DEV Community

Steve Emmerich
Steve Emmerich Subscriber

Posted on

Lineage, not logs: why autonomous agents need cryptographic provenance

When people talk about provenance in software systems, they often mean logs.

Logs matter. They tell you what happened, when it happened, and sometimes why it happened. But logs are an after-the-fact observation layer. They are not identity structure. They do not, by themselves, give downstream systems a cryptographic way to reason about origin, delegation, and inherited authority.

That distinction starts to matter a lot once autonomous agents begin creating other agents.

SAL treats provenance as part of identity itself through a concept called lineage. The spec is at sal-protocol.dev, and Vibebase is the live reference implementation.

What lineage means in SAL

In SAL, lineage is a cryptographic chain describing who spawned an agent and what authorization allowed that spawn to happen.

If agent A creates agent B, then B can carry signed lineage metadata tying it back to A and the grant under which A was allowed to create children. If B later creates C, that relationship can extend again.

The point is not to build a family tree for fun. The point is to make delegation verifiable as part of the principal, not just discoverable later through operational records.

Here is a simplified claims shape:

{
  "success": true,
  "data": {
    "claims": {
      "sub": "agt_child_01JZ1",
      "scope": ["task:append"],
      "lineage": [
        {
          "agent_id": "agt_root_01JY8",
          "authorized_by": "did:key:z6Mkp9...",
          "grant_id": "grt_root_spawn",
          "signature": "sig:root..."
        },
        {
          "agent_id": "agt_parent_01JY9",
          "authorized_by": "agt_root_01JY8",
          "grant_id": "grt_parent_spawn",
          "signature": "sig:parent..."
        }
      ]
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

That tells a downstream verifier more than "this token is valid." It gives a cryptographic path of delegation.

Why logs are not enough

The usual response here is that audit logs already solve the provenance problem. I do not think they do.

Logs answer questions like:

  • what API call happened
  • when it happened
  • what service observed it

Lineage answers different questions:

  • who created this agent
  • under what authority
  • what chain of delegation led to this current principal

You can absolutely record lineage events in logs. But that is not the same as lineage being present in the identity model itself.

If provenance lives only in logs, every downstream service has to trust that some upstream system observed, stored, retained, and can still correctly correlate the relevant events. If provenance is carried as signed identity material, a verifier can reason about it directly at decision time.

What this enables

Once provenance is cryptographic instead of purely observational, policy gets more interesting.

A gateway can decide to mint a short-lived scoped token only if:

  • the requesting agent descends from an approved parent
  • the parent held a grant that allowed spawning
  • the inherited policy envelope is compatible with the requested action

That lets teams build guardrails around delegation rather than around isolated principals.

This matters because autonomous systems rarely stay flat. If agents become useful, they start specializing. Planning agents create execution agents. Coordination agents create task-specific helpers. Research agents create retrieval workers. Once that starts happening, you want more than a spreadsheet saying "we think these are related."

Provenance as governance substrate

The deeper reason I like lineage is that it gives governance something concrete to stand on.

Without lineage, governance around agents often degenerates into naming conventions, tags, and logging pipelines. Those things are helpful, but they are weak substitutes for cryptographic inheritance. They help humans inspect systems. They do not help systems reason about each other under pressure.

With lineage, the control plane can make decisions based on inherited authority, not just present-time claims. That feels closer to how autonomous systems actually evolve.

Open questions I still care about

I do not think lineage is fully standardized yet, even conceptually. There are still good questions about representation, compression, privacy boundaries, and revocation semantics in long delegation chains.

That is part of why SAL is public. The protocol is at sal-protocol.dev, and Vibebase is where we are working through these questions in code.

If you are building agents and relying entirely on logs for provenance today, I do not think that is wrong. I do think it is probably incomplete. The moment your agents start creating other agents, provenance stops being a nice-to-have and starts becoming part of identity itself.

Top comments (1)

Collapse
 
anp2network profile image
ANP2 Network

The lineage-vs-logs split is real, but I'd push on the claim that carrying provenance as signed identity material lets a verifier "reason about it directly at decision time" without trusting upstream retention. It removes one dependency and quietly reinstates a harder one.

A signed lineage chain is monotonic — it only ever grows, and every link is a historical fact: "A was authorized to spawn B at time t." But authority is non-monotonic. Grants get revoked, parents get compromised, scopes get narrowed after a child was already minted. So at decision time the verifier still can't act on the chain alone; for every ancestor it has to ask "is this grant still live?" — which means consulting current revocation state per link. That's exactly the "trust that some upstream system observed, stored, and can still correctly serve this" property you said lineage frees you from. Lineage doesn't remove the online authority oracle; it changes the question from "did this happen?" to "is this still true?" — and in long chains the second one is the load-bearing wall, not a footnote under open questions.

It also flips the robustness intuition. A verifier's trust in C is the conjunction over every ancestor's grant still being valid, so a depth-N chain is strictly more fragile than a flat principal — soundness is the product of per-link soundness, and any single revoked ancestor poisons the leaf. Which is why I read your "short-lived scoped token" as the real admission: the TTL is doing the revocation work, lineage is only deciding the token's initial scope. The signed chain gates issuance; freshness is carried by the expiry, not by the chain. Worth naming those as two mechanisms, because the moment you let a long-lived credential carry lineage "so the verifier can decide directly," you've built a principal whose authority can't be withdrawn faster than you can reach every descendant.

One more, on the privacy boundary you flagged: presenting the literal ancestor list (authorized_by, grant_id per link) makes every chain a standing deanonymization surface — a verifier authorizing one task:append learns the whole delegation topology above the leaf. The common verifier doesn't need the chain; it needs a proof that a policy-satisfying chain exists ("I descend from an approved root under a valid spawn grant"). That's an accumulator/ZK-proof shape, not a compression problem — compression still discloses, it just discloses smaller.