The independent verifier for HonorNet decision records
Project description
honornet-verify
The independent verifier for HonorNet decision records.
When an AI agent transacts on the HonorNet acceptance
network, the network records its approve/decline decision in an append-only,
cryptographically verifiable log. honornet-verify lets anyone — a merchant,
an issuer, an auditor, a regulator — confirm such a decision is genuine and
intact:
- without calling a HonorNet API, and
- without HonorNet's private source code.
You verify a decision against the maths, not against HonorNet's word for it.
Why this exists
HonorNet's acceptance-network core is private. Its trustworthiness should not be. A decision record is exported as a self-contained bundle; this tool checks the bundle's signatures and its RFC 6962 Merkle inclusion proof. The verification core is standard-library only — no third-party runtime dependencies — so the entire trust path is auditable in an afternoon.
Install
pipx install honornet-verify
or, for use as a library:
pip install honornet-verify
Use
Verify a decision bundle exported from GET /decisions/{decision_id}:
honornet-verify verify decision-bundle.json
[PASS] record_signature
[PASS] leaf_hash_match
[PASS] tree_size_consistency
[PASS] inclusion_proof
[PASS] log_root_signature
VERIFIED: decision-bundle.json
Exit code 0 means verified, 1 means well-formed but not verified, 2 means
the file could not be read or parsed.
Structured output for scripts and CI:
honornet-verify verify --json decision-bundle.json
Pin the signing key — recommended. Verification alone proves a bundle is internally consistent and signed by the key it carries; pinning proves that key is HonorNet's:
honornet-verify verify --pin-key <honornet-ledger-public-key-hex> decision-bundle.json
What gets checked
A bundle verifies only if all of the following hold:
- record signature — the decision record carries a valid Ed25519 signature over its RFC 8785 canonical bytes;
- leaf hash — the RFC 6962 Merkle leaf hash matches the signed record;
- inclusion proof — the leaf is included under the signed log root;
- log root signature — the signed log root carries a valid signature.
See docs/verification-model.md and docs/bundle-format.md.
What this does not grant
honornet-verify is open source under Apache-2.0. Using, reading, or forking
it does not grant:
- any right to use the HonorNet name or marks, except as permitted by the Apache License 2.0, Section 6 (Trademarks);
- recognized-issuer status on the HonorNet acceptance network;
- any right to operate the HonorNet acceptance network, or to hold a fork or derivative of this software out as being HonorNet.
A successful verification establishes that a decision bundle is internally
consistent and signed by the key embedded in it. It does not by itself
establish that the key is HonorNet's — pin the key (--pin-key) to establish
that.
Relationship to HonorNet
This is the open-source arm of HonorNet. It is not the production network.
The acceptance network that issues decision records is a separate, private
system. honornet-verify deliberately imports nothing from it — that
independence is enforced by a test in this repo.
Licence
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file honornet_verify-1.1.0.tar.gz.
File metadata
- Download URL: honornet_verify-1.1.0.tar.gz
- Upload date:
- Size: 21.8 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
766e0bb4edb873992e9b26de47ffd93acd12525420951c4af053eeae9330f6fd
|
|
| MD5 |
242726b3b70f2c80bb3d74bbbde96417
|
|
| BLAKE2b-256 |
14c64ac95adc9ea2a9807ddd6a22edc1265b31723b431bbef369ec767bf66f8e
|
Provenance
The following attestation bundles were made for honornet_verify-1.1.0.tar.gz:
Publisher:
publish.yml on HonorNetAI/honornet-verify
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
honornet_verify-1.1.0.tar.gz -
Subject digest:
766e0bb4edb873992e9b26de47ffd93acd12525420951c4af053eeae9330f6fd - Sigstore transparency entry: 1806184498
- Sigstore integration time:
-
Permalink:
HonorNetAI/honornet-verify@951b6b7ab666b3bbc368d0edea62263ca7403d9d -
Branch / Tag:
refs/tags/v1.1.0 - Owner: https://github.com/HonorNetAI
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@951b6b7ab666b3bbc368d0edea62263ca7403d9d -
Trigger Event:
push
-
Statement type:
File details
Details for the file honornet_verify-1.1.0-py3-none-any.whl.
File metadata
- Download URL: honornet_verify-1.1.0-py3-none-any.whl
- Upload date:
- Size: 17.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
ae5b6456db82d716a69561ef9f023678e1c538b156974f084760a1875eb73f5a
|
|
| MD5 |
c1f9d2d2323cfe227788bd60134ff605
|
|
| BLAKE2b-256 |
ccbcc197fe81dc678b8f9dd8fb2884204d720ac823b3a36f55b60d4aec82ec2a
|
Provenance
The following attestation bundles were made for honornet_verify-1.1.0-py3-none-any.whl:
Publisher:
publish.yml on HonorNetAI/honornet-verify
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
honornet_verify-1.1.0-py3-none-any.whl -
Subject digest:
ae5b6456db82d716a69561ef9f023678e1c538b156974f084760a1875eb73f5a - Sigstore transparency entry: 1806184927
- Sigstore integration time:
-
Permalink:
HonorNetAI/honornet-verify@951b6b7ab666b3bbc368d0edea62263ca7403d9d -
Branch / Tag:
refs/tags/v1.1.0 - Owner: https://github.com/HonorNetAI
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@951b6b7ab666b3bbc368d0edea62263ca7403d9d -
Trigger Event:
push
-
Statement type: