Live on npm · v0.6.0 · Apache-2.0

Cryptographic evidence
for enterprise AI.

Every AI invocation produces a signed, hash-chained, tamper-evident receipt. Auditors, regulators, and insurers verify it independently with only the public key — no platform dependency.

npm install @askledger/receipts-sdk View on npm →
5 language SDKs 280 tests passing 66/66 hardening controls 5 regulators · pre-mapped RFC 9162 transparency log
< 2 ms
Sign + safety + cite
100%
Tampers detected · 200-mutation fuzz
A+
Public Receipt Score · embeddable
0
Calls to Project Ledger to verify
Why now

The frameworks tell you what to do. The infrastructure to do it cryptographically did not exist — until now.

EU AI Act, UAE CBUAE Federal Decree-Law No. 6, SAMA, NIST AI RMF, ISO 42001, SR 26-2, PRA SS1/23, RBI FREE-AI — all demand evidence of what AI did, by whom, under what policy. Most enterprises fall back to spreadsheets and self-attestation. Then the regulator asks for proof.

UAE · CBUAE

Sep 16, 2026 · AED 1 B fines

Federal Decree-Law No. 6 of 2025 transitional deadline. Every UAE bank needs cryptographic AI evidence within weeks.

EU · AI Act

Aug 2, 2026 · High-risk obligations

Annex IV technical documentation becomes mandatory for high-risk AI systems. Audit-grade evidence required.

KSA · SAMA + Vision 2030

$9.1 B AI investment · $20 B+ committed

Saudi 2026 Year of AI. The largest concentrated buying wave in MENA history; every Tier-1 bank in scope.

How it works

Three primitives. Mathematical guarantees.

Wire-format compatible across five languages. Independent verifier ships with every SDK. No magic.

01

Canonical hashing

RFC 8785 (JCS) gives every receipt a single deterministic byte representation. SHA-256 of those bytes is the receipt_hash. Any TypeScript, Python, Go, Rust, or Java client produces the same hash for the same input — proven by shared conformance vectors.

02

Per-tenant hash chain

Every receipt's previous_receipt_hash binds it to the one before. Modify any historical receipt and every subsequent receipt's verification breaks. Periodic Merkle root commits to a transparency log make truncation detectable too.

03

HSM-backed signatures

Ed25519 over the canonical bytes. Private key never leaves the HSM (AWS KMS, Azure Key Vault Managed HSM, GCP KMS, or PKCS#11 — Thales, Entrust, CloudHSM). Optional RFC 3161 timestamps tie each signature to absolute time.

+ Cost discipline + ESG + insurance — v0.7

Every receipt now carries cost (USD), carbon (g CO₂e), and a cascade-savings ledger. Built-in modules: model-fit score, dedup cache, budget guard, recommendations engine, insurance underwriting bundle, MRM workpaper exporter, public benchmark scoring. 8 of 13 pillars shipping in code.

// v0.7 · one import. Every Anthropic + OpenAI call in this process // becomes a signed receipt. No other line of your code changes. import { installReceipts } from "@askledger/receipts-sdk/vendor-kit"; installReceipts({ tenantId: "acme" }); // Prefer the manual path? Same as before. import { wrapOpenAI, generateKeyPair } from "@askledger/receipts-sdk"; const client = wrapOpenAI(new OpenAI({ apiKey }), { tenantId: "acme", keypair: generateKeyPair() });
The stack

Built like the platforms it sits next to.

Open-core. Five language SDKs. Vendor-neutral HSM. Real workflows. Zero Trust ready.

5 SDKs · wire-format conformant · CL1/CL2/CL3 conformance suite

TypeScript@askledger/receipts-sdk
Pythonaskledger-receipts
Goreceipts-sdk-go
Rustaskledger-receipts
Javaio.askledger:receipts-sdk

9 native integrations · IDE · agents · gateways · one install per surface

Cursor@askledger/cursor-receipts
Claude Code@askledger/claude-code-skill
OpenAI proxy@askledger/openai-proxy · Aider · Cline · Windsurf · Codeium · Cody · Zed · Tabnine
LiteLLMupstream callback · PR-ready
LangChain · LangGraphReceiptsCallbackHandler
Vercel AI SDK · Mastra · LlamaIndexnative middleware
AutoGen · CrewAI · Pydantic AI · smolagentsaskledger-agents (PyPI)
Portkey · Cloudflare · Konggateway-native plug-ins
Chrome extensionMV3 · managed-policy identity binding

11 AI vendors · receipts emitted natively

OpenAI
Anthropic
Azure
Bedrock
Gemini
Cohere
HF
Mistral
Groq
Together
Vercel

4 HSM drivers · FIPS-validated providers

AWS KMSkms-fips endpoint
Azure Key VaultManaged HSM · FIPS L3
Google Cloud KMSprotectionLevel HSM
PKCS#11Thales · Entrust · CloudHSM
Safety layer

Every receipt is content-checked before it's signed.

