The compliance layer for AI agents — gate, approve, redact, sign, and audit every AI-agent action into offline-verifiable receipts.
Project description
heso
The compliance layer for AI agents. Wrap an agent and every action it takes — LLM call, tool call, payment, account change, delete — is gated against your policy (allow / block / redact / require-approval), routed to a human when a decision is risky, PII-redacted before signing, and signed into an offline-verifiable Action Receipt appended to a BLAKE3-chained audit log.
You hold the signing keys. heso's cloud can verify and mirror receipts but can never forge one — so anyone (a customer, an auditor, a court) can check exactly what your agent did, and that it was authorized, without trusting heso at all.
- Site · heso.ca
- Docs · heso.ca/docs
- Verify a receipt (no account) · heso.ca/verify
pip install heso # or: uv add heso
First receipt in 60 seconds
heso demo
heso demo scaffolds a project, mints one allowed and one redacted receipt through
the real engine, verifies both offline, and prints how to re-verify them yourself.
No cloud account, no key ceremony — a dev key is generated for you (strict custody
is opt-in for production).
The CLI:
| command | what it does |
|---|---|
heso init [dir] |
scaffold heso.toml + policy, mint your operator identity in-process |
heso demo [dir] |
mint + verify your first receipts end to end |
heso verify <path|hash> |
re-run the hash + signature math locally, print the verdict (zero network) |
heso show <hash> |
pretty-print a stored receipt |
Gate an agent
Every decorated call is gated before its body runs — a blocked or approval-pending action raises, so the side effect can never fire ungated.
import heso
heso.init()
@heso.tool
def search(query: str) -> list[str]:
...
@heso.destructive # verb=delete → matched against policy
def delete_account(account_id: str) -> None:
...
@heso.tool(redact=["api_key"]) # PII stripped before the receipt is signed
def call_vendor(api_key: str, payload: dict) -> dict:
...
Policy lives in a heso.toml the SDK reads at gate time — allow the safe lanes,
require_approval the risky ones. Edit it freely; it's the single source of policy
truth.
Human approval (L1)
When a rule says require_approval, the action suspends instead of running.
A human approver co-signs it (in the heso console or via your own webhook), and the
receipt is upgraded to L1 — proving an authorized human approved this specific
action, not just that the operator allowed the lane.
from heso import gated, resume
gate = gated(charge_card, amount=5000) # suspends if policy requires approval
if gate.status is heso.SUSPENDED:
... # notify approver; park the work
else:
result = gate.run()
Framework adapters
Drop-in wrappers over the same gate core — no rewrite:
import heso
heso.claude_agent # Anthropic Claude Agent SDK
heso.openai_agents # OpenAI Agents SDK
heso.langgraph # LangGraph / LangChain
heso.crewai # CrewAI
heso.pydantic_ai # Pydantic AI
heso.mcp # Model Context Protocol tools
There's also heso-mcp, an MCP server so an agent can gate and verify through heso
directly.
Verify anywhere
Receipts verify offline with heso fully removed from the loop — the hash and
signature math is open and the format is specified in
action-receipt.md. Hand a receipt to anyone
and they can confirm it's untampered and see who signed it.
heso verify ./receipt.json
# → Valid · L1 (operator + human approver)
Trust model
heso proves an action was authorized under policy, and at L1 that an authorized human approved or blocked it. It does not prove the action's outcome was truthful — that's unprovable from the artifact. Trust grades are L0 (operator) and L1 (operator + human approver).
Proprietary. See heso.ca for licensing and the hosted console.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distributions
Built Distributions
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file heso-0.5.1-cp310-abi3-win_amd64.whl.
File metadata
- Download URL: heso-0.5.1-cp310-abi3-win_amd64.whl
- Upload date:
- Size: 2.1 MB
- Tags: CPython 3.10+, Windows x86-64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
46ce9d22c48c226ecd1133eb6290f95116f3bf810b636ca105bcd8e2c2fd282b
|
|
| MD5 |
3492b9eab13c609103e9922387fcd823
|
|
| BLAKE2b-256 |
709205bdc44645e139f2cc18089eafdb8dd13a1b95717156dff9eb06adb65da7
|
Provenance
The following attestation bundles were made for heso-0.5.1-cp310-abi3-win_amd64.whl:
Publisher:
packages.yml on heso-inc/heso-enterprise
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
heso-0.5.1-cp310-abi3-win_amd64.whl -
Subject digest:
46ce9d22c48c226ecd1133eb6290f95116f3bf810b636ca105bcd8e2c2fd282b - Sigstore transparency entry: 1966905853
- Sigstore integration time:
-
Permalink:
heso-inc/heso-enterprise@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Branch / Tag:
refs/tags/v0.5.1 - Owner: https://github.com/heso-inc
-
Access:
internal
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
packages.yml@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Trigger Event:
push
-
Statement type:
File details
Details for the file heso-0.5.1-cp310-abi3-manylinux_2_28_x86_64.whl.
