agentauth-receipts 0.1.0__tar.gz

agentauth_receipts-0.1.0/.gitignore

@@ -0,0 +1,83 @@
+# Rust
+/target/
+# Detached zkVM crate builds into its own target dir (RISC Zero toolchain output)
+crates/agent-receipts-zkvm/target/
+**/*.rs.bk
+
+# Python
+__pycache__/
+*.py[cod]
+*.egg-info/
+.eggs/
+dist/
+build/
+.venv/
+venv/
+.python-version
+.pytest_cache/
+.mypy_cache/
+.ruff_cache/
+
+# Coverage
+.coverage
+.coverage.*
+coverage.json
+coverage.xml
+htmlcov/
+lcov.info
+target/llvm-cov/
+dashboard/coverage/
+
+# Backend identity service
+backend/.venv/
+backend/agents.db
+backend/audit.jsonl
+backend/.env
+
+# Node / dashboard
+dashboard/node_modules/
+dashboard/dist/
+
+# Local dev
+.env
+*.db
+*.sqlite
+.audit/
+/receipts/
+*.redacted.json
+config/partner.yaml
+certs/*.pem
+certs/*.json
+!certs/.gitkeep
+
+# IDE / misc
+.idea/
+.vscode/
+.cursor/mcp.json
+*.swp
+*.log
+.DS_Store
+
+# Proving artifacts and generated key caches (large)
+/proofs/
+/keys/*.bin
+/keys/**/*.bin
+/keys/*.sha256
+/keys/**/*.sha256
+!/keys/.gitkeep
+
+# Generated compliance scratch fixtures
+/compliance/fixtures/*.generated.json
+/compliance/fixtures/*.tmp.json
+
+# Local caches
+.cache/
+.vendor/
+
+# Signing private keys — never commit
+keys/signing/
+*.key
+
+# Claude Code session/tooling
+.claude/
+SECURITY_AUDIT.md

agentauth_receipts-0.1.0/CHANGELOG.md

@@ -0,0 +1,71 @@
+# Changelog
+
+All notable changes to this project are documented here.
+
+Format follows [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+## [Unreleased]
+
+### Added — evidence plane (ZK binding + signing)
+
+- Halo2 policy proof now **binds the committed output and policy** into its public inputs
+  (`commitment_to_field`); editing a receipt's `output_hash` / `policy_commitment` after
+  proving fails verification. (Circuit id bumped; superseded by `policy_range_v3`.)
+- Ed25519 signing module (`agent_receipts.signing`): `SigningKey`, `generate_keypair`,
+  `load_or_create_key`, and envelope-level `sign_bundle` / `verify_bundle_signatures`.
+- Audit log hardening: optional per-record Ed25519 signatures, `verify_signatures()`, and a
+  signed Merkle `signed_checkpoint()` / `verify_checkpoint()` that detects a full-chain rewrite.
+- `cryptography` runtime dependency; `keys/signing/` private keys git-ignored.
+
+### Changed
+
+- Trust model docs updated with output-binding, signature, and checkpoint guarantees.
