Glossary

Provenance receipt

A compact, signed proof of a governed outcome that a third party can verify offline.

category ▸ Security

audit/verify
#101hash ✓#102hash ✓#103hash ✓#104hash ✓#105hash ✓
head 0x9f3a…c1ok: true
verifyChain ▸ chained SHA-256 · signed receipts
What it means

Provenance receipt, in plain language.

A provenance receipt is a small, self-contained record that attests to a specific governed outcome — an agent run, an action execution, an approval decision — and is signed so its authenticity can be checked independently. Unlike a log entry that only means something inside the system that wrote it, a receipt travels: anyone with the verification key can confirm it offline.

Receipts shift the burden of proof. Rather than asking an auditor to trust your system, you hand them an artifact they can validate for themselves, which is the difference between asserting that something happened and proving it.

In Cortex

How Cortex implements it.

This term isn't abstract here — it maps to a real capability in the runtime. Here is exactly how Cortex enforces or relates to it.

Security

Cortex emits a signed receipt for each governed outcome — an agent run, action, or approval — that a third party can verify offline, alongside the hash-chained ledger entry. Signing keys are operator-supplied and never embedded; production fails closed without them.

Receipts and the verifyChain proof are what a Compliance Pack bundles, so the evidence for an audit is generated from real outcomes rather than assembled from screenshots.

See Provenance receipt enforced, not just defined.

Book a walkthrough and watch the controls in this glossary return real verdicts, seal real evidence, and trace every fact back to its source.