Add Agent Action Receipt (AAR) — ZK-compatible verifiable agent action standard

[Cyberweasel777]

Agent Action Receipt (AAR) v1.0

AAR is an open standard for cryptographically signed receipts for AI agent actions. It enables verifiable audit trails for agent-to-agent commerce, regulatory compliance, and dispute resolution.

Why Aztec?

AAR's privacy-preserving design (input/output hashing with SHA-256, selective disclosure) maps directly to Aztec's ZK privacy model:

• Receipts can be verified on-chain via ZK proofs on Aztec L2 — prove a receipt is valid without revealing its contents
• Selective Disclosure (same concept as Mastercard's Verifiable Intent, announced March 5, 2026) — share minimum information per party
• Ed25519 signatures over canonicalized JSON (JCS-SORTED-UTF8-NOWS)

Compatibility

• Mastercard Verifiable Intent — bidirectional mapping layer included
• x402 (Coinbase) — complementary standard (x402 = payment flow, AAR = action proof)
• Transport-agnostic: HTTP header, response body, on-chain

Links

• Spec: https://github.com/Cyberweasel777/agent-action-receipt-spec
• SDK (TypeScript): npm install @botindex/aar — single dependency (tweetnacl), Express middleware, verification, discovery
• Live implementation: BotIndex API (every response carries X-AAR-Receipt header with signed receipt)
• JSON Schema: https://github.com/Cyberweasel777/agent-action-receipt-spec/blob/main/schema/receipt.json

Suggested addition to awesome-aztec

Under a 'Standards & Protocols' or 'Privacy Tools' section:

• Agent Action Receipt (AAR) — Cryptographically signed receipts for AI agent actions. ZK-compatible selective disclosure. Ed25519/SHA-256.

MIT Licensed.

[critesjosh]

Sounds interesting. how do you envision this being used in Aztec contracts?

[Cyberweasel777]

@critesjosh Great question. Here's the concrete use case:

The problem AAR solves for Aztec

AI agents are increasingly executing transactions and making decisions autonomously. But there's no standard way to verify off-chain agent behavior on-chain. An agent claims it analyzed market data and recommends a trade — how does a smart contract (or another agent) verify that claim?

How it works in Aztec contracts

AAR receipts are Ed25519-signed JSON with SHA-256 content hashes. The verification flow in Noir:

1. Agent executes action off-chain → produces AAR receipt
2. Receipt submitted to Aztec contract as private input
3. Contract verifies in Noir:
   - Ed25519 signature over canonicalized receipt ✓
   - Input/output hashes match expected values ✓
   - Agent ID is in the authorized set ✓
   - Timestamp is within acceptable window ✓
4. Proof generated — receipt validity is proven without revealing receipt contents

Why Aztec specifically (vs. other L2s)

Privacy. AAR receipts contain sensitive data — what the agent did, for whom, with what inputs. On a transparent chain, verifying a receipt exposes all of this. In Aztec:

• Private verification: Prove the receipt is valid without revealing the agent's action, principal, or data hashes
• Selective disclosure: Reveal only specific fields (e.g., prove the agent was authorized without revealing what it did)
• Private agent identity: Verify an agent is in an authorized set without revealing which agent

This maps directly to Aztec's note model — a verified AAR receipt becomes a private note that downstream contracts can consume.

Concrete applications

1. Private DeFi agent verification: Agent manages a vault strategy → produces AAR receipt of each trade decision → Aztec contract verifies the agent followed the strategy rules without exposing the strategy
2. Cross-agent trust: Agent A delegates to Agent B → B's AAR receipt chain is verified in a private Aztec contract → A can trust B's work without seeing B's internals
3. Compliance proofs: Regulated entity proves their agent acted within compliance boundaries without revealing the agent's full action history

Technical fit

• Ed25519 verification is efficient in Noir (already implemented in aztec-packages)
• SHA-256 hashing is native
• JCS canonicalization (AAR's format) is deterministic — same receipt always produces same bytes, which is critical for ZK circuits
• Receipt size is small (~500 bytes) — fits comfortably in private notes

Resources

• Spec: https://github.com/Cyberweasel777/agent-action-receipt-spec
• SDK: https://www.npmjs.com/package/botindex-aar
• Landing: https://aar.botindex.dev

Happy to build a Noir proof-of-concept for AAR verification if there's interest. The circuit would be: verify_aar_receipt(receipt: private, pubkey: public) → bool.

[Cyberweasel777]

@critesjosh Follow-up: I built the Noir proof-of-concept.

Repo: https://github.com/Cyberweasel777/aar-noir-verifier

The circuit verifies AAR receipts as private inputs and proves:

1. Receipt composition is valid (input/output bound to receipt hash)
2. Agent's public key is in an authorized set
3. Timestamp is within an acceptable window

Without revealing what the agent did, what data it processed, or which specific agent acted.

Includes a selective disclosure variant — prove a receipt is valid AND reveal only specific fields (e.g., action type but not data).

Integration with Aztec contracts:

use aar_verifier::main as verify_aar;

#[aztec(private)]
fn execute_with_proof(receipt: AARReceiptProof) {
    let valid = verify_aar(
        receipt,
        storage.authorized_agents.read(),
        storage.num_agents.read(),
        context.timestamp() - 3600,
        context.timestamp(),
    );
    assert(valid, "Invalid AAR receipt");
}

Haven't tested compilation against the latest Noir/Aztec toolchain yet (don't have nargo installed locally) — but the circuit structure and constraint logic are production-intent. Happy to iterate on the Noir-specific patterns if anything needs adjusting for your stdlib.

[Cyberweasel777]

@critesjosh Update: we just shipped the companion standard — Session Continuity Certificates (SCC).

While AAR proves what an agent did, SCC proves who did it over time. Hash-linked certificate chain, same crypto stack (Ed25519 + JCS + SHA-256).

Why this matters for Aztec: The Noir verifier I built for AAR extends directly to SCC. You can now prove in a private Aztec contract that:

1. An agent action is valid (AAR) ✓
2. The agent has maintained continuous identity (SCC) ✓
3. Both are cryptographically bound (sccHash field in AAR) ✓

All without revealing the agent's actions, identity chain, or session history.

• Spec: https://github.com/Cyberweasel777/session-continuity-certificate-spec
• SDK: npm install botindex-scc (npm)
• AAR SDK: npm install botindex-aar

The full trust stack (AAR + SCC) is exactly the agent identity + action provenance primitive that ZK-private agent verification needs. Happy to extend the Noir PoC to cover SCC chain verification if there's interest.