Signed Audit Trails
Software development skill, available on Zeplik
Signed Audit Trails is a ready-to-run software development skill on Zeplik. Walks through Cedar policy gating, Ed25519 receipts, offline verification, and CI for tamper-evident agent tool-call logs. Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer. It returns a structured document you can keep and reuse: Walkthrough of the signed-receipt pattern (policy gate, Ed25519 receipt, verification, tamper demo).
The Signed Audit Trails skill loads automatically when your request matches it, or you can invoke it directly by typing /signed-audit-trails-recipe in any chat. It works with attachments, connectors, and any model that supports the task, so you get the same expert method every time without setting anything up.
What the Signed Audit Trails skill can do
- Explain Cedar policy gating that blocks tool calls before execution
- Demonstrate Ed25519 receipt signing with hash-chained tool-call logs
- Walk through offline chain verification and its exit codes
- Show a live tamper-detection demo on a signed receipt
Try these prompts on Zeplik
Pick a prompt to open it in the Zeplik app. If you are not signed in yet, your prompt is waiting for you the moment you do.
How the Signed Audit Trails skill works
Signed Audit Trails for Agent Tool Calls
A cookbook-style walkthrough of cryptographically signed receipts on every agent tool call. This is the teaching skill -- it explains and demonstrates the pattern so you can evaluate it before wiring up runtime hooks in production.
What the Pattern Gives You
Every tool call (Bash, Edit, Write, WebFetch) is:
- Evaluated against a Cedar policy before execution. If the policy denies the call, the tool does not run.
- Signed as an Ed25519 receipt after execution. Receipts are canonicalized, hash-chained, and verifiable offline by anyone holding the public key -- no network call, no vendor lookup, no trust in the operator.
When the Pattern Fits
- Regulated environments (finance, healthcare, critical infrastructure) needing tamper-evident evidence of agent behavior
- CI/CD pipelines where you must prove a policy gate held for every automated step
- Multi-party collaboration where a counterparty verifies your agent's behavior without trusting your tooling
- Compliance contexts (e.g. EU AI Act Article 12, SLSA provenance) where standard logging is insufficient
Step 1: Policy Gate Before Execution
A pre-tool hook evaluates each call against a Cedar policy. Typical rules:
- Read-oriented tools (Read, Glob, Grep, WebSearch) always allowed
- Bash allowed only for a safe command allow-list (git, npm, pnpm, node, etc.)
- Destructive Bash commands (rm -rf, dd, mkfs, shred) explicitly forbidden
- Writes allowed only within the project directory
Cedar forbid rules take precedence over permit, so destructive commands cannot be re-enabled by a later permissive rule.
Step 2: Sign a Receipt After Execution
A post-tool hook signs a receipt. The first run generates an Ed25519 private key if one does not exist. Commit the public key fingerprint; never commit the private key or the receipts directory (add both to .gitignore).
A receipt captures fields such as: receipt_id, event_time, tool_name, input_hash, decision, policy_id, policy_digest, parent_receipt_id, public_key, and signature. Every field except signature and public_key is covered by the signature -- modifying any field after signing invalidates it. A session of 20 tool calls yields 20 receipts, each hash-chained to its predecessor.
Step 3: Verify the Chain
An offline verifier walks the receipt files and returns:
| Exit code | Meaning |
|---|---|
0 | All receipts verified; chain intact |
1 | A receipt failed signature verification (tampered or wrong key) |
2 | A receipt was malformed |
Step 4: Demonstrate Tamper Detection
Flip a signed receipt's decision field from allow to deny and re-run the verifier: it exits 1 and names the failing receipt, because the signature no longer matches the canonical bytes. Restore the field and verification passes again.
How the Cryptography Works
Three invariants make receipts verifiable offline across conformant implementations:
- JCS canonicalization (RFC 8785) before signing -- keys sorted, whitespace minimized, strings NFC-normalized, so independent implementations produce byte-identical signing payloads.
- Ed25519 signatures (RFC 8032) over the canonical bytes -- deterministic, fixed-size, no nonce dependency.
- Hash-chain linkage -- each receipt references the SHA-256 of its predecessor's canonical form, so insertions, deletions, and reorderings break later receipts.
