Skip to content

auths-dev/auths-curve

Repository files navigation

auths-curve

Proof your agents' code passed — that anyone can re-verify offline.

When an AI agent ships code, "it passed" comes from the same system that wrote it. auths-curve is the neutral referee: recurve re-runs the correctness checks RED-first, an auths agent identity signs an independent verdict, a witness cosigns it, it's anchored in a transparency log — and anyone can re-verify the whole thing offline, with no server, CA, or account to trust.

📖 Full documentation: https://auths-dev.github.io/auths-curve/

Quickstart

bash demo.sh

One command gates the code, signs every verdict, cosigns with an independent witness, anchors each receipt, binds it to your OTEL trace, verifies everything offline, enforces the merge-gate, and exports compliance evidence — ending with:

● integration: 16 receipt(s), chain holds, signatures verify
ALL VERIFIED (offline)
merge-gate: ALLOW — HEAD is backed by a valid, re-verified attestation

Needs the sibling auths/ and recurve/ checkouts, python3, and a Rust toolchain (the gate rebuilds the SDK from source). Network only the first run, to pip install pyyaml.

What it produces, per verdict

  • an agent-signed, tamper-evident verdict (a DSSE in-toto attestation)
  • an independent witness cosignature — the referee can't mark its own homework
  • a transparency-log inclusion proof — provably in an append-only log
  • an OTEL trace binding and a fresh-agent-per-cycle attestation
  • all of it re-verifiable offline, from a clone, with only a public key

Then a CI merge-gate blocks any merge that isn't backed by a valid, re-verified attestation, and a compliance export maps the gated receipts to SOC 2 / EU AI Act / ISO 42001 controls.

Believe the gate, not this README

python3 ../recurve/recurve --config recurve.toml matrix --gate   # 16 GREEN, 16 traps RED, GATE OK
python3 tools/verify_all.py                                       # ALL VERIFIED (offline)

See Verify it yourself for the full offline re-verification, including how to watch it reject a forgery.

What's in here

Path What it is
src/auths_curve/integration.py the seam: mint agent, sign/verify/cosign verdicts, anchor, bind trace, verify offline
tools/auths_sign_receipt.py · auths_verify_receipt.py the signer + verifier adapters for recurve's receipts seam
tools/verify_all.py offline re-verification of every signature and proof
tools/ci_merge_gate.py the CI merge-gate (exit 0 allow / 1 block)
tools/compliance_export.py maps gated receipts to control-framework evidence
claims/integration/ the recurve suite: prose, ledger, probes, and a kept counterexample per probe

Constraints honored

  • The agent's private keychain (.auths-keychain/, and the witness's) is gitignored — no signing key is ever committed.
  • attestations/, dist/, and the transparency log are regenerated each run.

About

End-to-end demo: recurve gates the code (RED-first, gated), an auths agent identity signs every verdict and the release — verifiable offline. Dogfoods recurve + the auths Python SDK.

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors