Proving What Your AI Agent Did: Introducing Traceseal

Ventse — Thu, 16 Apr 2026 14:01:09 +0000

Every AI agent framework can make agents do things. None of them
can prove what the agent did.

When a client asks "was your AI agent running authorized code when
it published that article?" the answer today is "trust me." When a
regulator asks "what capabilities did the automated system have?"
the answer is "trust me." When something goes wrong and someone
asks "what exactly happened?" the answer is still "trust me."

We built Traceseal to replace "trust me" with math.

What Traceseal does

Traceseal produces an Execution Receipt — a signed JSON document
that proves:

What code ran (manifest hash over every source file)
Who authorized it (publisher's ed25519 signature)
What sandbox it ran in (hash of the kernel-namespace configuration)
What it produced (SHA-256 of inputs and outputs)
Who vouches for it (operator's ed25519 signature over all of the above)

A third party verifies the receipt with one command:

pip install traceseal-verify
traceseal-verify receipt.json

[OK] receipt.json
  skill:     agentmail v1.2.0
  operator:  ed25519:f19bc125...
  publisher: ed25519:a07c7eb5...

No access to the operator's machine. No trust assumptions. Just math.

What we built

8 weeks. 217 tests. 27-entry audit chain on real Debian 13 hardware.
Three signed production skills with verified receipts:

A multi-entry-point skill bundle — signed, sandboxed with
kernel-namespace isolation, receipt verified by a third party. 116ms.
A real production skill with SDK dependencies — the agentmail
SDK was mounted read-only into the sandbox. The execution failed
(bad API key) and the receipt honestly records the failure.
The system doesn't hide bad outcomes — it seals them.
A web scraping skill — signed, sandboxed, 47ms, receipt verified.

The full pipeline — sign, sandbox, execute, receipt, verify — runs
in under 200ms.

Why this matters

AI agents are moving from demos to production. When they get there,
someone will ask for proof. Proof that the code was authorized.
Proof that the sandbox was real. Proof that the outputs weren't
tampered with. Proof that a third party can check independently.

Every other trust system in the AI agent space offers dashboards,
not proofs. They log what happened. We seal it. The difference:
a log says "the operator claims this happened." A receipt says
"anyone can independently verify this happened."

Open spec, open verifier

The Execution Receipt Specification is Apache 2.0:
→ RECEIPT-SPEC.md

The standalone verifier is Apache 2.0:
→ pip install traceseal-verify
→ GitHub

The transparency log is live:
→ log.traceseal.io

Anyone can verify receipts. Anyone can implement the spec.
The hard part — signing, sandboxing, audit logging, the full stack
that generates receipts worth verifying — is Traceseal.

What's next

Traceseal currently produces receipts for skill execution. We're
extending the receipt format to cover:

Model call receipts — prove which model processed your data
Orchestration receipts — prove a multi-step workflow executed in order with declared inputs at each step
Data flow receipts — prove what data was sent where

Same format. Same verifier. Same transparency log.

The goal: a cryptographic audit trail for every action your AI agent
takes, verifiable by anyone, without trusting the operator's machine.