Cryptographic proof
for every AI-generated commit.
Nearly half of all new code on GitHub is AI-touched (Octoverse 2025). Who wrote it? Which model? Was it reviewed? GARL for Code signs every AI-authored commit with ECDSA-secp256k1 and makes provenance verifiable.
```
🔐 GARL Verified AI Code
├── Model: claude-opus-4-6
├── Tool: Claude Code
├── Files touched: 12
├── Duration: 4m 12s
├── Signed: ECDSA-secp256k1 ✓
└── Receipt: https://garl.ai/r/a8f3c2d1
```
AI is writing your code. Can you prove who wrote what?
Provenance gap
Claude Code, Cursor, Copilot, Aider — every modern IDE invites an agent into the commit. Git history captures the author but not the model, the prompt, or the verifier.
Compliance clock
CA · EU · ISO 42001
The California SB 942 AI Transparency Act has been live since 1 Jan 2026. The EU AI Act Code of Practice on AI-generated content lands in August 2026. ISO/IEC 42001 Annex B demands traceable AI logs. Audit-ready AI provenance is already a procurement requirement.
Reviewer fatigue
Reviewers need a concise signal that an AI assisted this diff, which tool, and when. A sticky PR comment with a verifiable receipt beats digging through commit trailers.
5 lines of YAML. Every AI commit gets a signed receipt.
```yaml
name: GARL Receipt
on:
  pull_request:
    types: [opened, synchronize, reopened]
jobs:
  sign:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      pull-requests: write
      checks: write
    steps:
      - uses: actions/checkout@v4
        with: { fetch-depth: 0 }
      - uses: Garl-Protocol/[email protected]
        with:
          garl-api-key: ${{ secrets.GARL_API_KEY }}
          garl-agent-id: ${{ secrets.GARL_AGENT_ID }}
```
1. Detect
The action walks the PR's base..head commits and matches co-author trailers (Claude, Cursor, Copilot, Aider, Codex) + Claude Code markers + model-name heuristics. Confidence scored 0.4–1.0.
2. Sign
Every qualifying commit is submitted to GARL as a signed trace. ECDSA-secp256k1 signature + SHA-256 hash + immutable ledger record.
3. Report
One sticky PR comment summarizes `N of M commits signed · breakdown by tool`. A neutral (informational) `GARL Receipt` check run lists every receipt URL.
4. Audit
Each receipt URL (garl.ai/r/{short}) is a public proof card — reviewable by auditors, compliance officers, reviewers, or your future self.
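Step 1 (Detect) sketched as an added example, not the GARL action's own code: the trailer pattern, the Claude Code marker string, the model-name regex and the individual scores are assumptions (the page gives only the tool names and the 0.4–1.0 range), and the commits in `SAMPLE` are constructed.

```python
import re
import subprocess
from collections import Counter

# Assumed rules: the page names these tools and the 0.4-1.0 range, not the patterns.
TOOLS = ("Claude", "Cursor", "Copilot", "Aider", "Codex")
TRAILER = re.compile(r"^Co-authored-by:\s*([^<\n]*?)\s*<([^>\n]*)>\s*$", re.I | re.M)
MARKER = re.compile(r"Generated with\b.*\bClaude Code", re.I)
MODEL = re.compile(r"\b(?:claude|gpt)-[a-z0-9.-]+", re.I)


def detect(message):
    """Return (tool, confidence) for one commit message, or None if nothing matches."""
    # Git only treats the last paragraph as trailers; a trailer quoted in the body is prose.
    trailers = message.strip().split("\n\n")[-1]
    for name, email in TRAILER.findall(trailers):
        for tool in TOOLS:
            if re.search(rf"\b{tool}\b", name, re.I):
                # A bot-style address is stronger evidence than a name that merely matches.
                return tool, 1.0 if "noreply" in email.lower() else 0.6
    if MARKER.search(message):
        return "Claude", 0.8
    if MODEL.search(message):
        return "unknown", 0.4
    return None


def summarize(commits):
    """commits: iterable of (sha, message). Returns (hits by sha, count per tool)."""
    hits = {sha: d for sha, msg in commits if (d := detect(msg))}
    return hits, Counter(tool for tool, _ in hits.values())


def read_commits(base, head):
    """Read (sha, message) pairs for base..head from the current repository."""
    out = subprocess.run(["git", "log", "--format=%H%x00%B%x01", f"{base}..{head}"],
                         capture_output=True, text=True, check=True).stdout
    return [tuple(r.strip().split("\x00", 1)) for r in out.split("\x01") if r.strip()]


# Constructed sample commits (not from any real repository).
SAMPLE = [
    ("a1", "Add parser\n\nCo-authored-by: Claude <noreply@anthropic.com>"),
    ("b2", "Document trailers\n\nCo-authored-by: Cursor <cursor@example.org>\n"
           "is what agents append.\n\nSigned-off-by: Dev <dev@example.org>"),
    ("c3", "Refactor cache\n\nDrafted with claude-opus-4-6, reviewed by hand."),
    ("d4", "Tidy imports\n\nCo-authored-by: Claude Dupont <claude.dupont@example.org>"),
]
```

Trailers and markers are commit-message text written by whoever creates the commit, so a match records what the commit claims about its origin; `summarize(read_commits(base, head))` runs the same check over a real PR range.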
Don't want to touch YAML? Install the GitHub App.
One-click GitHub App posts the same sticky receipt comment on every PR — including fork PRs, which the Action workflow cannot authenticate. HMAC-gated, per-repo rate-limited, non-blocking. Perfect for org-wide rollouts without per-repo secret wrangling.
A single workflow. Four compounding benefits.
Signed PR check
Informational `GARL Receipt` check run on every PR — never blocks, always visible.
Receipt URL
Public, shareable garl.ai/r/{short} page per commit, with agent and ECDSA proof.
Rich previews
Auto-generated 1200×630 Open Graph cards so receipts render beautifully in Slack, X, LinkedIn.
Audit trail
Immutable ledger record with who/what/when — exports for CA SB 942, EU AI Act Code of Practice, and ISO 42001 Annex B audits.
1 minute, 2 secrets, 1 workflow file.
1. Register a repo agent — via the `garl_register_agent` MCP tool or curl:

   ```bash
   curl -sX POST https://api.garl.ai/api/v1/agents/auto-register \
     -H "Content-Type: application/json" \
     -d '{"name":"gh-<owner>-<repo>","framework":"github-action"}'
   ```
2. Save the returned `agent_id` and `api_key` as GitHub secrets `GARL_AGENT_ID` and `GARL_API_KEY`.
3. Drop the workflow above into `.github/workflows/garl-receipt.yml`. Open a PR that contains an AI co-author trailer — the action signs it.
Built on GARL Protocol — the open trust layer for AI systems. Source on GitHub. Python & JS SDKs, MCP server (12 named tools + batch variants), and the full REST API are all part of the same monorepo. No SaaS lock-in, no black-box scoring — everything verifiable.