none.private_beta.v1
Without signer env vars, public web receipts use an unsigned private-beta digest. That is fine for demos and schema testing, but verifiers should not treat it as production issuer proof.
Hekate Receipts
Hekate Lite can already issue AgentSec-compatible receipts. Configure the receipt signer to make those receipts portable: verifiers can check issuer identity, evidence hash, policy hash, scanner version, and decision without trusting a screenshot or mutable dashboard.
Without signer env vars, public web receipts use an unsigned private-beta digest. That is fine for demos and schema testing, but verifiers should not treat it as production issuer proof.
With an Ed25519 key configured, every new preflight receipt includes a public key PEM, signer id, and `ed25519:` signature that `/v1/receipts/verify` can validate.
Required env
Ed25519 PKCS#8 private key. Store only in Vercel/secret manager.
Stable public key id exposed by /v1/agentsec/trust.
Human-readable signer identity for issued receipts.
Operator sequence
Run npm run hekate:receipt-keygen locally and store the private key outside the repo.
Add the three env vars to the Vercel Production environment for hekategate.com.
Redeploy the web project so new preflight responses sign with Ed25519.
Check GET /v1/receipts/signing-status for the active signature scheme and key fingerprint.
Check /v1/agentsec/trust and submit a new receipt to /v1/receipts/verify.
Ed25519 signing proves Hekate issued a receipt over a specific evidence hash and policy hash. It does not certify mainnet flows, replace external review, or guarantee that an agent is safe.