Open Protocol • Apache 2.0 • CPS v1.0

Your AI Thinks. Decides. Acts.
Capsules Prove It.

A Capsule is a cryptographically sealed record of an AI decision — what triggered it, how it reasoned, who approved it, what happened, and the result. Six sections. One truth. Tamper-evident forever.

capsule #4,291AGENT
Sealed
Trigger
What initiated this action
Type
user_request
Source
api/v1/chat
Timestamp
2026-03-05 14:32:01 UTC
User
usr_8f3a2b
Request

"Generate the Q4 revenue report with charts"

SHA3-256 + Ed25519
sequence: 4291
hash:a7f3c2e9b1d4...
6
Decision Phases
2
Cryptographic Signatures
16
Golden Test Vectors
100%
Tamper-Evident

Your AI Makes Thousands of Decisions.
Can You Prove Any of Them?

Logs tell you what. Capsules prove what, why, who approved, and what resulted — with cryptographic signatures a court would accept.

Without Capsules
Text logs

Editable. Deletable. No proof of authenticity.

No reasoning

You know what happened, not why.

No chain of custody

Anyone could have inserted or removed entries.

Single-algorithm

One quantum computer breaks everything.

Auditor: "Show me proof." You: "Here are some log files..."
With Capsules
Cryptographic seal

SHA3-256 hash + Ed25519 signature. Tamper = detected.

Pre-execution reasoning

Options considered, why it chose, confidence score.

Hash chain

Each capsule links to the previous. Insert or delete = chain breaks.

Dual signatures

Ed25519 + ML-DSA-65. Survives quantum computers.

Auditor: "Show me proof." You: chain.verify() → ✓
Three Lines

Create. Seal. Prove.

No configuration. No database setup. No key ceremony. Create a Capsule, seal it, and you have a cryptographically signed audit record.

before.py
result = await deploy(service, version)
logger.info("Deployed %s %s", service, version)
# A text log. Editable. Deletable.
# No proof of why, who approved, or what changed.
after.py
from qp_capsule import Capsule, Seal
capsule = Capsule(trigger=...)
Seal().seal(capsule)
# SHA3-256 hashed. Ed25519 signed. Chained. ✓
# 6 sections. Tamper-evident forever.
Hash Chain

Every Capsule Links to the Last.
Tamper With One, Break the Chain.

Each capsule contains the SHA3-256 hash of the previous capsule. Insert, remove, or modify any record and the chain breaks — instantly, detectably, irrefutably.

