Skip to content

Attach Tervos to Claude Code

Claude Code already runs hooks around every tool call. Point one at Tervos and every action your agent takes — every shell command, every file edit — lands in a hash-chained, exportable, offline-verifiable audit log.

Add a PostToolUse hook to your project’s .claude/settings.json (or ~/.claude/settings.json for all projects):

{
"hooks": {
"PostToolUse": [
{
"matcher": "*",
"hooks": [{ "type": "command", "command": "npx tervos hook" }]
}
]
}
}

That’s it. From the next session on, each tool call appends an external.action.recorded event to .tervos/events.db, chained to the previous one.

Terminal window
$ tervos audit --type external.action.recorded --limit 5
# every tool call: which tool, when, full input/response in the payload
$ tervos audit --verify
external:claude-code: chain intact 412 events verified

Edit or delete any row in the database and --verify reports the exact sequence number where the chain breaks.

Terminal window
$ tervos export-evidence -o session-evidence.json
$ npx @tervos/verify session-evidence.json
evidence verified

To sign bundles, you need an agent key — either run a Tervos org in the same directory (keys land in .tervos/keys/), or generate one by running tervos init && tervos start --dev once.

  • tervos hook reads the hook payload from stdin (session_id, hook_event_name, tool_name, tool_input, tool_response) and appends it verbatim as the data field of an external.action.recorded event.
  • The event store hash-chains at append time — the hook adds no crypto of its own and stays fast.
  • The hook is silent on success and exits 2 with a one-line stderr message on failure; PostToolUse runs after the tool, so a hook failure never blocks your agent.

The same pattern works for anything that can pipe JSON: some-runtime --emit-events | while read line; do echo "$line" | tervos hook --source my-runtime; done. For Paperclip specifically, use tervos tap which polls Paperclip’s activity stream and counter-signs each row.