bundle format
What lives inside a .axy file
A bundle is self-contained: everything a verifier needs, with nothing it has to trust a server for.
Anatomy
| Part | What it holds |
|---|---|
| chain | The ordered, hash-linked event stream. Each entry carries the digest of the one before it, so any edit, reorder, or truncation breaks verification. |
| manifest | What the bundle is: the session id, the adapter and its declared capabilities, counts, and timestamps. |
| coverage | One honest state — complete-for-declared-capabilities, partial, degraded, or unverifiable. |
| signature | An Ed25519 signature over the canonicalised manifest and chain root, plus the signer identity. |
Shape
Conceptually, a bundle is a small, versioned document. The chaining rule is the heart of it.
proof.axy — shape
{
"format_version": 1,
"manifest": {
"session_id": "…",
"adapter": "codex",
"capabilities": ["tool.use", "file.edit"],
"events": 42,
"created_at": "2026-07-07T00:00:00Z"
},
"chain": [
{ "seq": 0, "prev": null, "digest": "…" },
{ "seq": 1, "prev": "<seq0>", "digest": "…" }
],
"coverage": "complete-for-declared-capabilities",
"signature": { "alg": "ed25519", "signer": "…", "sig": "…" }
}The chaining rule
Each digest folds in the previous one, so the chain only verifies if every link agrees.
digest
digest(n) = sha256( digest(n-1) ‖ canonical_json(event(n)) )
Canonical JSON
Digests are computed over a canonical serialization (sorted keys, no insignificant whitespace, deterministic escaping) so the same events always hash to the same bytes on any machine. This is the same canonicalization the commercial license format uses.
forward compatible
format_version lets newer verifiers read older bundles. Evidence you seal today stays checkable tomorrow — a signed record should not expire because a tool moved on.