provenancechain of custody for AI code

Prove what your AI
actually did.

Axyvera seals every AI coding session into a tamper-evident, hash-chained record — exported as a signed .axy bundle anyone can verify offline. No trust required, and nothing leaves your machine.

works with Claude Code & OpenAI Codex · free verifier, no license

session.startedobserved
sha256:3bc172af0d…99eadb
prev ← genesis
tool.used · edit src/billing.tsadapter-reported
sha256:ca8f789ae7…22e7d3
prev ← sha256:3bc172af0d…99eadb
session.completedobserved
sha256:78024235b6…0ddde9
prev ← sha256:ca8f789ae7…22e7d3
chain: valid
signature: valid
coverage: complete
ed25519 · offline
0 bytes
transmitted off your machine
Ed25519
signed evidence bundles
RFC 8785
canonical JSON digests
4 states
of honest coverage
contents
Block 0x00sha256:d800dff0eb…83a699

A hash-chained record of the session

Every event an agent produces is normalised to a canonical form and appended to a hash chain. Change one byte anywhere in the history and the chain no longer verifies. Truncate the tail and the anchored count catches it.

  • RFC 8785 canonical JSON digests
  • Append-only, tamper-evident ordering
  • Detects edits, reorders, and truncation
Canonical stream

Each event is hashed with the digest of the one before it. The chain is only valid if every link agrees — a single altered byte breaks it.

digest = sha256(prev ‖ canonical(event))
Block 0x01sha256:605e3e7572…7a8528

Portable proof in a single .axy file

Export a session as a signed evidence bundle: the chain, its manifest, the coverage it honestly claims, and an Ed25519 signature. Hand it to a reviewer, an auditor, or a customer — it stands on its own.

  • Ed25519-signed manifest
  • Self-contained and offline
  • Backward-compatible bundle format
Signed bundles

A bundle carries the chain, its manifest, the coverage it claims, and an Ed25519 signature. It is complete on its own.

bundle = { chain, manifest, coverage, signature }
Block 0x02sha256:e5a630bbf8…834237

Anyone can check it, no license required

Verification is free and license-independent — on purpose. The party checking evidence should never have to trust, or pay, the party that produced it. Structure, content, signature, and coverage are reported separately.

  • No account, no telemetry, no lock-in
  • Separates signature validity from signer trust
  • Reports coverage verbatim — never inflated
Free verifier

The verifier is a separate, free tool. Whoever receives evidence can check it without trusting — or paying — whoever produced it.

axyvera verify session.axy → free, offline
Block 0x03sha256:329909622f…2de416

Redaction happens before anything is stored

Raw prompts, hook payloads, transcripts, and credentials are never persisted — not to disk, not to a vault, not to us. Nothing about your code or your session leaves the machine. There is no activation server to phone.

  • Redaction before persistence, always
  • No raw prompts or hidden reasoning stored
  • Fully offline; nothing transmitted
Private by design

Redaction runs before persistence. There is no server to phone, no telemetry, and no raw prompt ever written to disk.

raw prompt → [redacted] → persisted
Block 0x04sha256:66e16fd3b9…60349b

Three commands, start to proof

Wrap a session, export a bundle, verify it. The capture is automatic; the proof is portable.

zsh — axyvera
$ axyvera codex exec "add rate limiting to the API"
sealing session · 42 events · chain valid

$ axyvera adapters finalize codex --export ./proof.axy
wrote proof.axy · ed25519 signed

$ axyvera verify ./proof.axy
signature: valid
content: intact
coverage: complete-for-declared-capabilities
overall: PASS
The point

The person reviewing the work runs one free command and gets an unambiguous verdict — with the coverage stated honestly, not sold.

  • No CI wiring required to start
  • Works the same offline and air-gapped
  • Bundles stay compatible across versions
Block 0x05sha256:5f8d5d0702…71e298

Coverage you can trust because it can say “no”

Most tools claim completeness. Axyvera reports exactly what it captured — and flags what it couldn't — in four honest states.

Provenance never escalates. Adapter-captured evidence is labelled adapter-reported, never observed. A tool that will admit a gap is a tool you can put in front of an auditor.

Coverage vocabularynever inflated
  • complete-for-declared-capabilitiesEverything the adapter can capture, it captured. No gaps.
  • partialMeaningful capture with identifiable holes — stated plainly.
  • degradedStorage fell back or gaps were recorded during capture.
  • unverifiableThe chain did not verify. We say so, loudly.
Block 0x06sha256:80bdceeb53…b52c09

Bring evidence to AI-assisted work

Pro, Team, and Enterprise are onboarding now. The verifier is free forever — start by checking a bundle.

Request access to Axyvera

Tell us about your team and what you're building with AI. We'll set you up with a signed license.