惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

L
LINUX DO - 最新话题
小众软件
小众软件
C
Check Point Blog
酷 壳 – CoolShell
酷 壳 – CoolShell
V
Visual Studio Blog
Last Week in AI
Last Week in AI
P
Proofpoint News Feed
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
The GitHub Blog
The GitHub Blog
T
Tailwind CSS Blog
Recorded Future
Recorded Future
雷峰网
雷峰网
WordPress大学
WordPress大学
A
Arctic Wolf
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
Project Zero
Project Zero
T
Tor Project blog
T
Threat Research - Cisco Blogs
Scott Helme
Scott Helme
Spread Privacy
Spread Privacy
G
Google Developers Blog
Security Latest
Security Latest
MongoDB | Blog
MongoDB | Blog
T
Threatpost
I
InfoQ
T
Tenable Blog
T
The Exploit Database - CXSecurity.com
S
Security Affairs
H
Hackread – Cybersecurity News, Data Breaches, AI and More
人人都是产品经理
人人都是产品经理
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
aimingoo的专栏
aimingoo的专栏
C
CXSECURITY Database RSS Feed - CXSecurity.com
美团技术团队
Google DeepMind News
Google DeepMind News
The Hacker News
The Hacker News
D
Docker
博客园 - 【当耐特】
大猫的无限游戏
大猫的无限游戏
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
Vercel News
Vercel News
PCI Perspectives
PCI Perspectives
Microsoft Azure Blog
Microsoft Azure Blog
C
CERT Recently Published Vulnerability Notes
月光博客
月光博客
Cloudbric
Cloudbric
A
About on SuperTechFans
F
Fortinet All Blogs

