https://github.com/quantumpipes/capsule-explorer
In-browser, offline verifier for agent-capsule hashchains (SHA3-256 + Ed25519) from Claude Code, Cursor, Codex, and Cline.
https://github.com/quantumpipes/capsule-explorer
ai-agents astro audit-trail ed25519 offline provenance security sha3 verification
Last synced: 10 days ago
JSON representation
In-browser, offline verifier for agent-capsule hashchains (SHA3-256 + Ed25519) from Claude Code, Cursor, Codex, and Cline.
- Host: GitHub
- URL: https://github.com/quantumpipes/capsule-explorer
- Owner: quantumpipes
- License: apache-2.0
- Created: 2026-05-31T04:51:40.000Z (about 2 months ago)
- Default Branch: main
- Last Pushed: 2026-05-31T05:28:24.000Z (about 2 months ago)
- Last Synced: 2026-05-31T07:12:18.074Z (about 2 months ago)
- Topics: ai-agents, astro, audit-trail, ed25519, offline, provenance, security, sha3, verification
- Language: TypeScript
- Size: 4.19 MB
- Stars: 1
- Watchers: 1
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.md
- License: LICENSE
Awesome Lists containing this project
README
# 🔍 Capsule Explorer
### Re-verify any AI coding agent's session, in your browser, offline.
A static site that recomputes every SHA3-256 hash and checks every Ed25519 signature of a capsule hashchain, client-side, with no backend and nothing to trust but the math. It is the companion verifier for [**agent-capsule**](https://github.com/quantumpipes/agent-capsule), which seals **Claude Code, Cursor, Codex, and Cline** sessions into tamper-evident chains.
[](LICENSE)
[](#how-verification-works)
[](docs/how-it-works.md)
[](https://github.com/quantumpipes/agent-capsule)

One explorer, every agent. Sessions from Claude Code, Cursor, Codex, and Cline, re-verified in the browser, offline.
---
## What it is
Your AI agents edit files, run commands, and make decisions in your repo. [agent-capsule](https://github.com/quantumpipes/agent-capsule) seals each session into a signed, linked chain of records. Capsule Explorer is where you (or anyone you hand a chain to) **prove that chain is intact**.
The whole verification runs **in your browser**, offline:
1. Recompute `SHA3-256` over each capsule's exact `canonical` bytes and compare it to the stored hash.
2. `Ed25519`-verify the signature over the UTF-8 of that hash hex string against the chain's public key.
3. Check `previous_hash` linkage and sequence order, so no record can be deleted, reordered, or inserted.
No network. No backend. No account. Nothing to trust but the math. Audited [`@noble`](https://github.com/paulmillr/noble-hashes) libraries do the crypto. A built-in **tamper test** flips one byte and scrolls straight to the break, so you can watch the chain catch it.
> Verify, never trust. You are never asking anyone to believe you. You are handing them the proof and the code that checks it.
## See it

Verify the chain (every check turns green), then tamper with one capsule. Verification breaks at the exact record, and every link after it.
## Quickstart
```bash
npm install
npm run export # regenerate public/data/chains from ~/.agent-capsule/chains
npm run dev # http://localhost:4840
```
`npm run export` runs `python3 scripts/export_chains.py`, which needs Python 3 with PyNaCl (`pip install PyNaCl`). It reads `~/.agent-capsule/chains/*/*.db` by default. Point it elsewhere with `--db PATH` or `--glob PATTERN`. From the agent-capsule package you can run the equivalent: `agent-capsule export --out public/data/chains`.
No chains yet? Seal a session first with [agent-capsule](https://github.com/quantumpipes/agent-capsule), then run `npm run export` again.
## How verification works
Three client-side checks, identical to what agent-capsule's CLI does, run entirely in `src/lib/crypto.ts`:
| Check | Mechanism |
|-------|-----------|
| **Hash** | `SHA3-256` over the capsule's `canonical` JSON bytes must equal the stored `hash`. |
| **Signature** | `Ed25519` verify of the `signature` over the UTF-8 of the `hash` hex string, against the capsule's signer (resolved from the bundle's keyring by `signed_by`). |
| **Link** | each capsule's `previous_hash` must equal the prior capsule's `hash`, and `sequence` must be consecutive from genesis. |
The exported bundle ships the exact `canonical` bytes per capsule, so the browser never re-serializes anything; it hashes the same bytes the signer signed. Full detail, including the `@noble` verify call and the tamper-test behavior, is in [docs/how-it-works.md](docs/how-it-works.md). The on-the-wire byte format is pinned in agent-capsule's [wire-format.md](https://github.com/quantumpipes/agent-capsule/blob/main/docs/wire-format.md).
