Skip to content

Quickstart

One command runs the entire chain — gate, sign, witness, anchor, verify, enforce — and ends by re-verifying everything offline.

bash demo.sh

What you need

Requirement Why
The sibling auths/ and recurve/ checkouts, next to this repo recurve is the gate; the auths SDK is the signer
python3 the integration is Python end to end
A Rust toolchain (cargo) the gate rebuilds the auths SDK from source before probing, so it measures the current code
Network access once only the first run, to pip install pyyaml into a local .venv used to run recurve

Everything else is self-contained. No account, no server, no cloud project.

What you'll see

The demo prints seven stages. Each is a real step, not a mock.

A machine agent identity is minted — a did:keri: carrying a capability attestation (that attestation is what distinguishes an agent from a developer key). This is the signer for everything that follows.

agent identity: did:keri:EGzTx1qYsWORqHvioyFjXLNMEfByq_ox8xEaJTfwHGG2
is-agent (capability attestation present): True

recurve promotes the authored claims and runs each probe for real, confirming each keeps a counterexample that turns it RED — so no check is trusted until it is proven able to fail.

matrix --gate runs; every claim is GREEN and every counterexample is still RED. As each verdict lands, the agent signs it (through recurve's signer seam), a witness cosigns it, and the receipt is anchored in a transparency log.

holding 16 · regressions 0 · broken 0
traps: 16/16 counterexamples still RED
GATE OK

The release tarball is built and signed by the same agent — the artifact's digest is bound into the signature, so a mutated tarball fails.

A "someone who wasn't there" check re-verifies everything — the signed verdicts, the witness cosignatures, the inclusion proofs, the OTEL trace binding, and the release — using only the public key and the repo.

● integration: 16 receipt(s), chain holds, signatures verify
  [ok ] witness  every verdict independently cosigned
  [ok ] fresh    16/16 cycles each used a distinct fresh agent
           ↳ bound to OTEL trace 4bf92f3577b3… span 00f067aa0ba9…
ALL VERIFIED (offline)

The enforcement point: it re-verifies the attestation for HEAD and returns allow/block. Presence is never enough — it re-runs the checks.

merge-gate: ALLOW — HEAD is backed by a valid, re-verified attestation

The gated receipts are mapped to named control frameworks (SOC 2, EU AI Act, ISO/IEC 42001), each grounded in the receipts that substantiate it.

compliance export: 16 gated receipts → control evidence
  [satisfied] SOC 2          SOC2-CC8.1            (16 receipts)
  [satisfied] EU AI Act      EU-AI-Act-Art-12      (16 receipts)
  [satisfied] ISO/IEC 42001  ISO-42001-A.6.2.6     (16 receipts)

Believe the gate, not the prose

The demo's job is to be re-checkable. Run the gate yourself:

python3 ../recurve/recurve --config recurve.toml matrix --gate

Sixteen claims, sixteen counterexamples still RED, GATE OK. Then re-verify the signed evidence from scratch — see Verify it yourself.

It's repeatable

demo.sh starts each run from a clean slate — a fresh receipt chain, fresh attestations, a fresh transparency log — so you get the same result every time, and a bad run can never poison the next.