The problem: Agent systems today rely on logs, dashboards, or proprietary consoles for truth. Those are easy to forge, truncate, or lose. If an agent takes a high-stakes action (e.g. a firewall change, a deployment, a purchase), there’s no portable artifact you can independently verify later.

The idea: Treat agent execution like a signed transaction, not a log stream. Each run emits a receipt that can be verified offline, without trusting the issuer’s infrastructure.

How it works (minimal core):

Deterministic signing: Ed25519 signatures over a canonical JSON byte string

Canonicalization: RFC 8785-style JSON canonicalization (stable key ordering, UTF-8 encoding, no insignificant whitespace)

Tamper evidence: Any mutation of the signed payload flips the SHA-256 hash and invalidates the signature

Offline verification: A standalone verifier script; no network calls, no dependencies on the issuer

Try it locally (no network):

python verify_receipt.py hn_receipt.json python verify_receipt.py hn_receipt_tampered.json

The first passes; the second fails after a single-field mutation.

This is intentionally not a logging system, observability platform, or policy engine. It’s a small integrity / provenance primitive intended to compose with higher-level agent frameworks.

I’d appreciate feedback on:

Threat-model gaps (e.g. confused-deputy or context-hijacking risks)

Schema ergonomics for high-frequency or long-running agent pipelines

Canonicalization edge cases worth enforcing earlier