# DoNotAct Verdict Receipts

DoNotAct v1.1 diagnostic responses may include a `receipt` object. A receipt attests to the diagnostic response that was returned at a specific time.

Receipts are for auditability. They are not execution instructions, not custody, not order signing, not routing, and not advice.

## Public Key

Fetch the receipt signing public key from:

```http
GET /.well-known/closeedge-receipt-key.json
```

If the key endpoint returns `status=not_configured`, receipts may still include a payload hash but are not cryptographically signed. An unsigned hash only detects accidental corruption: anyone who alters the response can recompute it, so it says nothing about who issued the response.

Agents can discover this key from `/agent.json`, `/llms.txt`, `/llms-full.txt`, and `/sitemap.xml`.

## What Is Signed

A signed receipt covers:

- `payload_sha256`
- `issued_at`
- `api_key_id`
- `endpoint_id`
- `venue`
- `market_id`

The `payload_sha256` is computed over the diagnostic response excluding the `receipt` field itself.

## Offline Verification

```bash
python scripts/closeedge_verify_receipt.py \
  --response response.json \
  --public-key closeedge-receipt-key.json
```

Exit codes:

- `0`: receipt verified
- `2`: receipt missing, unsigned, malformed, tampered, or signed by a different key
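The checks described under "What Is Signed" and "Offline Verification" (a hash over the response with `receipt` removed, a signature over the six covered fields, exit code 0 or 2), as an added Go example that is not DoNotAct's own `closeedge_verify_receipt.py`. The Ed25519 algorithm, the hex encoding, the `signature` field, the key document's public-key field and sorted-key compact JSON as the canonical form are all assumptions, because the page does not specify them.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Covered is the exact field list the page says a signed receipt covers.
var Covered = []string{"payload_sha256", "issued_at", "api_key_id", "endpoint_id", "venue", "market_id"}
// KeyDoc is the parsed key document: the page's status value plus an assumed hex-encoded Ed25519 public key.
type KeyDoc struct{ Status, PublicKey string }
// canonical renders JSON with sorted keys and no whitespace (assumed canonical form; json.Marshal sorts map keys).
func canonical(v any) []byte { b, _ := json.Marshal(v); return b }
// PayloadHash hashes the response with the receipt field removed, as the page specifies.
func PayloadHash(resp map[string]any) string {
	stripped := make(map[string]any, len(resp))
	for k, v := range resp { if k != "receipt" { stripped[k] = v } }
	sum := sha256.Sum256(canonical(stripped))
	return hex.EncodeToString(sum[:])
}
// SignedBytes is the signed message: only the Covered fields, so the signature itself never enters it.
func SignedBytes(receipt map[string]any) []byte {
	covered := make(map[string]any, len(Covered))
	for _, f := range Covered { covered[f] = receipt[f] }
	return canonical(covered)
}

// Verify returns the documented exit code (0 verified, 2 otherwise) plus a reason.
// The receipt's "signature" field (hex Ed25519 over SignedBytes) is an assumed field name.
func Verify(responseJSON []byte, key KeyDoc) (int, string) {
	var resp map[string]any
	if json.Unmarshal(responseJSON, &resp) != nil { return 2, "malformed response" }
	r, ok := resp["receipt"].(map[string]any)
	if !ok { return 2, "receipt missing or malformed" }
	sigHex, _ := r["signature"].(string)
	if key.Status == "not_configured" || sigHex == "" { return 2, "unsigned" }
	if r["payload_sha256"] != PayloadHash(resp) { return 2, "tampered payload" }
	pub, _ := hex.DecodeString(key.PublicKey) // malformed hex fails the length check below
	sig, _ := hex.DecodeString(sigHex)        // a wrong-length signature is rejected by ed25519.Verify
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, SignedBytes(r), sig) { return 2, "bad signature or different key" }
	return 0, "receipt verified"
}
// main walks the unsigned path: a receipt carrying only a payload hash while no key is configured.
func main() {
	code, reason := Verify([]byte(`{"verdict":"blocked","receipt":{"payload_sha256":"00"}}`), KeyDoc{Status: "not_configured"})
	fmt.Println(code, reason) // 2 unsigned
}
```

A response that fails any branch gets exit code 2 exactly as the page lists; the reason string is only for the operator's log, not for the agent's decision.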

## Agent Behavior

Agents should preserve the receipt when forwarding or storing a diagnostic response. If a receipt is missing or unsigned, agents should not claim cryptographic attestation.

Agents must still obey the verdict. A valid receipt proves what DoNotAct returned; it does not turn a blocked or uncertain verdict into permission to continue.