+
+## [0.2.1] - 2026-05-29
+
+### Added — deployment hardening (pre design partner ship)
+
+- `arctl preflight` go/no-go checks (config, policy, writable dirs, prove readiness)
+- `scripts/partner_preflight.sh` deployment gate
+- HTTP verifier: optional API key auth, rate limiting, body size cap, `GET /ready`
+- Stable agent identity via `persist_certificate` (load/create JSON cert)
+- `PartnerConfig` strict mode, env overrides (`AGENT_RECEIPTS_*`)
+- [docs/deployment.md](docs/deployment.md), `config/partner.production.example.yaml`, `config/env.example`
+- `partner_factory.build_agent_from_config()` for integrations
+- Structured logging via `AGENT_RECEIPTS_LOG_LEVEL`
+
+## [0.2.0] - 2026-05-29
+
+### Added — design partner readiness
+
+- HTTP verifier service (`POST /v1/verify`, `GET /health`, `GET /v1/version`) via `arctl serve`
+- Partner onboarding guide ([docs/design_partner.md](docs/design_partner.md))
+- Partner operations runbook ([docs/partner_runbook.md](docs/partner_runbook.md))
+- Receipt bundle export (`agent-receipts.receipt-bundle.v1`) and `arctl verify-bundle`
+- `arctl` CLI: `doctor`, `export-audit`, `show-config`, `redact`, `serve`
+- Partner YAML config (`config/partner.example.yaml`) and `examples/partner_pilot.py`
+- `scripts/bootstrap.sh` and `scripts/partner_smoke.sh`
+- `scripts/scaffold_policy.py` for custom policy YAML from schema/tools
+- `arctl redact` for sharing receipts without PII
+- Docker image and `docker-compose.yml` (verifier + optional MCP profile)
+- [RELEASE.md](RELEASE.md) pinning instructions for pilot deployments
+
+### Changed
+
+- MCP server supports stdio, SSE, and streamable HTTP transports
+- `ReceiptedMcpClient` supports prove + composed proofs on live MCP
+- Python tooling CLI renamed to **`arctl`** (Rust binary remains **`agent-receipts`**)
+
+## [0.1.0] - 2026-05-29
+
+### Added
+
+- Rust core: certificates, audit chain, proof envelopes
+- Python SDK: `Policy`, `AgentWrapper`, operating modes
+- Halo2 `policy_range_v1` circuit and CLI prove/verify
+- MCP integration: gateway, delegation, live server
+- EZKL fraud head path and logical composed verification
+
+[0.2.0]: https://github.com/pberlizov/agent-receipts/compare/v0.1.0...v0.2.0
+[0.2.1]: https://github.com/pberlizov/agent-receipts/compare/v0.2.0...v0.2.1
+[0.1.0]: https://github.com/pberlizov/agent-receipts/releases/tag/v0.1.0

agentauth_receipts-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Agent Receipts contributors
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

agentauth_receipts-0.1.0/PKG-INFO

@@ -0,0 +1,276 @@
+Metadata-Version: 2.4
+Name: agentauth-receipts
+Version: 0.1.0
+Summary: AgentAuth — attested identity and verifiable execution receipts for autonomous AI agents
+License-Expression: MIT
+License-File: LICENSE
+Requires-Python: <3.14,>=3.10
+Requires-Dist: biscuit-python<0.5,>=0.4
+Requires-Dist: cbor2>=5.4
+Requires-Dist: cryptography>=42.0
+Requires-Dist: httpx>=0.27
+Requires-Dist: pyjwt<3.0,>=2.8
+Requires-Dist: pyyaml>=6.0
+Provides-Extra: dev
+Requires-Dist: agentauth[mcp,server,verifier]; extra == 'dev'
+Requires-Dist: coverage[toml]>=7.5; extra == 'dev'
+Requires-Dist: diff-cover>=9.0; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.24; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.4; extra == 'dev'
+Provides-Extra: ezkl
+Requires-Dist: agentauth[onnx]; extra == 'ezkl'
+Provides-Extra: kms
+Requires-Dist: boto3>=1.34; extra == 'kms'
+Requires-Dist: google-cloud-kms>=2.20; extra == 'kms'
+Provides-Extra: mcp
+Requires-Dist: httpx>=0.27; extra == 'mcp'
+Requires-Dist: mcp>=1.0; extra == 'mcp'
+Requires-Dist: uvicorn>=0.30; extra == 'mcp'
+Provides-Extra: onnx
+Requires-Dist: numpy>=1.26; extra == 'onnx'
+Requires-Dist: onnx>=1.16; extra == 'onnx'
+Provides-Extra: partner
+Requires-Dist: agentauth[dev,mcp,server,verifier]; extra == 'partner'
+Provides-Extra: server
+Requires-Dist: fastapi<1.0,>=0.110; extra == 'server'
+Requires-Dist: pydantic<3.0,>=2.6; extra == 'server'
+Requires-Dist: sqlalchemy<3.0,>=2.0; extra == 'server'
+Requires-Dist: uvicorn[standard]<1.0,>=0.27; extra == 'server'
+Provides-Extra: verifier
+Requires-Dist: starlette>=0.37; extra == 'verifier'
+Requires-Dist: uvicorn>=0.30; extra == 'verifier'
+Description-Content-Type: text/markdown
+
+# Agent Receipts
+
+Cryptographic receipts for autonomous AI agents: prove that a consequential action was **authorized**, ran on the **claimed model**, and satisfied a **committed policy**.
