Context
Demo-03 shows offline TRACE verification — the session-level signed record verifiable with only the issuer public key, no server needed. This is the right portability property.
The gap demo-03 doesn't show yet: per-action evidence below the session level. The TRACE record proves the session ran with the right policy. It doesn't prove each individual tool call within the session stayed within the authorized scope.
The composition
TRACE record (session level) — what demo-03 already verifies
└── Nobulex receipt (action level) — per tool call, same offline-verifiable property
action_ref = SHA-256(JCS({agent_id, action_type, scope, timestamp_ms}))
Ed25519 signature, verifiable with only signer_public_key
hash-chained across the session
A verifier with the TRACE record + the per-action receipts can answer:
- Was the session policy-compliant? (TRACE, already in demo-03)
- Did each tool call within the session stay within authorized scope? (Nobulex receipts)
Proposed addition to demo-03
After verify.py confirms the TRACE record, add a second step that loads the per-action receipt chain and verifies each receipt against the agent's public key. Same offline-verifiable property, one level deeper.
from nobulex import Agent, Receipt
# Load receipt chain from the demo-01 workspace
receipts = Receipt.load_chain('workspace/receipts.json')
for r in receipts:
assert r.verify(), f'Receipt {r.action_ref} failed verification'
print(f' action_ref: {r.action_ref} — {r.terminal_state}')Why this matters for the Summit narrative
The Summit framing is 'software enforcement cannot prove itself to someone who does not trust the operator.' Per-action receipts extend that to: 'even within a TEE-attested session, individual tool calls are independently provable.' TRACE + Nobulex = session proof + action proof.
I can implement this and open a PR if it fits the demo scope. pip install nobulex — the receipt chain format is documented in agentrust-io/integrations#6.
Context
Demo-03 shows offline TRACE verification — the session-level signed record verifiable with only the issuer public key, no server needed. This is the right portability property.
The gap demo-03 doesn't show yet: per-action evidence below the session level. The TRACE record proves the session ran with the right policy. It doesn't prove each individual tool call within the session stayed within the authorized scope.
The composition
A verifier with the TRACE record + the per-action receipts can answer:
Proposed addition to demo-03
After
verify.pyconfirms the TRACE record, add a second step that loads the per-action receipt chain and verifies each receipt against the agent's public key. Same offline-verifiable property, one level deeper.Why this matters for the Summit narrative
The Summit framing is 'software enforcement cannot prove itself to someone who does not trust the operator.' Per-action receipts extend that to: 'even within a TEE-attested session, individual tool calls are independently provable.' TRACE + Nobulex = session proof + action proof.
I can implement this and open a PR if it fits the demo scope.
pip install nobulex— the receipt chain format is documented in agentrust-io/integrations#6.