Trigger
type: user_request
source: api/v1/chat
timestamp: 2026-03-05T14:32:01+00:00
request: Generate the Q4 revenue report with charts
user_id: usr_8f3a2b
Context
agent_id: conductor
session_id: sess_a1b2c3
environment: model: llama-3.1-70b, workspace: acme-corp
Reasoning
analysis: User needs quarterly report with visual charts
options: Generate from template,Query live data + charts,Delegate to report agent
selected: Query live data + charts
confidence: 0.92
Authority
type: autonomous
policy: org/reports/auto-approve
chain: policy_check → approved
Execution
tool_calls: query_database(q4_sales),query_database(q4_expenses)
duration_ms: 1203
resources: tokens: 1,247
Outcome
status: success
summary: Initiated Q4 report pipeline
side_effects: Spawned 2 tool capsules
SHA3-256 + Ed25519 sealed
sig: e7d4a2f1...
Trigger
type: agent
source: conductor
timestamp: 2026-03-05T14:32:02+00:00
request: SELECT revenue, region FROM sales WHERE quarter='Q4'
user_id: usr_8f3a2b
Context
agent_id: tool_executor
session_id: sess_a1b2c3
environment: db: postgres, table: sales
Reasoning
analysis: Direct SQL query against sales database
options: Execute query as-is
selected: Execute query as-is
confidence: 0.99
Authority
type: policy
policy: org/data/read-only-approved
chain: parent_capsule → inherited
Execution
tool_calls: pg_execute(SELECT revenue...)
duration_ms: 342
resources: rows: 847, bytes: 12.4KB
Outcome
status: success
summary: Retrieved 847 rows of Q4 sales data
side_effects: none
SHA3-256 + Ed25519 sealed
sig: e7d4a2f1...
Trigger
type: agent
source: conductor
timestamp: 2026-03-05T14:32:03+00:00
request: Render revenue by region as bar chart
user_id: usr_8f3a2b
Context
agent_id: tool_executor
session_id: sess_a1b2c3
environment: renderer: matplotlib, format: svg
Reasoning
analysis: Bar chart is appropriate for regional comparison
options: Bar chart,Pie chart,Table
selected: Bar chart
confidence: 0.87
Authority
type: autonomous
policy: org/charts/auto-approve
chain: policy_check → approved
Execution
tool_calls: matplotlib.bar(regions, revenue),export_svg()
duration_ms: 891
resources: output: chart_q4_revenue.svg (24KB)
Outcome
status: success
summary: Generated Q4 revenue chart (SVG)
side_effects: file_created: chart_q4_revenue.svg
SHA3-256 + Ed25519 sealed
sig: e7d4a2f1...
Trigger
type: agent
source: conductor
timestamp: 2026-03-05T14:32:04+00:00
request: Compile final report from data + charts
user_id: usr_8f3a2b
Context
agent_id: conductor
session_id: sess_a1b2c3
environment: template: quarterly_report_v3, format: pdf
Reasoning
analysis: All data and charts ready, compile into standard template
options: Use quarterly_report_v3 template,Generate freeform
selected: Use quarterly_report_v3 template
confidence: 0.95
Authority
type: autonomous
policy: org/reports/auto-approve
chain: policy_check → approved
Execution
tool_calls: typst_compile(template, data, charts),pdf_export()
duration_ms: 2104
resources: tokens: 3,201, output: 2.1MB
Outcome
status: success
summary: Compiled Q4 report (14 pages, 3 charts)
side_effects: file_created: Q4_Report_2025.pdf
SHA3-256 + Ed25519 sealed
sig: e7d4a2f1...
Trigger
type: system
source: conductor
timestamp: 2026-03-05T14:32:06+00:00
request: Deliver report to user
user_id: usr_8f3a2b
Context
agent_id: conductor
session_id: sess_a1b2c3
environment: channel: chat, thread: thr_9x8y7z
Reasoning
analysis: Report compiled successfully, deliver with summary
options: Deliver with executive summary,Deliver file only
selected: Deliver with executive summary
confidence: 0.94
Authority
type: autonomous
policy: org/chat/auto-respond
chain: policy_check → approved
Execution
tool_calls: format_response(summary + attachment),send_message()
duration_ms: 156
resources: tokens: 412
Outcome
status: success
summary: Delivered Q4 report with executive summary to user
side_effects: message_sent: thr_9x8y7z
SHA3-256 + Ed25519 sealed
sig: e7d4a2f1...
Open Protocol

One Spec. Any Language.
Identical Hashes. Everywhere.

The Capsule Protocol Specification (CPS v1.0) defines byte-level serialization so any conformant implementation — in any language — produces identical hashes for identical capsules. Pass the 16 golden test vectors, and you're compatible with every other implementation.

Lexicographic key ordering, zero whitespace, deterministic floats
SHA3-256 + Ed25519 sealing algorithm (RFC 8032)
16 golden test vectors for cross-language conformance
Optional ML-DSA-65 post-quantum signatures (FIPS 204)
Python
Reference Impl
TypeScript
Reference Impl
Go
Planned
Rust
Planned
capsule_protocol.py
# The chain of trust:
# Capsule → Canonical JSON → SHA3-256 → Ed25519
def seal(capsule):
# 1. Serialize deterministically
canonical = json.dumps(
capsule.to_dict(),
sort_keys=True,
separators=(",", ":")
)
# 2. Hash
hash = sha3_256(canonical)
# 3. Sign
sig = ed25519_sign(hash)
return hash, sig

Dual Cryptographic Signatures.
Today's Security. Tomorrow's Threats.

Every sealed Capsule carries two signatures: Ed25519 for proven classical security, and ML-DSA-65 (FIPS 204) for post-quantum protection. Belt, suspenders, and a spare.

Ed25519

Classical Security

Fast, proven, widely deployed
128-bit security level
64-byte signature footprint
Verify on any platform
RFC 8032 · The Internet's signature algorithm

ML-DSA-65

Post-Quantum Security

NIST FIPS 204 approved
Quantum-computer resistant
Category 3 security level
Standardized August 2024
FIPS 204 · Survives Shor's algorithm

Why both?