DEV Community

Authentication Security Deep Dive: From Brute Force to Salted Hashing (With Java Examples) Why AI Systems Don’t Fail — They Drift Spilling beans for how i learn for exam😁"Reinforcement Learning Cheat Sheet" I Replaced Chrome with Safari for AI Browser Automation. Here's What Broke (and What Finally Worked) How Python Borrows Other People's Work The $40 Architecture: Processing 1 Billion API Requests with 99.99% Uptime Vibe Coding: A Workflow Guide (From Zero to SaaS) Most webhook security guides protect the wrong side. The scary part is delivery. Headless CMS for TanStack Start: Build a Blog with Cosmic EU Age Verification App "Hacked in 2 Minutes" — What Actually Happened Comfy Cloud’s delete function does not actually remove files Running AI Models on GPU Cloud Servers: A Beginner Guide Event-driven media intelligence with AWS Step Functions and Bedrock I scored 500 AI prompts across 8 quality dimensions — here's what broke How to Call Google Gemini API from Next.js (Free Tier, No Backend Needed) The Portal Protocol: Reclaiming Human Connection in the Age of AI How to Fix Your Team's Scattered Knowledge Problem With a Self-Hosted Forum Intro to tc Cloud Functors: A Graph-First Mental Model for the Modern Cloud Designing Multi-Tenant Backends With Both Ownership and Team Access I Built a Neumorphic CSS Library with 77+ Components — Here's What I Learned PostgreSQL Performance Optimization: Why Connection Pooling Is Critical at Scale Cómo construí un SaaS multi-rubro para gestionar expensas en Argentina con FastAPI + Vue 3 🚀 I Built an Ethical Hacking Scanner Tool – Open Source Project I Replaced /usage and /context in Claude Code With a Single Statusline A Pythonic Way to Handle Emails (IMAP/SMTP) with Auto-Discovery and AI-Ready Design I Collected 8.9 Million Polymarket Price Points — Here's What I Found About How Markets Really Move EcoTrack AI — Carbon Footprint Tracker & Dashboard Everyone's Using AI. No One Agrees How. 5 self-hosted ebook managers worth trying in 2026 Building Your First AI Agent with LangChain: From Chatbot to Autonomous Assistant Common SOC 2 Failures (Real World) Stop Vibe-Checking Your AI App: A Practical Guide to Evals How to Use SonarQube and SonarScanner Locally to Level Up Your Code Quality Your Next To-Do App Is Dead — I Replaced Mine with an OpenClaw AI Sign a Nostr event in 60 lines of Python using coincurve — no nostr-sdk, no nbxplorer, no rust toolchain ITGC Audit Explained Like You’re in Big 4 Patch Tuesday abril 2026: Microsoft parcha 163 vulnerabilidades y un zero-day en SharePoint Stop scraping everything: a better way to track competitor price changes Listing on MCPize + the Official MCP Registry while routing payments OUTSIDE the marketplace — how I kept 100% of my x402 revenue Building an AI-Powered Risk Intelligence System Using Serverless Architecture Why We Ripped Function Overloading Out of Our AI Toolchain Testing AI-Generated Code: How to Actually Know If It Works SaaS Churn Is Killing Your Business. Here Is What to Do About It (Without a Support Team) The Speed of AI Is No Longer Linear - And Self-Improving Models Are Why How to Implement RBAC for MCP Tools: A Practical Guide for Engineering Teams From Standard Quote to Persuasive Proposal: AI Automation for Arborists I built a CLI that scaffolds complete multi-tenant SaaS apps Axios CVE-2025–62718: The Silent SSRF Bug That Could Be Hiding in Your Node.js App Right Now The dashboard that ended our friendship Data Pipelines Explained Simply (and How to Build Them with Python) The Hidden Cost of AI Systems Nobody Talks About. undefined vs undeclared, and how typeof behaves Switching from file-based jobs to NATS/Kafka in Rust without changing code io_uring Adventures: Rust Servers That Love Syscalls Why Agentic AI is Killing the Traditional Database The POUR principles of web accessibility for developers and designers Quantum Neural Network 3D — A Deep Dive into Interactive WebGL Visualization How To Install Caveman In Codex On macOS And Windows Automation Pipeline Reliability: Why Your Workflow Breaks When Nobody Is Watching I Built an 'Open World' AI Coding Agent — It Works From ANY Folder From Freelancing to Product: A Tech Service Company's SaaS Transformation China's AI Giants: Adding Tencent Hunyuan & ByteDance Doubao to AI University (74 Providers) On the Vibe Coders and Their Lies clerk: Auto-Summarize Your Claude Code Sessions AI Weekly — 2026/04/10–04/17 | The Model Lockdown Is Here, but the Toolchain Is the Real Battleground AI 週報 — 2026/04/10–2026/04/17 模型封鎖潮來了,但工具鏈才是真戰場 Maybe this is how Open-Source apps are born... 🚀 Fine-Tune LLMs with LoRA and QLoRA: 2026 Guide tRPC v11 + Next.js App Router: End-to-End Type Safety Without the Boilerplate ShadCN UI in 2026: Why I Stopped Installing Component Libraries and Started Owning My Components SaaS Billing in React Server Components: Stripe + Supabase Without a Single `useEffect` Join our DEV Weekend Challenge — $1,000 in Prizes Across TEN winners! Submissions Due April 20 at 6:59 AM UTC. Implementing FSRS Spaced Repetition in Flutter + Supabase — Adding Memory Science to an AI Learning App "I Texted My Localhost From the Train — Claude Code Fixed the Bug Before I Got Home" I Built a Sales Prep AI and It Went Deeper Than Expected Design to Code #2: One JSON, Eleven Outputs Solving the 100M-Row Problem: A Summary Table Pattern for High-Volume Push Notification Logs Flutter Web With Wasm: What Actually Changes For Developers I Built 50 Royalty-Free Soundtracks for My Side Project in a Weekend Using AI Music Generation The Vibe Coding Security Checklist: 7 Things to Check Before You Ship Stop Letting Googlebot Guess Fix Your React App's SEO Right Desconstruindo o Streaming do LinkedIn: Como Criar um Engine de Extração de Vídeo de Alta Performance com HLS e FFmpeg (EDA Part-1) EDA (Exploratory Data Analysis) Explained With Real Life — Why Looking at Your Data Is the Most Important Step in Machine Learning Brand Relationship Management at Scale: Our 4-Touch Outreach System for 200+ Brands Why String.fromEnvironment() Might Return an Empty String in Dart JGuardrails 1.0.0 — Hardening Java LLM Apps Against Jailbreaks, Toxicity, and Prompt Injection Plan and Schedule a Full Week of Threads Content From One Claude Conversation Coding Cat Oran Ep3, Five Tables Changed Everything Updated: BFF Pattern I'm done watching freelancers get buried by 200 proposals. So I'm building the alternative. This is my first post BFS Algorithm in Java Step by Step Tutorial with Examples Tracking LLM Pricing Monthly: An Open Dataset for 22 AI Models How We Measure Content ROI on a Comparison Site: Revenue Attribution Without Perfect Data Introducing Nova AI Ops: The AI-Native Operating System for SRE Teams I built a free desktop video downloader for Windows — Grabbit How Talkie OCR Helps Vision-Impaired & Dyslexic Users Read the World Around Them VRCFaceTracking安装和iPhone面捕配置教程,有bug Even CrowdStrike Can't See Your Agents The Automation Gold Rush: What n8n Workflows and Claude Are Opening Up for Developers Right Now
AGEF explained: a portable evidence format for AI agent sessions
Radoslav Tsv · 2026-05-07 · via DEV Community

