The core sub-protocol of ATLAST. Every AI agent action recorded as a cryptographically signed, SHA-256 hash-linked evidence chain — tamper-proof, verifiable, and permanent.
ECP (Evidence Chain Protocol) is the foundational data layer of the ATLAST Protocol. It answers the most critical question in the agent economy: "What did this AI agent actually do?"
Every action — every API call, every tool use, every decision — is recorded as a structured, cryptographically signed log entry. These entries are hash-linked into an immutable chain, creating a permanent, verifiable evidence trail.
Your AI agent makes an API call, uses a tool, or produces output.
Input, reasoning, execution steps, output, confidence score — all structured as a JSON record.
The record is signed with the agent's DID (Decentralized Identifier) and hash-linked to the previous record using SHA-256.
The hash can be anchored on Base blockchain via EAS (Ethereum Attestation Service) for permanent, public verifiability.
{
"version": "1.0",
"chain_id": "ec_1711234567_a1b2c3",
"agent_id": "did:atlast:agent-xyz-123",
"timestamp": "2026-03-30T12:00:00Z",
"input": {
"raw": "User instruction...",
"context_hash": "sha256:a1b2c3..."
},
"reasoning": {
"thinking": "Agent's reasoning process...",
"chosen_approach": "Selected method..."
},
"execution": [{
"step": 1,
"action": "tool_call",
"duration_ms": 123
}],
"confidence": { "score": 0.95 },
"integrity": {
"chain_hash": "sha256:...",
"agent_signature": "..."
}
}
Each ECP record contains the hash of the previous record, creating an unbreakable chain. If anyone tampers with any record, every subsequent hash breaks — making tampering immediately detectable. This is the same principle that secures blockchain, applied specifically to AI agent behavior.
Key guarantee: Once an ECP record is created, it cannot be modified without detection. Your agent's track record is permanent and trustworthy.
# Install the Python SDK pip install atlast-ecp # Or use the zero-code proxy atlast run python my_agent.py # Or integrate with any framework from atlast import track @track(agent_id="my-agent") def my_agent_function(): ...
The EU AI Act (enforcement begins 2027) requires audit trails, transparency, and accountability for high-risk AI systems. ECP provides exactly this — cryptographically verifiable evidence chains that satisfy compliance requirements out of the box. Early adopters build their compliance infrastructure before it becomes mandatory.
ECP doesn't just record actions — it analyzes them. Eight trust signals are automatically detected from evidence chains:
| Signal | What It Detects | Impact on Trust Score |
|---|---|---|
| retried | Agent retried a failed action | Positive (resilience) |
| hedged | Agent expressed uncertainty | Positive (honesty) |
| error | Action resulted in an error | Negative (if frequent) |
| high_latency | Action took unusually long | Neutral (context-dependent) |
| tool_misuse | Agent used a tool incorrectly | Negative |
| self_corrected | Agent caught and fixed its own mistake | Positive (reliability) |
| hallucination_detected | Output contradicts verified data | Negative |
| human_escalated | Agent correctly deferred to human | Positive (safety awareness) |
These signals feed into the AI Agent Trust Score (0–1000), providing a quantified measure of agent reliability.
A critical design principle of ECP is privacy by default:
ECP records are standardized across all SDKs. A chain created by the Python SDK can be verified by the TypeScript SDK, and vice versa. This is critical for multi-agent systems where different agents may use different languages:
# Python: create evidence from atlast_ecp import ECP ecp = ECP(agent_id="agent-python") record = ecp.record(action="analyze_data", input={...}, output={...}) // TypeScript: verify the same evidence import { verify } from 'atlast-ecp-ts' const valid = await verify(record.chain_hash) // true ✓
| Feature | Application Logs | ECP Evidence Chains |
|---|---|---|
| Tamper-proof | No — logs can be edited/deleted | Yes — hash chain breaks on any change |
| Standardized | No — every app has different format | Yes — universal ECP schema |
| Signed | No — no proof of origin | Yes — Ed25519 agent signatures |
| Legally admissible | Weak — easily disputed | Strong — cryptographic proof |
| Cross-platform | No — siloed per application | Yes — portable across platforms |
| Privacy-preserving | Stores raw data | Hash-only transmission |
Understanding the full lifecycle of an ECP evidence record helps you see why this protocol is fundamentally different from traditional logging. Here is a detailed walkthrough of what happens from the moment your agent takes an action to the point where that action becomes a permanent, verifiable part of the agent's history.
