RFC: Audit receipts for ADK agent tool execution #5164
Description
Problem
Google ADK agents execute tool calls in production environments, but there is no built-in mechanism to produce cryptographic evidence that a specific tool call occurred, what policy governed it, and that the audit record hasn't been tampered with. As ADK agents move into enterprise deployments, compliance and security teams need verifiable proof of agent behavior.
Proposal
Add an optional receipt-signing middleware to ADK's tool execution pipeline. When enabled, every tool call would emit an Ed25519-signed receipt:
```python
from google.adk import Agent
from protect_mcp import ReceiptMiddleware

agent = Agent(
    model="gemini-2.0-flash",
    tools=[search_tool, database_tool],
    middleware=[ReceiptMiddleware(key_path="./keys/agent.json")]
)
```

Each receipt captures: tool name, decision (allow/deny), input/output digests, policy hash, timestamp, and an Ed25519 signature. Receipts can be verified offline without access to the agent runtime.
Reference
This pattern is standardized in an IETF Internet-Draft and implemented in protect-mcp (MIT, npm v0.5.3). Active integrations exist with Mission Control, Cedar for Agents, Microsoft AGT, and LlamaIndex.
Happy to discuss integration architecture and contribute.
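
The receipt described in the proposal, signed and then verified offline with only the public key, as an added example that is not part of the original issue and is not protect-mcp's code or the Internet-Draft's wire format. It uses Node's built-in `crypto` module; the field names, the sorted-key canonical encoding, and the sample policy and tool call are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const sha256 = (data) => crypto.createHash("sha256").update(data).digest("hex");

// Deterministic encoding (keys sorted recursively) so signer and verifier
// hash and sign exactly the same bytes. Assumed scheme, not the draft's.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value !== null && typeof value === "object") {
    return "{" + Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k])).join(",") + "}";
  }
  return JSON.stringify(value);
}

// Build a receipt holding digests (not raw data) and sign its canonical form.
function signReceipt(privateKey, { tool, decision, input, output, policyText, timestamp }) {
  const body = {
    tool,
    decision,
    input_digest: sha256(canonical(input)),
    output_digest: sha256(canonical(output)),
    policy_hash: sha256(policyText),
    timestamp,
  };
  const sig = crypto.sign(null, Buffer.from(canonical(body)), privateKey);
  return { ...body, signature: sig.toString("base64") };
}

// Offline check: needs only the receipt and the signer's public key.
function verifyReceipt(publicKey, receipt) {
  const { signature, ...body } = receipt;
  if (typeof signature !== "string") return false;
  const sig = Buffer.from(signature, "base64");
  return crypto.verify(null, Buffer.from(canonical(body)), publicKey, sig);
}

// Constructed sample: a denied database call, then a copy edited to "allow".
const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
const receipt = signReceipt(privateKey, {
  tool: "database_tool",
  decision: "deny",
  input: { query: "SELECT * FROM users" },
  output: null,
  policyText: "deny database_tool when table == users",
  timestamp: "2025-01-01T00:00:00Z",
});
const tampered = { ...receipt, decision: "allow" };
console.log(verifyReceipt(publicKey, receipt), verifyReceipt(publicKey, tampered));
```

Because the receipt stores only digests, a verifier who also holds the original input can recompute `input_digest` to bind the receipt to that exact call without the receipt exposing the data itself.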