Agent Action Capsule
Proof of what an agent did. A tamper-evident, content-private, independently verifiable record of a single agent action — checkable by anyone, without trusting the operator.
Read the draft →
Why Logs Aren't Enough
A log entry isn't proof. The system that ran the action is not a disinterested witness, and a log is only as good as the party that keeps it. Logs are mutable, operator-controlled, and offer no cryptographic guarantee that what you read reflects what actually happened.
The Agent Action Capsule is a signed, digest-committed record that anyone can verify independently — without trusting the operator or any single layer in the stack. It moves the evidentiary bar from "the operator says so" to "the math says so."
The Verification Gap
Traditional audit trails require trusting the infrastructure that generated them. A capsule inverts this: the cryptographic binding is the evidence, and the operator is not in the verification path.
What a Capsule Records
Every verdict — including refusals — produces a capsule. A blocked or denied capsule is auditor-grade evidence that a gate worked.
Action & Disposition
The action itself and its verdict-level disposition: executed, blocked, denied, errored, or timed out. The disposition is not inferred — it is explicitly recorded at verdict time.
Deterministic Constraints
The constraints that were evaluated before the action was dispatched. The capsule records what rules were in scope, so an auditor can reconstruct the gate logic applied at the moment of decision.
Committed Effect
The effect that was committed, with a confirmed-effect binding that distinguishes a dispatched attempt from an observed result. Dispatch and confirmation are separate fields — neither implies the other.
Human-in-the-Loop Flag
An honest flag recording whether a human was in the loop for this action. The flag is part of the signed payload — it cannot be added or removed after signing without invalidating the capsule.
May ≠ Did ≠ Confirmed
Approved is not the same as executed, and executed is not the same as confirmed.
The capsule keeps these three states strictly distinct, so the record reflects what actually happened — not what was attempted, not what was authorized, not what was assumed. This distinction is critical for post-incident review, regulatory inquiry, and any audit that must answer: did it actually run, and did it actually take effect?
Built on Open Standards
Capsules are SCITT Signed Statements (COSE_Sign1), made transparent by registration in a SCITT Transparency Service. The format is deterministic and self-describing — a verifier needs only the capsule bytes and the public key to check the signature.
The profile builds on the neutral scitt-cose substrate, which verifies anyone's SCITT statements and treats the payload as opaque bytes. No vendor lock-in is introduced at the substrate layer.
COSE_Sign1
Cryptographic signing envelope from the COSE family of standards
SCITT Statement
Supply-chain integrity, transparency, and trust statement format
Transparency Service
Append-only log for public registration of signed statements
scitt-cose Substrate
Neutral verification layer — payload-agnostic, operator-independent
Try It in Under a Minute
Class-1 verification is reproducible from the capsule bytes alone — no keys, no network, no clock. Clone the repository and run against the included test vectors:
git clone https://github.com/action-state-group/agent-action-capsule cd agent-action-capsule pip install -e python agent-action-capsule verify test-vectors/pos-executed-confirmed/input.json # ok: True agent-action-capsule verify test-vectors/neg-capsule-id-mismatch/input.json # ok: False (capsule_id mismatch)
How Verification Works
Class-1 verification covers structural integrity and cryptographic correctness. It does not require a live transparency service, a network connection, or a trusted clock — making it suitable for offline audits, air-gapped environments, and forensic review long after the fact.
Standards Honesty
What This Specification Is — and Isn't
This is an individual IETF Internet-Draft, not a Working Group document and not an RFC. The SCITT and COSE substrate it builds on are themselves Internet-Drafts. No RFC number or WG adoption is claimed. The specification is intended for contribution to an appropriate standards body as the ecosystem matures.
What it is
  • An individual IETF Internet-Draft
  • A concrete, implementable profile of SCITT Signed Statements
  • An open specification with a reference implementation
  • Intended for standards contribution as the ecosystem matures
What it is not
  • An RFC — no RFC number is assigned or claimed
  • An IETF Working Group document
  • A finalized standard — the draft is actively evolving
  • A proprietary or vendor-controlled specification
The Auditor's Perspective
For auditors and standards professionals, the capsule addresses a long-standing gap: how do you verify that an autonomous agent behaved correctly after the fact, without relying on the operator's own testimony?
Post-Incident Review
Capsules are immutable records. Retrieve any capsule by its ID and verify it deterministically — the signed payload cannot be altered without breaking the signature, regardless of how much time has passed.
Refusal as Evidence
Every blocked or denied action produces its own capsule. A regulator or auditor can demonstrate that a gate fired — not just that the gate existed — by presenting the signed capsule with a blocked or denied disposition.
Cross-Operator Portability
Because verification requires only the capsule bytes and the public key, audits are portable across operators, environments, and time. No proprietary toolchain or operator cooperation is required to check a capsule.
Contribute or Get in Touch
The Agent Action Capsule specification is developed in the open. Review the draft, open issues, and submit pull requests on GitHub. For questions about integration, standards strategy, or the broader Action State Group work, reach out directly.
Read the Internet-Draft
The individual IETF Internet-Draft is published on the IETF Datatracker. Review the full specification, header claims, and verification algorithm.
Contribute on GitHub
The reference implementation, test vectors, and specification source are all open. Issues and pull requests are welcome.
Get in Touch
For integration questions, standards discussion, or to explore how capsules fit your compliance requirements, contact the Action State Group directly.