Agentic Run Receipts

Why this page exists. Enterprises do not only need safe agent behavior. They need portable proof that a specific run stayed inside its delegated authority.

The product bet

SecurityRecipes is positioned as the secure context layer for agentic AI. The strongest product shape is not another prompt catalog; it is a control plane that can tell a reviewer:

  • which context an agent was allowed to retrieve,
  • which context was inspected before use,
  • which tools were allowed, held, denied, or killed,
  • where context was allowed to move,
  • who approved risky steps,
  • which verifier proved the result,
  • and when the agent’s delegated identity was revoked.

Agentic Run Receipts make that story inspectable. A receipt is the auditable envelope for one governed agent run. It is designed to be signed by a tenant KMS, Sigstore, or equivalent workload attestation system after the run closes.

What was added

  • Source profile: data/assurance/agentic-run-receipt-profile.json
  • Generator:
  • Evidence pack: data/evidence/agentic-run-receipt-pack.json
  • MCP tool: recipes_agentic_run_receipt_pack

Regenerate and validate the pack:

Receipt chain

Every workflow receipt template requires these event classes:

Event What it proves
identity_issued The agent used a scoped non-human identity, not a shared human token.
context_retrieval_decision Retrieved context was registered, hash-bound, owned, and cited.
context_poisoning_scan Prompt-like content was inspected and treated as untrusted data.
mcp_tool_decision Every tool call passed through the default-deny MCP gateway policy.
context_egress_decision Context movement was classified before crossing a model, tenant, telemetry, MCP, or public boundary.
human_approval Approval-required namespaces were authorized before execution or merge.
verifier_result Scanner, CI, simulation, resolver, or policy evidence proved the outcome.
evidence_attached Required evidence was retained with owner, hash, and retention metadata.
run_closed The run reached a terminal state and the receipt envelope was sealed.
identity_revoked Short-lived credentials ended with the run or kill signal.

The default state is untrusted_until_complete. A run is not trusted until the receipt contains every required event and the hashes match the current SecurityRecipes control artifacts.

Why this matters

This is the difference between “the agent said it followed the rules” and “the platform can prove the run followed the rules.” That is the shape procurement, GRC, security operations, incident response, and trust review diligence teams will expect before agentic remediation is allowed to touch real enterprise systems.

It also creates a realistic trusted-source path:

  • open receipt schemas and templates in the public project,
  • hosted receipt signing and verification,
  • cross-tool log ingestion from MCP gateways, source hosts, CI, and IAM,
  • SIEM and trust-center exports,
  • reviewer diligence workspaces for enterprise and M&A review.

MCP examples

Inspect the receipt pack:

recipes_agentic_run_receipt_pack()

Review one workflow:

recipes_agentic_run_receipt_pack(
  workflow_id="vulnerable-dependency-remediation"
)

List only workflows above a readiness score:

recipes_agentic_run_receipt_pack(minimum_score=95)

Industry alignment

This feature follows current guidance:

  • OWASP Top 10 for Agentic Applications 2026 for agent goal hijack, tool misuse, identity abuse, context poisoning, cascading failures, and rogue-agent containment.
  • MCP Authorization 2025-11-25 for resource indicators, audience-bound tokens, HTTPS, PKCE, and token validation.
  • MCP Security Best Practices for confused-deputy prevention, token passthrough denial, SSRF, session safety, local server compromise controls, scope minimization, and audit trails.
  • CISA AI Data Security for provenance, integrity, access control, monitoring, third-party data handling, and incident evidence.
  • NIST AI RMF for governed, mapped, measured, and managed AI risk, including the 2026 critical-infrastructure profile concept.

See also