Skip to content

2lab-ai/soma-proof

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

1 Commit
 
 

Repository files navigation

soma-proof

Cryptographically verifiable behavior logs for AI agents.

You can trust an agent. But you should be able to verify.


The Problem

Millions of AI agents are writing code, sending emails, making API calls, and accessing sensitive data — right now, today. But there's no way to answer a simple question:

"What exactly did the agent do?"

  • An agent reviews your PR. Did it also read your .env.production?
  • An agent writes code to your repo. Can you prove it didn't exfiltrate source code?
  • An agent accesses customer data. Can you show the auditor exactly what it touched?
  • Three agents work in a chain. One made a bad call. Which one?

Git tracks what humans commit. Firewalls track what servers send. Nothing tracks what AI agents actually do.

soma-proof is the missing audit layer for the agent era.

What It Does

┌──────────────────────────────────────────────────────┐
│                    AI Agent Runtime                   │
│            (soma-work, OpenClaw, LangGraph, ...)     │
└───────────────────────┬──────────────────────────────┘
                        │ tool_use / tool_result events
                        ▼
┌──────────────────────────────────────────────────────┐
│                    soma-proof                         │
│                                                      │
│   Record ──→ Hash Chain ──→ Verify ──→ Anchor        │
│                                                      │
│   ┌─────────┐  ┌───────────┐  ┌──────────────────┐  │
│   │ SQLite  │  │  Merkle   │  │   L2 Blockchain  │  │
│   │ (local) │  │   Tree    │  │   (Base, Arb)    │  │
│   │         │  │           │  │                  │  │
│   │ Full    │  │ Periodic  │  │ Tamper-proof     │  │
│   │ action  │  │ batching  │  │ timestamp        │  │
│   │ history │  │ of trace  │  │ anchor           │  │
│   │         │  │ heads     │  │                  │  │
│   └─────────┘  └───────────┘  └──────────────────┘  │
│                                                      │
│   Query ◄── Anomaly Detection ◄── Trust Scoring      │
└──────────────────────────────────────────────────────┘

Every action an AI agent takes — every file read, file write, shell command, API call — is captured, hashed into a tamper-proof chain, and periodically anchored to a public blockchain. The full data stays local. Only a 32-byte hash goes on-chain.

Cost: ~$0.72/month for 10 agents. Mathematically tamper-proof.

Core Concepts

Trace = One Task, One Chain

Each user request ("Review PR #42") creates an independent hash chain called a trace. No global chain. No concurrency conflicts. 10,000 agents can run simultaneously with zero collisions.

User: "Review PR #42"
       │
       ▼
Trace-7f3a (independent hash chain)
       │
  ┌────┴────────────────────────────────────────────┐
  │                                                  │
  Action 0: user_input                               │
    hash: SHA-256(GENESIS + payload)                  │
       │                                             │
  Action 1: tool_use [file_read] src/auth.ts         │
    hash: SHA-256(prev_hash + payload)                │
       │                                             │
  Action 2: tool_use [file_read] src/db.ts           │
    hash: SHA-256(prev_hash + payload)                │
       │                                             │
  Action 3: tool_use [shell] npm test                 │
    hash: SHA-256(prev_hash + payload)                │
       │                                             │
  Action 4: agent_response "Review complete..."       │
    hash: SHA-256(prev_hash + payload)  ← trace head │
  └──────────────────────────────────────────────────┘

If any action in the chain is modified after the fact, every subsequent hash breaks. Tampering is immediately detectable.

Three-Layer Storage

Layer Where What Cost
L1 SQLite (local) Full action history, raw data $0
L2 Merkle Tree Periodic batch of trace heads Computed locally
L3 L2 Chain (Base/Arbitrum) Merkle root only (32 bytes) ~$0.001/tx

The blockchain doesn't store your data. It stores proof that your data existed at a specific point in time and hasn't been modified since.

Anchoring

Every hour (configurable):

  Active traces:
    Trace-A (head: 0xabc...)  ─┐
    Trace-B (head: 0xdef...)  ─┤
    Trace-C (head: 0x123...)  ─┤── Merkle Tree ── Root: 0x789...
    Trace-D (head: 0x456...)  ─┘         │
                                          ▼
                                  L2 Transaction
                                  (one tx, ~$0.001)

Use Cases

For Engineering Teams

Incident Response — Production goes down. Trace back through the agent's exact chain of actions to find which file change, which test was skipped, which assumption was wrong. In minutes, not hours.

