The substrate remembers.
Spawn, kill, capability change, scale event, egress denial, policy violation — every meaningful event enters a per-tenant audit chain. Each entry is hash-linked to the previous, signed by both the brane and the substrate operator, and optionally anchored to a Sigil chain for external long-term verification.
BLAKE3 · per-tenant
Ed25519 · brane + substrate
Sigil chain · optional
manifest-declared · GC-enforced
The properties that matter.
CBOR-canonical · timestamp · event kind · brane DID · payload hash
BLAKE3 hash of (prev_link || record). HEAD is published per-tenant.
Brane signs; substrate co-signs at insertion. Two Ed25519 signatures per record.
Optionally publish HEAD to a Sigil chain block — third-party verifiable forever.
ω audit walk · filter by brane / event kind / time range / signature.
Manifest declares retention; GC enforces; Sigil-anchored HEADs survive GC.
What it looks like running.
```
$ ω audit head
tenant did:omega:tenant:l1fe.ai
HEAD b3:9af2c8e7d3f1...
length 1,283,442
last record 2026-05-01T14:18:11Z
last anchor sigil:omega-audit/block/18,221 (12s ago)
$ ω audit walk --since 1h --kind cap.change
2026-05-01T13:42:18 brane.api add net.http allowlist += [api.next.com]
2026-05-01T14:01:04 brane.archive remove fs.local
2026-05-01T14:11:33 brane.score ttl 30m → 5m (tightened)
```
What you can rely on.
Brane + substrate both sign
Either signature alone is suspect. Both together prove the brane authored the record AND the substrate received it intact.
Sigil-anchored if you want forever
Anchoring HEAD to a Sigil block makes the chain auditable from outside the substrate. We can't rewrite history, even if we wanted to.
Tenant-scoped, exportable
`ω audit export` writes the entire chain to a signed CBOR file. Move tenants between substrates with continuity of audit.
BLAKE3 + CBOR · negligible overhead
Insertions are O(1). Verification is parallelizable per-segment. A 10M-event chain verifies in under 4 seconds on commodity hardware.
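The hash link and dual signature described above can be checked by a verifier that holds only the two public keys and a published HEAD. The sketch below is an added example, not the substrate's own code: SHA-256 stands in for BLAKE3 and raw bytes for the canonical CBOR record so that it runs on Go's standard library alone, and the names `Entry`, `Append` and `Verify`, as well as the choice that both parties sign the link hash, are assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Entry is one chain record; Record stands in for the canonical CBOR bytes.
type Entry struct{ Prev, Record, BraneSig, SubSig []byte }

// link computes H(prev_link || record). SHA-256 stands in for BLAKE3 (not in Go's stdlib).
func link(prev, record []byte) []byte {
	sum := sha256.Sum256(append(append([]byte{}, prev...), record...))
	return sum[:]
}

// Append extends the chain. Assumption: both parties sign the new link hash.
func Append(head, record []byte, brane, sub ed25519.PrivateKey) (Entry, []byte) {
	l := link(head, record)
	return Entry{head, record, ed25519.Sign(brane, l), ed25519.Sign(sub, l)}, l
}

// Verify returns -1 if intact, else the first bad index (len(chain) = HEAD mismatch).
func Verify(chain []Entry, genesis, head []byte, bPub, sPub ed25519.PublicKey) int {
	prev := genesis
	for i, e := range chain {
		l := link(e.Prev, e.Record)
		if !bytes.Equal(e.Prev, prev) || !ed25519.Verify(bPub, l, e.BraneSig) || !ed25519.Verify(sPub, l, e.SubSig) {
			return i
		}
		prev = l
	}
	if !bytes.Equal(prev, head) {
		return len(chain) // truncated or extended relative to the published HEAD
	}
	return -1
}

func main() {
	bp, b, _ := ed25519.GenerateKey(nil) // constructed demo keys
	sp, s, _ := ed25519.GenerateKey(nil)
	gen := make([]byte, 32) // constructed all-zero genesis link
	e1, h1 := Append(gen, []byte("cap.change brane.archive remove fs.local"), b, s)
	e2, h2 := Append(h1, []byte("cap.change brane.score ttl 30m->5m"), b, s)
	fmt.Println(Verify([]Entry{e1, e2}, gen, h2, bp, sp)) // -1
	e1.Record = []byte("cap.change brane.archive add fs.local")
	fmt.Println(Verify([]Entry{e1, e2}, gen, h2, bp, sp)) // 0
}
```

Comparing the walked link against an externally published HEAD is what catches a chain that was truncated but is otherwise internally consistent.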