<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Sahir</title>
    <description>The latest articles on DEV Community by Sahir (@sahiee-dev).</description>
    <link>https://dev.to/sahiee-dev</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3983413%2F59eac3d5-375d-4d74-8a44-3c67cbec1af7.jpg</url>
      <title>DEV Community: Sahir</title>
      <link>https://dev.to/sahiee-dev</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/sahiee-dev"/>
    <language>en</language>
    <item>
      <title>Your tamper-evident log can still be backdated. Here's what closes that.</title>
      <dc:creator>Sahir</dc:creator>
      <pubDate>Fri, 19 Jun 2026 08:25:10 +0000</pubDate>
      <link>https://dev.to/sahiee-dev/your-tamper-evident-log-can-still-be-backdated-heres-what-closes-that-5ddo</link>
      <guid>https://dev.to/sahiee-dev/your-tamper-evident-log-can-still-be-backdated-heres-what-closes-that-5ddo</guid>
      <description>&lt;p&gt;Most audit trail implementations record timestamps as fields in the log. The agent sets them, or the framework does. Either way, the party controlling the log also controls the clock.&lt;/p&gt;

&lt;p&gt;This matters under EU AI Act Article 12. Article 12 requires high-risk AI systems to maintain logs enabling verification of system operation. A log where the operator controls the timestamps does not enable independent verification of anything. It enables the operator to construct a plausible-looking history after the fact.&lt;/p&gt;

&lt;p&gt;Here is the demonstration.&lt;/p&gt;




&lt;h2&gt;
  
  
  A 2020 session passes a 2026 audit
&lt;/h2&gt;

&lt;p&gt;We ran Sasana's own verifier against a session with every timestamp set to January 1, 2020:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;Status&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;INTACT&lt;/span&gt;
&lt;span class="na"&gt;Evidence class&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;NON_AUTHORITATIVE_EVIDENCE&lt;/span&gt;
&lt;span class="na"&gt;Hash chain&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;PASS&lt;/span&gt;
&lt;span class="na"&gt;Structural integrity&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;PASS&lt;/span&gt;
&lt;span class="na"&gt;Completeness&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;PASS&lt;/span&gt;
&lt;span class="na"&gt;Errors&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="pi"&gt;[]&lt;/span&gt;

&lt;span class="na"&gt;Timestamps&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="s"&gt;SESSION_START  2020-01-01T00:00:00.000000Z&lt;/span&gt;
  &lt;span class="s"&gt;LLM_CALL       2020-01-01T00:00:00.000000Z&lt;/span&gt;
  &lt;span class="s"&gt;SESSION_END    2020-01-01T00:00:00.000000Z&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;INTACT. No errors. The session is internally consistent. The hash chain links every event to the next. The problem is that the entire chain, including those timestamps, was written today, not in 2020.&lt;/p&gt;

&lt;p&gt;The verifier correctly returns &lt;code&gt;NON_AUTHORITATIVE_EVIDENCE&lt;/code&gt;. That classification is load-bearing. A regulator asking "when did this session run" cannot answer that question from this record. They can verify the log was not modified after it was written. They cannot verify when "after it was written" actually was.&lt;/p&gt;




&lt;h2&gt;
  
  
  Operator-attested vs independently-attested
&lt;/h2&gt;

&lt;p&gt;Every log where the recording system and the system being recorded share the same authority boundary is operator-attested. The operator controls what timestamps go in. They can also discard and re-create the log before anyone looks at it, and the hash chain of the replacement will be just as valid as the original.&lt;/p&gt;

&lt;p&gt;The hash chain proves internal consistency. It does not prove when that consistent record was created.&lt;/p&gt;

&lt;p&gt;Independently-attested requires an external party, one the operator cannot impersonate, to sign: "this specific hash existed at this specific UTC time." That statement is verifiable without trusting the operator at all.&lt;/p&gt;




&lt;h2&gt;
  
  
  RFC 3161
&lt;/h2&gt;

