Quantum Pipes
Open Source · Apache 2.0 · Works with Claude Code, Cursor, Codex, Cline

Your agents edit, run, and decide.
Capsules prove what they did.

agent-capsule seals every AI coding session into a tamper-evident SHA3-256 + Ed25519 hashchain. Verify it yourself, in the browser, fully offline. Nothing to trust but the math.

agent-capsule verify
Sealed
$ agent-capsule verify claude-code --signatures
# re-hash every record, check every Ed25519 sig
[OK] 128/128 verified
head 9c8ec070...
signatures valid. chain intact. nothing changed since sealed.
SHA3-256 + Ed25519
~/.agent-capsule/chains/claude-code/
Claude Code
Cursor
Codex
Cline
4
Agents Supported
SHA3-256 + Ed25519
Sealed
1
Runtime Dependency
100%
Verifiable Offline

A Chat Log Is Editable Text.
A Capsule Chain Is Not.

When an agent edits your code, runs your tests, and makes calls, the transcript is just a file anyone can rewrite. A sealed chain proves exactly what happened, and breaks the moment a single byte changes.

A Chat Log
Editable text

Open the file, change a line, save. No trace.

No proof

Nothing attests the log matches what really ran.

No reasoning

You see output, not why the agent chose it.

No chain of custody

Records can be inserted or deleted silently.

"Did the agent really do that?" "Here is a text file, trust me."
A Capsule Chain
Signed and hash-linked

Each record is SHA3-256 hashed and Ed25519 signed.

Tamper breaks at the record

Change a byte and verify points to the exact seq.

Real diffs and reasoning

Unified diffs, tool results, and the model's reasoning.

Verify it yourself

Re-check the math offline. No account, no server.

"Did the agent really do that?" agent-capsule verify → ✓
Supported Agents

One Tool. Four Agents.

agent-capsule hooks into the agent you already use. The hook fires when a session ends, and the session is sealed before it can be edited.

Claude Code

Stop and SessionEnd hooks fire on every turn

agent-capsule install claude-code

Cursor

~/.cursor/hooks.json stop hook, enriched from globalStorage SQLite

agent-capsule install cursor

Codex

~/.codex/config.toml notify program

agent-capsule install codex

Cline

~/Documents/Cline/Hooks TaskComplete, Cancel, and Start

agent-capsule install cline
30 Seconds

Let the Agent Install Itself.

Paste one prompt and your agent registers its own hook. Or run two commands yourself. Either way you are sealing sessions in under a minute.

Option A: paste into your agent
prompt

Install agent-capsule so all my coding sessions, from now on, are sealed into a tamper-evident audit trail. Fetch https://raw.githubusercontent.com/quantumpipes/agent-capsule/main/INSTALL.md and do every step for whichever agent you are, then confirm the hook is registered.

Option B: do it yourself
terminal
# install the package (Python 3.11+)
$ pipx install git+https://github.com/quantumpipes/agent-capsule
# register the hook for your agent
$ agent-capsule install <tool>
<tool> is one of: claude-code · cursor · codex · cline. One runtime dependency (PyNaCl). The signing key stays local.
How It Works

Three Primitives.
Hash, Sign, Chain.

No new cryptography. Just three well-understood operations composed into a record that cannot be quietly rewritten.

Hash

Each capsule is serialized to canonical JSON, then SHA3-256 hashed. Same bytes, same hash, every time.

Sign

The hash is signed with a local Ed25519 key. The signature proves the record came from your machine and was not altered.

Chain

Every capsule stores the previous capsule's hash plus its own sequence number. The records are welded into one line.

seq 0
hash: 9c8ec070...
prev: null
seq 1
hash: 4a17e9b2...
prev: 9c8ec070...
seq 2
hash: e3f08d51...
prev: 4a17e9b2...
Change any byte, and every link after it breaks.
What Gets Captured

Not a Summary. The Receipts.

A capsule records what the agent actually did, at full fidelity, so a reviewer can reconstruct the session from the sealed record alone.

src/auth/session.py
+14 -3
- token = make_token(user)
+ token = make_token(user, ttl=900)
+ audit.record(token.id, actor=user.id)
[Explore: 2 edits, +14/-3, 9 tool calls] · claude-opus-4-8 · 2,847 tokens

Real diffs

Rendered unified diffs with per-file +/- counts, not a vague summary of what changed.

Full tool results

Actual stdout and stderr, file contents read, and web URLs fetched. The receipts, not the recap.

The model's reasoning

Where the tool persists it, the reasoning behind each turn is sealed alongside the action.

Subagent scorecards

A compact tally per subagent, for example [Explore: 2 edits, +14/-3, 9 tool calls].

Cost and provenance

Token and cache usage, the per-turn model, and the permission posture in effect.

Summarized blobs

Heavy payloads are summarized with their hash, never inlined wholesale. The chain stays lean.

Verify It Yourself

Nothing to Trust
But the Math.

The chain ships the canonical bytes and the public key. Anyone can re-hash every record and re-check every signature, in Python, in JavaScript, or in the browser with Capsule Explorer. You do not have to trust agent-capsule. You can check it.

Re-derive each hash from the canonical JSON
Re-check each Ed25519 signature against the public key
Walk the prev-hash links to confirm the chain is intact
Runs fully offline, on an air-gapped machine if you want
Open Capsule Explorer
verify.py
# re-verify a chain with only stdlib + the public key
for cap in chain:
h = sha3_256(cap.canonical_bytes)
assert h == cap.hash
assert cap.prev == prev_hash
verify_sig(pubkey, h, cap.sig)
# [OK] 128/128 verified ✓

Seal Every Session.
Prove Every Edit.

Open source, offline, no account. Install it once and every coding session your agents run becomes a tamper-evident record you can verify yourself.

View on GitHubVerify in the BrowserThe Protocol
Apache 2.0 Works Offline No Account Key Stays Local