MECHANISM, NOT MARKETING

Every guarantee traces to a specific structure.

Four structures carry the whole system: the envelope, the authority boundary, the time anchor, and an adversary model honest about its own limits.

01

The envelope

{
"session_id": "3f8a2c1d-…",
UUID, constant across the session
"agent_id": "loan-officer-agent",
who was running
"seq": 3,
monotonic — reordering is detectable
"event_type": "TOOL_CALL",
CHAIN_SEAL is type-blocked in the SDK
"timestamp": "2026-07-04T09:12:08Z",
operator clock — see RFC 3161 below
"payload": { "args_hash": "b2e8…" },
hashes only. raw content never stored
"prev_hash": "4d1a7f3b…",
commits to all prior events
"event_hash": "b2e8d4a0…"
SHA-256 over RFC 8785 canonical JSON
}

Every event carries the same envelope. The hash is computed over RFC 8785 canonical JSON — a deterministic serialization. Without it, two implementations can hash the same logical object to different bytes: different hashes for identical content, or identical hashes for different content. Canonicalization is what makes the hash a statement about meaning, not formatting.

Payloads contain digests, not data. You cannot reconstruct a prompt from a Sasana log — which is why the log itself can cross a compliance boundary that raw transcripts cannot (GDPR, HIPAA: no PHI, no PII in the trail).

If events are dropped under backpressure, the SDK records a LOG_DROP marker — the chain stays intact but the verifier downgrades the result to PARTIAL. Honest about its own gaps.

02

The Archeion authority boundary

AGENT PROCESS — OPERATOR TRUST BOUNDARY
SDK records events → JSONL
SDK cannot emit CHAIN_SEAL (EventType.is_sdk_authority — enforced at the type level)
POST /seal — hashes only, no content
ARCHEION SEALING SERVER — SECURITY TEAM BOUNDARY
verifies hash chain integrity
appends CHAIN_SEAL with Ed25519 signature
returns sealed JSONL → AUTHORITATIVE_EVIDENCE

A hash chain proves internal consistency, not authorship. An operator who controls the storage can discard the log and write a fresh, internally-consistent chain where every hash is correct and every event is fabricated.

The fix is structural, not procedural: the entity that seals the log is separate from the entity that operates the agent. Archeion runs inside your security perimeter, controlled by your security team — not the agent developers. The SDK is type-blocked from emitting a seal. The agent cannot forge what it cannot produce.

This is a structural guarantee, not a policy.

03

RFC 3161: anchoring time to a party you can't impersonate

A hash chain proves the log wasn’t modified after it was written. It cannot prove when“written” was — a session backdated to 2020 verifies INTACT. The two-pass write below closes that. Scroll through it. These are the real hashes from the live run.

  1. [1/5]SESSION_START is written — without a token

    On open_session(), the first event is committed and hashed over canonical JSON. This hash is the exact 32 bytes the TSA will see.

  2. [2/5]The hash — only the hash — goes to Freetsa
  3. [3/5]The TSA signs: “this hash existed at this time”
  4. [4/5]The token is committed into the chain
  5. [5/5]The rest of the session chains from the new hash
SESSION_START seq=0
payload: { sdk_version, ts_utc }
event_hash: ff4be53f333aa85e7491961e0d944093
│ POST /tsr → freetsa.org (32-byte digest only — never content)
RFC 3161 TSA /O=Free TSA/OU=TSA/CN=www.freetsa.org — independent of the operator
│ signed token returns → embedded in payload → hash recomputed
SESSION_END seq=N
prev_hash chains to:
04

Adversary model

idattackdefense
A1Event injectionprev_hash chain; out-of-sequence seq rejected
A2MITM interceptionEd25519 signatures, verified server-side
A3Event deletionMerkle root in SESSION_END; gap in seq chain
A4Event reorderingseq monotonically increases; prev_hash links
A5Full chain rewriteNOT defended in local mode — requires independent sealing (Archeion) or RFC 3161 anchoring

A5 is stated in red on purpose. A security tool that hides its own trust assumptions is not a security tool. In local, unsealed mode, a full chain rewrite by the operator is undetectable — that is exactly the gap the Archeion boundary and RFC 3161 anchoring exist to close, and exactly why the verifier reports an evidence classinstead of a binary “valid.”