Verify what an AI agent decided — signed, hash-addressed decision records with reasons you can re-run on your own machine.
Project description
Warrant
A decision record for AI agents. Signed, hash-addressed, with reasons you can re-run.
When an agent accepts, rejects, or proposes something, it writes a warrant: a small JSON record that says what was decided, under which policy, because of which reasons, based on which evidence — signed by the actor, addressed by its own hash, linked to the decisions that came before it.
{
"decision": "reject",
"subject": { "hash": "d5cf37…", "note": "PR-42" },
"under": [ "cb3a0a… (policy in force, by hash)" ],
"because": [
{ "kind": "check", "check": "05d234…", "runtime": "cmd@v1",
"verdict": "fail", "transcript": "9dc0c3…" },
{ "kind": "prose", "text": "policy clause 1: coverage drops 87.0 -> 84.2" }
],
"evidence": [ "9dc0c3…" ],
"actor": { "id": "agent-b@vendor2" },
"prior": [ "00f79f…" ],
"ts": 1751677200
}
The record's hash is its identity. Change one byte of the decision, the policy reference, or the reasons — the hash changes, and every later record that cited it stops resolving. Nothing can be quietly edited after the fact.
Why not just logs?
A trace tells you what an agent did. A warrant proves why it was allowed to — and the proof survives the agent. Logs are mutable, vendor-shaped prose. Warrants are:
- Immutable — identity is the hash of the content.
- Signed — you know which actor decided.
- Anchored —
underpins the exact bytes of the policy that was in force, not "the policy" in someone's memory. - Re-checkable — a reason can be an executable check. Anyone can re-run it and get the same verdict.
- Linked —
priormakes decisions a chain: propose → reject (with reasons) → revise → accept.warrant why <hash>walks the whole chain.
A rejection is a first-class record, not an absence. This is the part that matters as agents get autonomy: the "no, because" survives, gets cited by hash, and stops the same argument from being re-had from scratch.
Ten minutes
pipx install warrant-verify # or: pip install warrant-verify
Installs the warrant verifier and the warrant-mcp sealer. ski@v1 reasons
re-run offline — the Σ-GLYPH Book I check engine ships inside the package, so
no separate clone is needed. (From a checkout: git clone … && pip install ..)
warrant init # .warrants/ store in your repo
warrant keygen --out me.key # Ed25519; prints your pubkey
printf 'demo diff\n' > diff.patch # the thing being decided about
POL=$(warrant policy add examples/policy.txt) # pin the rules in force -> hash
P=$(warrant propose --subject diff.patch --under $POL \
--reason "utility fns needed" --actor me@host --key me.key)
R=$(warrant reject $P --check examples/check.sh --verdict fail \
--reason "clause 1: coverage drop" --actor me@host --key me.key)
A=$(warrant accept $R --check examples/check.sh --verdict pass \
--actor me@host --key me.key)
warrant why $A # decision -> reasons -> checks -> policy, verified
warrant verify # every hash, signature, and link in the store
The store is plain files, content-addressed, git-friendly. No server, no vendor, no account.
Try it on a real case
Verify what an AI agent decided — the Air Canada chatbot case, as the record the
airline never had. Fifteen minutes, offline, trusting nothing but this tool:
demos/air-canada/. The portable bundle format those
records travel in is specified in EVIDENCE-PACK.md.
What it is not
Not an agent framework. Not a blockchain. Not observability. It is one file format and five verbs, designed to be boring: any language can implement it from the spec in an afternoon, and two implementations agree on every hash.
Spec and status
SPEC.md — the format (v0.3 draft: the v0.1/v0.2 body schema plus v0.3 settlement, key-state and multi-root rules), canonicalization rules, and worked test vectors with real hashes and signatures (examples/). Reason runtimes: prose, cmd@v1 (a check command run in a container), and — new in v0.2 — ski@v1: a portable, deterministic, budget-bounded check. The check is a content-addressed SKI term evaluated per Σ-GLYPH Book I; the verdict is a hash comparison; work AND peak memory are bounded by the ATP budget, so re-verifying a stranger's reason is safe by construction. warrant check <hash> re-runs one.
