local-first · no account · no server

agent-receipt

Contract an AI coding session, judge it when it ends, keep a verifiable receipt.
Checks the contract scope (allowed/denied paths) against the real git diff and closes the session with a 4-value verdict (PASS · warnings · FAIL · incomplete), the diff is the evidence, not the agent's self-report. The verdict ships as a ten-second proof page (four review buckets in the order reviewers actually read), with approve/reject records, one-command re-verification for the recipient (verify-proof), and a local inbox over the pile, the whole flow is four verbs: begin · done · share · review. The same engine verifies a report's quotes, numbers and commit claims, and shows what the session actually cost. No server, no account, all on your machine.
Why trust it, deterministic verdicts (same input → same verdict) · sealed receipts (sha256, replayable) · third-party seal (Rekor) · in-toto · Merkle. All local.
npm install -g @promptia-labs/agent-receipt
agent-receipt cost reads your local transcript (Anthropic's own usage) and prints this. Example session.

🔎 Catch a fabrication right now

Runs entirely in your browser, nothing is sent anywhere.

🧾 Someone sent you a receipt? Inspect it, no install

Drop a Verification Receipt (JSON) and its seal (contentHash · receiptId) is recomputed right here. The file never leaves your browser, zero upload. Download a sample → drop it → then edit one character and drop it again to watch tamper detection fire.
Drop a .json here
or click to choose
§ Three audits

agent-receipt leaves three things behind

One philosophy, "what the AI did and said, as a local receipt anyone can verify later." Three axes hang off it. From v0.20 the receipt becomes a reviewed document, approve/reject records, a local inbox, and one-command verification for the recipient.

🧾 Change Audit

What did the AI actually change in your repo?, checked against the contract scope, recorded in a hash-chained ledger, plus beyond-git actions (even failed / denied ones). Incidents it prevents →

🔎 Evidence Audit

Is the AI's stated evidence real?, quotes, numbers, dates, git claims, versions checked against their sources by 15 deterministic checks. No LLM judging LLMs. The checks →

💰 Cost Audit

What did this session actually cost?, the transcript's usage priced at list, showing where it leaks and when to start a fresh session. See cost →

§ Cost

What this session cost, in real numbers

Claude Code writes each session to local disk, and that transcript carries Anthropic's own usage data (per-message tokens + model). agent-receipt reads it and applies list pricing, nothing sent to a server, no values stored.

In a long session the money isn't the new code, it's re-sending the growing context every turn (80% of the session above). Seeing it tells you when to start fresh. Today's running total sums every session in the project today, a pure count that shows what you're spending now, before the month-end bill. High cache-read is NOT waste, the cache saved you 90%. We show measured numbers, never a made-up "savings" figure.

§ Incident log

What it prevents

Not a feature list, the incidents that actually happen. Badges state exactly what the machine does: blocked = command fails (exit 1) or the commit is refused · recorded = kept as evidence (not blocked).

📋 The AI wrote "passed SOC 2 Type II", only Type I was completed

Quotes are deterministically checked against the source, a sentence that isn't there fails on the spot.

blocked in CI · exit 1
🔀 The AI wrote "commit abc modified payment.ts", history says otherwise

Commit existence, changed files, even diff contents, checked against actual git history.

blocked in CI · exit 1
📁 The AI modified files outside the agreed scope

The contract's allowed paths are compared against the real diff, the pre-commit gate refuses, and even a bypass (--no-verify) still leaves an evidence receipt. With guard: block, forbidden-path writes are stopped before the tool runs, the agent sees why and backs off (the denied attempt is chain-recorded too).

real-time block · opt-in receipt recorded
🔑 The AI tried to read .env (and failed), then tried to phone home

Invisible to git, failed and permission-denied attempts are kept as action classes only (values never stored). Reads and network calls stay record-only; real-time blocking covers forbidden-path writes, nothing more (honest scope).

⚠ READ_SECRET_FILE   .env  (failed attempt)
⚠ EXTERNAL_NETWORK_CALL   api.exfil.example
recorded, not blocked
🔁 The AI re-read the same file 11 times and re-ran the same test 4 times

Recomputed from the capture log: rereads with no edit in between · duplicate commands (fingerprint only) · the same failure repeating. It may be legitimate double-checking, so the human judges, measured counts only, never converted into token/time "savings" (unmeasurable numbers aren't displayed).

reported, not blocked
📦 The AI reaches for an unasked npm publish

Commands are classified by their lead token into push · publish · network classes (a quoted "git push" stays out). Turn on forbid_actions + block to stop it before the tool runs, and the deny message confesses it is a bypassable signal, not a lock.

