agent-receipt cost reads your local transcript (Anthropic's own usage) and prints this. Example session.One philosophy, "what the AI did and said, as a local receipt anyone can verify later." Three axes hang off it. From v0.20 the receipt becomes a reviewed document, approve/reject records, a local inbox, and one-command verification for the recipient.
What did the AI actually change in your repo?, checked against the contract scope, recorded in a hash-chained ledger, plus beyond-git actions (even failed / denied ones). Incidents it prevents →
Is the AI's stated evidence real?, quotes, numbers, dates, git claims, versions checked against their sources by 15 deterministic checks. No LLM judging LLMs. The checks →
What did this session actually cost?, the transcript's usage priced at list, showing where it leaks and when to start a fresh session. See cost →
Claude Code writes each session to local disk, and that transcript carries Anthropic's own usage data (per-message tokens + model). agent-receipt reads it and applies list pricing, nothing sent to a server, no values stored.
In a long session the money isn't the new code, it's re-sending the growing context every turn (80% of the session above). Seeing it tells you when to start fresh. Today's running total sums every session in the project today, a pure count that shows what you're spending now, before the month-end bill. High cache-read is NOT waste, the cache saved you 90%. We show measured numbers, never a made-up "savings" figure.
Not a feature list, the incidents that actually happen. Badges state exactly what the machine does: blocked = command fails (exit 1) or the commit is refused · recorded = kept as evidence (not blocked).
Quotes are deterministically checked against the source, a sentence that isn't there fails on the spot.
Commit existence, changed files, even diff contents, checked against actual git history.
The contract's allowed paths are compared against the real diff, the pre-commit gate refuses, and even a bypass (--no-verify) still leaves an evidence receipt. With guard: block, forbidden-path writes are stopped before the tool runs, the agent sees why and backs off (the denied attempt is chain-recorded too).
Invisible to git, failed and permission-denied attempts are kept as action classes only (values never stored). Reads and network calls stay record-only; real-time blocking covers forbidden-path writes, nothing more (honest scope).
⚠ READ_SECRET_FILE .env (failed attempt) ⚠ EXTERNAL_NETWORK_CALL api.exfil.example
Recomputed from the capture log: rereads with no edit in between · duplicate commands (fingerprint only) · the same failure repeating. It may be legitimate double-checking, so the human judges, measured counts only, never converted into token/time "savings" (unmeasurable numbers aren't displayed).
npm publishCommands are classified by their lead token into push · publish · network classes (a quoted "git push" stays out). Turn on forbid_actions + block to stop it before the tool runs, and the deny message confesses it is a bypassable signal, not a lock.
agent-receipt is a local audit layer that turns an AI agent's code work and report evidence into an independently verifiable trail. Two subsystems underneath:
| Audit | Question it answers |
|---|---|
| AI Change Audit | What did the AI actually do to my repo? Contract-scoped diff evidence · hash-chained ledger · third-party Rekor anchoring · beyond-git action capture (incl. failed & denied attempts), plus an opt-in real-time guard that stops forbidden-path writes up front. |
| AI Evidence Audit | Is what the AI said actually true? 15 deterministic check kinds, each carries an evidence grade (A recompute · B compare · C form), and abstains when there's no basis. No LLM judging LLMs. Same input, same verdict, every time. |
agent-receipt isn't tied to a single tool. It captures Claude Code and Cursor edits the same way, into one ledger, whether the tool runs on Windows or inside WSL.
# Bridge Cursor (Windows) to agent-receipt (WSL), one line agent-receipt capture install-cursor --wsl-bridge # Cursor (Windows) ─ afterFileEdit ─▶ wsl.exe ─▶ 🧾 agent-receipt (WSL) # garbled in transit (BOM / encoding)? it recovers on its own
Every time Cursor saves a file, that action flows into agent-receipt. One install command and the wiring is done.
Cursor on Windows, the tool in WSL, no problem. --wsl-bridge connects them, and even if the payload is mangled in transit it's recovered and recorded.
Each tool's envelope is normalized to one shape. Add more tools and the audit stays the same.
Prove, without a dispute, whether the AI stayed inside the contract and what it actually changed. Hand the client a self-contained proof HTML (share-proof).
Fabricated citations, numbers, versions and commit facts get blocked in CI before they reach a decision. What passes accumulates as receipts.
Sensitive-file reads, exfiltration attempts and change scope, evidenced locally, no server, no account, third-party sealable (Rekor).
Workflows, not command menus.
# Scenario A, before an AI-written report reaches a decision agent-receipt research verify --file report.md --out vr/r1.json # a single fabrication → exit 1 (CI stops it) agent-receipt graph view --dir vr --out browser.html # triage what accumulates agent-receipt graph diff --base-dir vr-old --head-dir vr # regression gate: NEW failures only # Scenario B, before AI-assisted code ships (four verbs) agent-receipt quickstart --write # once: contract + policy + capture hooks (print-first, idempotent) agent-receipt begin --objective "refund API" # baseline + session objective (recorded as self-report) …the agent works… agent-receipt done # 4-value verdict + sealed receipt + next steps ①②③ agent-receipt share --client # ten-second proof (condensed view, same seal, stated) agent-receipt review approve --receipt … # approve / reject / note, the review is recorded # Scenario C, operate the pile · check what you were handed agent-receipt inbox --out inbox.html # status board: FAIL-only · denied-path · unreviewed presets agent-receipt share --bundle # hand-off folder (receipt + signature + verify guide) agent-receipt verify-proof received-pb/ # recipient side: one offline command catches tampering
One kernel registry, the code is the spec (agent-receipt spec --format json). Each check carries a grade (A=recompute · B=compare · C=form), and when there's neither proof nor failure it abstains, no over-assurance.
