Proof your agents' code passed — that anyone can re-verify offline.
When an AI agent ships code, "it passed" comes from the same system that wrote it. auths-curve is the neutral referee: recurve re-runs the correctness checks RED-first, an auths agent identity signs an independent verdict, a witness cosigns it, it's anchored in a transparency log — and anyone can re-verify the whole thing offline, with no server, CA, or account to trust.
📖 Full documentation: https://auths-dev.github.io/auths-curve/
bash demo.shOne command gates the code, signs every verdict, cosigns with an independent witness, anchors each receipt, binds it to your OTEL trace, verifies everything offline, enforces the merge-gate, and exports compliance evidence — ending with:
● integration: 16 receipt(s), chain holds, signatures verify
ALL VERIFIED (offline)
merge-gate: ALLOW — HEAD is backed by a valid, re-verified attestation
Needs the sibling auths/ and recurve/ checkouts, python3, and a Rust
toolchain (the gate rebuilds the SDK from source). Network only the first run, to
pip install pyyaml.
- an agent-signed, tamper-evident verdict (a DSSE in-toto attestation)
- an independent witness cosignature — the referee can't mark its own homework
- a transparency-log inclusion proof — provably in an append-only log
- an OTEL trace binding and a fresh-agent-per-cycle attestation
- all of it re-verifiable offline, from a clone, with only a public key
Then a CI merge-gate blocks any merge that isn't backed by a valid, re-verified attestation, and a compliance export maps the gated receipts to SOC 2 / EU AI Act / ISO 42001 controls.
python3 ../recurve/recurve --config recurve.toml matrix --gate # 16 GREEN, 16 traps RED, GATE OK
python3 tools/verify_all.py # ALL VERIFIED (offline)See Verify it yourself for the full offline re-verification, including how to watch it reject a forgery.
| Path | What it is |
|---|---|
src/auths_curve/integration.py |
the seam: mint agent, sign/verify/cosign verdicts, anchor, bind trace, verify offline |
tools/auths_sign_receipt.py · auths_verify_receipt.py |
the signer + verifier adapters for recurve's receipts seam |
tools/verify_all.py |
offline re-verification of every signature and proof |
tools/ci_merge_gate.py |
the CI merge-gate (exit 0 allow / 1 block) |
tools/compliance_export.py |
maps gated receipts to control-framework evidence |
claims/integration/ |
the recurve suite: prose, ledger, probes, and a kept counterexample per probe |
- The agent's private keychain (
.auths-keychain/, and the witness's) is gitignored — no signing key is ever committed. attestations/,dist/, and the transparency log are regenerated each run.