Classical signatures protect you today. Post-quantum signatures protect records sealed today against the computers of 2030. A Capsule sealed in 2026 must still verify in 2036, even if a large quantum computer arrives in between.

Just Two

Two Dependencies. That's It.

SHA3-256 hashing comes from Python's standard library. We only pull in what stdlib doesn't have: signatures and async storage.

PyNaCl

≥ 1.6.2·Python binding to libsodium

Ed25519 digital signatures. Every Capsule is signed with a key that's auto-generated and stored with owner-only permissions. Same algorithm SSH, Signal, and Tor rely on.

  • Ed25519 key generation
  • Digital signatures
  • Signature verification

aiosqlite

≥ 0.22.1·Async SQLite wrapper

Capsule storage with zero setup. No database server, no connection string, no migrations. A single file on disk. Upgrade to PostgreSQL when you outgrow it.

  • Async capsule persistence
  • Chain ordering and retrieval
  • Zero-config storage

Everything else comes from Python's standard library:

hashlib · SHA3-256 hashing
json · Canonical serialization
dataclasses · Capsule model
uuid · Capsule identity

The smaller the supply chain, the harder it is to compromise. That matters when you're sealing records a regulator will read in 2036.

Regulatory Alignment

Regulations Demand Proof.
Capsules Deliver It.

The EU AI Act takes effect August 2026. It mandates tamper-evident logging but provides no technical spec. Capsules fill that gap.

EU AI Act

Article 12
August 2, 2026
Requires

Automatic, tamper-evident event logging for high-risk AI systems

Capsule Answer

Cryptographic hash chain with dual signatures — tamper = detected instantly

SOC 2 Type II

CC7.2 / CC8.1
Ongoing
Requires

Monitor system components for anomalies; controlled change management

Capsule Answer

Every AI action recorded with reasoning, authority chain, and outcome

HIPAA

§164.312(b)
Ongoing
Requires

Audit controls for information systems with ePHI

Capsule Answer

Three privacy layers: public metadata, restricted reasoning, sealed PII

NIST AI RMF

MAP / GOVERN
Recommended
Requires

Document AI system decisions and maintain accountability

Capsule Answer

Six-section structure maps directly to NIST accountability requirements

Raw Record

What a Capsule Actually Looks Like

No abstraction. No marketing. This is the actual JSON structure that gets hashed, signed, and chained — every field, every decision.

capsule_4291.json
122 lines
valid
1{2  "id": "d4e5f6a7-8b9c-4d0e-1f2a-3b4c5d6e7f80",3  "type": "agent",4  "domain": "agents",5  "parent_id": null,6  "sequence": 4291,7  "previous_hash": "c9e5f102b8a7d6e5f4c3b2a1...",89  "trigger": {10    "type": "user_request",11    "source": "api/v1/chat",12    "timestamp": "2026-03-05T14:32:01+00:00",13    "request": "Generate the Q4 revenue report with charts",14    "correlation_id": "corr_7x8y9z",15    "user_id": "usr_8f3a2b"16  },1718  "context": {19    "agent_id": "conductor",20    "session_id": "sess_a1b2c3d4",21    "environment": {22      "model": "llama-3.1-70b",
This JSON is what gets hashed with SHA3-256|Cross-language SDKs (TypeScript available; Go, Rust planned)

Built For People Who Need Proof

🤖

AI Engineers

Building agents that make real decisions. You need proof of what they chose and why — before they acted.

🏥

Regulated Industries

Healthcare, finance, legal. When auditors ask 'prove it,' capsules are the answer.

🔒

Security Teams

Post-quantum dual signatures. Air-gap deployment. Kill switch. Tamper-evident records.

🚀

Startups

Ship fast now, prove trustworthiness later. The capsule chain is your compliance foundation from day one.

📜

Compliance Officers

EU AI Act, SOC 2, HIPAA, NIST — capsules map directly to what regulations require.

🌍

Open Source Contributors

Python and TypeScript reference implementations. 16 golden test fixtures. Build a conformant SDK in your language.

🔐

Your AI Decides.
Capsules Prove It.

Six sections. Cryptographic seal. Hash chain. Every decision your AI makes — recorded, signed, and provable forever.

Apache 2.0 16 Golden Test Vectors Post-Quantum Ready Air-Gap Ready