impl/warrant.py — reference implementation (M1): the five verbs on a plain-file store, one file, stdlib + Ed25519 (pip install cryptography). It must pass its own law:
python3 impl/warrant.py conformance examples # all SPEC §8 vectors, byte-exact
python3 impl/warrant.py selftest # live round-trip + tamper detection
impl-go/ — independent Go implementation for cross-checking the spec:
(cd impl-go && go build -o warrant-go .) # stdlib-only; binary is not committed
./impl-go/warrant-go conformance examples # same SPEC §8 vectors
./impl-go/warrant-go selftest examples # schema and verification edges
First real user: sigma-glyph files its review adjudications as warrants (.warrants/ in that repo) — the maintainer's accept/reject decisions are signed, hash-addressed, and cite CI gates as cmd@v1 checks.
License: MIT.
v0.3: settlement-grade verification (DRAFT)
Beyond integrity (verify), v0.3 adds settlement semantics (SPEC §5.1/§7/§9):
python3 impl/warrant.py verify --settlement --trust-config trust.json
python3 impl/warrant.py settle <settling-wid> candidate-body.json
./impl-go/warrant-go verify --settlement --trust-config trust.json <store>
# NB: Python takes a global --store flag; Go verify/settle take the store as a
# positional argument — Go is deliberately verify-only (no filing surface).
Settlement-active roots come from your local trust configuration (plus
policy-authorized adoptions); genesis.json is advisory and must be pinned to
be used. Re-litigation of a settled subject requires new evidence or a new
outcome fingerprint — prose never re-opens anything. Key rotation/revocation
are warrants; key state derives from the DAG. Both implementations must agree
on every settlement outcome: python3 tests/settlement.py.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file warrant_verify-0.4.0.tar.gz.
File metadata
- Download URL: warrant_verify-0.4.0.tar.gz
- Upload date:
- Size: 37.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
69f4429a1b5693d73e1144f5c776e7376e777a3a3abfe93d4b6c1c10671802c6
|
|
| MD5 |
0e0b64236c012d98f062e88506f8c21a
|
|
| BLAKE2b-256 |
64034bcca45d4e2ed71d42d4b2d8f553d24af371727b489151204af1aa0b8c81
|
Provenance
The following attestation bundles were made for warrant_verify-0.4.0.tar.gz:
Publisher:
publish.yml on s0fractal/warrant
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
warrant_verify-0.4.0.tar.gz -
Subject digest:
69f4429a1b5693d73e1144f5c776e7376e777a3a3abfe93d4b6c1c10671802c6 - Sigstore transparency entry: 2187899265
- Sigstore integration time:
-
Permalink:
s0fractal/warrant@2de1d17fb61306e092391f1e1fbce8ff7df05a5a -
Branch / Tag:
refs/tags/v0.4.0 - Owner: https://github.com/s0fractal
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@2de1d17fb61306e092391f1e1fbce8ff7df05a5a -
Trigger Event:
release
-
Statement type:
File details
Details for the file warrant_verify-0.4.0-py3-none-any.whl.
File metadata
- Download URL: warrant_verify-0.4.0-py3-none-any.whl
- Upload date:
- Size: 36.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
b3ce4af5183ad440661586dd154d6e2c2b1d85253faff1a8ba290d250fc6e31a
|
|
| MD5 |
f4402ca4e93766b2bad2a348b7b17a7f
|
|
| BLAKE2b-256 |
9d4b1bbb28e6c84e07e34e0ad354d29a2c8b29774a3bf5ad6ae5745c4eeaa735
|
Provenance
The following attestation bundles were made for warrant_verify-0.4.0-py3-none-any.whl:
Publisher:
publish.yml on s0fractal/warrant
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
warrant_verify-0.4.0-py3-none-any.whl -
Subject digest:
b3ce4af5183ad440661586dd154d6e2c2b1d85253faff1a8ba290d250fc6e31a - Sigstore transparency entry: 2187899267
- Sigstore integration time:
-
Permalink:
s0fractal/warrant@2de1d17fb61306e092391f1e1fbce8ff7df05a5a -
Branch / Tag:
refs/tags/v0.4.0 - Owner: https://github.com/s0fractal
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@2de1d17fb61306e092391f1e1fbce8ff7df05a5a -
Trigger Event:
release
-
Statement type: