In many environments, evidence of these changes ends up scattered across logs, CI systems, ticketing tools, and control planes. Reconstructing a single change months later can mean querying multiple systems that may not retain state indefinitely.
I am exploring a simple idea: treating each privileged mutation as something that emits a portable, signed receipt. The receipt would tie together what was authorized, who approved it, what ran, and what the resulting state was. The goal is that it could be verified offline, without querying the original system.
There is a draft spec here: https://github.com/reciprium/spec
It defines a receipt format using JSON Schema, CDDL, and Protobuf, with test vectors and worked examples for Terraform, GitOps workflows, database migrations, secret rotation, and break glass access.
I would appreciate perspective from people who operate infrastructure at scale:
1. How do you currently record that a privileged change was authorized, executed as approved, and verified afterward?
2. Could you reconstruct a complete audit of a specific change from six months ago without relying on your CI or control plane?
3. During audits or incidents, how do you demonstrate that a change matched its approval?
4. Would a signed, portable receipt for each mutation materially simplify anything for you, or does this problem already feel solved?
5. Where in your workflow would something like this naturally attach, if at all?
I am trying to understand whether the problem exists in the form described, or whether practitioners have converged on better patterns. Critical feedback is especially useful.