Signed Audit Trails

Software development skill, available on Zeplik

Signed Audit Trails is a ready-to-run software development skill on Zeplik. Walks through Cedar policy gating, Ed25519 receipts, offline verification, and CI for tamper-evident agent tool-call logs. Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer. It returns a structured document you can keep and reuse: Walkthrough of the signed-receipt pattern (policy gate, Ed25519 receipt, verification, tamper demo).

The Signed Audit Trails skill loads automatically when your request matches it, or you can invoke it directly by typing /signed-audit-trails-recipe in any chat. It works with attachments, connectors, and any model that supports the task, so you get the same expert method every time without setting anything up.

What the Signed Audit Trails skill can do

Try these prompts on Zeplik

Pick a prompt to open it in the Zeplik app. If you are not signed in yet, your prompt is waiting for you the moment you do.

How the Signed Audit Trails skill works

Signed Audit Trails for Agent Tool Calls

A cookbook-style walkthrough of cryptographically signed receipts on every agent tool call. This is the teaching skill -- it explains and demonstrates the pattern so you can evaluate it before wiring up runtime hooks in production.

What the Pattern Gives You

Every tool call (Bash, Edit, Write, WebFetch) is:

  1. Evaluated against a Cedar policy before execution. If the policy denies the call, the tool does not run.
  2. Signed as an Ed25519 receipt after execution. Receipts are canonicalized, hash-chained, and verifiable offline by anyone holding the public key -- no network call, no vendor lookup, no trust in the operator.

When the Pattern Fits

  • Regulated environments (finance, healthcare, critical infrastructure) needing tamper-evident evidence of agent behavior
  • CI/CD pipelines where you must prove a policy gate held for every automated step
  • Multi-party collaboration where a counterparty verifies your agent's behavior without trusting your tooling
  • Compliance contexts (e.g. EU AI Act Article 12, SLSA provenance) where standard logging is insufficient

Step 1: Policy Gate Before Execution

A pre-tool hook evaluates each call against a Cedar policy. Typical rules:

  • Read-oriented tools (Read, Glob, Grep, WebSearch) always allowed
  • Bash allowed only for a safe command allow-list (git, npm, pnpm, node, etc.)
  • Destructive Bash commands (rm -rf, dd, mkfs, shred) explicitly forbidden
  • Writes allowed only within the project directory

Cedar forbid rules take precedence over permit, so destructive commands cannot be re-enabled by a later permissive rule.

Step 2: Sign a Receipt After Execution

A post-tool hook signs a receipt. The first run generates an Ed25519 private key if one does not exist. Commit the public key fingerprint; never commit the private key or the receipts directory (add both to .gitignore).

A receipt captures fields such as: receipt_id, event_time, tool_name, input_hash, decision, policy_id, policy_digest, parent_receipt_id, public_key, and signature. Every field except signature and public_key is covered by the signature -- modifying any field after signing invalidates it. A session of 20 tool calls yields 20 receipts, each hash-chained to its predecessor.

Step 3: Verify the Chain

An offline verifier walks the receipt files and returns:

Exit codeMeaning
0All receipts verified; chain intact
1A receipt failed signature verification (tampered or wrong key)
2A receipt was malformed

Step 4: Demonstrate Tamper Detection

Flip a signed receipt's decision field from allow to deny and re-run the verifier: it exits 1 and names the failing receipt, because the signature no longer matches the canonical bytes. Restore the field and verification passes again.

How the Cryptography Works

Three invariants make receipts verifiable offline across conformant implementations:

  1. JCS canonicalization (RFC 8785) before signing -- keys sorted, whitespace minimized, strings NFC-normalized, so independent implementations produce byte-identical signing payloads.
  2. Ed25519 signatures (RFC 8032) over the canonical bytes -- deterministic, fixed-size, no nonce dependency.
  3. Hash-chain linkage -- each receipt references the SHA-256 of its predecessor's canonical form, so insertions, deletions, and reorderings break later receipts.

CI/CD Integration

Gate merges on receipt-chain verification so no build lands with a broken evidence chain. Archive the receipts as a job artifact so the chain survives beyond the run. For agent-built software, the receipt chain can be referenced from SLSA Provenance v1 byproducts, cross-referencing two trust domains (the builder identity and the supervisor-hook identity).

Common Pitfalls

  • Private key in version control -- never commit it; rotate immediately if leaked.
  • Hook command quoting -- keep tool inputs quoted so values with spaces pass through intact.
  • Receipts lost in CI -- upload them as an artifact or the chain ends with the job.
  • Missing policy -- treat an absent policy as a hard failure in production, not a silent pass.

Output

A clear explanation or live demonstration of the signed-receipt pattern -- the policy gate, the receipt structure, offline verification, and a tamper-detection demo -- so the reader can decide whether to adopt runtime enforcement.

How to use the Signed Audit Trails skill

  1. Sign in to Zeplik

    Create a free Zeplik account or sign in. New accounts start with free credits, so you can try the Signed Audit Trails skill right away.

  2. Describe your software development task

    Ask in plain language, or type /signed-audit-trails-recipe to invoke the skill directly. Zeplik recognizes the Signed Audit Trails skill and applies its method.

  3. Review and refine the result

    Zeplik returns a structured document you can edit, download, and reuse. Ask follow-ups to refine it.

Source and credit

Author
wshobson
License
MIT

Adapted from the open-source wshobson/agents project and tuned to run natively on Zeplik. View source on GitHub.

Frequently asked questions

What is the Signed Audit Trails skill?
Signed Audit Trails is a ready-to-run software development skill on Zeplik. Walks through Cedar policy gating, Ed25519 receipts, offline verification, and CI for tamper-evident agent tool-call logs. Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer. It returns a structured document you can keep and reuse: Walkthrough of the signed-receipt pattern (policy gate, Ed25519 receipt, verification, tamper demo).
How do I use Signed Audit Trails on Zeplik?
Sign in to Zeplik and ask in plain language, or type /signed-audit-trails-recipe in any chat to invoke it directly. The skill applies its method and returns a result you can refine in the same conversation.
Which AI model does the Signed Audit Trails skill use?
Any model you choose. Zeplik works across every model in one chat, so the Signed Audit Trails skill runs on your preferred model for the task.
Where does the Signed Audit Trails skill come from?
The Signed Audit Trails skill is adapted from the open-source wshobson/agents project (MIT) and tuned to run natively on Zeplik. The original source is linked on this page.
How much does the Signed Audit Trails skill cost?
Using the skill is free to start. You only spend Zeplik credits when the assistant runs, and new accounts begin with free credits.

Related software development skills

More on Zeplik

Try Signed Audit Trails on Zeplik

Every model, one chat. Bring the Signed Audit Trails skill into your next conversation and let the assistant do the work.

Browse all skills
Signed Audit Trails - Software development skill for Zeplik AI | Zeplik Chat