+
+OAuth 2.1 and MCP answer *who may act*. Agent Cards are self-declared. Agent Receipts answer *what actually happened* with a verifiable `ExecutionProof`, a lower-layer decision model, and a tamper-evident audit chain.
+
+---
+
+# AgentAuth for autonomous coding agents (Cognition / Devin)
+
+An autonomous software engineer like Devin acts directly on enterprise codebases: it reads repositories, issues, and PRs; runs commands; pushes commits; and spawns sub-agents. The thing standing between Devin and broad enterprise adoption is **trust** — can you prove what Devin did, prove it stayed inside the scope a human authorized, and be sure the record itself can't be forged? AgentAuth is the identity-and-verifiable-execution layer that answers those questions cryptographically. It turns Devin's output from *"commits your security team has to review"* into *"output guaranteed to have stayed within authorized scope, with machine-verifiable proof."*
+
+This section has three parts: **Section 1** ranks what we have today by fit to Cognition's problems and summarizes the Cognition-tailored features we propose to build; **Section 2** describes the current capabilities in depth; **Section 3** is the technical implementation plan for the proposed features.
+
+> **Honesty line.** Everything under "Built today" is implemented and, where noted, empirically validated. Everything under "Proposed" is roadmap — designed but not yet built. We mark the boundary explicitly because a verification company that overstates its own guarantees has already failed its one job.
+
+## Section 1 — Ranked fit for Cognition
+
+### Built today (ranked by fit to Cognition's enterprise-trust blockers)
+
+1. **Pre-action authorization + capability tokens (scope containment).** Every consequential Devin action is checked against a committed policy and a capability token *before it executes*; an injected or off-task Devin that reaches outside its authorized scope (files, repos, tools, network) is blocked before the action runs, not flagged after. This is the blast-radius control that makes granting Devin write access defensible at all.
+2. **Tamper-evident, cryptographically verifiable execution receipts.** Each action produces an `ExecutionProof` bound into a hash-chained Merkle audit log, so you can prove exactly what Devin did, under whose authority, and that the record was not altered afterward. Empirically validated: across **~284,000 adversarial tamper trials**, AgentAuth's false-accept rate on forgeable content is **~0**, versus **67–100%** for conventional logging and signed-receipt designs.
+3. **Attested agent identity, bound into every receipt.** Each Devin instance carries a short-lived, attested SPIFFE / JWT-SVID identity acting under a *named human principal*, cryptographically tied to every action — answering "which Devin, under whose authorization" with a signature an attacker cannot swap, not a self-declared label.
+4. **Privacy-preserving proof of policy compliance (ZK).** A zero-knowledge proof shows Devin's execution satisfied the committed policy *without revealing* the proprietary codebase, inputs, or model to the verifier — cryptographic compliance evidence that doesn't require exposing customer IP.
+5. **Capability delegation with monotonic attenuation (sub-agents).** When Devin spawns sub-agents, their capability tokens are *attenuations* of Devin's — they can only narrow scope, never widen it — giving a cryptographic authority chain across the entire agent tree.
+6. **Standards-conformant, independently verifiable evidence.** Receipts emit SCITT/COSE statements and a C2SP transparency-log format that an **independent** verifier (re-implemented from the specs, not our code) accepts — so the evidence plugs into the supply-chain and transparency tooling enterprises already run.
+
+### Proposed, Cognition-tailored (roadmap — technical plans in Section 3)
+
+- **Injection detection via behavioral anomaly.** Today we *contain* an injected Devin; we don't *detect* the injection. A learned model of normal Devin behavior flags the statistical signature of an injection in the action sequence — turning "block the out-of-scope action" into "Devin was compromised, here is the evidence."
+- **Memory-state commitment (sleeper-agent defense).** Commit a hash of Devin's full memory state (Wiki index, task context, observations) at each step and prove memory changed only via legitimate operations — closing the gap where poisoned memory yields legitimate-looking actions taken against a corrupted internal model.
+- **Attestation chains through the CI/CD pipeline.** Devin's signed action attestation propagates through build → test → scan → deploy; a commit without a valid agent attestation stops the pipeline, extending the integrity chain from the original human authorization all the way to production.
