RFC: Signed receipts for Haystack pipeline component calls

[tomjwxf]

Problem

Haystack pipelines chain multiple components (retrievers, generators, rankers) in production NLP workflows, but there is no cryptographic audit trail of component-level decisions. For enterprise RAG deployments, compliance teams need to prove: which retriever was used, what documents were ranked, what the generator produced, and that none of this was altered after the fact.

Proposal

Add an optional ReceiptSigningComponent (or pipeline middleware) that wraps Haystack components and emits Ed25519-signed receipts for each invocation:

from haystack import Pipeline
from protect_mcp import ReceiptMiddleware

pipe = Pipeline()
pipe.add_component("retriever", InMemoryBM25Retriever(...))
pipe.add_component("generator", OpenAIGenerator(...))
pipe.add_middleware(ReceiptMiddleware(policy="enterprise.json"))

Each receipt captures:

• Component name and type
• Input/output SHA-256 digests
• Policy evaluation result (allow/deny)
• Ed25519 signature
• OpenTelemetry trace/span IDs for correlation

Why Haystack

Haystack already has excellent pipeline telemetry and component tracing. Receipt signing is a natural extension — it turns existing observability data into verifiable evidence that can be independently validated offline.

References

• npm: https://www.npmjs.com/package/protect-mcp (MIT, v0.5.3)
• Python SDK: https://pypi.org/project/scopeblind/ (the signing primitives are also available in Python)
• IETF Draft: https://datatracker.ietf.org/doc/draft-farley-acta-signed-receipts/
• Prior integrations: Mission Control, Cedar for Agents, Microsoft AGT, LlamaIndex

Happy to discuss architecture and submit a PR.

[rehan243]

This idea makes a lot of sense for enterprise use cases where auditability is key. We’ve implemented similar cryptographically verifiable logs in a fraud detection pipeline using Ed25519 signatures combined with SHA-256 digests to ensure input/output integrity. One thing to consider is how to efficiently store and query these receipts at scale — something like an append-only log on S3 with a lightweight index might work well and keep costs manageable. Also, integrating OpenTelemetry IDs is a smart move, as it ties low-level cryptographic proofs back to higher-level tracing data, simplifying root cause analysis. If latency is a concern, you could batch-sign receipts asynchronously to avoid slowing down the main pipeline flow. Libraries like PyNaCl or libsodium have solid Python bindings for Ed25519 that might be easier to integrate than rolling your own.

[tomjwxf]

@rehan243 -- these are exactly the right engineering questions. A few thoughts on each:

Batch signing for latency. Agreed. Synchronous signing on every component call adds ~2ms (Ed25519 is fast, but in a hot pipeline loop it compounds). The pattern we use in production is shadow mode: sign asynchronously, never block the pipeline. The receipt is appended to a .jsonl file after the component returns. For pipelines where latency SLAs are tight, this is the right default. Enforce mode (sign-then-proceed) is opt-in for compliance-critical paths.

Storage at scale. Append-only JSONL to S3 with a lightweight index is what we recommend. Each receipt is ~500 bytes, so a pipeline processing 1M documents/day produces ~500MB/day of receipts. The index can be as simple as a SQLite file mapping (pipeline_run_id, component_name) to byte offsets in the JSONL.

PyNaCl. That's exactly what the Python SDK uses under the hood. pip install scopeblind gives you sign_receipt() and verify_receipt() backed by PyNaCl. Cross-verified against the Node.js implementation: same receipt format, same IETF draft spec, same verifier accepts both.

For the Haystack integration specifically, the natural hook points are:

• Pipeline.run() produces a receipt per component invocation
• The pipeline's existing tracing infrastructure (OpenTelemetry spans) provides correlation IDs
• Cedar policies can enforce per-component authorization (e.g., only certain retrievers allowed for PII-containing queries)

Happy to sketch a prototype ReceiptSigningComponent if there's interest from the Haystack maintainers.