Halo Open Source: Equipping AI Agents with a "Tamper-Proof" Black Box

An open-source project called Halo has surfaced on Hacker News, aiming to provide a tamper-proof evidence trail for AI Agent runtimes. It may sound niche, but at a time when Agents are being pushed into production environments, it hits a real pain point: when an Agent writes code, executes it, and makes decisions on its own, how do you conduct a postmortem when something goes wrong?
An Open-Source Project Focused on the "Crime Scene" of Agents
In early July, a project called Halo (halo-record) appeared on Hacker News' Show HN board. Its creator, bkuan001, positioned it quite modestly — it is neither another Agent framework nor a new observability SaaS, but something more foundational: tamper-evident runtime evidence for AI agents.
Put simply, it creates a non-repudiable black box record for every action an Agent takes.
If this idea had been proposed two years ago, hardly anyone would have cared. But things are different now. Tools like Claude Code, Codex, and Cursor Agent — capable of opening terminals, writing files, and calling APIs on their own — are already running in production environments. Over the past year, enterprise CISOs have been struggling with Agent runtime security: traditional APM tools cannot see an Agent’s reasoning chain, and SIEM systems have no idea how to parse a tool_call. Halo is targeting precisely this gap.

Why Logging Is Especially Difficult for Agents
First, the problem itself needs to be clear. Traditional software logs are deterministic: a function is called at a certain time, and the inputs and outputs can be matched exactly. If there's a bug, you inspect the logs.
Agents are a completely different story. Every execution is a probabilistic decision sequence:
- The same prompt may lead to different tool choices across two runs
- Most frameworks do not persist intermediate reasoning tokens by default
- MCP tool call return values are often truncated or summarized inside the context
- More importantly, Agents can modify their own runtime environment — files they write and configs they change become inputs for subsequent behavior
This means that if you later want to reconstruct "why the Agent deleted a production database table," stdout alone is nowhere near enough. You need to know what context it saw, which tools it called, what each tool returned, and what basis it used for the next decision. And critically, this record must be something that neither the Agent nor an attacker can tamper with — otherwise, an Agent compromised through prompt injection could easily commit malicious actions while simultaneously cleaning up the logs.
Halo aims to solve precisely this final piece: tamper resistance.
Technical Approach: Merkle-Style Chained Records
Judging from the repository code, Halo’s core idea is not particularly new. At its heart, it applies the heavily reused blockchain concept of a hash chain to Agent runtimes.
Every runtime event — an LLM call, a tool execution, a file read/write — generates a structured record containing:
- Event type and payload
- Timestamp
- Hash of the previous record
- Hash of the current record
All records form a chain that cannot be retroactively modified. Altering any record in the middle causes all subsequent hashes to break. If the root hash is periodically anchored externally (for example, to a public timestamping service or even an actual blockchain), the result becomes a third-party verifiable evidence chain.
This technology is old news in financial auditing and compliance logging. Halo’s value is not in inventing something fundamentally new, but in the fact that it explicitly aligns this paradigm with Agent semantics — the event types are designed around Agent operations rather than generic logging.
This Is Not the Same Thing as LangSmith or Langfuse
At this point, some people may ask: aren’t observability platforms like LangSmith, Langfuse, and Arize Phoenix already doing something similar?
Not really. Those tools are primarily focused on debugging and performance analysis — helping developers understand what happens inside Agents so they can iterate prompts, optimize latency, and evaluate quality. Their logs are intended for "trusted developers" and do not assume tampering.
Halo comes from an audit-oriented perspective. It assumes an adversarial scenario: Agents may be hijacked, logs may be forged, and evidence may eventually need to stand up in court. This is essential in regulated industries such as finance, healthcare, and government. The EU AI Act already explicitly requires auditable runtime logs for high-risk AI systems, and the U.S. NIST AI RMF is pushing in the same direction.
So Halo should not be compared directly with Langfuse. They solve problems at different layers: one is a dev tool, the other is compliance infrastructure.

How Mature Is It Right Now?
To be frank, it is still very early-stage. What’s in the repository looks more like a reference implementation:
- The event schema is fairly basic, covering mainstream scenarios like tool_call, llm_call, and file_op
- The SDK is currently focused mainly on Python; Node support is still incomplete
- There is no out-of-the-box verifier tool yet — hash comparison scripts need to be written manually
- Storage backends are flexible: SQLite, Postgres, and S3 are all supported, with no hard coupling imposed by the author
The author was also very candid on HN: this is a proof of concept built from a compliance engineering background, and he hopes the community can help refine the schema into something more universal — ideally evolving into a de facto standard for "Agent audit logs."
That ambition is significant, but the direction is correct. If Agents are truly going to enter enterprise production systems, someone will inevitably need to build the runtime evidence layer — either the open-source community establishes a standard, or giants like AWS and Datadog implement it as proprietary functionality within their observability stacks. Whether an open-source solution can succeed depends on ecosystem adoption.
A Bigger Observation: Agent Infrastructure Is Becoming Layered
The emergence of projects like Halo points to a broader trend: Agent infrastructure is evolving away from all-in-one frameworks toward specialized middleware layers.
In 2023, everyone was debating LangChain vs. LlamaIndex. After MCP arrived in 2024, the tooling layer was split out. This year, specialized layers for runtime security, auditing, sandboxing, and cost control are all spawning their own open-source projects. The evolution path looks remarkably similar to the cloud-native ecosystem years ago — first Docker dominated everything, then Kubernetes extracted orchestration, followed by Istio, Prometheus, and OPA each taking over specialized domains.
Halo’s role is roughly analogous to projects like Falco (cloud-native runtime security) or Sigstore (software supply chain evidence). It’s not flashy, but if Agents are truly going to become enterprise-grade infrastructure, this layer is necessary.
Some Practical Advice
If you are currently building Agent-related systems, is Halo worth adopting? My view:
- Building internal tools or PoCs: no rush; the overhead probably isn’t worth it
- Building consumer-facing Agent products: worth watching, because compliance pressure will eventually arrive
- Building Agents for regulated sectors like finance, healthcare, or legal: you should already be looking at this now, and potentially contributing to the schema
- Building multi-Agent collaborative systems: strongly recommended — responsibility attribution between Agents is currently a black hole, and verifiable runtime records can prevent a lot of disputes
There is also a hidden benefit: when your Agent needs to call multiple model APIs, having a unified, cross-provider runtime evidence layer becomes extremely useful. Aggregation layers like OpenAI Hub — where one key provides access to GPT, Claude, Gemini, DeepSeek, and others — combined with Halo-style evidence recording, allow you to preserve a consistent audit trail while switching underlying models. That provides tangible advantages for A/B testing and vendor failover scenarios.
One final point: projects that "don’t look very exciting" are often the clearest signal that an ecosystem is maturing. Over the past two years, the Agent space has produced far too many demo-grade projects. The fact that people are now seriously working on auditing, evidence, and tamper resistance suggests the field is moving from the toy stage into the engineering stage.
Definitely worth watching.
References
- Halo - GitHub Repository (bkuan001/halo-record) - Halo project homepage and source code, including the Show HN discussion
- HALO - camel-ai/halo - A different project with the same name: an open-source bridge layer connecting Agents to smart glasses; do not confuse the two



