Aggregates execution_hashes from N ChainGraph tool calls in one agent session into a single SHA-256 Merkle root (session_receipt_root). Returns a tamper-evident session receipt and a regulator-framed PTG-01 audit prompt. One receipt covers an entire agent session: supply all execution_hashes in c...
AI agents call build_session_receipt to retrieve information from Ainumbers Mcp Apps without modifying anything — typically the context-gathering step in research, monitoring, and reporting workflows, before the agent takes action elsewhere.
| Parameter | Type | Required | Description |
|---|---|---|---|
framing | string | — | Optional framing context for the PTG-01 regulator prompt (e.g. "DORA incident review" or "EU AI Act Art.12 transparency log"). |
tool_ids | array | — | tool_id values corresponding to execution_hashes, in the same order. Used for the audit narrative. |
session_id | string | — | Optional agent session identifier for the audit narrative (e.g. a UUID or timestamp). |
execution_hashes | array | Yes | Ordered list of execution_hash values from ChainGraph tool calls in this session (each produced by emit_chaingraph_artifact or a kernel tool). Minimum 1. |
Parameters from the server's own tool schema.
This tool performs a purely deterministic, read-only cryptographic computation (SHA-256 Merkle root aggregation) over provided hashes. It does not write, modify, or delete data, execute code, or involve financial transactions. The server description also confirms 'Read-only, no auth, zero PII.' The output is a digest/audit artifact with no side effects.
From the tool's definition Aggregates execution_hashes into a single SHA-256 Merkle root (session_receipt_root). Returns a tamper-evident session receipt. The Merkle root is deterministic — the same hashes in the same order always produce the same root.
Risk signalsAdmin/system-level operation
Attacks that exploit this kind of access
Aggregates execution_hashes from N ChainGraph tool calls in one agent session into a single SHA-256 Merkle root (session_receipt_root). Returns a tamper-evident session receipt and a regulator-framed PTG-01 audit prompt. One receipt covers an entire agent session: supply all execution_hashes in call order. The Merkle root is deterministic — the same hashes in the same order always produce the same root. Compliant with EU AI Act Art. 12 (transparency) and DORA ICT audit-trail requirements. It is categorised as a Read tool in the Ainumbers Mcp Apps MCP Server, which means it retrieves data without modifying state.
build_session_receipt accepts 4 parameters: framing, tool_ids, session_id, execution_hashes. Required: execution_hashes. The full parameter table on this page comes from the server's own tool schema.
Register the Ainumbers Mcp Apps MCP server in PolicyLayer and add a rule for build_session_receipt: allow, deny, rate-limit, or require approval. Point your MCP client at the PolicyLayer proxy URL and the rule is enforced on every call, before it reaches Ainumbers Mcp Apps. Nothing to install.
build_session_receipt is a Read tool with low risk. Read-only tools are generally safe to allow by default.
Yes. Add a rate_limit block to the build_session_receipt rule in your PolicyLayer policy. For example, setting max: 10 and window: 60 limits the tool to 10 calls per minute. Rate limits are tracked per agent session and reset automatically.
Set action: deny in the PolicyLayer policy for build_session_receipt. The AI agent will receive a policy violation error and cannot call the tool. You can also include a reason field to explain why the tool is blocked.
build_session_receipt is provided by the Ainumbers Mcp Apps MCP server (postoaklabs/ainumbers-mcp-apps). PolicyLayer sits as a proxy in front of this server to enforce policies before tool calls reach the server.
Every MCP server has a record like this.
Type a name, get the same breakdown: verified identity, auth posture, risk grade, capabilities, recommended policy.
Teams ship this data inside their own products. See what a licence covers →