If you ship AI-assisted code in a regulated codebase and somebody asks "show me what the agent did", you have about a week before that question turns into a finding. The data exists somewhere. It is not in a single shape. It is rarely portable. It is almost never tamper evident.

AGEF is the spec I wrote to fix that. It stands for Agent Governance Evidence Format. The current text is v0.1.1 (pre-stable), with wire format agef_version: "0.1". The repo is at github.com/radotsvetkov/agef. Spec text is CC BY 4.0. Code is Apache-2.0. Akmon is the reference implementation; akmon-journal is a Substrate Profile, and Akmon Phase 4 brings full Bundle Profile support.

This article walks the spec end to end, with code, and with the design choices I made.

What AGEF actually is

AGEF defines how one AI agent session can be represented as a portable, tamper-evident bundle. A session is a logical run from SessionStart to SessionEnd. The bundle captures every event in order, with cryptographic linkage and content-addressed payloads.

The bundle is a tar.zst archive with three top-level paths:

  • manifest.json, a small UTF-8 JSON file with sorted keys and LF newlines.
  • events.bin, an ordered stream of length-delimited canonical CBOR event records.
  • objects/<hex>, a directory of content-addressed object files (one per hash).

That is the whole shape. Verifiers ignore unknown non-normative files unless explicitly configured to reject them.

The manifest

{
  "agef_version": "0.1",
  "producer": {"name": "akmon", "version": "2.0.0"},
  "session": {
    "id": "550e8400-e29b-41d4-a716-446655440000",
    "head": "5c1f8b2a3d4e7f6a8b1d3e2c4f6a8b9d2c3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c",
    "created_at": "2026-05-06T09:14:02Z",
    "ended_at": "2026-05-06T09:14:18Z"
  },
  "hash_algorithm": "sha256",
  "object_count": 12,
  "event_count": 9
}

Enter fullscreen mode Exit fullscreen mode

A reader who has never seen the producer can answer four things from this object: which version of the format, who wrote it, when, and how big it is. Writers must keep counts honest. Readers must reject malformed or incomplete required fields.

Default hash algorithm is sha256. Readers must support sha256 and may support blake3. Bundles that declare unsupported algorithms must be rejected. Hex appears only in the manifest (session.head) and in object filenames. Hashes inside CBOR-encoded events are 32-byte byte strings.

The events stream

events.bin is the substance. It is a sequence of records, each framed by a 4-byte unsigned big-endian length prefix followed by exactly that many bytes of canonical CBOR encoding one event.

Length-delimited framing was a deliberate trade. It supports partial recovery from truncation and lets a verifier scan deterministically. Producers commit to canonical CBOR per RFC 8949.

Each event encodes:

  • parents, an array of zero or more parent event hashes.
  • kind, one of the closed event kinds in v0.1.
  • emitted_at, a CBOR tag 1 timestamp (integer epoch seconds, or floating point for sub-second precision).
  • sequence, monotonic per session, starting at 0.