## Beyond a single chain
- **Keyring.** Each capsule is verified against its own signer, resolved from the bundle's `keys` map. A bundle can hold chains from several signers (an imported chain, a rotated key, a peer) and verify every one offline, not just the local key.
- **Meta-chain.** A chain-of-conversations view whose single head commits to every sealed conversation. Each conversation shows an intact / changed / missing cross-check, so deleting or truncating any conversation is visible, not just tampering inside one.
- **Deep dive.** Expand any capsule (button, or `E`) into a full-canvas view: every section with room to breathe, the exact signed bytes with a live SHA3-256 match check, and the full cryptographic seal, all copyable.
## Tool-agnostic
A capsule is a capsule, whatever produced it. Chains from every agent show up side by side in the rail, each tagged with its tool:
```
~/.agent-capsule/chains/claude-code/*.db
~/.agent-capsule/chains/cursor/*.db
~/.agent-capsule/chains/codex/*.db
~/.agent-capsule/chains/cline/*.db
```
The exporter namespaces each chain id by tool (`-`) and the rail renders a badge per tool. The same crypto verifies all of them.
## Data flow
```
~/.agent-capsule/chains//*.db (per-session chains, written by agent-capsule)
| tool = claude-code | cursor | codex | cline
v
scripts/export_chains.py (reads SQLite -> JSON; includes the exact
| canonical bytes + the Ed25519 public key)
v
public/data/chains/index.json (chain summaries + public key + tools)
public/data/chains/.json (per chain, loaded on demand)
v
src/lib/data-source.ts -> src/lib/crypto.ts (in-browser verify) -> Explorer.tsx
```
## Static vs live modes
| Mode | When | Behavior |
|------|------|----------|
| **static** (default) | `PUBLIC_CAPSULE_API` unset | Fetches the exported JSON from `/data/chains/`. Fully air-gapped, no backend, ships with the static build, and does the crypto in the browser. The tamper test is available here. |
| **live** | `PUBLIC_CAPSULE_API` set to a server base URL | Reads chains from that server and delegates verification to its `/v1/capsules/verify-chain` endpoint (client-side crypto needs the canonical bytes the static export carries). |
Static mode is the default and the one you want for handing a chain to someone with nothing but a browser.
## Deploy
The site builds to static (`npm run build` writes `dist/`) and deploys to Cloudflare Pages or any static host:
```bash
npm run build # -> dist/
npm run deploy # build + wrangler deploy (Cloudflare)
```
The exported bundle in `public/data/chains/` is what ships. See [docs/deploying.md](docs/deploying.md) for hosting, refreshing the bundle, and the privacy note.
## Tests
```bash
npm run build && npm test
```
| Test | What it asserts |
|------|-----------------|
| `crypto-fixture.test.ts` | recomputes SHA3-256 + Ed25519 over a small **committed fixture bundle** (runs in CI without the real corpus): every chain verifies via the keyring, a one-byte tamper breaks at the exact index, a wrong key is rejected, and the meta-chain verifies with full coverage. |
| `verify.test.ts` | the same checks over the **real exported chains** when a bundle is present locally (skipped when absent). |
| `build-integrity.test.ts` | the discovery and security surface: CSP plus immutable caching, canonical plus JSON-LD plus Open Graph. |
## Where the chains come from
Capsule Explorer only verifies. The chains are produced by [**agent-capsule**](https://github.com/quantumpipes/agent-capsule), one tool that seals Claude Code, Cursor, Codex, and Cline sessions into tamper-evident hashchains at `~/.agent-capsule/chains//.db`. The private signing key never leaves your machine; only the public key ships in the bundle, so anyone can verify and no one can forge.
- [agent-capsule README](https://github.com/quantumpipes/agent-capsule)
- [Wire format](https://github.com/quantumpipes/agent-capsule/blob/main/docs/wire-format.md): the exact canonical JSON, hashing, and signature scheme.
## License
[Apache License 2.0](LICENSE). Copyright 2026 Quantum Pipes Technologies, LLC.
**If a verifier that trusts nothing but the math sounds useful, [star the repo](https://github.com/quantumpipes/capsule-explorer) and re-verify your next session.**