&lt;p&gt;RFC 3161 is the IETF standard for trusted timestamps. A Timestamp Authority (TSA) receives a hash, not the data itself, only its SHA-256 digest, and returns a signed token containing that hash and the current time. The token is verifiable against the TSA's public certificate.&lt;/p&gt;

&lt;p&gt;The operator cannot forge this after the fact. Producing a valid token for a different time requires either finding a SHA-256 collision or obtaining the TSA's private key.&lt;/p&gt;

&lt;p&gt;Freetsa (&lt;code&gt;freetsa.org&lt;/code&gt;) is a public TSA based in Wuerzburg, Germany. No account required. The endpoint is &lt;code&gt;https://freetsa.org/tsr&lt;/code&gt;. You POST a DER-encoded timestamp request and receive a DER-encoded response. The response from the live run for this article:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight properties"&gt;&lt;code&gt;&lt;span class="py"&gt;Status&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Granted.&lt;/span&gt;
&lt;span class="err"&gt;Hash&lt;/span&gt; &lt;span class="py"&gt;Algorithm&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;sha256&lt;/span&gt;
&lt;span class="py"&gt;TSA&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;/O=Free TSA/OU=TSA/CN=www.freetsa.org&lt;/span&gt;
&lt;span class="err"&gt;Time&lt;/span&gt; &lt;span class="py"&gt;stamp&lt;/span&gt;&lt;span class="p"&gt;:&lt;/span&gt; &lt;span class="s"&gt;Jun 18 15:21:55 2026 GMT&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The TSA is independent of the operator. It has no relationship to the session being timestamped. It received a 32-byte hash and returned a signed statement about when that hash arrived. The operator cannot produce an equivalent statement for a different time, because they do not control Freetsa's signing key.&lt;/p&gt;




&lt;h2&gt;
  
  
  How the implementation works
&lt;/h2&gt;

&lt;p&gt;There is a design constraint: the TSA must receive a hash, but the token must also be committed into the hash chain, otherwise substituting a different token later is trivial.&lt;/p&gt;

&lt;p&gt;The solution is a two-pass write. On &lt;code&gt;open_session()&lt;/code&gt;, SESSION_START is written without a token. That event's hash is submitted to the TSA. When the token returns, it is embedded in SESSION_START's payload, and &lt;code&gt;event_hash&lt;/code&gt; is recomputed over the full payload, now including the token.&lt;/p&gt;

&lt;p&gt;From the fresh run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight yaml"&gt;&lt;code&gt;&lt;span class="na"&gt;SESSION_START event_hash WITHOUT rfc3161_token&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="s"&gt;ff4be53f333aa85e7491961e0d944093e7a3ef896a399d11f98967d05bb5c34e&lt;/span&gt;

&lt;span class="na"&gt;SESSION_START event_hash WITH rfc3161_token&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt;
  &lt;span class="s"&gt;db37c1d4ab178e14018565bbfb5f65d0eadfe3ca17260d3774833e9793e572ea&lt;/span&gt;

&lt;span class="na"&gt;Hashes differ&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;True&lt;/span&gt;
&lt;span class="na"&gt;SESSION_END.prev_hash chains to WITH-token hash&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;True&lt;/span&gt;
&lt;span class="na"&gt;Token size&lt;/span&gt;&lt;span class="pi"&gt;:&lt;/span&gt; &lt;span class="s"&gt;4633 bytes&lt;/span&gt;
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The hash &lt;code&gt;ff4be53f...&lt;/code&gt; is exactly what the TSA received. Confirmed by parsing the MessageImprint field out of the returned token with &lt;code&gt;openssl ts -reply -text&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;Message data:
    0000 - ff 4b e5 3f 33 3a a8 5e-74 91 96 1e 0d 94 40 93
    0010 - e7 a3 ef 89 6a 39 9d 11-f9 89 67 d0 5b b5 c3 4e
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;That reconstructs to &lt;code&gt;ff4be53f333aa85e7491961e0d944093e7a3ef896a399d11f98967d05bb5c34e&lt;/code&gt;. Byte-for-byte identical.&lt;/p&gt;