Inline detection runs in < 1 ms — pure heuristics, no LLM call, no third-party AI dependency. Findings flow into the receipt's payload.metadata.safety block so the audit trail proves the bank caught the event.

01

PII detection

Regex + checksum validation across 14 categories — emails, US SSN, credit cards (Luhn), IBAN (MOD-97), UAE Emirates ID, Saudi national ID, Indian Aadhaar, API keys, wire references, customer IDs. Inline. Deterministic. Auditable.

02

Prompt injection

Twelve categories caught — instruction override, role injection, system-prompt leak, DAN jailbreaks, delimiter injection, encoded payloads, tool override, policy bypass. Deterministic. No second LLM in the loop.

03

Shadow AI

Identifies AI calls bypassing the corporate gateway: consumer endpoints (chatgpt.com, claude.ai), unapproved vendors, unapproved model versions, unapproved source systems. Pillar 6 of the platform architecture.

See it in the demo →

Click any receipt in the demo. You'll see PII matches highlighted, prompt-injection patterns called out, and a clear allow / flag / block verdict — each one signed into the receipt.

Run the demo
Public transparency log

Even we can't rewrite history.

A public RFC 9162 append-only Merkle tree. Every receipt batch lands in the log. Every five minutes a Signed Tree Head is published. Inclusion proofs and consistency proofs are queryable by anyone.

01

Append-only

RFC 9162 leaf/internal prefix scheme (second-preimage safe). Once a receipt's leaf hash is committed, removing it requires breaking SHA-256 — which has no known practical break.

02

Signed Tree Heads

Every 5 minutes the log signs {tree_size, root_hash, timestamp, log_id} with the operator key. Anyone holding any historical STH can detect log rewrites.

03

Independent verification

Auditors paste a receipt + inclusion proof + the public STH chain. The verifier confirms inclusion mathematically. No call to the log operator required.

The Receipts Protocol is being proposed for hosted-project status under an independent open-source foundation. Receipts and Signed Tree Heads are verifiable forever — including the historical chain — using only public keys.
Receipt Score

The SSL Labs A+ for AI trust.

A public 0-100 score + letter grade per tenant, computed from five weighted sub-scores: coverage, verification, safety hygiene, regulatory alignment, transparency log participation. Embeddable as an SVG badge in annual reports, RFP responses, AI disclosures.

Coverage

25%

What share of AI traffic produces a receipt

Verification

25%

What share of receipts pass independent verify

Safety hygiene

20%

PII / injection / shadow-AI findings handled

Regulatory align.

15%

How many of the 5 regulator templates the receipts cite

Transparency log

15%

What share of receipts reach the public log

Sample embedded badge

Banks embed this SVG in their AI disclosure pages. Auditors click it to verify the underlying receipts. Boards reference it like an ESG rating.

PROJECT LEDGER Receipt Score A+ 98 /100
Chrome extension

For developers. By default private.

Captures every prompt you send to ChatGPT, Claude, Gemini, Copilot, Perplexity, Hugging Face. Signs a cryptographic receipt locally. Your private key never leaves the browser. Optional opt-in ship-to-corporate-IT for shadow-AI visibility — but the default is stays on your machine.

1

Private by default

Keypair generated locally. Receipts encrypted at rest. The raw prompt text never leaves your browser — only the SHA-256 hash is recorded. Same Ed25519 + RFC 8785 cryptography as the production SDK.

2

You see your AI footprint

Click the extension icon — see every consumer-AI request you've made, which vendor, when, hash-chained. Export as JSON. Useful for self-attribution when reviewing pull requests or RFP responses.

3

CISO opt-in

Configure a corporate ingest URL with your consent. Receipts are shipped (metadata only — never prompt text). Your CISO finally sees the shadow-AI inventory their network DLP cannot.

