Audit chain

Tamper-evident from minute one.

Every coordinator action emits a Blake3-hashed event chained against the prior event. The fleet's chain root is periodically anchored on Sigil — so the audit history is verifiable independent of L1fe's infrastructure.

Per-fleet, per-event.

The audit chain lives per fleet, not per coordinator. Every event includes its predecessor's Blake3 hash. Replaying the chain reconstructs every state transition the coordinator has ever applied to that fleet. Modifying any past event breaks the chain at that point — and the next Sigil anchor will not verify.

event schema (excerpt)
type Event = {
  fleet:    DidOasFleet,
  seq:      u64,
  prev:     "blake3:" & Hex64,
  ts:       UnixMillis,
  actor:    DidOas,
  action:   "peer.enrolled"
          | "peer.dropped"
          | "acl.recomputed"
          | "cap.issued"
          | "cap.revoked"
          | "policy.changed"
          | "anchor.submitted"
          | …,
  payload:  json,
  sig:      ed25519:&,
}

Anchoring

The root is the proof.

On a configurable cadence (daily for low-volume fleets, hourly or per-event for high-stakes deployments), the coordinator computes a Merkle root of the fleet's event chain and submits the root as a transaction on Sigil. The transaction is light — just a hash, a fleet ID, and a height marker — but anchoring is the property regulated industries need: an external, immutable timestamp that says "the chain was this on this date."

From that point on, anyone holding the fleet's event log can replay it, compute the Merkle root themselves, and compare to the Sigil transaction. If the root does not match, the log has been altered. The verification does not require the coordinator, the relays, or any L1fe service.
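An added example, not L1fe's code: a minimal verifier for the replay-and-compare check described above. It assumes sorted-key JSON as the canonical event encoding, an all-zero genesis `prev`, a prefixed binary Merkle tree, and BLAKE2b-256 from the Python standard library standing in for Blake3; the `ts`, `actor` and `sig` fields and Ed25519 signature checks are left out.

```python
import hashlib, json

GENESIS = "0" * 64                  # assumed `prev` digest for a fleet's first event
FLEET = "did:oas:fleet:example"     # constructed placeholder fleet ID

def digest(data: bytes) -> str:
    # Stand-in hash: BLAKE2b-256 (stdlib). The chain described on the page uses Blake3.
    return hashlib.blake2b(data, digest_size=32).hexdigest()

def event_hash(ev: dict) -> str:
    # Assumed canonical encoding: compact JSON with sorted keys.
    return digest(json.dumps(ev, sort_keys=True, separators=(",", ":")).encode())

def append(log: list, action: str, payload: dict) -> None:
    """Append an event that commits to the hash of its predecessor."""
    prev = event_hash(log[-1]) if log else GENESIS
    log.append({"fleet": FLEET, "seq": len(log), "prev": "blake3:" + prev,
                "action": action, "payload": payload})

def first_broken_link(log: list):
    """Return the seq whose `prev` does not match its predecessor, else None."""
    prev = GENESIS
    for i, ev in enumerate(log):
        if ev["seq"] != i or ev["prev"] != "blake3:" + prev:
            return i
        prev = event_hash(ev)
    return None

def merkle_root(log: list) -> str:
    # Assumed tree: 0x00-prefixed leaves, 0x01-prefixed nodes, odd node promoted.
    level = [digest(b"\x00" + bytes.fromhex(event_hash(ev))) for ev in log]
    while len(level) > 1:
        pairs = [level[i:i + 2] for i in range(0, len(level), 2)]
        level = [digest(b"\x01" + bytes.fromhex("".join(p))) if len(p) == 2 else p[0]
                 for p in pairs]
    return level[0] if level else digest(b"")

def audit(log: list, anchored_root: str) -> str:
    """Replay the links first, then compare the recomputed root to the anchor."""
    broken = first_broken_link(log)
    if broken is not None:
        return f"chain broken at seq {broken}"
    return "ok" if merkle_root(log) == anchored_root else "anchor mismatch"

# Constructed sample log; ANCHORED_ROOT stands for the root read back from Sigil.
LOG = []
for action, payload in [("peer.enrolled", {"peer": "a"}), ("cap.issued", {"cap": 1}),
                        ("acl.recomputed", {"delta": 2}), ("cap.revoked", {"cap": 1})]:
    append(LOG, action, payload)
ANCHORED_ROOT = merkle_root(LOG)
```

A log whose edited event is followed by recomputed `prev` values passes `first_broken_link` yet still returns "anchor mismatch" from `audit`, which is why the externally anchored root matters.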

What gets logged

Every state-changing coordinator action.

  • Identity events — peer enrollment, lineage update, revocation, identity-doc rotation.
  • Capability events — token issuance, expiry, revocation, scope change.
  • Policy events — governance edit, attestation issuance, attestation expiry, manual override.
  • ACL events — recomputation summary (peers gained/lost routes, route count delta).
  • Transport events — relay assignment, transport switch, tunnel teardown.
  • Cellular events — SIM order, activation, suspension, deprovision, usage threshold.
  • Anchor events — anchor submitted, anchor confirmed, anchor mismatch (which would indicate tampering).

Authentication failures are logged the same way as successes. A replay of a stale challenge, a signature mismatch, a revoked token — each generates an event with the failing DID, the originating coordinator region, and the failure reason.

Open a fleet

The mesh that fits agents and humans.

A `did:oas`-rooted private mesh that ships peer configurations to any device, anywhere, by policy — not by hand.