+- **Adversarial task-decomposition verification.** The human's original task is signed; every subtask Devin generates for a sub-agent is verified to be a semantic decomposition of that signed intent — so even a poisoned Devin cannot redirect sub-agents toward objectives the human never authorized.
+
+## Section 2 — Built today, in depth
+
+**Pre-action authorization + capability tokens.** The policy engine (`agentauth/receipts/`) evaluates each `ActionDescriptor` against a committed policy and the action's capability token before the wrapper lets it execute; in `bounded_auto` mode a violation forces an abstain output. Capabilities are Biscuit tokens (`agentauth/backend/capabilities.py`) with offline verification and request-bound proof-of-possession, so authorization is enforced at the edge without a callback to a central server. For Devin this is the difference between "an injected agent can do anything Devin can" and "an injected agent is confined to the files, tools, and network the task authorized."
+
+**Verifiable receipts + Merkle audit log.** `AgentWrapper` records a `DecisionResult` and builds an `ExecutionProof` that binds the output, the execution context, the policy commitment, and the attested identity; receipts are appended to an RFC 6962 hash-chained log (`agentauth/receipts/audit.py`) with inclusion/consistency proofs and witness co-signing for anti-equivocation. The adversarial soundness benchmark (`benchmarks/soundness.py`) is our empirical proof this holds: it mutates every field of every receipt and measures the *false-accept rate* (a tampered receipt the verifier wrongly accepts) against a ladder of real alternatives — plain logging (accepts ~100%), signing just the output (~93%), a hash-chained audit log (~90%), a signed-receipt-core design (~67%), and AgentAuth (~0), with a 95% confidence bound and the residual misses enumerated.
+
+**Attested identity, bound into every receipt.** `auth.identify(...)` issues an attested, short-lived JWT-SVID (Ed25519) whose `sub` is the agent's SPIFFE ID; `session.wrap()` turns that credential into an `AuthorityBinding` that every receipt carries, and `verify_receipt_bundle` re-checks the signed credential and binds its `sub`/`iss`/`cnf` to the receipt's authority block (`agentauth/receipts/identity_evidence.py`). Swapping the credential, the SPIFFE ID, or the bound key on a receipt fails verification.
+
+**Privacy-preserving ZK + composed proofs.** A Halo2 policy circuit proves a decision satisfied a numeric/structural policy; an EZKL or RISC0/SP1 zkVM circuit attests the inference step; the two compose into one proof (`crates/`), with a confidential variant that proves a range over a *hidden* score. The verifier learns "the policy held" without learning the inputs — so an enterprise can require compliance proof on every Devin action without surrendering its codebase to the verifier. Measured prove/verify latency and tamper-resistance per backend live in `scripts/prove_tier_matrix.py`.
+
+**Delegation, standards, and interop.** Biscuit attenuation gives monotonic capability narrowing for sub-agents; receipts also serialize to SCITT/COSE signed statements and a C2SP tlog-tiles transparency log, validated by an independent verifier in `python/tests/test_interop_conformance.py`. This is what lets the evidence flow into in-toto/SLSA/Sigstore-style supply-chain tooling rather than living in a proprietary silo.
+
+## Section 3 — Technical implementation plans (proposed)
+
+### 3.1 Injection detection via behavioral anomaly (the "detect, don't just contain" layer)
+
+**Gap.** Capability tokens and pre-action authorization limit the *blast radius* of a prompt injection delivered through repository content (a malicious issue, comment, or file Devin reads). If injected Devin tries to act outside scope, it is blocked. But the system never says *"Devin was compromised"* — it cannot tell an injection apart from a task that legitimately needs something unusual.
+
+**Design.** Add an L2.5 anomaly signal on the action stream the wrapper already intercepts.
+- **Features per action:** action type, tool, requested resource vs authorized scope, position in the sequence, embedding distance from the signed task description, capability-usage delta, inter-action timing, output schema conformance.
+- **Model:** train a sequence anomaly detector (autoencoder or small transformer over action embeddings; isolation-forest baseline) on *legitimate* agent trajectories. We already ingest real trajectory corpora — ATIF MCP trajectories and ~80k SWE-agent sessions — as a cold-start training set; for Devin specifically the model is fine-tuned on Cognition's own legitimate-run telemetry.
