Sign skills. Seal execution. Verify receipts.
A tamper-evident audit trail for every agent invocation — verifiable by anyone, no access to the operator required.
Every execution receipt has three sections: what ran, who authorized the code, and who vouches for the execution. Any third party can verify all three — no access to the operator's machine, keys, or audit log.
The publisher signs the skill bundle with an ed25519 key. The signature covers every source file via a content-addressed manifest. The public key is recorded in the transparency log.
The operator runs the signed skill inside a kernel-namespace sandbox (bwrap). The runtime records inputs, outputs, timing, and sandbox configuration as SHA-256 hashes, then signs the entire record with the operator's ed25519 key.
Any third party installs traceseal-verify and runs one command. The verifier checks the operator's signature over the canonical JSON of execution + provenance. No operator connection. No trust assumptions.
A Traceseal receipt is a self-contained JSON document with three sections. Every field is encoded as canonical JSON before signing, so any tampering breaks the signature.
```json
{
  "receipt_version": "1.0",
  "execution": { // A
    "skill_name": "agentmail",
    "skill_version": "1.2.0",
    "skill_manifest_hash": "sha256:00741b31...",
    "timestamp": "2026-04-15T04:47:13Z",
    "entry_point_name": "check",
    "inputs_hash": "sha256:62622f40...",
    "outputs_hash": "sha256:86f2cb02...",
    "exit_code": 0,
    "wall_time_ms": 167,
    "ok": "true",
    "sandbox_profile_hash": "sha256:daa6f3c4...",
    "audit_entry_hash": "sha256:a4925b7f..."
  },
  "provenance": { // B
    "manifest_hash": "sha256:00741b31...",
    "publisher_fingerprint": "ed25519:a07c7eb5...",
    "publisher_public_key": "3a5e3b26...",
    "published_at": "2026-04-15T04:47:13Z",
    "transparency_log_seq": 1
  },
  "attestation": { // C
    "operator_fingerprint": "ed25519:f19bc125...",
    "operator_public_key": "810607ba...",
    "attested_at": "2026-04-15T04:47:40Z",
    "signature": "5ea122fa..."
  }
}
```
Execution (A): skill identity and version; a skill_manifest_hash covering every source file; the sandbox configuration hash; the SHA-256 of the inputs and outputs (not the values themselves, only their hashes); timing, exit status, and a link to the audit chain via audit_entry_hash.
Provenance (B): the publisher's ed25519 fingerprint and public key, and the transparency log sequence number where the manifest was recorded. Its manifest_hash must match the skill_manifest_hash in execution; the verifier enforces this consistency.
Attestation (C): the operator's ed25519 signature over the canonical JSON of execution + provenance. The operator's public key is embedded in the receipt, so verification is self-contained and needs no lookup. A tamper anywhere in the signed sections invalidates this signature.
Publisher signs once at publication. Operator signs once at execution. Verifier checks both without trusting either side.
1. Publisher builds a content-addressed manifest over every source file, signs it with ed25519, and records the manifest hash + public key in the transparency log.
2. Operator runs the signed skill inside a bubblewrap sandbox with declared capabilities. Inputs, outputs, and sandbox configuration are hashed and appended to the audit chain.
3. Operator signs the execution + provenance record with their ed25519 key. The receipt embeds the operator's public key so verification needs nothing else.
4. Any party runs traceseal-verify receipt.json. Signatures are checked locally. The operator is never contacted. The machine is never accessed.
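The steps above, carried through as a from-scratch verifier in Go. This is an added example, not Traceseal's code and not its traceseal-verify package; it exists to show that the receipt layout described here can be checked by an independent implementation. Because the page does not spell them out, it assumes that canonical JSON means lexically sorted keys with no whitespace and no HTML escaping, that the signed payload is the object {"execution": ..., "provenance": ...}, and that keys and signatures are hex-encoded; the fingerprint fields are left out because their derivation is not given, and the publisher's own signature is not checked. All receipt contents are constructed sample values. It goes slightly beyond the text by also showing what the verifier reports when one field is edited after signing and when the two manifest hashes disagree.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// signedPayload: canonical JSON of execution + provenance, ASSUMED to mean sorted keys
// (encoding/json sorts map keys), no whitespace, no HTML escaping.
func signedPayload(execution, provenance map[string]any) []byte {
	var buf bytes.Buffer
	enc := json.NewEncoder(&buf)
	enc.SetEscapeHTML(false)
	if err := enc.Encode(map[string]any{"execution": execution, "provenance": provenance}); err != nil {
		panic(err) // only reachable with non-JSON Go values; callers pass plain maps
	}
	return bytes.TrimRight(buf.Bytes(), "\n")
}

// hashTag gives the "sha256:<hex>" form the receipt uses for inputs, outputs and manifests.
func hashTag(data []byte) string {
	return fmt.Sprintf("sha256:%x", sha256.Sum256(data))
}

// MakeReceipt (operator side): sign execution + provenance and embed the operator's public key; fingerprints omitted (derivation not on the page).
func MakeReceipt(priv ed25519.PrivateKey, execution, provenance map[string]any) ([]byte, error) {
	sig := ed25519.Sign(priv, signedPayload(execution, provenance))
	return json.MarshalIndent(map[string]any{
		"receipt_version": "1.0", "execution": execution, "provenance": provenance,
		"attestation": map[string]any{
			"operator_public_key": hex.EncodeToString(priv.Public().(ed25519.PublicKey)),
			"attested_at":         "2026-04-15T04:47:40Z",
			"signature":           hex.EncodeToString(sig),
		},
	}, "", "  ")
}

// VerifyReceipt is what any third party runs: local checks only, no operator contact.
func VerifyReceipt(raw []byte) error {
	dec := json.NewDecoder(bytes.NewReader(raw))
	dec.UseNumber() // re-encode integers byte-for-byte as they were signed
	var receipt map[string]any
	if err := dec.Decode(&receipt); err != nil {
		return fmt.Errorf("parse: %w", err)
	}
	execution, _ := receipt["execution"].(map[string]any) // a missing section reads as an empty map
	provenance, _ := receipt["provenance"].(map[string]any)
	attestation, _ := receipt["attestation"].(map[string]any)
	execManifest, _ := execution["skill_manifest_hash"].(string)
	if execManifest == "" || execManifest != provenance["manifest_hash"] { // cross-section consistency
		return fmt.Errorf("manifest hash missing or mismatched between execution and provenance")
	}
	pub, errPub := hex.DecodeString(fmt.Sprint(attestation["operator_public_key"]))
	sig, errSig := hex.DecodeString(fmt.Sprint(attestation["signature"]))
	if errPub != nil || errSig != nil || len(pub) != ed25519.PublicKeySize || len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("attestation key or signature is not hex of the ed25519 size")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), signedPayload(execution, provenance), sig) {
		return fmt.Errorf("operator signature does not verify over execution + provenance")
	}
	return nil
}

// RunDemo signs a constructed receipt, verifies it, then shows that an edited field (exit_code) or desynchronised manifest hashes are caught.
func RunDemo() (validErr, tamperedErr, mismatchErr error) {
	_, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand failure is fatal in current Go, never an error here
	manifest := hashTag([]byte("constructed manifest listing src/check.py"))
	execution := map[string]any{ // constructed sample values
		"skill_name": "agentmail", "skill_version": "1.2.0", "entry_point_name": "check",
		"skill_manifest_hash": manifest, "timestamp": "2026-04-15T04:47:13Z",
		"inputs_hash": hashTag([]byte(`{"mailbox":"inbox"}`)), "outputs_hash": hashTag([]byte(`{"unread":3}`)),
		"exit_code": 0, "wall_time_ms": 167,
	}
	provenance := map[string]any{ // publisher signature is not checked in this example
		"manifest_hash": manifest, "transparency_log_seq": 1, "publisher_public_key": "PUBLISHER_KEY_PLACEHOLDER",
	}
	good, err := MakeReceipt(priv, execution, provenance)
	if err != nil {
		return err, err, err
	}
	validErr = VerifyReceipt(good)
	tampered := bytes.Replace(good, []byte(`"exit_code": 0`), []byte(`"exit_code": 1`), 1)
	tamperedErr = VerifyReceipt(tampered)
	execution["skill_manifest_hash"] = hashTag([]byte("a different constructed manifest"))
	mismatch, _ := MakeReceipt(priv, execution, provenance) // signature is fine, hashes disagree
	mismatchErr = VerifyReceipt(mismatch)
	return validErr, tamperedErr, mismatchErr
}

func main() {
	v, t, m := RunDemo()
	fmt.Println("valid:", v, "| tampered exit_code:", t, "| manifest mismatch:", m)
}
```

The design point worth noticing is that the verifier never trusts the pretty-printed bytes it was handed: it decodes the receipt and re-derives the canonical form of execution + provenance before checking the signature, so whitespace or key order in the file cannot matter, while any change to a signed value does. The manifest-hash comparison runs before the signature check, which is why the third case fails even though its signature is genuine.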
Traceseal runs on a production Debian 13 VPS. Every number below is reproducible. Every receipt is third-party verifiable.
The receipt format, signing convention, and verification algorithm are fully specified. Anyone can build a compatible verifier from scratch in any language.
The spec and verifier are Apache 2.0. Use it commercially, fork it, audit it, implement it yourself.
One package. Zero infrastructure. Works anywhere Python runs.