real-time block · opt-in recorded by default
§ One layer, two audits

What the AI did, and what the AI said

agent-receipt is a local audit layer that turns an AI agent's code work and report evidence into an independently verifiable trail. Two subsystems underneath:

AuditQuestion it answers
AI Change AuditWhat did the AI actually do to my repo? Contract-scoped diff evidence · hash-chained ledger · third-party Rekor anchoring · beyond-git action capture (incl. failed & denied attempts), plus an opt-in real-time guard that stops forbidden-path writes up front.
AI Evidence AuditIs what the AI said actually true? 15 deterministic check kinds, each carries an evidence grade (A recompute · B compare · C form), and abstains when there's no basis. No LLM judging LLMs. Same input, same verdict, every time.
§ Tools

Not just Claude Code, Cursor too

agent-receipt isn't tied to a single tool. It captures Claude Code and Cursor edits the same way, into one ledger, whether the tool runs on Windows or inside WSL.

# Bridge Cursor (Windows) to agent-receipt (WSL), one line
agent-receipt capture install-cursor --wsl-bridge
#   Cursor (Windows) ─ afterFileEdit ─▶ wsl.exe ─▶ 🧾 agent-receipt (WSL)
#   garbled in transit (BOM / encoding)? it recovers on its own
🖱 Wire up Cursor hooks directly

Every time Cursor saves a file, that action flows into agent-receipt. One install command and the wiring is done.

🪟 A bridge across Windows and WSL

Cursor on Windows, the tool in WSL, no problem. --wsl-bridge connects them, and even if the payload is mangled in transit it's recovered and recorded.

🧩 Vendor-neutral by design

Each tool's envelope is normalized to one shape. Add more tools and the audit stays the same.

§ Who

Who this is for

🏗 Agencies & contractors shipping AI-assisted work

Prove, without a dispute, whether the AI stayed inside the contract and what it actually changed. Hand the client a self-contained proof HTML (share-proof).

📊 Teams whose decisions consume AI research

Fabricated citations, numbers, versions and commit facts get blocked in CI before they reach a decision. What passes accumulates as receipts.

🔐 Internal dev teams under security/audit needs

Sensitive-file reads, exfiltration attempts and change scope, evidenced locally, no server, no account, third-party sealable (Rekor).

§ Workflow

How it's used

Workflows, not command menus.

# Scenario A, before an AI-written report reaches a decision
agent-receipt research verify --file report.md --out vr/r1.json
#   a single fabrication → exit 1 (CI stops it)
agent-receipt graph view --dir vr --out browser.html    # triage what accumulates
agent-receipt graph diff --base-dir vr-old --head-dir vr # regression gate: NEW failures only

# Scenario B, before AI-assisted code ships (four verbs)
agent-receipt quickstart --write           # once: contract + policy + capture hooks (print-first, idempotent)
agent-receipt begin --objective "refund API" # baseline + session objective (recorded as self-report)
…the agent works…
agent-receipt done                         # 4-value verdict + sealed receipt + next steps ①②③
agent-receipt share --client               # ten-second proof (condensed view, same seal, stated)
agent-receipt review approve --receipt …   # approve / reject / note, the review is recorded

# Scenario C, operate the pile · check what you were handed
agent-receipt inbox --out inbox.html       # status board: FAIL-only · denied-path · unreviewed presets
agent-receipt share --bundle               # hand-off folder (receipt + signature + verify guide)
agent-receipt verify-proof received-pb/    # recipient side: one offline command catches tampering
§ Kernel

15 deterministic checks + A/B/C evidence grades

One kernel registry, the code is the spec (agent-receipt spec --format json). Each check carries a grade (A=recompute · B=compare · C=form), and when there's neither proof nor failure it abstains, no over-assurance.

kindverifies
citationthe quote is literally in the cited source
number grade Aa stated number exists in the source, or matches a recomputation (sum/mean/ratio/median/stddev/pow…)
range new in 0.16a stated number falls within the declared bounds [min, max] (inclusive)
dateformat-agnostic date match ("Mar 1, 2026" ≡ "2026-03-01")
hash / signatureSHA-256 integrity · real Ed25519 verification
commit / fileChanged / diffContains"commit X exists / changed file Y / its diff contains Z", against actual git history
schema / versionJSON-Schema subset conformity · real semver-range satisfaction (^3.23.8 ⊨ 3.24.0)
file / artifacta claimed path exists · a build output matches declared shape constraints
receipta cited receipt exists and its seal replays clean
linkURL well-formedness, advisory only
§ 0.16 · harder evidence

Proven in numbers · mapped to clauses · forgery caught

Not "trust me", "reproduce it." From the checker's own accuracy to regulation clauses, supply-chain attestation, and halting an action, what grew in 0.16. All deterministic, local, honestly labeled.