+- **Integration:** the wrapper computes an anomaly score per step, attaches it plus a commitment to the model version (hash of weights) into the receipt, and the policy can gate on it (escalate / abstain / require human approval). When the capability layer blocks, the receipt now also carries the *why*: "anomaly 0.94 — accessed `/etc` outside scope, sequence break immediately after reading untrusted issue #214."
+- **Verifiability:** committing the model hash and the input feature vector makes the score reproducible and auditable; an EZKL proof that `score = model(features)` for the committed model makes the *detection itself* tamper-evident.
+
+**Honest limits.** Anomaly detection is probabilistic — it has false positives and negatives and is a *signal layered on* the deterministic capability containment, not a replacement for it. It needs representative normal-behavior data, which is a co-build with Cognition. This is the productionization of the adaptive-reliability-layer (ARL) work as an attested receipt signal.
+
+### 3.2 Memory-state commitment + ZK transition proofs (sleeper-agent defense)
+
+**Gap.** The Merkle log records what Devin *did*, step by step. But if Devin's persistent memory — its accumulated beliefs about authorized scope, vendor relationships, and security policy — is poisoned through injected content, the log shows legitimate-looking actions taken against a corrupted internal model. There is a commitment to the *actions*, none to the *memory state*.
+
+**Design.**
+- **Define Devin's persistent state concretely** and instrument each component: the Devin Wiki index (content-addressed → a Merkle snapshot), conversation/task context, the tool-observation log, and derived "beliefs" (authorized scope, relationship facts, policy).
+- **Commit it:** at step *t*, compute `memory_root_t` over those components and include it in each receipt and audit entry alongside `context_hash`. The audit chain already commits actions per step; this adds a parallel commitment of belief state.
+- **Prove legitimate transitions:** define an allowed transition function `δ(memory_t, op_t) → memory_{t+1}` over operations like `append_observation(authorized_source)` or `apply_authorized_wiki_update`. A ZK circuit (reusing the session-folding proof we use for multi-step) proves `memory_root_{t+1} = δ(memory_root_t, op_t)` for an allowed, authorized op. Memory that diverges with no corresponding legitimate operation fails the proof — the poisoning is cryptographically visible.
+
+**Honest limits.** "Agent memory" is fuzzy in current LLM architectures; the hard part is *defining and instrumenting* persistent state per Devin component, which requires Devin-internal access — a genuine co-build, not a drop-in. The transition circuit is non-trivial. This is the most research-forward of the four and the one we'd scope jointly. We name it because the sleeper-agent scenario is the one currently terrifying enterprise security teams, and it is the only mechanism here that commits to the agent's *beliefs*, not just its actions.
+
+### 3.3 AI action attestation chains through the CI/CD pipeline (our recommended first build)
+
+**Gap.** Devin's security model treats "push a commit" as a terminal action. But a commit *begins* a chain — CI, tests, scanners, deployment — that all run because Devin acted. After the push there is no cryptographic link between "Devin was authorized to make this change" and "this deployment is running because Devin made it." The integrity chain breaks at the Devin boundary.
+
+**Design.**
+- **Emit the push as an attestation.** When Devin pushes, it produces a receipt over the `git push` action: output = the commit hash; bound to the Devin instance's SPIFFE identity, the human principal's signed authorization (an AP2-style mandate), the capability token, and a ZK proof that the execution stayed in scope. We map this receipt to an **in-toto attestation + SLSA provenance predicate**, signed via Sigstore/cosign and logged to the C2SP/Rekor transparency log — so it rides the supply-chain standards GitHub and enterprises already adopt rather than inventing a silo.
+- **Gate the pipeline.** A GitHub Action / CI step fetches the attestation for the commit SHA and verifies: (a) the agent signature and attested identity, (b) the ZK proof of policy-compliant execution, (c) the human authorization chain (mandate → Devin), (d) inclusion in the transparency log. No valid agent attestation ⇒ the pipeline **fails closed**.
+- **Propagate the chain.** Each downstream stage (build, test, scan, deploy) emits its own in-toto attestation referencing the upstream artifact, producing an unbroken layout from human authorization → Devin → CI → deploy. The deploy gate verifies the *whole* chain; code that passed through any unauthorized hand — human or AI — is flagged before production.
