MECHANISM, NOT MARKETING
Every guarantee traces to a specific structure.
Four structures carry the whole system: the envelope, the authority boundary, the time anchor, and an adversary model honest about its own limits.
The envelope
Every event carries the same envelope. The hash is computed over RFC 8785 canonical JSON — a deterministic serialization. Without it, two implementations can hash the same logical object to different bytes: different hashes for identical content, or identical hashes for different content. Canonicalization is what makes the hash a statement about meaning, not formatting.
Payloads contain digests, not data. You cannot reconstruct a prompt from a Sasana log — which is why the log itself can cross a compliance boundary that raw transcripts cannot (GDPR, HIPAA: no PHI, no PII in the trail).
If events are dropped under backpressure, the SDK records a LOG_DROP marker — the chain stays intact but the verifier downgrades the result to PARTIAL. Honest about its own gaps.
The Archeion authority boundary
A hash chain proves internal consistency, not authorship. An operator who controls the storage can discard the log and write a fresh, internally-consistent chain where every hash is correct and every event is fabricated.
The fix is structural, not procedural: the entity that seals the log is separate from the entity that operates the agent. Archeion runs inside your security perimeter, controlled by your security team — not the agent developers. The SDK is type-blocked from emitting a seal. The agent cannot forge what it cannot produce.
This is a structural guarantee, not a policy.
RFC 3161: anchoring time to a party you can't impersonate
A hash chain proves the log wasn’t modified after it was written. It cannot prove when“written” was — a session backdated to 2020 verifies INTACT. The two-pass write below closes that. Scroll through it. These are the real hashes from the live run.
- [1/5]SESSION_START is written — without a token
On open_session(), the first event is committed and hashed over canonical JSON. This hash is the exact 32 bytes the TSA will see.
- [2/5]The hash — only the hash — goes to Freetsa
- [3/5]The TSA signs: “this hash existed at this time”
- [4/5]The token is committed into the chain
- [5/5]The rest of the session chains from the new hash
Adversary model
| id | attack | defense |
|---|---|---|
| A1 | Event injection | prev_hash chain; out-of-sequence seq rejected |
| A2 | MITM interception | Ed25519 signatures, verified server-side |
| A3 | Event deletion | Merkle root in SESSION_END; gap in seq chain |
| A4 | Event reordering | seq monotonically increases; prev_hash links |
| A5 | Full chain rewrite | NOT defended in local mode — requires independent sealing (Archeion) or RFC 3161 anchoring |
A5 is stated in red on purpose. A security tool that hides its own trust assumptions is not a security tool. In local, unsealed mode, a full chain rewrite by the operator is undetectable — that is exactly the gap the Archeion boundary and RFC 3161 anchoring exist to close, and exactly why the verifier reports an evidence classinstead of a binary “valid.”