Linkage rules are strict in v0.1:

  • sequence starts at 0 and increases by exactly 1 per event.
  • Every event except SessionStart has at least one parent.
  • SessionStart has exactly zero parents.
  • Every non-SessionStart event in v0.1 has exactly one parent, and that parent is the hash of the immediately preceding event by sequence. Multi-parent events are reserved for future versions.
  • Event hashes are computed over canonical CBOR bytes of the full event envelope.
  • Event ordering in events.bin matches sequence.

Event kinds in v0.1 (closed set)

Readers must recognize exactly these kinds in v0.1. Unknown kinds are rejected.

  • SessionStart: opens the session, fields cwd_hash and config_hash.
  • UserTurn: a user prompt, field prompt_hash.
  • ProviderCall: a model provider call, field provider_id, an attempts[] array of AttemptRecord, optional stream_hash.
  • ToolCall: a tool execution, fields tool_id, input_hash, output_hash, optional side_effects_hash.
  • RetrievalCall: a retrieval, fields index_id, query_hash, results_hash.
  • PermissionGate: a policy decision, fields policy_id, decision (string, recommended lowercase verbs like allowed, denied, deferred), context_hash.
  • AssistantTurn: an assistant message, fields message_hash, optional tool_calls_hash.
  • SessionEnd: closes the session, optional summary_hash.

ProviderCall.attempts[] preserves chronological order. Each AttemptRecord has attempt_number (1-indexed), started_at, ended_at, a closed AttemptStatus, request_hash, optional response_hash, optional stream_hash, optional error_message. AttemptStatus is one of Success, RateLimited, NetworkError, ServerError, ClientError, Cancelled, or Other(string). v0.1 readers reject unknown variants.

Two design notes worth calling out.

First, PermissionGate.decision is open in v0.1. The spec recommends lowercase verbs but does not close the set. Closing it is a likely v1.0 change. If you are a producer, follow the recommendation now to make the v1 transition free.

Second, AttemptStatus and EventKind are intentionally closed. The cost is that adding a new variant is a normative spec change. The benefit is that two implementations cannot legitimately disagree on the meaning of a record.

The objects directory

Every object referenced by an event hash field exists as a file at objects/<hex> where <hex> is the lowercase hex digest for the active hash algorithm. Object bytes hash to their filename digest. Objects are opaque bytes; AGEF v0.1 does not require MIME metadata.

A typical bundle has many small objects (prompts, tool inputs, tool outputs, file diffs) and a few large ones (full file contents). Storage is efficient because identical content hashes once.

Hashing rules

default: sha256
optional: blake3

Enter fullscreen mode Exit fullscreen mode

Readers must support sha256. They may support blake3. Within CBOR-encoded events, hashes must be encoded as CBOR byte strings (major type 2) of length 32 for both algorithms. Hex string representation is used only in manifest.json (session.head) and in object filenames. Once you internalize that, the rest of the spec falls into place.

Serialization rules in one paragraph

Event payloads in events.bin use canonical CBOR (RFC 8949). manifest.json is UTF-8 JSON with sorted keys and LF endings. Timestamps in CBOR-encoded events use CBOR tag 1. Producers may emit either integer epoch seconds or floating point; readers must accept both. The reference implementation akmon-journal v0.1 emits integer epoch seconds. Timestamps in manifest.json use RFC3339 strings. Implementations may use any internal storage format; AGEF rules apply only to the bytes emitted in events.bin and to the bytes used for event hashing.

Verification procedure

A conforming verifier runs this sequence:

  1. Extract the archive.
  2. Parse manifest.json. Reject on schema or version failure.
  3. Read events.bin using the 4-byte length-delimited framing.
  4. For each event: decode canonical CBOR, recompute event hash, verify sequence monotonicity, verify all parents resolve to previously seen events, verify referenced content hashes resolve to files in objects/.
  5. For each referenced object: read bytes, hash with manifest.hash_algorithm, compare to filename digest.
  6. Confirm manifest.event_count equals decoded event count, manifest.object_count equals object file count, manifest.session.head equals terminal event hash, and SessionStart is a reachable ancestor of head.