File metadata
- Download URL: heso-0.5.1-cp310-abi3-manylinux_2_28_x86_64.whl
- Upload date:
- Size: 2.0 MB
- Tags: CPython 3.10+, manylinux: glibc 2.28+ x86-64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
768509c86f31f64c7ae54f76e3457c47a93fa899e9272850a83314240973a423
|
|
| MD5 |
9fbf83e240775ef1273d7cc5b62ccc83
|
|
| BLAKE2b-256 |
84ad9ba78bd036051d52b8c42dad13f16064e72d7e23b5c5c5d58a6a349daa25
|
Provenance
The following attestation bundles were made for heso-0.5.1-cp310-abi3-manylinux_2_28_x86_64.whl:
Publisher:
packages.yml on heso-inc/heso-enterprise
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
heso-0.5.1-cp310-abi3-manylinux_2_28_x86_64.whl -
Subject digest:
768509c86f31f64c7ae54f76e3457c47a93fa899e9272850a83314240973a423 - Sigstore transparency entry: 1966905747
- Sigstore integration time:
-
Permalink:
heso-inc/heso-enterprise@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Branch / Tag:
refs/tags/v0.5.1 - Owner: https://github.com/heso-inc
-
Access:
internal
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
packages.yml@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Trigger Event:
push
-
Statement type:
File details
Details for the file heso-0.5.1-cp310-abi3-manylinux_2_28_aarch64.whl.
File metadata
- Download URL: heso-0.5.1-cp310-abi3-manylinux_2_28_aarch64.whl
- Upload date:
- Size: 1.9 MB
- Tags: CPython 3.10+, manylinux: glibc 2.28+ ARM64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3d8b8b11b3ff9543f17a323aca71ace753dc25eaee43a962d83995b61098e62d
|
|
| MD5 |
1347a00ee9fec7db5ebb4ad9bea2838e
|
|
| BLAKE2b-256 |
b1fc55f8783c668798377ea75e2412f2d547f660b0b72ed889c3b13606183f72
|
Provenance
The following attestation bundles were made for heso-0.5.1-cp310-abi3-manylinux_2_28_aarch64.whl:
Publisher:
packages.yml on heso-inc/heso-enterprise
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
heso-0.5.1-cp310-abi3-manylinux_2_28_aarch64.whl -
Subject digest:
3d8b8b11b3ff9543f17a323aca71ace753dc25eaee43a962d83995b61098e62d - Sigstore transparency entry: 1966905697
- Sigstore integration time:
-
Permalink:
heso-inc/heso-enterprise@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Branch / Tag:
refs/tags/v0.5.1 - Owner: https://github.com/heso-inc
-
Access:
internal
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
packages.yml@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Trigger Event:
push
-
Statement type:
File details
Details for the file heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl.
File metadata
- Download URL: heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl
- Upload date:
- Size: 1.8 MB
- Tags: CPython 3.10+, macOS 11.0+ ARM64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
dd17358caebaa9838462a6e1e8fbe479406551886b54fb6bf78e5b4cb7127c2e
|
|
| MD5 |
4b4f3e241cf1a9b8b1b633fcd303e5be
|
|
| BLAKE2b-256 |
b8a0140fa67d5c38a1e823053115ecc066aefd106f0a6e3e78a180c6654da957
|
Provenance
The following attestation bundles were made for heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl:
Publisher:
packages.yml on heso-inc/heso-enterprise
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
heso-0.5.1-cp310-abi3-macosx_11_0_arm64.whl -
Subject digest:
dd17358caebaa9838462a6e1e8fbe479406551886b54fb6bf78e5b4cb7127c2e - Sigstore transparency entry: 1966905806
- Sigstore integration time:
-
Permalink:
heso-inc/heso-enterprise@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Branch / Tag:
refs/tags/v0.5.1 - Owner: https://github.com/heso-inc
-
Access:
internal
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
packages.yml@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Trigger Event:
push
-
Statement type:
File details
Details for the file heso-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl.
File metadata
- Download URL: heso-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl
- Upload date:
- Size: 2.0 MB
- Tags: CPython 3.10+, macOS 10.12+ x86-64
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
103f25cac19c71dac9ef7517a044c704121321f2aa0094c9e59ddeb88ec151ab
|
|
| MD5 |
ad0e0b0989c235395d16abc82d0a7df5
|
|
| BLAKE2b-256 |
525bd0e64792b05d28b80042a80bda883b11cd1544d21cf74acb3214b88e5085
|
Provenance
The following attestation bundles were made for heso-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl:
Publisher:
packages.yml on heso-inc/heso-enterprise
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
heso-0.5.1-cp310-abi3-macosx_10_12_x86_64.whl -
Subject digest:
103f25cac19c71dac9ef7517a044c704121321f2aa0094c9e59ddeb88ec151ab - Sigstore transparency entry: 1966905648
- Sigstore integration time:
-
Permalink:
heso-inc/heso-enterprise@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Branch / Tag:
refs/tags/v0.5.1 - Owner: https://github.com/heso-inc
-
Access:
internal
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
packages.yml@b8fead6e998ee40a26feb1cd2c042f93c0d9c60e -
Trigger Event:
push
-
Statement type: