Run an action through it.
This page is the mechanism, hands-on: one payment, five stations, and you run every one of them. Everything here is the public design, and what you’re about to do is exactly what you can check from any real receipt.
Nothing runs until it clears the gate.
The SDK wraps the call, with decorators in Python, wrap() in TypeScript, and adapters for the common frameworks. The action is caught before it executes, not logged after the fact. Send it and watch where it stops.
Your agent is about to run this. Pick the amount, then let it go.
The exact bytes, or nothing.
The caught action is serialized into one canonical byte form, so the same action gives the same bytes on any machine, and then hashed with BLAKE3. Flip a single byte and watch the entire digest change. That avalanche is why edits can’t hide.
payments.transfer|$4,200.00Clark Kent|usd
ddf2f90001145275
A pure function of the bytes above. Real receipts use full BLAKE3.
First matching rule wins, in under 2 ms.
Your policy is a list of ordered rules, and the first one that matches returns the verdict. Run them at $4,200 and the payment holds for a person. Drop to $500 and it goes through. Push to $42,000 and rule 02 blocks it before the hold rule is ever asked. Order is policy.
Ordered rules, first match wins. Run them — then change the amount and run again.
- 01 payments.transfer ≤ $1,000
- 02 payments.transfer > $25,000
- 03 anything over $1,000 waits for a person
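The first-match evaluation described above, as an added example that is not heso's SDK or policy format. The verdict labels, the fail-closed default when no rule matches, and all names here are assumptions. It runs the three rules at the three amounts and shows that swapping rules 02 and 03 leaves rule 02 unreachable, so a $42,000 transfer is held instead of blocked.

```python
from dataclasses import dataclass
from decimal import Decimal
from typing import Callable

@dataclass(frozen=True)
class Rule:
    rule_id: str
    matches: Callable[[str, Decimal], bool]
    verdict: str  # assumed labels: "allow", "block", "hold"

# Rules 01-03 as listed on the page, in the page's order.
POLICY = [
    Rule("01", lambda a, amt: a == "payments.transfer" and amt <= 1000, "allow"),
    Rule("02", lambda a, amt: a == "payments.transfer" and amt > 25000, "block"),
    Rule("03", lambda a, amt: amt > 1000, "hold"),
]

# The same three rules with 02 and 03 swapped.
REORDERED = [POLICY[0], POLICY[2], POLICY[1]]

def evaluate(policy, action, amount, default="block"):
    """Return (rule_id, verdict) of the first matching rule.
    If nothing matches, fail closed with `default` (an assumption)."""
    amount = Decimal(amount)  # exact decimal money, no float rounding
    for rule in policy:
        if rule.matches(action, amount):
            return rule.rule_id, rule.verdict
    return None, default

def shadowed_rules(policy, probes):
    """Rule ids that never win for any probe: likely hidden by an earlier rule."""
    winners = {evaluate(policy, action, amount)[0] for action, amount in probes}
    return [r.rule_id for r in policy if r.rule_id not in winners]

# Constructed probe amounts that straddle each rule's boundary.
PROBES = [("payments.transfer", x) for x in
          ("500", "1000", "1000.01", "4200", "25000", "25000.01", "42000")]

if __name__ == "__main__":
    for amt in ("500", "4200", "42000"):
        print(amt, evaluate(POLICY, "payments.transfer", amt),
              evaluate(REORDERED, "payments.transfer", amt))
    print("unreachable after reorder:", shadowed_rules(REORDERED, PROBES))
```

Running a boundary probe set like this whenever a policy is edited catches a rule that has silently become unreachable.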
The cloud holds no signing key.
A held action waits for a person, and their browser co-signs with a key generated on that device. It never leaves, and we never see it. That’s L1. No one can forge an approval: not us, not your operator, and not anyone who breaches a server.
$4,200 to Clark Kent is waiting on you.
Your browser holds the key, so the cloud can’t sign this, and neither can we.
Anyone checks it. We’re not involved.
The finished receipt is self-contained evidence. Run the checks and they execute right here, the same way the real verifier runs Ed25519 and BLAKE3 as wasm in your browser. Then alter the receipt and run them again.
The receipt isn’t finished.
This run is still held at station 04 — approve or reject it there, then verify the result here.
Things we couldn’t do even if we wanted to.
We built heso so you never have to take our word for anything. Every server in the story, ours included, could be lying, breached, or gone, and these four things would still be impossible:
- fake an approval: approval keys are born on your approvers’ devices and stay there. We never touch them.
- rewrite history: touch one byte and every hash after it stops matching. Instantly visible.
- invent a past: the chain only moves forward. Yesterday’s receipts can’t be written today.
- read what’s redacted: stripped before anything is signed. We don’t store it, so we can’t read it.
station 05, for real