2c96edb639a6baf2
MD5 05dc428645a29657d3ecbbf535cb6384
BLAKE2b-256 82477f64921201038ba8b3cbddfcffe779e8af67eb443e03149d34e05bb78195

See more details on using hashes here.

File details

Details for the file heso-0.4.1-cp310-abi3-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for heso-0.4.1-cp310-abi3-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 152766980ee81a27950fd9a6ff2bd5a9eedeb786cc25f0f59ecf41ccfac9fe6e
MD5 6fb62b21461428dbb7de5182f97d696b
BLAKE2b-256 0b74e8ca7bef4ad17cba64c97e944500d00edce53284887f9c4ea1083bd570ee

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page