Portable work
The capsule is the unit of continuation.
program.md, agents.md, embedded skills, and payload/ files travel together so a different runtime can cold-load the same work without relying on a shared database or live account session.
Capsule format · v0.6
The Capsule v0.6 specification.
A portable unit of intelligence: a work product, the context to continue it, and a verifiable audit trail. v0.6 keeps the five things that are the actual product: skill bundles as foreign-LLM context, an append-only signed event chain, encrypted content with public attestation, Pith as a context-style discipline, and offline-first verification.
The reference surface is deterministic ZIP, RFC 8785 JCS, SHA-256 content indexing, Ed25519 signatures with domain separation, and optional ChaCha20-Poly1305 encrypted content. Capsule identity is bound to the originator public key plus the first event hash, which gives the file a portable identity without asking a server to mint one.
v0.6
prototype
Ed25519
RFC 8785 JCS
offline-first
Open live inspector
Section 01
v0.6 snapshot
Capsule v0.6 is a small, inspectable file format for moving useful work between people, agents, tools, and organizations. The artifact carries the work product, the context required to continue it, the evidence or payload files it depends on, and the signed record of what happened.
A reader verifies the envelope, checks the manifest content index, walks chain/events.jsonl, reads program.md for the current human and AI work surface, reads agents.md for actor and authority context, then renders the current view. State is computed from verified material at read time. If a host caches a view for speed, that cache is local convenience, not protocol truth.
Verified continuity
The durable record is append-only.
The manifest indexes package content, the event chain records cognition turns and operational decisions, and the provenance envelope signs the material that recipients should verify before they trust the work.
Boundary ready
Encryption and trust stay explicit.
Capsules can be plain for local inspection or encrypted for transfer. The protocol proves bytes, signatures, and chain order; the receiving host still decides signer allowlists, policy, and whether a skill may execute.
The snapshot below is the current v0.6 surface a developer, reviewer, or agent should expect to find.
| Layer | What exists | Why it exists |
|---|---|---|
| Container | A deterministic .capsule ZIP archive with safe, relative paths. |
Lets browsers, command-line tools, and offline machines inspect the same artifact without a custom storage service. |
| Manifest | manifest.json with identity, participants, structure, and content index hashes. |
Gives the reader a typed inventory before it renders or reasons over package content. |
| Program | program.md as the readable work surface and continuation brief. |
Gives humans and AI systems a shared starting point while keeping authority in the verified chain and host policy. |
| Actors | agents.md describing participants, allowed roles, and skill trust context. |
Helps a receiving runtime separate author intent, agent capability, and local execution authority. |
| Event chain | chain/events.jsonl with append-only events and hash linkage over canonical bytes. |
Records observations, model turns, decisions, evidence references, and continuation updates in order. |
| Payload | Optional payload/ files and embedded skill bundles. |
Moves evidence, documents, media, code, or task-specific instructions with the work instead of leaving context behind. |
| Envelope | provenance/envelope.json with Ed25519 signatures, content hashes, and optional encryption metadata. |
Lets a recipient verify what arrived before they hydrate it into a local agent, workflow, or review tool. |
Live Capsule Inspector
This is not a mock. The browser fetches a real .capsule, opens it with the browser-safe SDK, and verifies the chain plus content index.
Section 02
Capsule Hydration Protocol
Step through the v0.6 cold-read order a new AI worker should use: verify the seal, read the program, walk the chain, inspect indexed files, then append new events.
- 01 Verify seal Check manifest, envelope, content index, and chain anchors. v0.6
- 02 Read program Start with program.md. Treat legacy continuation files as hints only. v0.6
- 03 Walk chain Rebuild state from chain/events.jsonl in order. v0.6
- 04 Inspect files Open indexed files as inert evidence. Do not execute payloads. v0.6
- 05 Continue Append a semantic event, then checkpoint and seal. v0.6
Capsule v0.6 hydration
Verify seal
Before any model sees capsule text, the host verifies the package and provenance envelope.
- Capsule
- Data Infrastructure Mini Capsule
- Package
- verified hash-covered bytes
- Envelope
- signature envelope present
- Content index
- manifest files hash-covered
- Chain anchor
- first event hash present
1. Parse manifest.json
2. Verify provenance/envelope.json signatures and hashes
3. Confirm content_index.files matches stored bytes
4. Recompute first_event_hash and entry_hash from chain/events.jsonlThe verifier proves integrity, not trust. The host still needs an allowlist for signer identity.
Section 03
The five documents
The v0.6 specification is five short documents. Each one is the canonical source for its scope. Each page on this site renders the corresponding markdown faithfully and links back to the raw .md file at the top.
Section 04
Read the canonical source
The markdown files in spec/ are the canonical authority. The HTML pages on this site are a presentation layer over them. If anything diverges, the markdown wins. Every section page links to its raw .md at the top of the page so the drift is immediately visible.
Raw markdown:
/protocol/v0.6/README.md (overview) ·
format.md ·
manifest.md ·
chain.md ·
envelope.md ·
trust.md
Status. Spec version v0.6 is a prototype. It locks once a second independent implementation round-trips signed test vectors and an outside party reviews the crypto. v1.0 is the schema that will be verified for ten years. v0.6 is the schema that earns its way there.