+
+**Honest limits.** It needs integration points in the customer's CI/CD (a verification Action and a deploy gate), and the per-commit proof has to fit a CI latency budget — so the push attestation uses the fast policy-tier proof, not full composed inference.
+
+**Why we'd build this first.** It is the smallest extension of what we already emit (a receipt *is* an attestation), it is concretely demoable (an Action that blocks an unattested commit), and it rides a strong standards tailwind (SLSA/in-toto/Sigstore plus the regulatory push on AI-generated-code provenance). Commercially it is the sharpest reframe for Cognition: Devin stops being "an AI that produces commits your security team must review" and becomes "an AI whose output is cryptographically guaranteed in-scope all the way through deployment" — trust infrastructure, not an audit tool.
+
+### 3.4 Adversarial task-decomposition verification
+
+**Gap.** When Devin decomposes a task into subtasks for sub-agents, there are no security properties on the decomposition. A poisoned memory state could cause Devin to generate subtask descriptions that subtly redirect sub-agents toward unauthorized objectives, with nothing to catch it.
+
+**Design.** Two layers, one cryptographic and one semantic.
+- **Cryptographic floor (have today):** the human's original task is signed as a mandate; each subtask's capability token must be a Biscuit *attenuation* of the original — it cannot add scope. This is already sound and enforced offline.
+- **Semantic filter (new):** embed the signed original task and each generated subtask, and verify *entailment* — the subtask must be derivable from the original without introducing new objectives (an NLI model, or an LLM-judge run under a committed prompt). A subtask that is not semantically entailed by the signed original is **blocked before assignment**. Bind the signed original, the per-subtask verdicts, and the judge/model commitment into the receipt.
+- **Effect:** if Devin's memory has been poisoned to also "update the deployment configuration while fixing the bug," the subtask `update the deployment configuration` fails entailment against the signed `fix the authentication bug` — the human never authorized configuration changes — and never reaches a sub-agent.
+
+**Honest limits.** Semantic entailment is probabilistic — embeddings / NLI / LLM-judge can err — so it is a strong filter, not a proof. The cryptographic guarantee is the capability attenuation plus the binding of signed intent and verdict; the entailment layer catches drift *within* the capability scope. The two together defeat the sleeper-agent attack at the decomposition boundary: even a corrupted internal state must produce output that passes verification against the uncorrupted, human-signed original intent before any sub-agent acts.
+
+---
+
+## Layered repo
+
+This repository now carries multiple layers of the stack:
+
+- `L1` identity and attestation foundations in [`agentauth/identity/`](agentauth/identity) + [`agentauth/backend/`](agentauth/backend), with SPIRE/SPIFFE deployment notes in [`identity/`](identity/identity.md)
+- `L2` capability-token and delegation primitives in the same identity backend + SDK
+- `L3/L4` decision, receipt, verifier, audit, and proof infrastructure in [`agentauth/receipts/`](agentauth/receipts), [`crates/`](crates), and [`docs/`](docs)
+
+All three are one installable package (`agentauth`); see [Repository layout](#repository-layout).
+
+The current architectural seam between the upper and lower layers is documented in [docs/l1_l3l4_boundary.md](docs/l1_l3l4_boundary.md).
