Skip to content

Releases: Danultimate/Agent-Ledger

AgentLedger v0.2.0

08 Jun 07:54
@Danultimate Danultimate
v0.2.0
237a3b6

Choose a tag to compare

View all tags
AgentLedger v0.2.0 Latest
Latest

v0.2.0 — Cryptographic delegation proof

v1 recorded that an action matched a receipt. v2 adds cryptographic proof the
grant was real: the principal signs the receipt (Ed25519) and the verifier
checks it against a trusted key.

  • Signed receipts (Receipt.sign) + agentledger.signing ([crypto] extra)
  • Trusted-key verification via KeyProvider / InMemoryKeyProvider
  • require_signed policy (graceful default) + per-call scopes checks
  • Pluggable agent identity (IdentityProvider; Static + SPIFFE)
  • New signature_verified / identity_status on proofs; new violation types
  • Backward compatible: v1 unsigned receipts and v1-format logs still verify

What v2 does and does not defend against: docs/threat-model.md.
Full notes: CHANGELOG.md.

Assets 2
Loading

AgentLedger v0.1.0

08 Jun 06:40
@Danultimate Danultimate
v0.1.0
6542aac

Choose a tag to compare

View all tags
AgentLedger v0.1.0 Pre-release
Pre-release

The missing audit layer between "token is valid" and "action is recorded."
AgentLedger records tamper-evident action proofs for every MCP tool call and
checks each invocation against an advisory delegation receipt.

AgentLedger records and attributes actions — it does not enforce
authorization by default. A violating call is recorded as a proof and still
runs (opt into blocking with on_violation="raise"). Hash-chaining makes the
log tamper-evident; it does not prove an action was authorized at execution
time by a cryptographically verified identity. See the README security note.

Highlights

  • @ledger.record decorator — works on sync and async handlers with zero
    restructuring, safe inside a running asyncio loop. on_violation =
    record (default) / warn / raise.
  • Delegation receipts with a frozen, version-tagged signable serialization
    (agentledger.receipt.v1), ready for v2 cryptographic signing without a
    breaking change.
  • Hash-chained, append-only JSONL proof log (agentledger.chain.v1); chain head
    restored across process restarts; file-locked concurrent appends.
  • Verifier/Verdict, Rich terminal + self-contained HTML reports.
  • CLI: init, report, verify (exit 1 on violations), chain
    (exit 1 on tamper).
  • Silent, zero-config TraceForge span enrichment when agentrace-llm is present.

Quality

  • 29 tests passing; ruff clean; CI across Python 3.10 / 3.11 / 3.12.

Install

bash pip install agentledger-llm # (pending PyPI publish)

Roadmap

  • v2 — signed receipts, SPIFFE/SPIRE SVID verification, enforced WIMSE WPT
    validation, scope-level checks.
  • v3 — multi-hop delegation chains, mid-chain revocation.

See docs/roadmap.md for full scope and entry/exit criteria.

Loading