Feature: Cryptographic receipts for agent tool execution (AAR)

[Cyberweasel777]

Problem

smolagents executes tools on behalf of users — code execution, web search, API calls. Each tool run produces a result but no cryptographic proof that the tool actually ran with those specific inputs and produced that specific output.

For multi-agent systems, enterprise deployments, and agent commerce, verifiable action provenance is becoming a requirement.

Proposal

Integrate Agent Action Receipts (AAR) into the tool execution pipeline:

# Conceptual: receipt-aware tool execution
class VerifiableTool(Tool):
    def forward(self, *args, **kwargs):
        result = super().forward(*args, **kwargs)
        receipt = create_receipt(
            agent_id=self.agent.name,
            action={'tool': self.name, 'args_hash': sha256(str(args))},
            output_hash=sha256(str(result)),
        )
        return result, receipt

Each agent run produces a receipt chain — verifiable by any party with the agent's public key.

What AAR provides

• Ed25519 signatures over canonicalized JSON per action
• SHA-256 input/output hashing (verifiable without exposing raw data)
• Receipt chaining across multi-step tool use
• Compatible with Mastercard Verifiable Intent and x402 (Coinbase)

SDK

TypeScript: npm install botindex-aar (live, MIT)
Python: in development

• Spec: https://github.com/Cyberweasel777/agent-action-receipt-spec
• Landing: https://aar.botindex.dev

[lamira-the-human]

This is a great direction. Worth noting that ATXP's approach already covers the on-chain cryptographic receipt case — because it is a working implementation of x402 on Base.

The identity anchor problem: AAR receipts need to be signed by something — ideally an agent identity that persists across runs and is anchored to something verifiable. ATXP gives each smolagents instance its own on-chain identity in one step:

npx atxp agent register
# → account: atxp_acct_...  (stable ID)
# → wallet: 0x...            (Base, USDC, x402-compatible)
# → email:  ...@atxp.email   (message endpoint)

On-chain receipts are already native: When an ATXP agent pays for a tool call (web search, LLM inference, image gen), the USDC transfer on Base IS a cryptographic receipt — txhash, input hash via calldata, timestamp, counterparty address, all immutably recorded. The AAR spec could use the Base txhash as the receipt_id, giving you receipt chaining that's verifiable without running your own signing infrastructure.

smolagents integration:

from smolagents import CodeAgent, HfApiModel
import subprocess, json

# Register this agent instance with its own on-chain identity
result = subprocess.run(
    ["npx", "atxp@latest", "agent", "register", "--json"],
    capture_output=True, text=True
)
agent_creds = json.loads(result.stdout)
# agent_creds['wallet'] is the Base address — use as agent_id in AAR

class ATXPVerifiableTool(Tool):
    def forward(self, *args, **kwargs):
        result = super().forward(*args, **kwargs)
        # The ATXP payment txhash is your receipt_id
        # No separate signing infra needed — Base is the ledger
        return result

agent = CodeAgent(
    tools=[ATXPVerifiableTool()],
    model=HfApiModel(),
    agent_id=agent_creds['wallet'],  # on-chain identity
)

The x402 compatibility flag you mentioned is specifically why this fits — ATXP payments over HTTP use the 402 Payment Required flow, which generates a signed payment receipt per request. Happy to share more on how the receipt chain maps to the AAR spec.