Manifest V3 · Chrome / Edge / Brave. Private key generated and stored locally. Optional corporate ingest is opt-in and HTTPS-only. Source on GitHub.
Industry frameworks

Composes with the frameworks your board reads.

Project Ledger ships open adapters for published industry frameworks. Receipts automatically cite which pillars, towers, or principles they contribute evidence toward — alongside the regulator articles.

QAG · Quantitative AI Governance

Five-pillar framework for scaling AI with measurable trust. Receipts populate every pillar with cryptographic measurement.

QAIS · Quantitative AI Security

Three towers for breach-proof AI. The safety and Zero Trust modules implement each tower as live enforcement.

AI Agency · Exponential Experience

Seven-pillar framework for deploying AI agents at scale. The agent capture adapter writes receipts for every pillar's measurable output.

Frameworks are integrated through a typed adapter interface. Authors of published frameworks can contribute verified mappings under joint attribution. Apache-2.0.
Regulator templates

Day-one compliance — five regulators, pre-mapped.

Every receipt automatically cites the regulator articles it satisfies. No policy consulting. No template build-out. The receipt fields ARE the evidence the inspector reads.

CBUAE

Responsible AI · 5 principles + Article 184

Maps to the Feb 2026 guidance. Sealed evidence pack ready for the September 16, 2026 transitional inspection. Receipt fields auto-satisfy each principle.

EU AI Act

Reg. 2024/1689 · 8 articles

Article 9 risk management, Article 11 + Annex IV technical docs, Article 12 logs, Article 14 oversight, Article 15 robustness, Article 50 GenAI transparency. Aug 2, 2026 high-risk deadline.

SAMA

AI Adoption Framework · 5 tier controls

Inventory · KSA data residency · decision logging · ECC-1 cybersecurity · customer recourse. Aligned with Saudi PDPL and Vision 2030.

ISO/IEC 42001

AI Management Systems · 6 Annex A controls

The international AI management standard. Already appearing in ~40% of EU enterprise AI RFPs. Receipts populate the AIMS documentation.

NIST AI RMF

Voluntary · 5 mapped controls

GOVERN · MAP · MEASURE · MANAGE. Used by US federal contractors and the CO / CA / NY state AI bills.

+

SR 26-2 · PRA SS1/23 · RBI FREE-AI

Shipped in v0.6 — HIPAA, FedRAMP, ISO 27001, GDPR · plus PR-ready scaffolds for SR 11-7, OSFI E-23, PRA SS1/23, RBI FREE-AI. Same template format — community contributions welcome.

Each template is content-addressed (SHA-256 of the canonical bytes), versioned through its own hash chain, and Apache-2.0 licensed. Receipts cite specific articles automatically. New templates ship in the same format.
Standards

Open standards. Open code. Open verification.

No vendor lock-in. No black box cryptography. Every claim verifiable against published RFCs and the public spec.

RFC 8785
JSON Canonicalization Scheme. The deterministic byte representation every receipt is hashed over.
RFC 8032
Edwards-Curve Digital Signature Algorithm. Ed25519 for non-repudiable signing.
RFC 3161
Time-Stamp Protocol. Independently verifiable absolute time anchoring for every receipt.
RFC 9162
Certificate Transparency v2. Merkle leaf/internal hashing scheme — second-preimage safe.
RFC 9562
UUIDv7. Time-ordered receipt identifiers.
NIST SP 800-207
Zero Trust Architecture. Every Project Ledger deployment is ZTA-compliant.
ISO/IEC 42001
AI Management Systems. Receipts populate the runtime evidence the standard demands.
OWASP AIBOM
AI Bill of Materials. Receipts populate the runtime portion of the AIBOM.
Sigstore OMS
Open Model Signing. Receipts reference OMS-signed model artifacts in the subject block.
in-toto / SLSA
Supply-chain attestation. Receipts complement build-time attestation with runtime.
SPIFFE / SPIRE
Workload identity. Receipts bind to SPIFFE service IDs in the event context.
OpenTelemetry GenAI
Semantic conventions. Receipt fields align with OTel GenAI semantic conventions.

Verify a receipt yourself.

No installation. No login. The verifier runs entirely in your browser using the same SDK every customer uses — because that is what "openly verifiable" actually means.

Open the verifier Try the playground Read the spec →