
Cryptographic receipts for every AI agent decision

v0.19.0 ships signed governance receipts. Every Cedar policy evaluation now produces a JSON receipt with an Ed25519 signature over canonical RFC 8785 JSON. If anyone changes a single byte, the signature breaks. No trust required. Just maths.

The problem receipts solve

Audit logs tell you what happened. But an audit log is a text file. Anyone with write access can edit it after the fact. When a compliance review asks “prove this policy actually fired,” a mutable log is a weak answer.

Receipts are a stronger one: a cryptographic proof that a specific policy set evaluated a specific action and produced a specific decision, at a specific time. Verifiable independently, offline, without trusting any server.

How receipts work

Every time Vectimus evaluates a tool call against your Cedar policies, it produces a signed receipt:

{
  "receipt_id": "vtms-bf387670-6abb-...",
  "timestamp": "2026-03-22T14:30:26Z",
  "action": {
    "tool": "Bash",
    "normalised_tool": "shell_command",
    "command_summary": "terraform destroy -auto-approve",
    "context_hash": "sha256:3d53dd78..."
  },
  "policy": {
    "policy_set_hash": "sha256:44c5a662...",
    "policy_pack_version": "0.2.0"
  },
  "decision": {
    "outcome": "DENY",
    "reason": "vectimus-infra-001",
    "evaluation_time_ms": 2.0
  },
  "signature": {
    "algorithm": "Ed25519",
    "public_key_id": "vtms-key-73ae52",
    "value": "base64:79rhTFMGNGi3fY..."
  }
}

The signature covers the entire receipt including the policy set hash. This means the receipt proves not just the decision, but which version of which policies produced it.

Receipt IDs are included in deny messages. When an agent gets blocked you can trace back to the exact receipt and see the full evaluation context.

Verify offline

vectimus verify receipt.json

Ed25519 verification, no network access needed. Signing keys are generated automatically on first use and stored locally at ~/.vectimus/keys/.

Retention

Receipts are stored per-project in .vectimus/receipts/YYYY-MM-DD/ as individual JSON files. Cleanup runs automatically and removes receipts older than the configured retention period. The default is 7 days.

[receipts]
enabled = true          # default
retention_days = 7      # default

vectimus receipts prune --days 30   # delete older than 30 days
vectimus receipts prune --all       # delete everything

What this unlocks for teams

Open-source receipts prove a single developer’s governance decisions. That is the right starting point. But for organisations running agents across teams, a signed JSON file in a project directory is not enough. The compliance question shifts from “did governance run on my machine?” to “can we prove governance ran across every agent, every team, every decision, and hand that proof to an auditor?”

That is the gap between local receipts and what Vectimus Prime delivers.

Open-source (v0.19.0)

PreToolUse receipts that prove the governance decision happened before the tool executed. Signed JSON files written to the project directory. Offline verification with vectimus verify and a public key. Date-based retention at 7 days by default. One file per evaluation, searchable with standard tools.

Vectimus Prime

PostToolUse output hashing enriches the receipt with a fingerprint of what the tool actually produced. The receipt proves the full action lifecycle: what was requested, what was decided and what happened. Without that second half, the proof chain is incomplete.

Output validation policies let Cedar evaluate the tool’s result after execution. A detection layer scans for PII, secrets and compliance violations. Cedar then makes the governance decision based on the findings: block the output, redact it or allow it through. The policies are configurable per team and per agent persona.

Evidence bundles package the receipt, the Cedar policy set, the public key and any redaction metadata into a single verifiable archive. One file for an auditor. One file for a regulator. The entire governance chain verified offline from a single artifact.

An indexed receipt store replaces date directories with queryable history. Filter by agent, decision outcome, time range or policy ID. Drift analytics trend failure rates across that history and project when governance thresholds will breach before they actually do.

SIEM export forwards receipt telemetry to Splunk, Datadog or Grafana while receipts themselves stay on disk. Tenant isolation gives each team or business unit a separate receipt store with its own retention and access controls. Key rotation and revocation management handle the signing lifecycle at fleet scale.

The difference is scope. Local receipts answer “did I govern this?” Enterprise receipts answer “can we prove we governed everything?”

Also in v0.19.0

Persistent evaluation daemon. The Cedar engine now stays warm in memory. The daemon auto-starts on first hook call and eliminates the ~200ms Python startup cost on every evaluation. On Unix and macOS it listens on a Unix domain socket with filesystem permissions. On Windows it uses TCP localhost with an auth token.

Smarter shell normalisation. The shell command normaliser now detects inline file I/O in Python, Node, Ruby and Perl scripts and reclassifies them to file_read/file_write. Agents can no longer wrap file operations in inline scripts to bypass policies.

Windows fixes. Daemon startup, process detection and audit log file locking all received fixes for Windows. python -m vectimus is now supported via __main__.py.

Claude Code hook enforcement. Exit code and JSON format for deny responses were corrected so Claude Code actually respects denials. Previously, denials could be silently ignored due to a format mismatch.

See the full changelog at /changelog. For background on the incidents that motivated receipts, see the blog. For how receipts integrate with compliance frameworks, see the SOC 2 mapping and ISO 27001 mapping.

Why receipts change the conversation

AI agents are gaining autonomy faster than governance frameworks are keeping up. Policies are a necessary foundation. Without them nothing is enforced. But policies alone answer “what should happen,” not “what did happen.” Receipts close that gap.

Every decision, signed, verifiable, offline. For individual developers that is v0.19.0 today. For teams that need fleet-wide proof and auditor-ready evidence, that is Vectimus Prime.

pipx upgrade vectimus