Action-time proof and delegation verification for MCP agents
Project description
AgentLedger
Your agent executed a tool. AgentLedger records — tamper-evidently — which action ran, on whose authority, and whether it stayed within the delegation it was given.
pip install agentledger-llm
What this is and isn't. AgentLedger is an audit layer, not an enforcement layer. By default a tool call that violates its receipt is recorded as a proof and still runs — it is not blocked. Hash-chaining makes the log tamper-evident; it does not prove an action was authorized at execution time by a cryptographically verified identity. See Security note.
The problem
OAuth tells you who authenticated. It doesn't tell you which specific action was authorized, by whom, through what delegation, with what record.
AgentLedger fills that gap — it records the delegation intent and an attributable, tamper-evident proof of each tool call against it.
20-second quickstart
import asyncio
from agentledger import Ledger
ledger = Ledger()
receipt = ledger.issue_receipt(
principal="user:daniel",
agent="agent:financial-assistant",
permitted_tools=["get_exchange_rates"],
permitted_scopes=["read:rates"],
expires_in=3600,
)
@ledger.record(receipt=receipt)
async def get_exchange_rates(params, context=None):
return {"base": "USD", "GBP": 0.79, "EUR": 0.92}
async def main():
await get_exchange_rates({"base": "USD"})
ledger.report()
ledger.verify(ledger.last().proof_id).print()
asyncio.run(main())
Want violations to block instead of just record? Opt in:
@ledger.record(receipt=receipt, on_violation="raise") # "record" (default) | "warn" | "raise"
async def delete_alert(params, context=None):
...
The three-layer model
AgentLedger sits after authentication, not instead of it:
| Layer | Standard | What it does |
|---|---|---|
| Authentication | OAuth 2.1 | Who are you? |
| Workload identity | WIMSE WPT + SPIFFE/SPIRE | Which agent are you? |
| Action proof | AgentLedger | What did you do, recorded against whom? |
What it records
For every tool call:
- Which tool was called, by which agent, for which principal
- Whether the call was within the delegation receipt
- Any scope violations — each with an explanation and a remediation
- A hash-chained, tamper-evident proof record
- Latency and error state
What it does NOT do
AgentLedger v1 explicitly does not:
- Replace OAuth or any identity provider
- Enforce authorization by default (it records; opt in with
on_violation="raise") - Provide mid-chain revocation (v3 — see roadmap)
- Handle multi-hop delegation chains (v3)
- Bind agent identity cryptographically (v2 — SPIFFE/SPIRE + signed receipts)
- Provide enterprise compliance (SOC 2, legal)
- Compete with Prefactor (enterprise) or KYA-OS (DID-based)
See docs/roadmap.md for v2/v3 scope and entry criteria.
vs alternatives
| Tool | Open source | pip install | Action record | WIMSE-aligned | Developer-first |
|---|---|---|---|---|---|
| AgentLedger | ✅ | ✅ | ✅ | ✅ | ✅ |
| Prefactor | ❌ | ❌ | ✅ | ✅ | ❌ (enterprise) |
| KYA-OS | ✅ | ✅ | ✅ | ✅ | ⚠️ (DID-heavy) |
| FinMCP inline | ✅ | N/A | ✅ | ❌ | ✅ (one server) |
CLI
| Command | What it does | Exit code |
|---|---|---|
agentledger init |
Scaffold agentledger.yaml + working agent_example.py |
0 |
agentledger report [--log PATH] [--format terminal|html] |
Summarize the proof log | 0 always (informational) |
agentledger verify <proof_id> [--log PATH] |
Verdict for one proof | 1 if violations recorded |
agentledger chain [--log PATH] |
Verify hash-chain integrity | 1 if tampered |
TraceForge integration
If agentrace-llm is installed,
AgentLedger automatically attaches proof metadata (agentledger.proof_id,
agentledger.tool, agentledger.within_delegation, …) to the active TraceForge
span. If it isn't installed, enrichment is a silent no-op (a one-time warning
makes the no-op discoverable). Zero configuration required.
pip install "agentledger-llm[traceforge]"
Security note
Hash-chain integrity proves the proof log has not been tampered with after recording — and only while the log is read-only or externally anchored; an attacker with write access to the log can rewrite the whole chain. It does not prove actions were authorized at execution time by a cryptographically verified agent identity. Input/output digests are tamper-evidence, not confidentiality — low-entropy inputs can be recovered by guessing, so treat proof logs as sensitive. For cryptographic identity binding you need SPIFFE/SPIRE + AgentLedger v2. See docs/wimse-alignment.md.
Built by
Daniel Blanco · danblanco.dev · hello@danblanco.dev · Apache-2.0
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file agentledger_llm-0.1.0.tar.gz.
File metadata
- Download URL: agentledger_llm-0.1.0.tar.gz
- Upload date:
- Size: 23.9 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
994034b8c8d47f00c3329445f191a8c886e893657b0bf3fa040aa6aea171b7dd
|
|
| MD5 |
85f4bfd8b0911ad08c73db96e3cf064b
|
|
| BLAKE2b-256 |
446f3035762100163def57bc973d62a43896d5d4746a7d0f96ee0c4f446a6bbf
|
Provenance
The following attestation bundles were made for agentledger_llm-0.1.0.tar.gz:
Publisher:
release.yml on Danultimate/Agent-Ledger
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
agentledger_llm-0.1.0.tar.gz -
Subject digest:
994034b8c8d47f00c3329445f191a8c886e893657b0bf3fa040aa6aea171b7dd - Sigstore transparency entry: 1754763949
- Sigstore integration time:
-
Permalink:
Danultimate/Agent-Ledger@31bd806b2cc96ed48fda7b8973ea3b37dc7e298e -
Branch / Tag:
refs/heads/main - Owner: https://github.com/Danultimate
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@31bd806b2cc96ed48fda7b8973ea3b37dc7e298e -
Trigger Event:
workflow_dispatch
-
Statement type:
File details
Details for the file agentledger_llm-0.1.0-py3-none-any.whl.
File metadata
- Download URL: agentledger_llm-0.1.0-py3-none-any.whl
- Upload date:
- Size: 23.0 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e5c2a99812336c8b2c819d0329fa5503473c767a5cf83cee5c8e3899ae8cca78
|
|
| MD5 |
4503195e6b3bf7d9e67e38ad67bddd88
|
|
| BLAKE2b-256 |
615ff5a657ac798144e80b10b718618797a0253b68c93f122e8b19313615967d
|
Provenance
The following attestation bundles were made for agentledger_llm-0.1.0-py3-none-any.whl:
Publisher:
release.yml on Danultimate/Agent-Ledger
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
agentledger_llm-0.1.0-py3-none-any.whl -
Subject digest:
e5c2a99812336c8b2c819d0329fa5503473c767a5cf83cee5c8e3899ae8cca78 - Sigstore transparency entry: 1754763969
- Sigstore integration time:
-
Permalink:
Danultimate/Agent-Ledger@31bd806b2cc96ed48fda7b8973ea3b37dc7e298e -
Branch / Tag:
refs/heads/main - Owner: https://github.com/Danultimate
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
release.yml@31bd806b2cc96ed48fda7b8973ea3b37dc7e298e -
Trigger Event:
workflow_dispatch
-
Statement type:
