AXR / Agent Execution Receipts / Open source

Make the agent show its receipts.

AXR is an open-source accountability layer for AI agents: cryptographically signed execution receipts that turn "trust me" into "verify me".

Logs can be edited. That used to be fine.

AI agents now take consequential actions: they call tools, change records, move money, send messages on someone's behalf. The audit trail for all of that is usually a log file owned by whoever ran the agent. Mutable, deletable, and unverifiable by anyone outside the operator's own infrastructure.

Regulators have noticed. The EU AI Act makes automatic event logging a design requirement for high-risk AI systems (Article 12), obliges deployers to retain those logs for at least six months (Article 26), and its high-risk obligations apply from 2 August 2026. In the US, NIST's Center for AI Standards and Innovation launched the AI Agent Standards Initiative in February 2026, with agent security and identity as core research pillars. The common thread: when an agent acts, someone must be able to establish what happened — and the record has to hold up.

A log you can rewrite is a story. A receipt you can verify is a record.

One receipt per consequential action.

For each action that matters, AXR emits a receipt: the action taken, hashes of its inputs and outputs, a timestamp, the identity of the agent, and an Ed25519 signature over the canonicalised record. These are the design goals the project is built around:

Signed
Ed25519 over a canonical serialisation of the receipt. Re-signing a tampered record requires the private key; without it, edits are visible.
Self-contained
A receipt verifies offline with nothing but the public key. No access to the operator's infrastructure, no trust in their database.
Tamper-evident
Any change to the receipt breaks the signature. That is the whole trick, and it is enough.
Boring on purpose
Standard primitives only: SHA-256, Ed25519, canonical JSON. No novel cryptography. Assurance work should be auditable by people who did not write it.
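The sign-then-verify flow described above, as an added example that is not AXR's own code. The field names, the DemoKey helper and the simplified canonicalisation (compact JSON with a fixed field order, standing in for a full canonical-JSON scheme) are assumptions; all sample values are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Receipt carries the fields listed above; the field names are assumptions.
type Receipt struct {
	Action, Agent, InputSHA256, OutputSHA256, Timestamp, Signature string
}

func HashHex(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) } // hex SHA-256

// DemoKey derives a fixed key pair from a constructed seed (demo only, never a real key).
func DemoKey(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(append(make([]byte, ed25519.SeedSize-1), seed))
	return priv.Public().(ed25519.PublicKey), priv
}

// canonical returns the signed bytes: compact JSON, fixed field order, signature blanked.
func canonical(r Receipt) []byte {
	r.Signature = ""
	b, _ := json.Marshal(r) // cannot fail for a struct of strings
	return b
}

// Sign returns a copy of r with a base64 Ed25519 signature over its canonical bytes.
func Sign(r Receipt, priv ed25519.PrivateKey) Receipt {
	r.Signature = base64.StdEncoding.EncodeToString(ed25519.Sign(priv, canonical(r)))
	return r
}

// Verify needs only the receipt and the public key, so it works offline.
func Verify(r Receipt, pub ed25519.PublicKey) bool {
	sig, err := base64.StdEncoding.DecodeString(r.Signature)
	return err == nil && ed25519.Verify(pub, canonical(r), sig)
}

func main() {
	pub, priv := DemoKey(1)
	r := Sign(Receipt{Action: "refund.create", Agent: "agent-7", InputSHA256: HashHex([]byte("in")),
		OutputSHA256: HashHex([]byte("out")), Timestamp: "2026-01-01T00:00:00Z"}, priv)
	fmt.Println("signed:", Verify(r, pub))
	r.OutputSHA256 = HashHex([]byte("edited")) // change made after signing
	fmt.Println("edited:", Verify(r, pub))
}
```

A verifier that trusts the wrong public key gets the same "false" as one looking at an edited receipt, so how the public key is distributed matters as much as the signature itself.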

Built toward where the rules are going.

AXR is designed to map onto the record-keeping duties that are arriving, not to claim certified compliance with any of them. Concretely: the EU AI Act's Article 12 requires high-risk systems to automatically record events for traceability, and Article 26 puts log retention on deployers. NIST's AI Agent Standards Initiative is shaping the US side, with identity, security and auditability of agents on the table. Signed, independently verifiable receipts are a primitive both directions can build on.

Precision matters here: "designed to map onto" is the claim, and the mapping itself is part of the project's open work.

Early, open, and honest about both.

AXR is open source and developed in public. The receipt schema and the signing flow are the foundation; the threat modelling, hardening and formal standards mapping are the current work. That ordering is deliberate — it is exactly the security depth I am building, in the open, where it can be inspected.

This site runs on the same primitive.

Every deploy of chrisconen.dev publishes a manifest of every file on the site, hashed with SHA-256 and signed with Ed25519. Your browser can verify the signature and re-hash any file against the manifest. It is AXR's core idea applied to a build pipeline instead of an agent — same receipt, different actor.