I ran three agents on a deploy, each in its own isolated git worktree. None of them could see the others' files. All three still wrote to the same secret store, because the store wasn't inside any of their worktrees.
A worktree fences an agent's working tree. The database it writes to and the API it calls live outside that fence, and when two agents touch the same resource out there, isolation can't see that it happened.
Signing each action doesn't distinguish much on its own, since most audit tools already do it. The harder problem is reconstructing, from separately signed per-agent chains, a graph of which agents touched which shared resource and in what order. A single-actor sandbox only sees one process, and a flat audit log records actions without linking them across agents.
The full post walks through one real receipt: which agent acted, under whose authority (a kernel-attested OS user rather than a self-declared label), and what signed it. It also gives an honest account of what the graph can't show yet, including which shared resources draw edges today and which don't.
Read the full post (canonical):
[https://agentreceipts.ai/blog/attribution-over-undo/](https://agentreceipts.ai/blog/attribution-over-undo/)