| kind | verifies |
|---|---|
| citation | the quote is literally in the cited source |
| number grade A | a stated number exists in the source, or matches a recomputation (sum/mean/ratio/median/stddev/pow…) |
| range new in 0.16 | a stated number falls within the declared bounds [min, max] (inclusive) |
| date | format-agnostic date match ("Mar 1, 2026" ≡ "2026-03-01") |
| hash / signature | SHA-256 integrity · real Ed25519 verification |
| commit / fileChanged / diffContains | "commit X exists / changed file Y / its diff contains Z", against actual git history |
| schema / version | JSON-Schema subset conformity · real semver-range satisfaction (^3.23.8 ⊨ 3.24.0) |
| file / artifact | a claimed path exists · a build output matches declared shape constraints |
| receipt | a cited receipt exists and its seal replays clean |
| link | URL well-formedness, advisory only |
Not "trust me", "reproduce it." From the checker's own accuracy to regulation clauses, supply-chain attestation, and halting an action, what grew in 0.16. All deterministic, local, honestly labeled.
benchPuts a number on how accurate the checker is, precision/recall on a labeled set + N-run reproducibility (same input → same verdict, 1000 out of 1000). If reproducibility ever breaks, CI exit 1. Seed-set accuracy is in-sample, not a world-accuracy claim.
Not every pass carries the same weight. A=recompute (number·hash·signature) > B=compare (citation·git) > C=form. When there's no basis to judge, it abstains, never over-assures.
Even if someone silently rewrites the log's past and recomputes what follows, a previously published root + consistency proof catches that re-chain (fork). RFC6962 · O(log n) inclusion · ledger merkle.
predicateWraps a verification receipt in the standard type claim-verification/v1 so it drops straight into the supply-chain attestation ecosystem (in-toto·Sigstore). subject digest = the sealed receipt's hash.
controls --crosswalkMaps each verification capability to EU AI Act·SOC 2·ISO 42001 clauses as evidence, not a compliance claim; "evidence relevant to", with a per-clause "does not prove".
gateWhen verification fails, it halts the action, CI exit 1, or in hook mode a PreToolUse deny that stops the tool before it runs (opt-in, explicitly wired).
otelEmits verification events as OTLP into your existing observability / GenAI dashboards. No SDK bundled (deps 0) · deterministic traceId.
cost --audit-swapWhen the declared model differs from the model that actually answered, it computes the price delta, catching a downgrade (a premium model promised, a cheaper one served = suspected overcharge).
It doesn't stop at generating a receipt, the session closes with a verdict, reads in ten seconds, and carries a recorded approve/reject. All local, all deterministic, self-reports always labeled.
done closes the session as PASS · warnings · FAIL · incomplete (◌), a gate, not a score (numeric scores are banned by test). Every verdict carries [rule-id] facts; incomplete comes with a how-to-fix line.
All 12 rules live in a code registry + doc kept in lockstep by a test. A warning never auto-escalates to FAIL, opt in to a CI exit gate with fail_on_done if you want one.
Session cost decomposed into input · output · cache-read · cache-creation (same formula as the total, the numbers cannot disagree) + fixed signals that disclose their trigger. Zero judgment words, banned by test.
One share page: the contract as plain sentences (KO/EN), signals in four buckets in the reviewer's reading order (scope → contract-designated critical → validation → behavior), plus a session timeline. --client = a condensed view of the same seal (names what it omits) · --bundle = hand-off folder + verify guide.
review 0.20review approve|reject|note, the receipt becomes a reviewed document. The record (labeled self-reported, not an authority) badges the inbox, the proof page and the PR comment.
Filter the pile by verdict · denied paths · critical paths · review status, with fact-named presets (FAIL only · denied-path touched · critical + no checks · unreviewed) shareable by URL hash. Zero server · neutral counts (not a judgment).
verify-proof 0.20The recipient re-checks a hand-off bundle offline in one command, seal recompute · signature · evidence replay. Failures explained in plain words ("someone changed it after it was generated").
git push · npm publish · network commands classified by lead token (a quoted "git push" stays out), turn on forbid_actions to record or block. The deny message confesses it is a signal, not a lock.
Each opens live in the playground, the kernel judges it in your browser.
A model checking a model can hallucinate its own "yes, that's accurate." Every verdict here is recomputable arithmetic/string/crypto, same input, same answer, on any machine. That's also why it works as a CI gate: exit codes don't have moods.
Faithfulness, not truth. A pass means the claim matches its cited source / recomputation. If the source itself is wrong, a faithful citation still passes, claiming otherwise would be a lie, so this tool doesn't.
Nowhere. Local-first: no account, no server, no telemetry. The only network calls are explicitly opt-in: --fetch (re-fetch a cited URL) and anchor --upload (register a receipt hash to the public Rekor transparency log).