DocsBuildAPI ReferenceSDK Reference
← Build Agents

ctx.provenance

Verifiable audit trail for every agent action. Log events, create cryptographic attestations, query history, and export for compliance — automatically wired to every ctx.* call.

Why it exists: Principle 7 — verifiability as a civic good. Every action should be attestable without you building a logging pipeline. How it helps: You get an audit trail and proof for free; regulators and auditors can verify without trusting "we logged it ourselves." Cost is tracked automatically on ctx.llm.complete(); pass result.cost into ctx.provenance.log() for custom events.

Most provenance is automatic

Every ctx.llm.complete(),ctx.call.agent(),ctx.db.insert(), and other ctx.* calls create provenance records automatically. You only need ctx.provenance.log()for custom business events that aren't captured by the platform.

Automatic Provenance

typescript
// Most ctx.* calls create provenance records automatically.
// You don't need to call ctx.provenance.log() for every LLM call —
// each ctx.llm.complete() already returns a provenanceId.


const response = await ctx.llm.complete({ prompt: 'Analyze this contract.' });
console.log(response.provenanceId);  // 'prov_a1b2c3d4...'


const dbResult = await ctx.db.insert('invoices', invoiceData);
// The insert is logged automatically with the agentId and delegationChain

ctx.provenance.log(event)

Log a custom business event. Use for domain-specific milestones: "invoice validated", "risk assessment complete", "document classified".

typescript
// Log custom business events to the audit trail
const provenanceId = await ctx.provenance.log({
  action: 'invoice.validated',
  executionId: ctx.executionId,
  agentId: ctx.agentId,
  timestamp: Date.now(),
  input: {
    invoice_id: invoiceId,
    expected_total: 15000,
    computed_total: 14200,
  },
  output: {
    status: 'mismatch_detected',
    escalation_triggered: true,
  },
  cost: ctx.llm.getTotalCost(),
});


console.log('Logged event:', provenanceId);

ctx.provenance.attest(action, data)

Create a cryptographically signed attestation. Unlike a plain log event, attestations are verifiable by third parties — useful for compliance, audits, and legal contexts.

typescript
// Attest an action — creates a cryptographically signed record
// Use for high-stakes actions that need to be verifiable by third parties
const attestationId = await ctx.provenance.attest(
  'payment.authorized',
  {
    invoice_id: invoiceId,
    amount: 14200,
    currency: 'USD',
    authorized_by: decision.humanId,
    decision_provenance: decision.metadata.provenanceId,
  }
);


// Later, anyone can verify this attestation
const result = await ctx.provenance.verify(attestationId);
console.log(result.valid);     // true
console.log(result.signedBy);  // The agent's DID
console.log(result.verifiedAt); // Timestamp of verification

ctx.provenance.query(filters)

typescript
// Query the audit trail
const events = await ctx.provenance.query({
  action: 'invoice.validated',
  timeRange: {
    start: Date.now() - 7 * 24 * 60 * 60 * 1000,  // last 7 days
    end: Date.now(),
  },
  hasError: false,
  limit: 50,
  sort: 'desc',
});


for (const event of events) {
  console.log(event.action, event.timestamp, event.cost?.usd);
}

Execution Trace and Delegation Chain

typescript
// Get the complete audit trail for an execution
const events = await ctx.provenance.trace(ctx.executionId);
// Returns all events in order: llm calls, db ops, agent calls, custom logs


// Get the delegation chain — who authorized what
const chain = await ctx.provenance.delegationChain(ctx.executionId);
console.log(chain);
// ['did:passport:human-alice', 'did:agent:invoice-suite', 'did:agent:invoice-processor']

Export for Compliance

typescript
// Export audit trails for compliance
const csvExport = await ctx.provenance.export(
  {
    timeRange: { start: monthStart, end: monthEnd },
    agentId: ctx.agentId,
  },
  'csv'
);


// Write to file storage for compliance archival
await ctx.files.writeText('/exports/audit-2024-01.csv', csvExport);

API Reference

MethodReturnsDescription
log(event)Promise<string>Log a custom event. Returns the provenanceId.
attest(action, data)Promise<string>Create a signed attestation. Returns the attestationId.
query(filters)Promise<ProvenanceEvent[]>Search the audit trail with filters.
get(provenanceId)Promise<ProvenanceEvent | null>Fetch a single event by ID.
trace(executionId)Promise<ProvenanceEvent[]>Get all events for an execution in order.
delegationChain(executionId)Promise<string[]>Get the chain of DIDs that authorized this execution.
verify(attestationId)Promise<VerificationResult>Verify a signed attestation.
export(filters, format)Promise<string>Export events as 'json', 'csv', or 'ndjson'.

In the wild

Reference agents that demonstrate ctx.provenance in production.

query() + trace()

compliance-auditor

Query audit records by agent and time range, then reconstruct full execution chains for compliance.

log() at all paths

invoice-processor

Logs provenance on both success and rejection. Every code path creates an immutable audit record.

log() for streaming

streaming-analyzer

Shows how to log provenance after accumulating a full streaming response.

Deep Dives: Provenance

Why Modified Code Can't Forge Identity

The self-hosted security model explained. Cryptographic enforcement, device attestation, and why open source makes this more secure.

12 minSecurity

See Also

Provenance concepts

Why verifiable audit trails matter

ctx.call

Human escalations appear in provenance

Provenance API

HTTP API for querying provenance