Show and tell: Agent Execution Proof — structured audit records for tool calls #1
Replies: 6 comments
-
|
This is a useful direction. The part I would make very explicit in AEP is the boundary between an observability span and an authority receipt. For the audit record, I would want a few fields that are not only useful for dashboards:
The OTel span names look reasonable for live operations, but I would avoid making the span model carry the whole compliance story. Spans are great for latency, causality, and error paths; the persisted AEP record should be the thing that survives sampling, retention changes, collector outages, and later training-data export. One pattern that has worked well for agent ops is to store a compact run-level capability snapshot once, then refer to it from individual tool receipts. Otherwise every tool call either repeats too much context or loses the answer to "what could this agent have done at the time?" Disclosure: I work on Armorer Labs. |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for the detailed read — your taxonomy maps onto fields we Already in
Three real gaps you're surfacing:
These are now drafted as point fixes in RFC #7 (aep/v0.3), On the OTel question — we agree, and the current split is what you'd Comments on the RFC welcome, particularly on the Disclosure: I maintain wasmagent-js, the project being discussed. |
Beta Was this translation helpful? Give feedback.
-
|
Also — since you mentioned you work on Armorer Labs and I just looked We're both MIT-licensed and shipping in public, so let me be direct
If there's appetite for it on your side, two concrete things that
No need to coordinate roadmap or even agree on naming. Just flagging |
Beta Was this translation helpful? Give feedback.
-
|
Thanks for spelling this out. I agree with the clean split: scanner/runtime-risk decision on one side, persistent authority receipt on the other. The integration point I would keep boring is a receipt schema contract, not runtime coupling. For the Guard side, the useful receipt fields are probably something like:
The important part is that this should be joinable to the downstream execution receipt without requiring both projects to share a process. A run id, tool-call id, normalized args digest, and policy/version tuple are enough for an operator to ask: what did the scanner decide before execution, what did the runtime actually execute, and did anything drift between those two points? That also keeps the projects from pretending to solve the same layer. A fast local classifier can be wrong in ways the receipt layer later exposes, and a signed receipt can prove that a weak decision was faithfully executed without proving the decision was good. Those are complementary failure modes, so a shared vocabulary around common fields seems more useful than shared roadmap. Disclosure: I work on Armorer Labs. |
Beta Was this translation helpful? Give feedback.
-
|
The framing on complementary failure modes is exactly right, and I would take it one step further: a strong scanner + weak receipt is a worse combination than weak scanner + strong receipt, because the scanner failure is silent — the operator sees an allow and has no artifact showing what assumption the allow was built on. A signed receipt at least surfaces the question. On the Guard receipt fields you listed — those map well onto the AEP fields already in
The join key you named — run id, tool-call id, normalized args digest, policy/version — is already our canonical join key between If you do wire up receipts on the Guard side and want to test the join against real AEP output, the emitter and signer are in Disclosure: I maintain wasmagent-js, the project being discussed. |
Beta Was this translation helpful? Give feedback.
-
|
That join test would be useful. I would keep the first interop target deliberately small: one Guard decision artifact, one runtime execution receipt, and one negative-path case where the digest or authority boundary does not match. For
The scanner can still keep richer local explanation text, but the receipt should carry a stable class that a downstream policy engine can group without parsing prose. I would also include the policy/ruleset version next to the class, because the same class can become stricter over time. On redaction, I agree the per-action join is the important bit. The artifact should make it clear whether the digest was computed over raw input, redacted input, or a canonicalized form after redaction. Otherwise two systems can appear to agree on For an interop fixture, the useful acceptance test is not just the happy path. I would want the reader to prove three outcomes:
That keeps the coupling at the evidence boundary: Guard does not need to know about the runtime internals, and AEP does not need to know how Guard reached the decision, but an operator can still reconstruct whether the scan decision, approval grant, and executed call describe the same event. Disclosure: I work on Armorer Labs. |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Show and tell: Agent Execution Proof — structured audit records for tool calls
Hey everyone 👋
We've been working on something we're calling Agent Execution Proof (AEP) — a structured, schema-versioned audit record that captures every tool call an AI agent makes, along with the policy decision that allowed it, the budget it consumed, and the pre/post state digests.
The motivation: logs tell you what happened, but they can't prove in what order things happened or whether the policy gate ran before or after the tool. In multi-agent systems, that distinction matters.
What it looks like in practice
The record is versioned (
aep/v0.1,aep/v0.2) and feeds downstream into a compliance evaluation and trace-to-training pipeline.9 OTel span names
For real-time observability alongside the audit record:
These flow into any OTel collector. The
AEPRecordis what you persist.Repo
packages/aeppackages/otel-exporterQuestions for the community:
Happy to discuss any of this here.
Beta Was this translation helpful? Give feedback.
All reactions