Skip to main content

The compliance layer for AI agents — gate, approve, redact, sign, and audit every AI-agent action into offline-verifiable receipts.

Project description

heso

The compliance layer for AI agents. Wrap an agent and every action it takes — LLM call, tool call, payment, account change, delete — is gated against your policy (allow / block / redact / require-approval), routed to a human when a decision is risky, PII-redacted before signing, and signed into an offline-verifiable Action Receipt appended to a BLAKE3-chained audit log.

You hold the signing keys. heso's cloud can verify and mirror receipts but can never forge one — so anyone (a customer, an auditor, a court) can check exactly what your agent did, and that it was authorized, without trusting heso at all.

pip install heso        # or: uv add heso

First receipt in 60 seconds

heso demo

heso demo scaffolds a project, mints one allowed and one redacted receipt through the real engine, verifies both offline, and prints how to re-verify them yourself. No cloud account, no key ceremony — a dev key is generated for you (strict custody is opt-in for production).

The CLI:

command what it does
heso init [dir] scaffold heso.toml + policy, mint your operator identity in-process
heso demo [dir] mint + verify your first receipts end to end
heso verify <path|hash> re-run the hash + signature math locally, print the verdict (zero network)
heso show <hash> pretty-print a stored receipt

Gate an agent

Every decorated call is gated before its body runs — a blocked or approval-pending action raises, so the side effect can never fire ungated.

import heso

heso.init()

@heso.tool
def search(query: str) -> list[str]:
    ...

@heso.destructive                      # verb=delete → matched against policy
def delete_account(account_id: str) -> None:
    ...

@heso.tool(redact=["api_key"])         # PII stripped before the receipt is signed
def call_vendor(api_key: str, payload: dict) -> dict:
    ...

Policy lives in a heso.toml the SDK reads at gate time — allow the safe lanes, require_approval the risky ones. Edit it freely; it's the single source of policy truth.

Human approval (L1)

When a rule says require_approval, the action suspends instead of running. A human approver co-signs it (in the heso console or via your own webhook), and the receipt is upgraded to L1 — proving an authorized human approved this specific action, not just that the operator allowed the lane.

from heso import gated, resume

gate = gated(charge_card, amount=5000)   # suspends if policy requires approval
if gate.status is heso.SUSPENDED:
    ...                                  # notify approver; park the work
else:
    result = gate.run()

Framework adapters

Drop-in wrappers over the same gate core — no rewrite:

import heso

heso.claude_agent   # Anthropic Claude Agent SDK
heso.openai_agents  # OpenAI Agents SDK
heso.langgraph      # LangGraph / LangChain
heso.crewai         # CrewAI
heso.pydantic_ai    # Pydantic AI
heso.mcp            # Model Context Protocol tools

There's also heso-mcp, an MCP server so an agent can gate and verify through heso directly.

Verify anywhere

Receipts verify offline with heso fully removed from the loop — the hash and signature math is open and the format is specified in ACTION-RECEIPT-1.0. Hand a receipt to anyone and they can confirm it's untampered and see who signed it.

heso verify ./receipt.json
# → Valid · L1 (operator + human approver)

Trust model

heso proves an action was authorized under policy, and at L1 that an authorized human approved or blocked it. It does not prove the action's outcome was truthful — that's unprovable from the artifact. Trust grades are L0 (operator) and L1 (operator + human approver).


Proprietary. See heso.ca for licensing and the hosted console.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

heso-0.4.3-cp310-abi3-win_amd64.whl (2.0 MB view details)

Uploaded CPython 3.10+Windows x86-64

heso-0.4.3-cp310-abi3-manylinux_2_28_x86_64.whl (2.1 MB view details)

Uploaded CPython 3.10+manylinux: glibc 2.28+ x86-64

heso-0.4.3-cp310-abi3-manylinux_2_28_aarch64.whl (1.9 MB view details)

Uploaded CPython 3.10+manylinux: glibc 2.28+ ARM64

heso-0.4.3-cp310-abi3-macosx_11_0_arm64.whl (2.0 MB view details)

Uploaded CPython 3.10+macOS 11.0+ ARM64

heso-0.4.3-cp310-abi3-macosx_10_12_x86_64.whl (2.2 MB view details)

Uploaded CPython 3.10+macOS 10.12+ x86-64

File details

Details for the file heso-0.4.3-cp310-abi3-win_amd64.whl.

File metadata

  • Download URL: heso-0.4.3-cp310-abi3-win_amd64.whl
  • Upload date:
  • Size: 2.0 MB
  • Tags: CPython 3.10+, Windows x86-64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for heso-0.4.3-cp310-abi3-win_amd64.whl
Algorithm Hash digest
SHA256 1c4ebd3efa43cfb4e7c8f6648c2f78f0d2569bb9331ff5c84877478a4e2f4da1
MD5 90258fb01c236fac699fb4d8a7e13769
BLAKE2b-256 8179600c479080ba29ac1e8ae20e25b0eaca84e16d1b5638dbe38369b6c90653

See more details on using hashes here.

File details

Details for the file heso-0.4.3-cp310-abi3-manylinux_2_28_x86_64.whl.

File metadata

File hashes

Hashes for heso-0.4.3-cp310-abi3-manylinux_2_28_x86_64.whl
Algorithm Hash digest
SHA256 f031fcddab74356dae0db577710e8181addcfccc9f4d52c40551de5cebb8c025
MD5 6c6e2b32a39f6241d99441c02bf7dc18
BLAKE2b-256 d843b72a1849253516e2a18a21aa8c0dce913d6ef8d6af098fcddbb69bc6f1c3

See more details on using hashes here.

File details

Details for the file heso-0.4.3-cp310-abi3-manylinux_2_28_aarch64.whl.

File metadata

File hashes

Hashes for heso-0.4.3-cp310-abi3-manylinux_2_28_aarch64.whl
Algorithm Hash digest
SHA256 0a57ec347aa507e50f14b8e19d88b4832bbd56454a5d050e63a3d72a5d5d0ed5
MD5 2035e7a98bf0013810ed00aac8c51832
BLAKE2b-256 2289ae860b8f7a85643029388f61d93620ebe586d91d0feaae995b10c600fb62

See more details on using hashes here.

File details

Details for the file heso-0.4.3-cp310-abi3-macosx_11_0_arm64.whl.

File metadata

  • Download URL: heso-0.4.3-cp310-abi3-macosx_11_0_arm64.whl
  • Upload date:
  • Size: 2.0 MB
  • Tags: CPython 3.10+, macOS 11.0+ ARM64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for heso-0.4.3-cp310-abi3-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 84cf7f8bb52bf16e3d92110191e02e04c6dbadb7191f19cbf02e52714ddd7b7b
MD5 0b3d5ff5a76c21449fcc4bd9aaf2e0cf
BLAKE2b-256 007abbc24e74454a210948297dfe45d1d45fdeed3e6c93022099994e41639b6a

See more details on using hashes here.

File details

Details for the file heso-0.4.3-cp310-abi3-macosx_10_12_x86_64.whl.

File metadata

File hashes

Hashes for heso-0.4.3-cp310-abi3-macosx_10_12_x86_64.whl
Algorithm Hash digest
SHA256 8f762e9ae8841d8833cd8f251883810b864390d1ec85ff1a85f3185b4e3353b0
MD5 cb1342c44530b8ebe427657b3cc99c35
BLAKE2b-256 9040aed03a5f66a34d415e7e06c3ce8d0775f14bce5ab6a4bd99cb4186670008

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page