Guides

Quickstart: seal your first capsule

From install to a verified, anchored record in a few minutes — using emit(), the canonical one-call API.

1. Install

pip install "capsule-emit==0.1.1" agent-action-capsule

2. Seal an action

Call emit() once at each consequential action. operator, developer, action, agent_input, agent_output, verdict, and effect are required; model is optional (adapters fill in what they can — the MCP adapter, for example, sees the tool boundary, not the LLM, so pass model explicitly there if you want it sealed).

from capsule_emit import emit

result = place("Frobozz Supply", 4210.00, "PO-0047")  # your tool logic

cap = emit(
    action="submit_order",
    operator="acme-co",                # accountable tenant (required)
    developer="po-agent@v1",           # agent identity + version (required)
    agent_input={"vendor": "Frobozz Supply", "total": 4210.00},
    agent_output=result,
    model={"provider": "anthropic", "model_id": "claude-sonnet-4-6"},
    verdict="executed",               # executed | confirmed | denied | blocked
    effect={"type": "submit_order", "status": "dispatched"},
)
print(cap.capsule_id, cap.anchored)   # sealed; digest submitted to the log
Adapter shortcut: if you use MCP, LangChain, CrewAI, or Goose, a thin adapter emits on every tool call — the fields above are what every adapter fills in automatically. See the capsule-emit adapter docs.

3. Where it anchors

By default, the capsule's digest is submitted asynchronously to the neutral public log at anchor.agentactioncapsule.org — no signup, no key. Set AAC_ANCHOR_URL or pass anchor_url=… to point at your own SCITT service, or anchor=False to seal locally.

4. Verify

Each emit() also appends the sealed capsule to a local ledger.jsonl by default — that’s the file you verify, offline:

# verify a ledger of sealed capsules, offline — no keys or network needed
agent-action-capsule verify --store ledger.jsonl

  capsule_id  9f2a...c14  ok
  substrate.anchored: True          # digest on the public log
  substrate.receipt_verified: True  # receipt present and validated
Today vs roadmap: emit() submits the capsule’s digest to the public log (cap.anchored=True). The log’s inclusion receipt is verifiable against the log today; surfacing it back onto the emit() return value is on the near-term roadmap.

Adapters: seal from your framework

You don’t have to call emit() by hand. Thin adapters seal one capsule per tool call across the framework you already use — MCP / any callable (a decorator), LangChain / LangGraph (a callback), CrewAI (a tool wrap), and Goose (companion MCP server or @emitter.tool() decorator, verified against Goose v1.39.0). A gateway integration (agentgateway) seals at the chokepoint every consequential action flows through — one policy point instead of N integrations (via the gateway's mcpGuardrails ExtMcp hook). Any custom loop works via one call at the tool boundary. Per-framework guides: docs/adapters/ — including the Goose extension and the agentgateway adapter.

Next: verify a capsule in detail — the hosted verifier, command line, and what each check proves.
Go deeper — implementation & usage docs in capsule-emit: Tutorial: your first capsule ↗ · Confirming & chaining ↗