Code Provenancegit blame shows who committed. soma-proof shows which agent generated it, what context it used, what files it referenced, and whether a human actually reviewed the diff.

Security Audit — "Show me every external API call our agents made this month." One query. Cryptographically complete.

For Enterprises

Compliance — Regulated industries (finance, healthcare, legal) require audit trails. AI agents without verifiable behavior logs cannot pass compliance review. soma-proof makes agent adoption possible in environments where it's currently blocked.

Data Loss Prevention — Track every file an agent accessed and every external endpoint it contacted. Detect unauthorized data flows in real time.

Vendor Risk — Using third-party agent plugins or MCP tools? Verify that a plugin's actual behavior matches its declared permissions. Detect silent data exfiltration.

For the Agent Ecosystem

Trust Scoring — An agent with 10,000 verified traces and 0 anomalies has earned trust. Dynamically grant more autonomy to proven agents, require approval for untrusted ones.

Multi-Agent Accountability — Agent A writes code → Agent B reviews → Agent C deploys. When something breaks, trace responsibility through the entire chain.

Agent Marketplaces — Publish cryptographic proof that your agent/skill/plugin behaves as advertised. Not reviews. Not ratings. Math.

Quick Start

Install

npm install soma-proof

Record Agent Actions

import { SomaProof } from 'soma-proof';

const proof = new SomaProof({
  storage: './agent-audit.db',    // SQLite path
  anchor: {
    chain: 'base',                // L2 chain for anchoring
    interval: '1h',               // anchor every hour
    wallet: process.env.WALLET_KEY,
  }
});

// Start a trace when a task begins
const trace = await proof.startTrace({
  userId: 'U-alice',
  agentId: 'agent-01',
  intent: 'Review PR #42',
});

// Record each agent action
await trace.record({
  actionType: 'tool_use',
  toolName: 'file_read',
  input: { path: 'src/auth.ts', lines: '1-50' },
  output: { content: fileContent, bytes: 1200 },
  resourcesAccessed: ['src/auth.ts'],
});

await trace.record({
  actionType: 'tool_use',
  toolName: 'shell',
  input: { command: 'npm test' },
  output: { exitCode: 0, stdout: '...' },
});

// Complete the trace
await trace.complete();

Verify Integrity

// Verify a trace's hash chain
const result = await proof.verify(traceId);
// { valid: true, actionCount: 12, brokenAt: null }

// Verify on-chain
const onchain = await proof.verifyOnChain(actionId);
// { verified: true, block: 12345678, chain: 'base', explorerUrl: '...' }

Query

// What files did agents modify today?
const actions = await proof.query({
  resourcesModified: 'src/**',
  since: '2026-04-05',
});

// All external API calls this week
const external = await proof.query({
  toolName: 'http_request',
  since: '2026-03-30',
});

// Anomalies
const anomalies = await proof.getAnomalies('agent-01');
// [{ reason: 'first_time_external_endpoint', detail: 'api.stripe.com', risk: 'high' }]

Architecture

Action Schema

interface AgentAction {
  id: string;
  traceId: string;
  sequence: number;

  agentId: string;
  userId: string;
  model: string;

  actionType: 'tool_use' | 'tool_result' | 'user_input' | 'agent_response';
  toolName?: string;

  inputHash: string;             // SHA-256 of input
  outputHash: string;            // SHA-256 of output
  inputSummary: string;          // Human-readable
  outputSummary: string;

  resourcesAccessed: string[];
  resourcesModified: string[];
  externalEndpoints: string[];

  prevHash: string;              // Previous action in this trace
  hash: string;                  // SHA-256(prevHash + payload)

  timestamp: string;
  durationMs: number;
  permission: 'auto' | 'user_approved' | 'denied';
}

Concurrency Model

No global chain. No consensus algorithm. Each trace is an independent hash chain.

