How it composes with your stack
The capsule is one layer in a stack, not a replacement for the others. It sits alongside the layers you already use — identity, authorization, anchoring — and adds the piece none of them provide on their own: a record any third party can verify without trusting any single party.
Composes, doesn't replace
Most agent-trust layers answer a different question than the capsule does. Identity says who is acting; authorization says whether an action is allowed; an anchoring log says the record was included. The capsule answers what the agent did, in a record anyone can check — and it leans on those other layers for the rest rather than reabsorbing them. There's no need to fork your stack to adopt it.
How composition works: reference by digest
A capsule binds external evidence into its verifiable trail through chain.relation: it commits the digest of another artifact — an authorization grant, a policy decision, an upstream receipt — without copying or exposing it. The verifier checks the binding; the referenced data stays where it lives. (The same mechanism links a confirmation back to the action it confirms — see what is a capsule.)
{
"action": "submit_order",
"operator": "acme-co",
"chain": {
"relation": "authorized-by", // this action was permitted by …
"ref": "sha-256:9f2a…c14" // digest of the grant / credential
}
}
Illustrative: the capsule carries only the digest of the authorization grant, policy decision, or identity credential — never its contents. A verifier recomputes that digest from the artifact you (or a partner layer) present, and confirms the binding. The precise relation vocabulary is defined in the spec registry; to register a relation for your layer, open an issue on the spec.
| Layer | It answers | How the capsule composes |
|---|---|---|
| Identity / delegation | who the agent is acting for | reference the identity or delegation credential by digest |
| Authorization / policy | whether the action was permitted | reference the grant or policy decision by digest |
| Anchoring / transparency log | that the record was publicly included | the SCITT receipt — the capsule is log-agnostic |
| Input integrity / provenance | whether upstream inputs are authentic | reference the input-integrity evidence by digest |
What only the capsule adds
A record of what the agent did that any third party can verify without trusting the operator, the model vendor, or the log. That neutrality is the point: it's the piece a single party's own system can't provide for itself, because a party vouching for its own actions is exactly what a verifier can't take on faith.