+
+## Design partners (v0.2.1)
+
+**[Design partner guide](docs/design_partner.md)** · **[Deployment](docs/deployment.md)** · **[Runbook](docs/partner_runbook.md)** · **[Open standard strategy](docs/open_standard_strategy.md)** · **[Landscape research](docs/landscape_research.md)** · **[Release pinning](RELEASE.md)**
+
+```bash
+git checkout v0.2.1
+bash scripts/partner_preflight.sh
+bash scripts/bootstrap.sh
+cp config/partner.example.yaml config/partner.yaml
+python3 examples/partner_pilot.py
+arctl verify-bundle receipts/<proof-id>.json
+arctl explain receipts/<proof-id>.json
+arctl audit-summary receipts/<proof-id>.json
+arctl replay-check receipts/<id>.json --policy policies/fraud_decision.yaml
+```
+
+HTTP verifier for compliance:
+
+```bash
+arctl serve
+curl -s -X POST http://localhost:8787/v1/verify -H 'Content-Type: application/json' -d @receipts/<id>.json
+```
+
+## Quick start
+
+```bash
+pip install -e ".[dev]"
+python examples/shadow_fraud_agent.py
+```
+
+```bash
+cargo test
+```
+
+## Repository layout
+
+One installable distribution (`agentauth`), one import namespace:
+
+```text
+agent-receipts/
+├── agentauth/                   # the unified Python package
+│   ├── identity/                #   L1/L2 SDK: client, session, models, errors
+│   ├── backend/                 #   FastAPI service: identity router + receipt verifier
+│   └── receipts/                #   L3/L4 runtime: policy, decision, proofs, audit, verifier
+├── crates/agent-receipts-*/     # Rust proof, audit, and verifier core
+├── identity/                    # SPIFFE/SPIRE and attestation deployment notes
+├── dashboard/                   # React/TypeScript SPA
+├── backend/tests, sdk/python/tests, python/tests   # the unified test suite
+├── docs/                        # Architecture, trust model, policy language
+├── examples/                    # Runnable demos
+└── policies/                    # Example policy YAML files
+```
+
+## Developer interface
+
+One import spans both layers. Attest an identity, then receipt everything it does — each receipt is bound to the verified identity:
+
+```python
+from agentauth import AgentAuth, Policy
+
+auth = AgentAuth(api_key="aa_...", dev_attestation=True)  # localhost demos/tests
+agent = auth.identify(agent_type="researcher", owner="alice@acme.ai",
+                      scopes=["db:read"])           # L1/L2 — attested identity
+
+receipted = agent.wrap(your_model,
+                       policy=Policy.from_yaml("policies/fraud_decision.yaml"),
+                       mode="shadow")                # L3/L4 — receipted, bound to identity
+result = receipted.run({"transaction_id": "tx-1", "amount": 420.0})
+print(result.output, result.decision.outcome)
+```
+
+The receipts runtime also works standalone (no identity), and the identity SDK
+works standalone (no receipts) — `agentauth.identity` and `agentauth.receipts`
+remain importable directly.
+
+## AgentAuth identity service
+
+The integrated L1/L2 identity service issues short-lived, attested agent credentials and optional capability grants. The same backend (`uvicorn agentauth.backend.main:app`) also verifies receipt bundles at `POST /v1/verify`.
+
+- Architecture note: [identity/identity.md](identity/identity.md)
+- L1→L3/L4 seam: [docs/l1_l3l4_boundary.md](docs/l1_l3l4_boundary.md)
+
+## Proof paths
+
+| Path | Inference attestation | Policy attestation | Use case |
+|------|----------------------|-------------------|----------|
+| **Full ZK** | EZKL / zkPyTorch circuit | Halo2 policy circuit | Small models (fraud heads, classifiers) |
+| **TEE hybrid** | Intel TDX / NVIDIA CC quote | ZK policy circuit on attested output | LLM-scale |
+
+## Operating modes
+
+| Mode | Behavior |
+|------|----------|
+| `shadow` | Policy check + audit chain; no ZK latency |
+| `recommend` | Same as shadow; suggests abstain on violation |
+| `bounded_auto` | Forces abstain output on violation |
+| `prove` | Generates Halo2 policy proof via Rust CLI |
+
+## Status
+
+Implemented:
+
+- Core data types + hash-chained audit log (SQLite)
+- Python `AgentWrapper` (`shadow` / `recommend` / `bounded_auto` / `prove`)
+- Halo2 policy-range circuit
+- `agent-receipts` CLI: `setup`, `prove-policy`, `verify-policy`
+- MCP receipting and live transports
+- EZKL + composition path
+- AgentAuth identity service, attestation flow, and capability-token prototype
+
+Not yet implemented or still hardening:
+
+- Final L1/L2 to L3/L4 semantic unification
+- ZK inference circuit and recursive composition
+- TEE quote verification hardening
+- Remaining security backlog items in [docs/security_issues_backlog.md](docs/security_issues_backlog.md)
+
+See [docs/architecture.md](docs/architecture.md), [docs/open_standard_strategy.md](docs/open_standard_strategy.md), [docs/landscape_research.md](docs/landscape_research.md), and [docs/roadmap.md](docs/roadmap.md).
+
+## License
+
+MIT — see [LICENSE](LICENSE).