← v0.6 spec

Capsule format · v0.6 · Event chain

Event Chain

Canonical source. This page is rendered from spec/chain.md. The markdown file is the canonical authority. View raw: /protocol/v0.6/chain.md.

chain/events.jsonl is the append-only signed audit trail. One line per event, JSON object, no trailing whitespace, terminated by \n.

Event schema

{
  "seq": 1,
  "event_id": "evt_001",
  "actor": "human:alice@acme.example",
  "kind": "decision | observation | mutation | session | checkpoint",
  "action": "approved_application",
  "target": "program.md#step-3",
  "timestamp": "2026-05-07T12:00:00Z",
  "payload": { },
  "untrusted_payload_fields": ["payload.summary", "payload.statement"],
  "prev_hash": "<64-hex>",
  "hash": "<64-hex>"
}

Field rules

  • seq: 1-based integer, strictly monotonic per chain.
  • event_id: free-form, conventionally evt_NNN. Not cryptographically bound; for human reference only.
  • actor: human:, ai:, system:, or capsule: prefix. Must appear in the manifest's participants[] or be the literal system:host for backstop events emitted by the host runtime.
  • kind: one of the listed values. Readers reject unknown kinds.
  • timestamp: ISO 8601 UTC, no fractional seconds. Advisory only; authoritative time-binding is the envelope's signed_at.
  • payload: free-form JSON object. May contain LLM-authored text.
  • untrusted_payload_fields: dotted paths into payload whose contents must be treated as untrusted by readers — see "Untrusted content" below.
  • prev_hash: hex of the previous event's hash, or 64 zeroes for the first event.
  • hash: see "Hashing" below.

Hashing

prev_raw   = bytes(prev_hash)              # 32 bytes; all-zero for genesis
canonical  = JCS(event without "hash")     # RFC 8785
event_hash = SHA-256(prev_raw || canonical)

All concatenations are over raw bytes. No hex strings appear in any hash input. This is the v0.6 fix for the prior format's hex-string hashing footgun.

The genesis previous-hash value is 32 zero bytes (not the 64 ASCII zeros of the prior format).

Untrusted content

Any field in a chain event whose value is LLM-authored or externally-supplied and may contain instructions to a future LLM reader must be listed in untrusted_payload_fields.

The convention exists because chain events that contain summaries of work, model outputs, or external API responses are a designed-in prompt-injection vector for any future cold reader that loads the chain into a model context. Readers should:

  • preserve the exact bytes of those fields
  • when feeding the chain to a model, wrap them with explicit "untrusted-content" framing
  • not allow those fields to influence host-side decision-making

The default for narrative summary/statement fields is to mark them untrusted unless the host knows otherwise.

Backstop event

If a session ends without explicit chain events, the host SDK emits a single backstop event before sealing:

{
  "actor": "system:host",
  "kind": "observation",
  "action": "session_ended",
  "target": "capsule",
  "payload": {
    "note": "host emitted backstop event; LLM did not append explicit events during session"
  }
}

The host always controls backstop emission. The LLM cannot suppress it. This is the mitigation for "the LLM curates its own audit log."

Verification

The reader walks the chain in order:

  1. Recompute each event's hash from prev_hash || JCS(event-without-hash).
  2. Compare against the stored hash.
  3. Confirm prev_hash of event N equals hash of event N-1.
  4. Confirm event 1's prev_hash is 32 zero bytes (hex 000...0).
  5. Confirm seq is strictly monotonic from 1.
  6. Confirm actor appears in manifest participants or is system:host.

A mismatch at any step fails verification. The reader reports which event failed which check; it does not stop at the first error.

What the chain does not prove

  • Time of event (advisory timestamp; authoritative time is the envelope's signed_at at seal time).
  • Truth of payload contents.
  • Authority of the actor outside of originator (which is the only participant cryptographically bound to a key in v0.6).

The chain proves: these events, in this order, with these payloads, were the events at seal time. Anything stronger requires an external anchor (Rekor, RFC 3161) which is parking-lot for v0.6.