&lt;p&gt;The rest of the session chains from &lt;code&gt;db37c1d4...&lt;/code&gt;. Swapping the token changes that hash, which breaks every subsequent &lt;code&gt;prev_hash&lt;/code&gt; link. You cannot substitute the token without breaking the chain. The TSA's statement was produced by an external party and is bound into the record. The operator did not produce it and cannot retroactively produce a different one with a different time.&lt;/p&gt;

&lt;p&gt;Network failures are handled fail-open. If the TSA is unreachable, the session records without a token, and the verifier marks the timestamp check SKIPPED rather than failing the session.&lt;/p&gt;




&lt;h2&gt;
  
  
  What in-process verification does and does not check
&lt;/h2&gt;

&lt;p&gt;The &lt;code&gt;sasana_cli verify&lt;/code&gt; command checks that the token's MessageImprint matches the pre-token hash. It does not verify the TSA's signature chain. A token with a valid hash but a forged TSA signature would pass that check.&lt;/p&gt;

&lt;p&gt;The full verification path requires &lt;code&gt;openssl ts -verify&lt;/code&gt;:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight shell"&gt;&lt;code&gt;&lt;span class="nv"&gt;$ DIGEST&lt;/span&gt;&lt;span class="o"&gt;=&lt;/span&gt;&lt;span class="si"&gt;$(&lt;/span&gt;xxd &lt;span class="nt"&gt;-p&lt;/span&gt; sasana_pre_token_hash.bin | &lt;span class="nb"&gt;tr&lt;/span&gt; &lt;span class="nt"&gt;-d&lt;/span&gt; &lt;span class="s1"&gt;'\n'&lt;/span&gt;&lt;span class="si"&gt;)&lt;/span&gt;
&lt;span class="nv"&gt;$ &lt;/span&gt;openssl ts &lt;span class="nt"&gt;-verify&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
    &lt;span class="nt"&gt;-in&lt;/span&gt; sasana_fresh_token.tsr &lt;span class="se"&gt;\&lt;/span&gt;
    &lt;span class="nt"&gt;-digest&lt;/span&gt; &lt;span class="s2"&gt;"&lt;/span&gt;&lt;span class="nv"&gt;$DIGEST&lt;/span&gt;&lt;span class="s2"&gt;"&lt;/span&gt; &lt;span class="se"&gt;\&lt;/span&gt;
    &lt;span class="nt"&gt;-CAfile&lt;/span&gt; freetsa_ca.pem &lt;span class="se"&gt;\&lt;/span&gt;
    &lt;span class="nt"&gt;-untrusted&lt;/span&gt; freetsa_tsa.crt

Verification: OK
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;&lt;code&gt;Verification: OK&lt;/code&gt; means the TSA's certificate chain is valid, the MessageImprint matches the expected hash, and the token is genuine. The &lt;code&gt;.tsr&lt;/code&gt; file embedded in SESSION_START is sufficient input. No Sasana tooling is involved at this stage, only standard OpenSSL against Freetsa's published root certificate.&lt;/p&gt;




&lt;h2&gt;
  
  
  Article 12
&lt;/h2&gt;

&lt;p&gt;Article 12 requires that logs enable verification of system functioning. The question regulators will ask is not whether the log was modified after it was created. Hash chains handle that. The question is whether the log reflects what actually happened when it happened.&lt;/p&gt;

&lt;p&gt;A session anchored to RFC 3161 provides a verifiable answer to the second question that does not depend on trusting the operator. Any attempt to reconstruct the log for a different time requires forging the TSA's signature. The distinction between &lt;code&gt;NON_AUTHORITATIVE_EVIDENCE&lt;/code&gt; and &lt;code&gt;AUTHORITATIVE_EVIDENCE&lt;/code&gt; is architectural. Compliant evidence requires an external anchor.&lt;/p&gt;




&lt;p&gt;&lt;em&gt;Sasana is an open-source AI session auditing library. Source: &lt;a href="https://github.com/sahiee-dev/Sasana" rel="noopener noreferrer"&gt;github.com/sahiee-dev/Sasana&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