CI/CD Integration
Gate merges on receipt-chain verification so no build lands with a broken evidence chain. Archive the receipts as a job artifact so the chain survives beyond the run. For agent-built software, the receipt chain can be referenced from SLSA Provenance v1 byproducts, cross-referencing two trust domains (the builder identity and the supervisor-hook identity).
Common Pitfalls
- Private key in version control -- never commit it; rotate immediately if leaked.
- Hook command quoting -- keep tool inputs quoted so values with spaces pass through intact.
- Receipts lost in CI -- upload them as an artifact or the chain ends with the job.
- Missing policy -- treat an absent policy as a hard failure in production, not a silent pass.
Output
A clear explanation or live demonstration of the signed-receipt pattern -- the policy gate, the receipt structure, offline verification, and a tamper-detection demo -- so the reader can decide whether to adopt runtime enforcement.
How to use the Signed Audit Trails skill
Sign in to Zeplik
Create a free Zeplik account or sign in. New accounts start with free credits, so you can try the Signed Audit Trails skill right away.
Describe your software development task
Ask in plain language, or type /signed-audit-trails-recipe to invoke the skill directly. Zeplik recognizes the Signed Audit Trails skill and applies its method.
Review and refine the result
Zeplik returns a structured document you can edit, download, and reuse. Ask follow-ups to refine it.
Source and credit
- Author
- wshobson
- License
- MIT
Adapted from the open-source wshobson/agents project and tuned to run natively on Zeplik. View source on GitHub.
Frequently asked questions
- What is the Signed Audit Trails skill?
- Signed Audit Trails is a ready-to-run software development skill on Zeplik. Walks through Cedar policy gating, Ed25519 receipts, offline verification, and CI for tamper-evident agent tool-call logs. Ask in plain language and Zeplik applies the skill's method for you inside the conversation, on whichever AI model you prefer. It returns a structured document you can keep and reuse: Walkthrough of the signed-receipt pattern (policy gate, Ed25519 receipt, verification, tamper demo).
- How do I use Signed Audit Trails on Zeplik?
- Sign in to Zeplik and ask in plain language, or type /signed-audit-trails-recipe in any chat to invoke it directly. The skill applies its method and returns a result you can refine in the same conversation.
- Which AI model does the Signed Audit Trails skill use?
- Any model you choose. Zeplik works across every model in one chat, so the Signed Audit Trails skill runs on your preferred model for the task.
- Where does the Signed Audit Trails skill come from?
- The Signed Audit Trails skill is adapted from the open-source wshobson/agents project (MIT) and tuned to run natively on Zeplik. The original source is linked on this page.
- How much does the Signed Audit Trails skill cost?
- Using the skill is free to start. You only spend Zeplik credits when the assistant runs, and new accounts begin with free credits.
Related software development skills
- .NET BackendBuild ASP.NET Core 8+ backends with EF Core: auth, background jobs, production API patterns
- Advanced Git WorkflowsUse for advanced Git surgery: interactive rebase, cherry-pick, bisect, reflog recovery, and history cleanup before merging. Not for parallel worktree workflows (use using-git-worktrees).
- Adversarial Code ReviewHunt for bugs in code the user shares by assuming defects exist and attacking the code through several distinct lenses, then report severity-ranked findings with evidence. Use for "review this", "what could go wrong", "bug hunt", or pre-merge scrutiny of a change. Read-only, it reports problems and does not rewrite the code. Not for style cleanup (use simplify-code) or for writing new code.
- AI Agent FrameworksUse when building multi-agent systems or agent orchestration -- LangChain/LangGraph, agent team design, task coordination, pipelines. Not for authoring a Zeplik skill (use skill-creator).
- Algolia SearchAdd Algolia search: indexing strategies, React InstantSearch, relevance tuning, search-as-you-type
- Android CI/CDAutomate Android CI/CD to Google Play: keystore, GitHub Secrets, multi-stage release workflow for RN, Flutter, native
More on Zeplik
Try Signed Audit Trails on Zeplik
Every model, one chat. Bring the Signed Audit Trails skill into your next conversation and let the assistant do the work.