Trust & Verification
AgentCTX’s trust model ensures that every agent action is verifiable. This guide explains how the cryptographic verification pipeline works and how to use it.
The Trust Problem
When an AI agent modifies your codebase, how do you know what it actually did? You could:
- Read the agent’s chat output — but it might hallucinate
- Diff the files — but you miss the intent
- Review a log — but who wrote the log?
AgentCTX solves this with cryptographic verification: every action is translated to human-readable form by a deterministic compiler (not an LLM), then signed with Ed25519.
The Verification Pipeline
```
1. Agent writes CTX:     +m "decision" #arch "Use PASETO"
        ↓
2. Sidecar translates:   "Stored architecture decision: Use PASETO"
        ↓
3. Crypto signs:         Ed25519(ctx + translation) → signature
        ↓
4. Three files written:  {digest}.ctx, {digest}.md, {digest}.json
        ↓
5. Human verifies:       actx verify → ✅ all signatures valid
```
Key Properties
| Property | How |
|---|---|
| Deterministic | Sidecar is a compiler — same input, same output, always |
| Tamper-evident | Ed25519 signature breaks if any byte changes |
| Offline-capable | Signing happens locally, no network required |
| Non-repudiable | Agent’s Ed25519 key proves authorship |
| Auditable | Any human can run actx verify at any time |
Setting Up Trust
1. Initialize (automatic)
```
actx init
# Creates Ed25519 keypair at .context/.keys/
```
2. Operations Are Signed Automatically
When using actx query or the gateway, every operation creates a signed translation:
```
actx query '+m "auth-choice" #arch "PASETO for all APIs"'
# 🗣️ Human: Stored architecture decision: PASETO for all APIs
# (Signed: a1b2c3d4...)
```
3. Verify Anytime
```
actx verify
# 🔍 Verifying translations...
# ✅ All signatures valid
```
Translation Files
Each signed translation produces three files in .context/translations/:
{digest}.ctx
```
+m "auth-choice" #arch "PASETO for all APIs"
```
{digest}.md
```
> +m "auth-choice" #arch "PASETO for all APIs"

Stored architecture decision: PASETO for all APIs

---
*Signature: base64(Ed25519...)*
*Digest: a1b2c3d4...*
*Timestamp: 2026-03-20T20:15:00Z*
```
{digest}.json
```
{
  "ctx": "+m \"auth-choice\" #arch \"PASETO for all APIs\"",
  "human": "Stored architecture decision: PASETO for all APIs",
  "signature": "base64...",
  "digest": "a1b2c3d4...",
  "timestamp": "2026-03-20T20:15:00Z"
}
```
Detecting Tampering
If someone modifies a translation file:
```
$ actx verify
🔍 Verifying translations...
  ✅ a1b2c3d4... valid
  ❌ e5f6g7h8... INVALID SIGNATURE
  ✅ i9j0k1l2... valid
⚠️ 1 of 42 translations failed verification
```
Content-Addressed Store (CAS)
The CAS provides a second layer of integrity. Every stored object is named by its SHA-256 hash:
```
actx verify --cas
# Recomputes hashes and compares against filenames
```
If a file’s content doesn’t match its hash-based filename, it’s been tampered with.
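The recompute-and-compare check can be reproduced independently of the CLI. The following is an added example, not AgentCTX's own code: it assumes a flat store directory whose file names are the lowercase hex SHA-256 of the file contents (optionally with an extension), a layout this page does not specify, and all function names are hypothetical.

```python
import hashlib
import re
import tempfile
from pathlib import Path

HEX_SHA256 = re.compile(r"^[0-9a-f]{64}$")

def sha256_file(path, chunk_size=65536):
    """Hash the file in chunks so large objects are not loaded into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_cas(store_dir):
    """Classify every file in the store as valid, tampered, or unrecognized."""
    report = {"valid": [], "tampered": [], "unrecognized": []}
    for path in sorted(Path(store_dir).iterdir()):
        if not path.is_file():
            continue
        expected = path.stem.lower()  # assumption: name (minus extension) is the digest
        if not HEX_SHA256.match(expected):
            # A file that is not hash-named cannot be checked; surface it for review.
            report["unrecognized"].append(path.name)
        elif sha256_file(path) == expected:
            report["valid"].append(path.name)
        else:
            report["tampered"].append(path.name)
    return report

def build_demo_store(root):
    """Constructed sample store: one intact object, one edited after storage, one stray file."""
    root = Path(root)
    good = b'+m "auth-choice" #arch "PASETO for all APIs"\n'
    original = b"Stored architecture decision: PASETO for all APIs\n"
    good_name = hashlib.sha256(good).hexdigest()
    bad_name = hashlib.sha256(original).hexdigest()
    (root / good_name).write_bytes(good)
    # Content changed after the name was fixed, so the recomputed hash no longer matches.
    (root / bad_name).write_bytes(original.replace(b"PASETO", b"JWT"))
    (root / "notes.txt").write_bytes(b"not a CAS object\n")
    return good_name, bad_name

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_demo_store(d)
        for status, names in verify_cas(d).items():
            for name in names:
                print(f"{status:12} {name}")
```

A hash-name match only shows that the content is unchanged since it was named; it says nothing about who wrote it, which is what the Ed25519 signature check covers.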
See Also
- Sidecar — the compiler architecture
- Security Model — all 8 security layers
- actx verify — CLI reference