Skip to main content

The independent verifier for HonorNet decision records

Project description

honornet-verify

The independent verifier for HonorNet decision records.

When an AI agent transacts on the HonorNet acceptance network, the network records its approve/decline decision in an append-only, cryptographically verifiable log. honornet-verify lets anyone — a merchant, an issuer, an auditor, a regulator — confirm such a decision is genuine and intact:

  • without calling a HonorNet API, and
  • without HonorNet's private source code.

You verify a decision against the maths, not against HonorNet's word for it.

Why this exists

HonorNet's acceptance-network core is private. Its trustworthiness should not be. A decision record is exported as a self-contained bundle; this tool checks the bundle's signatures and its RFC 6962 Merkle inclusion proof. The verification core is standard-library only — no third-party runtime dependencies — so the entire trust path is auditable in an afternoon.

Install

pipx install honornet-verify

or, for use as a library:

pip install honornet-verify

Use

Verify a decision bundle exported from GET /decisions/{decision_id}:

honornet-verify verify decision-bundle.json
  [PASS] record_signature
  [PASS] leaf_hash_match
  [PASS] tree_size_consistency
  [PASS] inclusion_proof
  [PASS] log_root_signature

VERIFIED: decision-bundle.json

Exit code 0 means verified, 1 means well-formed but not verified, 2 means the file could not be read or parsed.

Structured output for scripts and CI:

honornet-verify verify --json decision-bundle.json

Pin the signing key — recommended. Verification alone proves a bundle is internally consistent and signed by the key it carries; pinning proves that key is HonorNet's:

honornet-verify verify --pin-key <honornet-ledger-public-key-hex> decision-bundle.json

What gets checked

A bundle verifies only if all of the following hold:

  1. record signature — the decision record carries a valid Ed25519 signature over its RFC 8785 canonical bytes;
  2. leaf hash — the RFC 6962 Merkle leaf hash matches the signed record;
  3. inclusion proof — the leaf is included under the signed log root;
  4. log root signature — the signed log root carries a valid signature.

See docs/verification-model.md and docs/bundle-format.md.

What this does not grant

honornet-verify is open source under Apache-2.0. Using, reading, or forking it does not grant:

  • any right to use the HonorNet name or marks, except as permitted by the Apache License 2.0, Section 6 (Trademarks);
  • recognized-issuer status on the HonorNet acceptance network;
  • any right to operate the HonorNet acceptance network, or to hold a fork or derivative of this software out as being HonorNet.

A successful verification establishes that a decision bundle is internally consistent and signed by the key embedded in it. It does not by itself establish that the key is HonorNet's — pin the key (--pin-key) to establish that.

Relationship to HonorNet

This is the open-source arm of HonorNet. It is not the production network. The acceptance network that issues decision records is a separate, private system. honornet-verify deliberately imports nothing from it — that independence is enforced by a test in this repo.

Licence

Apache-2.0. See LICENSE and NOTICE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

honornet_verify-1.1.0.tar.gz (21.8 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

honornet_verify-1.1.0-py3-none-any.whl (17.6 kB view details)

Uploaded Python 3

File details

Details for the file honornet_verify-1.1.0.tar.gz.

File metadata

  • Download URL: honornet_verify-1.1.0.tar.gz
  • Upload date:
  • Size: 21.8 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for honornet_verify-1.1.0.tar.gz
Algorithm Hash digest
SHA256 766e0bb4edb873992e9b26de47ffd93acd12525420951c4af053eeae9330f6fd
MD5 242726b3b70f2c80bb3d74bbbde96417
BLAKE2b-256 14c64ac95adc9ea2a9807ddd6a22edc1265b31723b431bbef369ec767bf66f8e

See more details on using hashes here.

Provenance

The following attestation bundles were made for honornet_verify-1.1.0.tar.gz:

Publisher: publish.yml on HonorNetAI/honornet-verify

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file honornet_verify-1.1.0-py3-none-any.whl.

File metadata

  • Download URL: honornet_verify-1.1.0-py3-none-any.whl
  • Upload date:
  • Size: 17.6 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for honornet_verify-1.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ae5b6456db82d716a69561ef9f023678e1c538b156974f084760a1875eb73f5a
MD5 c1f9d2d2323cfe227788bd60134ff605
BLAKE2b-256 ccbcc197fe81dc678b8f9dd8fb2884204d720ac823b3a36f55b60d4aec82ec2a

See more details on using hashes here.

Provenance

The following attestation bundles were made for honornet_verify-1.1.0-py3-none-any.whl:

Publisher: publish.yml on HonorNetAI/honornet-verify

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page