</description>
      <category>ai</category>
      <category>security</category>
      <category>compliance</category>
      <category>euaiact</category>
    </item>
    <item>
      <title>Your AI agent logs satisfy Article 12. They won't survive a dispute.</title>
      <dc:creator>Sahir</dc:creator>
      <pubDate>Sun, 14 Jun 2026 10:11:02 +0000</pubDate>
      <link>https://dev.to/sahiee-dev/your-ai-agent-logs-satisfy-article-12-they-wont-survive-a-dispute-53md</link>
      <guid>https://dev.to/sahiee-dev/your-ai-agent-logs-satisfy-article-12-they-wont-survive-a-dispute-53md</guid>
      <description>&lt;h2&gt;
  
  
  What Article 12 actually says:
&lt;/h2&gt;

&lt;p&gt;The regulation text is precise: &lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;"&lt;em&gt;&lt;strong&gt;High risk AI systems shall be designed and developed with capabilities enabling the automatic recording of events ('logs') throughout the lifetime of the AI system.&lt;/strong&gt;&lt;/em&gt;"&lt;/p&gt;
&lt;/blockquote&gt;

&lt;p&gt;One piece of context compliance consultants should have before reading further: the Digital Omnibus provisional agreement reached on 7 May 2026 moved the high risk deadline for standalone systems to 2 December 2027, pending formal adoption by the European Parliament and Council. The original 2 August 2026 date remains in law until that process completes. For teams doing compliance work now, treat August 2026 as the planning deadline and any extension as a bonus, not because of urgency theater, but because the audit infrastructure work takes months. Starting in Q4 2026 against a December 2027 deadline is still tight.&lt;/p&gt;

&lt;p&gt;Now, to the logs themselves.&lt;/p&gt;




&lt;h2&gt;
  
  
  What your current tooling produces
&lt;/h2&gt;

&lt;p&gt;LangSmith, Arize, Langfuse, Helicone, and Datadog are good tools. They were built for what they do: real time debugging, cost tracking, performance monitoring, and observability. None of this is in dispute.&lt;/p&gt;

&lt;p&gt;What they produce, structurally, is mutable records in operator controlled storage. An administrator with database access or filesystem permissions can modify or delete a record after the fact. There is no detectable trace of that modification. The log still exists. It satisfies Article 12's "automatic recording" requirement. It does not prove it hasn't been touched since the event occurred.&lt;/p&gt;

&lt;p&gt;This is not a criticism of those tools. It is a structural property of how they were designed. They were not designed for evidence production.&lt;/p&gt;

&lt;p&gt;One objection worth addressing directly, because it appears in analyst commentary: "Article 12 does not require tamper evident logging." That is technically correct. The regulation uses "logs," not "tamper evident logs." The counterargument is not about the regulatory minimum, it is about what happens when you need to use the log as evidence.&lt;/p&gt;

&lt;p&gt;Article 9 requires a risk management system for high risk AI systems. When an incident occurs, a credit scoring model produces a discriminatory output, a medical AI diagnostic is challenged, an AI recruitment tool is investigated, and a regulator or counterparty demands your logs, "we have logs but cannot prove they weren't modified" is a gap in your risk management system. The regulation doesn't mandate cryptographic immutability. Defensible evidence production requires it regardless.&lt;/p&gt;

&lt;p&gt;A log that cannot prove its own integrity is not the same as a log that records something.&lt;/p&gt;




&lt;h2&gt;
  
  
  What tamper-evidence actually requires technically
&lt;/h2&gt;

&lt;p&gt;Three properties make a log forensically credible. Each is a distinct technical problem.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Integrity.&lt;/strong&gt; Any modification to a historical record must be detectable. The mechanism:&lt;br&gt;
SHA-256 hash over RFC 8785 canonical JSON, chained via a &lt;code&gt;prev_hash&lt;/code&gt; field. Each event commits to all prior events. Changing any byte in any prior event breaks every subsequent hash. Canonical JSON (RFC 8785) matters because without a deterministic serialization, two implementations can hash the same logical object to different bytes, producing different hashes for identical content, or the same hash for different content. The chain gives you internal consistency: you can verify the log was not modified after the fact.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Attribution.&lt;/strong&gt; A hash chain proves internal consistency. It does not prove who wrote it. An operator who controls the storage can rewrite the entire chain; generating a fresh, internally consistent chain where every hash is correct and every event is fabricated.&lt;/p&gt;