User A, Task 1:  Genesis → A₁ → A₂ → A₃         (independent)
User A, Task 2:  Genesis → A₁ → A₂               (independent)
User B, Task 1:  Genesis → B₁ → B₂ → B₃ → B₄    (independent)

Anchor (hourly):
                    Merkle Root → L2
                   /     |       \
              A-T1.head  A-T2.head  B-T1.head

10,000 concurrent agents. Zero conflicts. Each trace maps naturally to a Slack thread, a CI job, or an API request.

Smart Contract

Minimal. Stores only 32-byte merkle roots.

contract AgentAuditAnchor {
    struct Anchor {
        bytes32 merkleRoot;
        uint64  startTime;
        uint64  endTime;
        uint32  actionCount;
        address agent;
    }

    mapping(address => Anchor[]) public anchors;

    function anchor(bytes32 root, uint64 start, uint64 end, uint32 count) external;
    function verify(address agent, uint256 index, bytes32 leaf, bytes32[] proof) external view returns (bool);
}

Verification Flow

"Prove agent didn't access production DB on April 3rd"

  1. Query local SQLite → 0 matching actions
  2. Find anchor covering April 3rd → Anchor #47
  3. Generate merkle proof for relevant traces
  4. Verify on-chain: contract.verify() → true
  5. Result: "No production DB access recorded.
     This record was anchored at block #12345678
     on Base L2 at 2026-04-03T21:00:12Z.
     Tampering is mathematically impossible."

Integration

soma-work (Slack AI Agent)

// In ClaudeHandler stream processing
import { SomaProof } from 'soma-proof';

const proof = new SomaProof(config);

async function handleStreamEvent(event, trace) {
  if (event.type === 'tool_use') {
    await trace.record({
      actionType: 'tool_use',
      toolName: event.tool.name,
      input: event.tool.input,
      resourcesAccessed: extractResources(event),
    });
  }
}

Any Agent Framework

soma-proof is framework-agnostic. If your agent emits tool calls, soma-proof can record them.

// LangChain
chain.on('tool_start', (tool, input) => trace.record({ ... }));
chain.on('tool_end', (tool, output) => trace.record({ ... }));

// OpenClaw / any MCP-based agent
mcpServer.on('tool_call', (call) => trace.record({ ... }));

API Reference

Recording

Method Description
proof.startTrace(opts) Start a new trace (returns Trace)
trace.record(action) Record an action in the trace
trace.complete() Mark trace as completed

Verification

Method Description
proof.verify(traceId) Verify hash chain integrity
proof.verifyOnChain(actionId) Verify against L2 anchor
proof.getProof(actionId) Generate merkle proof

Query

Method Description
proof.query(filters) Search actions by resource, tool, time
proof.getTrace(traceId) Get full action chain
proof.getAnomalies(agentId) Behavioral anomalies
proof.getTrust(agentId) Trust score and stats

Anchoring

Method Description
proof.anchor() Manually trigger L2 anchoring
proof.getAnchors(since) List anchor history

Cost

Scale Agents Actions/day L2 Cost/month
Team 10 6,000 $0.72
Startup 100 60,000 $7.20
Enterprise 1,000 600,000 $72
Platform 10,000 6,000,000 $720

Local storage (SQLite): free. The only cost is L2 gas for anchoring, which is one transaction per batch regardless of how many actions are included.

Roadmap

  • Action data model and hash chain
  • SQLite storage with full query support
  • Merkle tree batching and L2 anchoring
  • Anomaly detection (behavioral profiling)
  • Trust scoring and dynamic permissions
  • Dashboard UI
  • soma-work integration
  • Framework adapters (LangChain, CrewAI, OpenClaw)
  • Enterprise: SSO, RBAC, compliance reports
  • Multi-agent trace linking

Philosophy

AI agents are the most powerful tools humans have ever built. Power without accountability is dangerous. But accountability doesn't have to mean surveillance or restriction — it means transparency.

soma-proof doesn't limit what agents can do. It makes what they did provable.

In a world where AI agents write code, manage finances, handle healthcare data, and make decisions on behalf of humans — the ability to verify their behavior isn't a feature. It's infrastructure.


soma (σῶμα) — body soma-proofproof of what the body did

License

MIT


Built by 2lab.ai

About

Cryptographically verifiable behavior logs for AI agents

Resources

Stars

0 stars

Watchers

0 watching

Forks

Releases

No releases published

Packages

 
 
 

Contributors