Step-by-step cookbook for setting up cryptographically signed audit trails on Claude Code tool calls. Use when explaining, evaluating, or demonstrating the…
Signed Audit Trails for Claude Code Tool Calls Cookbook-style walkthrough for cryptographically signed receipts on every Claude Code tool call. This is the teaching skill. For the runtime implementation, install the protect-mcp plugin. What this gives you Every tool call (Bash, Edit, Write, WebFetch) is: Evaluated against a Cedar policy before execution. If the policy denies the call, the tool does not run. Signed as an Ed25519 receipt after execution. Receipts are JCS-canonical, hash-chained, and verifiable offline by anyone with the public key. An auditor, regulator, or counterparty can verify the full chain later with a single CLI command (npx @veritasacta/verify receipts/*.json). No network call, no vendor lookup, no trust in the operator.
don't have the plugin yet? install it then click "run inline in claude" again.