&lt;p&gt;Ed25519 signatures provide attribution. A per session signing key produces a signature over each event's hash. If the key is controlled by the agent operator, this gives you a statement of the form "the operator attests this event occurred." That is weaker than what you need for a dispute, but stronger than an unsigned log. &lt;br&gt;
The distinction matters:&lt;br&gt;
operator-attested evidence and independently-attested evidence are not the same thing.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Independence.&lt;/strong&gt; The entity that seals the log must be structurally separate from the entity that operates the agent. If the same team controls both the agent and the sealing authority, a sophisticated adversary who owns the team can forge both the log and the seal.&lt;/p&gt;

&lt;p&gt;The correct architecture separates these two roles:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;┌──────────────────────────────────────────────────┐
│  Agent process  (operator trust boundary)        │
│                                                  │
│  SDK records events → JSONL                      │
│  SDK cannot emit CHAIN_SEAL events               │
└──────────────────────────┬───────────────────────┘
                           │  POST /seal
                           ▼
┌──────────────────────────────────────────────────┐
│  Archeion sealing server  (security team boundary)│
│                                                  │
│  Verifies hash chain integrity                   │
│  Appends CHAIN_SEAL with Ed25519 signature       │
│  Returns sealed JSONL                            │
└──────────────────────────────────────────────────┘
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The SDK enforces the boundary at the type level: &lt;code&gt;EventType.is_sdk_authority&lt;/code&gt; blocks any attempt by the agent process to emit a &lt;code&gt;CHAIN_SEAL&lt;/code&gt; event. The agent cannot produce its own seal. This is a structural guarantee, not a policy.&lt;/p&gt;

&lt;p&gt;Archeion runs inside your security perimeter, controlled by your security team &amp;amp; not the agent developers. No session content leaves: only hashes pass through &lt;code&gt;POST /seal&lt;/code&gt;. The sealing authority appends one event and returns the sealed log.&lt;/p&gt;




&lt;h2&gt;
  
  
  Evidence classes
&lt;/h2&gt;

&lt;p&gt;Not every deployment has an independent sealing authority. The verifier produces five evidence classes reflecting what can be cryptographically proven given what is present:&lt;/p&gt;

&lt;div class="table-wrapper-paragraph"&gt;&lt;table&gt;
&lt;thead&gt;
&lt;tr&gt;
&lt;th&gt;Class&lt;/th&gt;
&lt;th&gt;What it means&lt;/th&gt;
&lt;th&gt;When you have it&lt;/th&gt;
&lt;/tr&gt;
&lt;/thead&gt;
&lt;tbody&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;AUTHORITATIVE_EVIDENCE&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Independent party sealed it. Agent could not have forged this.&lt;/td&gt;
&lt;td&gt;Archeion sealed&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;SIGNED_NON_AUTHORITATIVE&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Ed25519 signatures present. Requires private key to forge.&lt;/td&gt;
&lt;td&gt;SDK signing enabled&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;NON_AUTHORITATIVE_EVIDENCE&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Hash chain intact. Proves no post hoc modification.&lt;/td&gt;
&lt;td&gt;Default&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;PARTIAL_EVIDENCE&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Chain intact but events were dropped during the session.&lt;/td&gt;
&lt;td&gt;
&lt;code&gt;LOG_DROP&lt;/code&gt; events present&lt;/td&gt;
&lt;/tr&gt;
&lt;tr&gt;
&lt;td&gt;&lt;code&gt;NO_EVIDENCE&lt;/code&gt;&lt;/td&gt;
&lt;td&gt;Chain broken or structurally invalid.&lt;/td&gt;
&lt;td&gt;Verification failed&lt;/td&gt;
&lt;/tr&gt;
&lt;/tbody&gt;
&lt;/table&gt;&lt;/div&gt;

