DEV Community

correctover
correctover

Posted on

Correctover Ibex: Tamper-Evident Agent Verification Is Now Real

When Aleksey Safonov (safal207) published ibex-agent-verification a week ago, we immediately recognized it as a kindred spirit. His project does pre-execution authorization: "Should this agent be allowed to perform this action?" Our project does post-execution verification: "Did the agent's output actually pass quality checks?"

Today, we're releasing correctover-ibex — the bridge between both worlds.

The Integration

Ibex (pre-execution authorization)
    ↓ ActionEnvelopeV1 freezes action identity
Correctover (post-execution verification)
    ↓ 87 rules × 6 dimensions verified
GuardrailDecision binds verdict to action
    ↓ canonical IDs via JCS + SHA-256
Tamper-evident verification chain
Enter fullscreen mode Exit fullscreen mode

Every Correctover verification is now cryptographically bound to an exact action context via ActionEnvelopeV1. The result is a tamper-evident chain: you can verify the verifier.

ActionEnvelopeV1: The Key Innovation

Ibex's ActionEnvelopeV1 is elegant in its simplicity:

{
    "@context": "urn:ibex-agent-verification:action-envelope:v1",
    "tool_identity": "search_web",
    "args_digest": "sha256:aaaa...",
    "caller_identity": "agent:researcher",
    "resource_scope": "workspace:production",
    "policy_version": "policy-v1"
}
Enter fullscreen mode Exit fullscreen mode

This envelope gets hashed (JCS canonical JSON → SHA-256) to produce a canonical action_id — a tamper-evident identifier for exactly what the agent was authorized to do. Any change to the tool, arguments, caller, or scope produces a different ID.

We implement the exact same algorithm — independently, from scratch — and our implementation passes ibex's published conformance vector:

Preimage → sha256:325d87f3a89db334374b25f839c6dfcf528fac357b7c554b01a1486a570522c7
Enter fullscreen mode Exit fullscreen mode

40 tests. All green. Including ibex's official test vector.

What correctover-ibex Adds

1. GuardrailDecision: Every Correctover verification produces an Ibex-compatible decision (ALLOW/BLOCK/ESCALATE) with a canonical decision_id that chains back to the action.

2. Transition Phase: Multi-step agent workflows can now be tracked through ibex's transition contract (CALIBRATE → EXPAND → COMMIT → EXECUTE → VERIFY → REFLECT), with Correctover verifying each step.

3. Full Interoperability: The adapter speaks both protocols natively. No translation layer, no data loss.

from correctover_ibex import CorrectoverIbexVerifier

verifier = CorrectoverIbexVerifier()
result = verifier.verify(request)

print(result.action_id)      # sha256:... (tamper-evident)
print(result.ibex_decision)  # ALLOW | BLOCK | ESCALATE
print(result.decision_id)    # sha256:... (recomputable)
Enter fullscreen mode Exit fullscreen mode

The Standards Convergence

What makes this significant is that two independent projects — built by people who'd never spoken — arrived at the same conclusion: agent verification needs tamper-evident, reproducible, standards-based tooling.

Ibex Correctover
Focus Pre-execution authorization Post-execution verification
Schema ActionEnvelopeV1 (URN-based) STANDARDS.md (87 rules)
Identity JCS + SHA-256 canonical IDs Proof hashes (SHA-256)
Policy Transition Phase Contract 6-dim conformance levels
Status v0.8.1, Apache-2.0 v1.1.0, Apache-2.0

The adapter makes them interoperate without either project changing a single line of code.

Install

pip install correctover-ibex
Enter fullscreen mode Exit fullscreen mode

Correctover — Failover ≠ Correctover™

Top comments (0)