Nolixan

Signed receipts

Offline-verifiable, Ed25519-signed receipts that prove what an agent did, on whose authority, under which policy — without trusting Nolixan.

Every governed action and every redaction produces a receipt: a signed, tamper-evident record you can verify offline, with no call back to Nolixan. This is the provability layer — hand an auditor a receipt and a public key and they can confirm exactly what happened.

What's in a receipt

A receipt commits to the action's identity and decision and binds it into a tamper-evident structure:

  • Ed25519 signature over the RFC 8785 JCS canonical form of the payload.
  • signer_public_key — the environment's signing key (hex).
  • A Merkle inclusion proof (merkle_leaf_hash, merkle_proof, merkle_tree_root) tying the action into the audit batch.
  • Action metadata: provider, action, decision, identity hashes, timestamps — never raw arguments or PII (arguments are SHA-256 hashed; sensitive content is redacted first).

Signing requires RECEIPT_SIGNING_KEY to be set (see Deployment); without it, receipts are returned unsigned.

Get a receipt

A governed action's receipt is returned on the approval/execution record:

curl https://your-host/api/v1/governance/approvals/{approval_id} \
  -H "Authorization: Bearer <JWT>" -H "Environment-Id: 1"
# → response includes a "receipt" object

The public verify page also accepts a pasted receipt and checks it in the browser.

Verify offline

Save the receipt object to a file and run the standalone verifier — it has no network dependency:

python scripts/verify_receipt.py receipt.json
# checks: Ed25519 signature over JCS payload + Merkle inclusion (leaf → root)
# exit 0 = valid, exit 1 = tampered/invalid
 
# also accepts stdin and an optional transparency-log witness key:
cat receipt.json | python scripts/verify_receipt.py -
python scripts/verify_receipt.py receipt.json --witness-pubkey <hex>

Redaction receipts

Data redaction emits its own counts-only chain (class, count, action, ruleset version, boundary — no values). Export and verify it the same way:

curl -s "https://your-host/api/v1/redaction/receipts?environment_id=1" \
  -H "Authorization: Bearer <JWT>" > redaction-export.json
python scripts/verify_redaction.py redaction-export.json

Why offline verification matters

  • Trust nothing. A regulator or counterparty verifies with the public key alone — they don't have to trust (or even reach) Nolixan.
  • Tamper-evident. Any edit to a recorded action breaks the hash chain and the signature.
  • Portable. Receipts export as CSV/JSON, CloudEvents, or in-toto/SLSA provenance. See Audit log and Compliance.

On this page