Action Receipt / github.merge / prod

AgentBoundary · v0.1 · open spec

Prove every agent action.

An open specification, in the spirit of OAuth and WebAuthn, for the document that should follow every AI-initiated production action.

Portable. Tamper-evident. Verifiable by any party — auditor, regulator, insurer — without trusting the agent framework or the model provider.

$ npx agentboundary run scenarios/

10 scenarios · 60 seconds · no signup

action_receipt.json · ALLOW
{
  "version": "agentboundary/v0.1",
  "receipt_id": "0192c8d0-1f2a-7c3e-bf2a-1a4d3f5e6c7b",
  "issued_at": "2026-06-15T14:23:08Z",
  "actor": {
    "type": "agent",
    "id": "agent:claude-code:session/789abc",
    "display_name": "Claude Code"
  },
  "agent": {
    "framework": "claude-code",
    "framework_version": "2.4.1",
    "model": "claude-opus-4-7"
  },
  "tool": {
    "name": "github-mcp",
    "version": "0.7.0",
    "capability": "github.merge"
  },
  "target": {
    "system": "github.com/jamjet-labs/agentboundary",
    "environment": "prod",
    "resource_id": "pull/14"
  },
  "arguments_hash": "9698adaf2dca5f26a4f9644a8d0f4f34b5558bce09961f94e810fe3aaa9071aa",
  "policy": {
    "name": "agentboundary.repo.merges",
    "version": "2",
    "decision": "allow"
  },
  "execution": {
    "status": "success",
    "completed_at": "2026-06-15T14:23:09Z",
    "result_ref": "sha:b1c2d3e4f5a6"
  },
  "receipt_hash": "4d905d5dbc9faa4dafcb2155da9c4d5e1052cb23c680f3754d4ebc5800a4bae7"
}

What an Action Receipt proves

01 · Who acted

The actor (human, agent, service), the agent's framework and model, and the tool capability that was invoked.

02 · What they could do

The policy decision — allow, require-approval, deny, or escalate — bound to a named, versioned policy.

03 · With which arguments

arguments_hash is the canonical SHA-256 of the inputs the agent ran the tool with. Mutate any byte after the policy decision and the chain breaks.

04 · To what effect

Execution status, result reference, then receipt_hash — the canonical SHA-256 of the whole document. Any tampering invalidates it.
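
The two hash checks described above, sketched in Node.js as an added illustration (not code from the AgentBoundary project). The canonical form used here (recursively sorted keys, no whitespace) and the exclusion of receipt_hash from its own input are assumptions, since the v0.1 spec defines the actual rules; the constructed sample is therefore sealed with these same functions rather than checked against the hashes shown on this page.

```javascript
// Added example, not AgentBoundary code. ASSUMPTIONS: canonical form is JSON with
// recursively sorted keys and no whitespace; receipt_hash covers every field
// except receipt_hash itself. The v0.1 spec defines the real rules.
const { createHash } = require("node:crypto");

// Serialize with sorted object keys so equal data always yields equal bytes.
function canonicalize(value) {
  if (Array.isArray(value)) return "[" + value.map(canonicalize).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonicalize(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

function sha256Hex(value) {
  return createHash("sha256").update(canonicalize(value), "utf8").digest("hex");
}

// Hash of the receipt body with the receipt_hash field removed (assumption).
function computeReceiptHash(receipt) {
  const { receipt_hash, ...body } = receipt;
  return sha256Hex(body);
}

// Returns the names of the checks that failed; an empty list means both hold.
function verifyReceipt(receipt, toolArguments) {
  const failures = [];
  if (sha256Hex(toolArguments) !== receipt.arguments_hash) failures.push("arguments_hash");
  if (computeReceiptHash(receipt) !== receipt.receipt_hash) failures.push("receipt_hash");
  return failures;
}

// Constructed sample: tool arguments and a trimmed receipt, sealed with the functions above.
const args = { pull_number: 14, merge_method: "squash" };
const receipt = {
  version: "agentboundary/v0.1",
  tool: { name: "github-mcp", capability: "github.merge" },
  arguments_hash: sha256Hex(args),
  policy: { name: "agentboundary.repo.merges", version: "2", decision: "allow" },
  execution: { status: "success" },
};
receipt.receipt_hash = computeReceiptHash(receipt);

const forged = { ...receipt, policy: { ...receipt.policy, decision: "deny" } };
console.log(verifyReceipt(receipt, args));                                // intact receipt
console.log(verifyReceipt(receipt, { ...args, merge_method: "rebase" })); // arguments changed
console.log(verifyReceipt(forged, args));                                 // receipt body edited
```

A hash stored inside the document only exposes edits when the verifier obtains the expected receipt_hash from a record the editor cannot also rewrite.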

Run the conformance suite

Ten deterministic scenarios. Each one is named for the failure it prevents. The runner emits an Action Receipt for every scenario, validates it against the v0.1 schema, and grades it at Levels 1, 2, and 3.

$ npx agentboundary run scenarios/

  PASS  01-merge-allow                               1ms
  PASS  02-mutation-require-approval                 0ms
  PASS  03-refund-under-limit                        0ms
  PASS  04-merge-deny                                0ms
  PASS  05-refund-escalate                           0ms
  PASS  06-missing-policy-block                      0ms
  PASS  07-bad-timestamp-format                      0ms
  PASS  08-arguments-hash-mismatch                   0ms
  PASS  09-receipt-hash-mismatch                     0ms
  PASS  10-claim-level-3-without-hash                0ms

  10 passed · 0 failed · 1ms total

Source: jamjet-labs/agentboundary · Apache 2.0 · Implementations welcome.