📊 Benchmark harness bench

Puts a number on how accurate the checker is, precision/recall on a labeled set + N-run reproducibility (same input → same verdict, 1000 out of 1000). If reproducibility ever breaks, CI exit 1. Seed-set accuracy is in-sample, not a world-accuracy claim.

🅰 Evidence grades A / B / C + abstain

Not every pass carries the same weight. A=recompute (number·hash·signature) > B=compare (citation·git) > C=form. When there's no basis to judge, it abstains, never over-assures.

🌳 Merkle transparency log

Even if someone silently rewrites the log's past and recomputes what follows, a previously published root + consistency proof catches that re-chain (fork). RFC6962 · O(log n) inclusion · ledger merkle.

🔗 in-toto attestation predicate

Wraps a verification receipt in the standard type claim-verification/v1 so it drops straight into the supply-chain attestation ecosystem (in-toto·Sigstore). subject digest = the sealed receipt's hash.

📋 Regulation crosswalk controls --crosswalk

Maps each verification capability to EU AI Act·SOC 2·ISO 42001 clauses as evidence, not a compliance claim; "evidence relevant to", with a per-clause "does not prove".

🛑 Action-halt gate gate

When verification fails, it halts the action, CI exit 1, or in hook mode a PreToolUse deny that stops the tool before it runs (opt-in, explicitly wired).

📡 OpenTelemetry emission otel

Emits verification events as OTLP into your existing observability / GenAI dashboards. No SDK bundled (deps 0) · deterministic traceId.

💸 Model-swap audit cost --audit-swap

When the declared model differs from the model that actually answered, it computes the price delta, catching a downgrade (a premium model promised, a cheaper one served = suspected overcharge).

§ 0.17→0.20 · review-ready receipts

Judge it · make it readable · record the review

It doesn't stop at generating a receipt, the session closes with a verdict, reads in ten seconds, and carries a recorded approve/reject. All local, all deterministic, self-reports always labeled.

⚖️ 4-value session verdict 0.17

done closes the session as PASS · warnings · FAIL · incomplete (◌), a gate, not a score (numeric scores are banned by test). Every verdict carries [rule-id] facts; incomplete comes with a how-to-fix line.

📜 codified rules + exit gate 0.18

All 12 rules live in a code registry + doc kept in lockstep by a test. A warning never auto-escalates to FAIL, opt in to a CI exit gate with fail_on_done if you want one.

💡 why it was expensive 0.18

Session cost decomposed into input · output · cache-read · cache-creation (same formula as the total, the numbers cannot disagree) + fixed signals that disclose their trigger. Zero judgment words, banned by test.

🧾 ten-second proof page 0.19–0.20

One share page: the contract as plain sentences (KO/EN), signals in four buckets in the reviewer's reading order (scope → contract-designated critical → validation → behavior), plus a session timeline. --client = a condensed view of the same seal (names what it omits) · --bundle = hand-off folder + verify guide.

✍️ recorded review review 0.20

review approve|reject|note, the receipt becomes a reviewed document. The record (labeled self-reported, not an authority) badges the inbox, the proof page and the PR comment.

📥 receipt inbox 0.20

Filter the pile by verdict · denied paths · critical paths · review status, with fact-named presets (FAIL only · denied-path touched · critical + no checks · unreviewed) shareable by URL hash. Zero server · neutral counts (not a judgment).

🔁 one-command re-verification verify-proof 0.20

The recipient re-checks a hand-off bundle offline in one command, seal recompute · signature · evidence replay. Failures explained in plain words ("someone changed it after it was generated").

🚦 action-class signals 0.20

git push · npm publish · network commands classified by lead token (a quoted "git push" stays out), turn on forbid_actions to record or block. The deny message confesses it is a signal, not a lock.

§ Honest scope

What this is not

§ FAQ

FAQ

Why not just have another LLM check the first LLM?

A model checking a model can hallucinate its own "yes, that's accurate." Every verdict here is recomputable arithmetic/string/crypto, same input, same answer, on any machine. That's also why it works as a CI gate: exit codes don't have moods.

What does a pass actually guarantee?

Faithfulness, not truth. A pass means the claim matches its cited source / recomputation. If the source itself is wrong, a faithful citation still passes, claiming otherwise would be a lie, so this tool doesn't.

Where does my data go?

Nowhere. Local-first: no account, no server, no telemetry. The only network calls are explicitly opt-in: --fetch (re-fetch a cited URL) and anchor --upload (register a receipt hash to the public Rekor transparency log).