Default operation fails on the first invariant violation. Implementations may offer a "report-all" mode for diagnostics. They must not claim successful verification unless all required checks pass.

Conformance profiles

AGEF v0.1 defines two profiles:

  • Bundle Profile, an implementation that produces or consumes AGEF bundles.
  • Substrate Profile, an implementation that maintains an AGEF-compatible content-addressed event journal but does not necessarily emit bundles directly.

A Substrate Profile must be able to produce Bundle Profile output through an export pathway when required.

akmon-journal is currently a Substrate Profile. Akmon Phase 4 introduces Bundle Profile capability.

If you are an implementer, knowing which profile you are claiming is the most important conformance question.

Producing AGEF in practice

If you use Akmon, you already produce AGEF. Sessions land in .akmon/audit/<session-id>.jsonl and .akmon/evidence/<session-id>.json. With Phase 4 export, the same session is portable as a .akmon bundle.

If you build your own producer, the spec lists the libraries known to produce canonical CBOR with the right configuration: ciborium for Rust, fxamacker/cbor for Go, cbor2 for Python, cbor-x for JavaScript and TypeScript. Validate canonical encoding behavior with test vectors before claiming conformance.

Reading and verifying AGEF

For Akmon-produced bundles, the verification commands are part of the trust pipeline:

# Verify audit chain integrity for the live session journal
akmon audit verify .akmon/audit/<session-id>.jsonl

# Verify the evidence summary plus its linkage to the audit chain
akmon evidence verify .akmon/evidence/<session-id>.json

# Once Phase 4 export is on hand, verify a bundle on import
akmon bundle import evidence.akmon --verify-only

Enter fullscreen mode Exit fullscreen mode

Independent verifier implementations are welcome. The spec is small enough to implement in a weekend if you start with a CBOR library that supports canonical encoding.

Security considerations

AGEF provides tamper evidence and portability. It does not provide identity attribution by itself. If producer trust matters in your environment, layer external signing on top of the bundle. Bundles may contain sensitive content; storage and sharing controls are the operator's job. Verification proves integrity, not semantic correctness.

For sharing, the redaction flow is the right answer. With Akmon:

akmon redact <session-id> \
  --output sanitized.akmon \
  --object <object-hash> \
  --reason "Removed customer name before audit handoff"

Enter fullscreen mode Exit fullscreen mode

This produces a derivative bundle in which the targeted objects are replaced by canonical CBOR sentinels. The sentinel payload records the original hash, original size, the supplied reason, and a redacted_at timestamp. The chain still verifies because the sentinel hashes correctly, and the audit trail makes the redaction explicit.

Compatibility and evolution

v0.x is pre-stable. Breaking changes are permitted. Future versions should preserve forward migration guidance. v1.0 is the first stable major. New event kinds in future majors must be version-gated. v0.1 readers must not silently ignore unknown required semantics.

If you build against v0.1, plan for one migration to v1.0. If you are a careful producer, the migration is small.

Why a new format

Three reasons.

First, no shared shape exists today. Every framework, every vendor, every gateway writes its own. A reviewer cannot move between them. The cost of a new format is small compared to the cost of having no shared format.

Second, evidence has a different audience than observability. Observability is for engineers in the moment. Evidence is for reviewers, regulators, customers, and the version of you reading the file in a year. Different shape, different guarantees, different expectations.

Third, regulated engineering needs an answer that does not depend on a vendor dashboard. The portability requirement is real. AGEF is built for it.

What you can do this week

If you build AI tooling, three small steps:

  1. Read SPEC.md end to end. It is short on purpose.
  2. Implement a Bundle Profile verifier in your language of choice. Use the test vectors that ship in the examples/minimal-bundle folder.
  3. Open an issue on the AGEF repo. Tell me what your runtime emits today and where the spec helps or gets in the way.

If you ship a coding agent, the smallest first step is one binary and the trust pipeline. The repo is at github.com/radotsvetkov/akmon.

The format spec is at github.com/radotsvetkov/agef.
The site is at radotsvetkov.github.io/akmon.

Standards become standards by being used. Implementations are welcome.