When your AI agent starts, the ECP SDK generates or loads a Decentralized Identifier (DID) and an Ed25519 key pair. This identity is unique to your agent and persists across sessions. The DID format follows W3C standards: did:ecp:<hash>. Every subsequent evidence record will be cryptographically bound to this identity, ensuring that records cannot be attributed to a different agent.
ECP captures agent actions through one of three integration methods. Layer 0 (Zero-Code): the atlast run command wraps your agent process and intercepts all outgoing API calls transparently. Layer 1 (SDK): the wrap() function wraps your OpenAI or Anthropic client, capturing requests and responses at the SDK level. Layer 2 (Framework Adapters): callbacks for LangChain, CrewAI, and AutoGen capture framework-specific events like tool calls, chain completions, and agent decisions.
For each captured action, ECP constructs a structured JSON record containing: the raw input (user prompt or trigger), the agent's reasoning or chain-of-thought (if available), execution details (tool calls, API parameters, duration), the output produced, a confidence score, token usage metrics, and any trust signals detected (retried, hedged, error, self_corrected, etc.). This structured approach ensures that every dimension of the agent's behavior is captured consistently.
The raw content — prompts, responses, tool inputs and outputs — is stored locally in the Content Vault at ~/.ecp/vault/. This data never leaves your machine unless you explicitly choose to share it. The vault uses a commit-reveal architecture: you can prove that specific evidence exists (via its hash) without revealing the actual content until you choose to.
The record is serialized and hashed using SHA-256. Critically, this hash includes the previous record's hash, creating an unbreakable chain. If record #47 references the hash of record #46, and record #46 references the hash of record #45, any tampering with record #45 would invalidate the hashes of every subsequent record. This is the same immutability principle that secures blockchain technology, applied specifically to AI agent behavior.
The hash-linked record is then signed with the agent's Ed25519 private key. This signature proves two things: (a) the record was created by this specific agent (identity binding), and (b) the record has not been modified since the agent created it (integrity guarantee). Ed25519 was chosen for its speed (sub-microsecond signing), security (128-bit equivalent), and compact signatures (64 bytes).
The signed, hash-linked record is appended to a local JSONL file at ~/.ecp/records/. JSONL (JSON Lines) format ensures records are append-only and can be streamed efficiently. Each line is a complete, self-contained evidence record that can be independently verified.
For maximum verifiability, evidence chain hashes can be periodically anchored on Base blockchain via EAS (Ethereum Attestation Service). ATLAST batches multiple records into a Merkle tree and anchors only the root hash, keeping costs to fractions of a cent. This creates a permanent, public, independently verifiable timestamp that the evidence existed at a specific point in time.
Most development teams rely on application logs, structured logging frameworks, or observability platforms for tracking what their software does. These tools were designed for traditional software — not autonomous AI agents that make independent decisions with real-world consequences. Here is a detailed comparison showing why ECP is fundamentally different.
| Dimension | Traditional Logging (Datadog, ELK, CloudWatch) | ECP Evidence Chains (ATLAST Protocol) |
|---|---|---|
| Tamper resistance | None — logs can be edited, deleted, or overwritten by anyone with access | SHA-256 hash chain — modifying any record breaks all subsequent hashes |
| Identity binding | No cryptographic identity — logs tagged with arbitrary strings | Ed25519 signed with agent's DID — every record is provably from a specific agent |
| Schema standardization | Every application defines its own format — no cross-app consistency | Universal ECP schema — records from any framework are structurally identical |
| Legal admissibility | Weak — easily disputed since logs can be fabricated or altered | Strong — cryptographic proof of origin, integrity, and timeline |
| Privacy architecture | Raw data stored in cloud — often sent to third-party platforms | Content stays local in encrypted vault — only hashes are transmitted |
| Cross-platform portability | Siloed per logging vendor — vendor lock-in | Open standard (MIT) — portable across any platform |
| Behavioral analysis | Basic metrics — no semantic understanding of agent decisions | Eight trust signals automatically detected — feeds into Trust Score |
| Compliance readiness | Requires significant additional work for EU AI Act compliance | Designed for EU AI Act compliance out of the box |
| Verification | Requires trusting the logging provider | Independently verifiable by anyone — zero trust required |
| Cost of proof | Expensive discovery process for audits and legal proceedings | Instant verification via hash chain traversal |
Bottom line: Traditional logs answer "what happened?" — but only if you trust the log provider. ECP evidence chains answer "what happened?" with cryptographic proof that doesn't require trusting anyone. For autonomous AI agents making real-world decisions, this distinction is critical.
Here is a complete, working example showing how to add ECP evidence chains to an existing AI agent using the atlast-ecp Python SDK. The integration requires just a few lines of code.
