Provenance Vault · Hash Chain

The Provenance Vault

The execution ledger for every AI action across the enterprise. Every verification, agent decision, and enforcement action is sequenced, cryptographically hashed, and permanently immutable.

SHA-256 Hashing
HMAC Signatures
Chain Linking
Tamper-Evident

Cryptographic Integrity at Every Layer

Every verification anchored to an immutable hash chain.

Hash Chain

Every entry is linked to the previous one via SHA-256. Each entry carries a sequence number, the previous entry's hash (previous_hash), and its own entry_hash, which together form an immutable linked list.

  • Sequential ordering
  • Previous hash linking
  • Gap detection

Digital Signatures

HMAC-SHA256 signature on every entry, verified on every access. Workspace-scoped secrets ensure isolation.

  • HMAC-SHA256 per entry
  • Workspace-scoped secrets
  • Automatic verification on read

Execution Evidence Exports

JSON & HTML execution evidence packs with chain validation and integrity certificates. Filter by date range or entry type.

  • JSON & HTML formats
  • Date range filtering
  • Integrity hash certificates

How Entries Are Recorded

Every API verification automatically creates a signed, chain-linked vault entry. No manual steps. No gaps.

01

Verification Completes

/api/v1/verify finishes with trust score, claims, and governance result.

02

Entry Hashed & Signed

Content SHA-256 hashed, linked to previous entry's hash, HMAC-signed with workspace secret.

03

Chain Extended

Appended with monotonic sequence number, chain state updated. Entry becomes permanently immutable.


AI Execution Ledger

Every AI verification, agent decision, and enforcement action is permanently recorded in the execution ledger. Each record is cryptographically hashed and chained to create a tamper-evident history of how AI systems executed actions across the enterprise.

AI Execution Records

Model verification events recorded via the API

Agent Decision Chains

Multi-step agent execution chains with tool calls

Runtime Events

Chain validations, exports, system events

Tamper Alerts

Automatic integrity violation detection

Vault API

Browse, validate, and export vault entries through the Sentinel Vault v2 API. Every endpoint returns cryptographic proof alongside the data.

  • Paginated entry browsing
  • Chain validation
  • Execution evidence pack generation
  • Merkle proofs per entry
  • GET /entries
  • POST /export
  • POST /validate
  • GET /proof

GET /api/sentinel/vault/v2/entries/<id>
{
  "entry_id": "ve_a1b2c3d4e5f6...",
  "entry_type": "verification_llm",
  "sequence_number": 847,
  "previous_hash": "e3b0c44298fc...",
  "content_hash": "a7f3b9c8d2e1...",
  "entry_hash": "9f86d081884c...",
  "signature": "d4735e3a265e...",
  "trust_score": 82,
  "verification_status": "verified",
  "verification": {
    "signature_valid": true,
    "hash_algorithm": "sha256",
    "signature_algorithm": "hmac-sha256"
  }
}

Chain Integrity

Every entry is cryptographically linked to the one before it. If any entry is modified after the fact, the hash chain breaks immediately.

Chain Validation

POST /validate walks the full chain verifying each hash link, signature, and sequence number.

Merkle Proofs

GET /entries/<id>/proof returns per-entry cryptographic proofs with chain context.

Tamper Detection

If any entry is modified, the hash chain breaks immediately. Content hash, entry hash, and HMAC signature all fail together.
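
The validation walk described above (hash link, signature, and sequence number per entry), as an added example that is not Provenance Vault's own code. The field layout behind content_hash and entry_hash, the all-zero genesis hash, the `content` field, and the sample entries are assumptions, since the page does not specify them.

```python
import hashlib, hmac, json

GENESIS = "0" * 64  # assumed previous_hash for the first entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def digests(seq: int, prev: str, content: dict, secret: bytes):
    # Assumed layout; the page does not say which fields each hash covers.
    content_hash = sha256_hex(json.dumps(content, sort_keys=True).encode())
    entry_hash = sha256_hex(f"{seq}|{prev}|{content_hash}".encode())
    signature = hmac.new(secret, entry_hash.encode(), hashlib.sha256).hexdigest()
    return content_hash, entry_hash, signature

def append(chain: list, content: dict, secret: bytes) -> None:
    seq = len(chain) + 1
    prev = chain[-1]["entry_hash"] if chain else GENESIS
    content_hash, entry_hash, signature = digests(seq, prev, content, secret)
    chain.append({"sequence_number": seq, "previous_hash": prev, "content": content,
                  "content_hash": content_hash, "entry_hash": entry_hash,
                  "signature": signature})

def validate(chain: list, secret: bytes) -> list:
    """Return (sequence_number, problem) for every check that fails."""
    problems, prev, expected = [], GENESIS, 1
    for e in chain:
        seq = e["sequence_number"]
        if seq != expected:
            problems.append((seq, "sequence gap"))
        if e["previous_hash"] != prev:
            problems.append((seq, "broken link"))
        # Recompute everything from the stored content; never trust stored digests.
        c, h, s = digests(seq, e["previous_hash"], e["content"], secret)
        if c != e["content_hash"]:
            problems.append((seq, "content hash mismatch"))
        if h != e["entry_hash"]:
            problems.append((seq, "entry hash mismatch"))
        if not hmac.compare_digest(s, e["signature"]):
            problems.append((seq, "bad signature"))
        prev, expected = e["entry_hash"], seq + 1
    return problems

def demo_chain(secret: bytes) -> list:
    chain = []  # constructed sample entries, not real vault data
    for score in (82, 91, 67, 75):
        append(chain, {"entry_type": "verification_llm", "trust_score": score}, secret)
    return chain
```

Editing one entry's content makes `validate` report the content hash, entry hash, and signature for that entry together, and removing an entry shows up as a sequence gap plus a broken link on its successor. Because HMAC is symmetric, the signature check only convinces a party that holds the workspace secret.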


Every Verification. Permanently Recorded.

Request a demo to see how the Provenance Vault creates an immutable, cryptographically signed audit trail for every AI verification.
