The neutral referee
Proof your work passed. That anyone can re-check.
A green check that lives on the operator’s server is a screenshot. These checks re-run anywhere: every commit verifies against the signer’s own key history, and every agent receipt re-derives without asking us.
# .github/workflows/verify.ymlname: Verify Commitson: [pull_request]permissions:contents: read # least privilege — no id-token, no writejobs:verify:runs-on: ubuntu-lateststeps:- uses: actions/checkout@v4with:fetch-depth: 0- uses: auths-dev/verify@v1with:auths-version: "0.1.3" # pin the CLI — the action never resolves `latest`fail-on-unsigned: true
The check that refuses.
The action reads each commit’s signer from its trailers and verifies the signature against that signer’s key history. An unsigned commit, an unknown signer, or a corrupted signature fails the check — classified, with the fix spelled out in the job summary.
The action itself refuses shortcuts: the CLI version is pinned, its checksum is verified before it runs, and latest is never resolved. A verifier whose own supply chain is soft would prove nothing.
# any commit, any clone — no CI required
$ auths verify HEAD
✓ Commit 51017ad… verified: signed by <root>
# an unsigned commit does not pass quietly
$ auths verify 3f9c2e1
✗ Verification failed for 3f9c2e1…: no Auths signature (exit 1)
The same referee for agents.
Commits are one kind of receipt. A bounded agent leaves another: every gated tool call, signed and logged. The auditor re-derives the spend from those signatures alone — a party who never ran the agent can confirm what it did.
Tamper with one byte of a signed proof and the audit says so.
$ auths-mcp-gateway verify-spend --log spend.jsonl \
$ --registry ./registry --agent <agent> --root <root>
✓ consistent — 2 call(s), $12.00 re-derived from signed costs
# the forged variant, caught
$ auths-mcp-gateway verify-spend --log tampered.jsonl …
✗ tampered-proof — 51017ad1… failed verification (exit 1)