&lt;p&gt;For most internal compliance purposes, &lt;code&gt;NON_AUTHORITATIVE_EVIDENCE&lt;/code&gt; is sufficient. For regulatory submissions and legal proceedings where the operator is a party to the dispute, &lt;code&gt;AUTHORITATIVE_EVIDENCE&lt;/code&gt; is the correct target.&lt;/p&gt;




&lt;h2&gt;
  
  
  What verification looks like
&lt;/h2&gt;



&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="gp"&gt;$&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;sasana verify session.jsonl &lt;span class="nt"&gt;--trust-key&lt;/span&gt; &amp;lt;archeion-pubkey&amp;gt;
&lt;span class="go"&gt;
Sasana Verifier v1.0.0
File     : session.jsonl
Session  : 3f8a2c1d-…
Events   : 7
Evidence : AUTHORITATIVE_EVIDENCE

[1/5] Structural validity  ... PASS
[2/5] Sequence integrity   ... PASS
[3/5] Hash chain integrity ... PASS
[4/5] Session completeness ... PASS
[5/5] Seal signature       ... PASS

Result: INTACT ✅
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;If a single byte in any event is changed after sealing:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight console"&gt;&lt;code&gt;&lt;span class="gp"&gt;$&lt;/span&gt;&lt;span class="w"&gt; &lt;/span&gt;sasana verify tampered.jsonl &lt;span class="nt"&gt;--trust-key&lt;/span&gt; &amp;lt;archeion-pubkey&amp;gt;
&lt;span class="go"&gt;
[3/5] Hash chain integrity ... FAIL
      seq=3: expected 7f3a4b… got d91c08…

Evidence : NO_EVIDENCE
Result   : COMPROMISED ❌
&lt;/span&gt;&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;The verification binary has no external dependencies. It reads one file, checks five properties, and exits 0 (INTACT), 1 (COMPROMISED), 2 (PARTIAL), or 3 (ERROR). No network calls. No API keys. No running server required. A Rust binary ships alongside the Python implementation for forensic environments where Python is not available.&lt;/p&gt;

&lt;p&gt;Archeion is self-hosted: it runs as a container inside your perimeter. The deployment guide covers docker-compose, key lifecycle, and network isolation. The signing key is a CA-root-equivalent: generated once, retained for the lifetime of sealed sessions, rotated only on compromise.&lt;/p&gt;




&lt;h2&gt;
  
  
  What Sasana does not do
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;
&lt;strong&gt;Does not record raw content.&lt;/strong&gt; Hashes only. You cannot reconstruct what the agent said from a Sasana log.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Does not prevent tampering.&lt;/strong&gt; Detects it after the fact. Detection and prevention are different properties.&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Does not replace LangSmith or Arize.&lt;/strong&gt; Those tools are for debugging and observability. Sasana is for evidence production. The two are complementary.&lt;/li&gt;
&lt;li&gt;&lt;strong&gt;Does not rate limit, filter, or modify agent behaviour.&lt;/strong&gt;&lt;/li&gt;
&lt;li&gt;
&lt;strong&gt;Does not currently have a managed cloud offering.&lt;/strong&gt; Self-hosted only.&lt;/li&gt;
&lt;/ul&gt;




&lt;h2&gt;
  
  
  Further reading
&lt;/h2&gt;

&lt;ul&gt;
&lt;li&gt;&lt;a href="https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689" rel="noopener noreferrer"&gt;EU AI Act Article 12 — EUR-Lex official text&lt;/a&gt;&lt;/li&gt;
&lt;li&gt;
&lt;a href="https://datatracker.ietf.org/doc/draft-sharif-agent-audit-trail/" rel="noopener noreferrer"&gt;IETF draft-sharif-agent-audit-trail-00 (March 2026)&lt;/a&gt; — Internet-Draft, expires September 2026. Consult the IETF datatracker for current status.&lt;/li&gt;
&lt;li&gt;&lt;a href="https://github.com/sahiee-dev/Sasana" rel="noopener noreferrer"&gt;Sasana — GitHub&lt;/a&gt;&lt;/li&gt;
&lt;/ul&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>security</category>
      <category>compliance</category>
    </item>
  </channel>
</rss>
