Signed Audit Trail

When the auditor asks,
you have receipts

Every action your agents take produces a cryptographically signed receipt, chained to the one before it. Not logs you hope are complete — evidence anyone can verify independently.

Receipts

Every action, signed the moment it happens

Allowed, denied, or held for approval — each decision is captured as an Ed25519-signed receipt recording the agent, the action, the policy verdict, and the cost. Signed at decision time, not reconstructed later.

Actor, action, tool, cost, verdict, and signature — captured in every single receipt

Signed by the enforcement point at decision time, so the record cannot be quietly rewritten

Query the trail by agent, tool, policy, or time window — answers in seconds, not a log-diving sprint

Example decisions
A
Atlas Research
Stripe · charge $247
ALLOW
F
Forge CI
GitHub · push to main
DENY
M
Meridian Bot
SendGrid · send 1,200 emails
PENDING
Q
Quanta Agent
AWS · provision m5.2xlarge
PENDING
#482,191allowed
stripe.refund · $180.00
sha256 c41d09…88f2 · ed25519 signed
prev c41d09…88f2
#482,192allowed
db.write · orders.refunds
sha256 e07b3a…12cd · ed25519 signed
prev e07b3a…12cd
#482,193approved
email.send · order update
sha256 a91e7c…f2d0 · ed25519 signed
chain verified · 482,193 receipts · 0 breaks
Tamper evidence

A chain that tells on tampering

Each receipt carries the hash of its predecessor. Edit, delete, or reorder any one of them and every receipt after it fails verification — gaps and rewrites become mathematically self-evident.

Hash-chained history — a broken link is proof of tampering, not a debate about log integrity

Verification uses public keys only, so auditors never have to take govern.sh at its word

Export as signed JSON with the keys to verify it — your evidence stays valid even if you leave

Compliance

Evidence your auditors already know how to read

Stop assembling screenshots the week before the audit. Receipts export in the shape your framework expects, with the cryptography to back them up.

SOC 2 exports

Receipts mapped to the control language SOC 2 Type II auditors expect — exported in one click, not one quarter.

HIPAA-ready trails

Per-action accounting for systems that touch PHI, with retention policies that match your compliance posture.

PCI evidence

Prove exactly which agent touched a payment flow, under which policy, with what outcome — down to the cent.

Independent verification

Open verification tooling lets auditors re-run the math themselves, offline, with nothing but public keys.

SIEM streaming

Stream receipts to Datadog, Splunk, or S3 as they sign — the audit trail lives wherever your team already looks.

Custom retention

Keep receipts hot for a year or archived for a decade. Chain verification works the same either way.

Stop reconstructing. Start proving.

Your first signed receipt lands minutes after your first agent acts. Free for your first three agents — 10K receipts a month included.