Quickstart¶
One command runs the entire chain — gate, sign, witness, anchor, verify, enforce — and ends by re-verifying everything offline.
What you need¶
| Requirement | Why |
|---|---|
The sibling auths/ and recurve/ checkouts, next to this repo |
recurve is the gate; the auths SDK is the signer |
python3 |
the integration is Python end to end |
A Rust toolchain (cargo) |
the gate rebuilds the auths SDK from source before probing, so it measures the current code |
| Network access once | only the first run, to pip install pyyaml into a local .venv used to run recurve |
Everything else is self-contained. No account, no server, no cloud project.
What you'll see¶
The demo prints seven stages. Each is a real step, not a mock.
A machine agent identity is minted — a did:keri: carrying a capability
attestation (that attestation is what distinguishes an agent from a developer
key). This is the signer for everything that follows.
recurve promotes the authored claims and runs each probe for real,
confirming each keeps a counterexample that turns it RED — so no check is
trusted until it is proven able to fail.
matrix --gate runs; every claim is GREEN and every counterexample is still
RED. As each verdict lands, the agent signs it (through recurve's signer seam),
a witness cosigns it, and the receipt is anchored in a transparency log.
The release tarball is built and signed by the same agent — the artifact's digest is bound into the signature, so a mutated tarball fails.
A "someone who wasn't there" check re-verifies everything — the signed verdicts, the witness cosignatures, the inclusion proofs, the OTEL trace binding, and the release — using only the public key and the repo.
The enforcement point: it re-verifies the attestation for HEAD and returns allow/block. Presence is never enough — it re-runs the checks.
The gated receipts are mapped to named control frameworks (SOC 2, EU AI Act, ISO/IEC 42001), each grounded in the receipts that substantiate it.
Believe the gate, not the prose¶
The demo's job is to be re-checkable. Run the gate yourself:
Sixteen claims, sixteen counterexamples still RED, GATE OK. Then re-verify the
signed evidence from scratch — see Verify it yourself.
It's repeatable
demo.sh starts each run from a clean slate — a fresh receipt chain, fresh
attestations, a fresh transparency log — so you get the same result every time,
and a bad run can never poison the next.