# Install: pip install atlast-ecp openai from openai import OpenAI from atlast_ecp import wrap # Step 1: Create your normal OpenAI client client = OpenAI(api_key="sk-...") # Step 2: Wrap it with ECP — this is the only change needed client = wrap(client) # Step 3: Use the client exactly as before # Every API call is now automatically recorded as an ECP evidence chain response = client.chat.completions.create( model="gpt-4o", messages=[{"role": "user", "content": "Analyze Q1 revenue trends"}] ) # That's it. The evidence chain is created automatically: # - Input captured (prompt hash stored, raw content in local vault) # - Output captured (response hash stored) # - Token usage recorded (tokens_in, tokens_out) # - Latency measured (duration_ms) # - Trust signals detected (hedged, retried, error, etc.) # - Record hash-linked to previous record (SHA-256 chain) # - Record signed with agent's Ed25519 key # - Record appended to ~/.ecp/records/*.jsonl print(response.choices[0].message.content)
For the zero-code approach that requires no code changes at all:
# Zero-code integration — wrap any existing agent # No code changes. No imports. Just prefix your command. $ atlast run python my_existing_agent.py # The agent runs exactly as before, but every API call # is now captured as a signed, hash-linked evidence chain. # View the evidence chain: $ atlast log # → Shows all captured actions with hashes and signatures # Verify chain integrity: $ atlast verify # → Cryptographic verification that no records have been tampered with # Open the visual dashboard: $ atlast dashboard # → Browser-based UI showing evidence chains, trust signals, and Trust Score
ECP is designed for any scenario where you need verifiable proof of what an AI agent did. Here are concrete, real-world applications where evidence chains provide critical value.
Financial regulators require detailed audit trails for all trading activity. When an AI agent executes trades, manages portfolios, or provides investment advice, ECP creates a tamper-proof record of every decision. If a trade goes wrong and regulators investigate, the evidence chain provides cryptographic proof of the agent's reasoning, the data it considered, and the exact sequence of actions it took. Without ECP, firms face the costly and uncertain process of reconstructing agent behavior from scattered, mutable logs.
AI agents assisting with patient triage, drug interaction checking, or clinical documentation need verifiable records for patient safety and regulatory compliance (HIPAA, FDA). ECP evidence chains record the clinical data the agent considered, the reasoning it applied, and the recommendation it produced — all with cryptographic proof of integrity. If a clinical outcome is questioned, the evidence chain provides an unimpeachable audit trail that protects both patients and healthcare providers.
Modern development teams use AI agents for code generation, code review, CI/CD automation, and incident response. ECP records exactly what code the agent generated, what context it considered, what tests it ran, and what it deployed. For SOC 2 compliance, change management, and incident forensics, having a signed evidence chain of every automated action is invaluable. Teams can also use evidence chains to compare agent performance over time and across different models.
Legal AI agents that review contracts, conduct legal research, or check regulatory compliance need to maintain a clear chain of custody for their work product. ECP provides verifiable proof that a specific agent reviewed a specific document at a specific time, what analysis it performed, and what conclusions it reached. This evidence chain can be presented in legal proceedings as cryptographically authenticated documentation of the agent's work — a standard of proof far beyond what traditional logging can provide.
Minimal. The Layer 0 proxy adds <5ms latency per API call. SHA-256 hashing and Ed25519 signing are sub-millisecond operations. Evidence recording is asynchronous and does not block agent execution.
Yes. On-chain anchoring is completely optional. ECP evidence chains are fully valid and verifiable without any blockchain component. Blockchain anchoring adds an extra layer of public timestamping for high-stakes scenarios.
A typical ECP record is 1-5KB. An agent performing 1,000 actions per day generates roughly 1-5MB of evidence data. The Content Vault supports configurable retention policies and compression.
ECP's cryptographic audit trails, access logging, and tamper detection align well with SOC 2 Trust Services Criteria and ISO 27001 Annex A controls. Several early adopters are using ECP as part of their compliance documentation.
Observability tools like LangSmith, LangFuse, and Helicone are excellent for debugging and monitoring — tracking tokens, latency, and costs in real time. ECP operates at a different layer: it provides tamper-proof accountability with cryptographic guarantees. Observability tells you what IS happening; ECP PROVES what DID happen, with evidence that is legally admissible and independently verifiable. The two are complementary — use observability for development and debugging, and ECP for accountability, compliance, and trust.
Start recording your agent's work in 30 seconds.
Get Started Free →Open source. MIT License. The complete technical spec is on GitHub.
ECP-SPEC.md on GitHub →