Concepts

How it composes with your stack

The capsule is one layer in a stack, not a replacement for the others. It sits alongside the layers you already use — identity, authorization, anchoring — and adds the piece none of them provide on their own: a record any third party can verify without trusting any single party.

Composes, doesn't replace

Most agent-trust layers answer a different question than the capsule does. Identity says who is acting; authorization says whether an action is allowed; an anchoring log says the record was included. The capsule answers what the agent did, in a record anyone can check — and it leans on those other layers for the rest rather than reabsorbing them. There's no need to fork your stack to adopt it.

How composition works: reference by digest

A capsule binds external evidence into its verifiable trail through chain.relation: it commits the digest of another artifact — an authorization grant, a policy decision, an upstream receipt — without copying or exposing it. The verifier checks the binding; the referenced data stays where it lives. (The same mechanism links a confirmation back to the action it confirms — see what is a capsule.)

{
  "action": "submit_order",
  "operator": "acme-co",
  "chain": {
    "relation": "authorized-by",      // this action was permitted by …
    "ref": "sha-256:9f2a…c14"         // digest of the grant / credential
  }
}

Illustrative: the capsule carries only the digest of the authorization grant, policy decision, or identity credential — never its contents. A verifier recomputes that digest from the artifact you (or a partner layer) present, and confirms the binding. The precise relation vocabulary is defined in the spec registry; to register a relation for your layer, open an issue on the spec.

LayerIt answersHow the capsule composes
Identity / delegationwho the agent is acting forreference the identity or delegation credential by digest
Authorization / policywhether the action was permittedreference the grant or policy decision by digest
Anchoring / transparency logthat the record was publicly includedthe SCITT receipt — the capsule is log-agnostic
Input integrity / provenancewhether upstream inputs are authenticreference the input-integrity evidence by digest

What only the capsule adds

A record of what the agent did that any third party can verify without trusting the operator, the model vendor, or the log. That neutrality is the point: it's the piece a single party's own system can't provide for itself, because a party vouching for its own actions is exactly what a verifier can't take on faith.

A capsule records the bytes it is given. Authenticating upstream inputs — that a tool response or grounding source is genuine — is a separate, composable layer; bind its evidence by digest and the verifier checks that too. Composition, not dependency.