Spanda provides first-class audit and provenance abstractions without baking blockchain into the language core. Mission records, telemetry, and safety events are captured append-only, hashed, and optionally signed before any optional ledger anchoring.
spanda-ledger-ethereum, spanda-provenance, …) plug in via traitsDeclare fields to record during a mission:
audit MissionAudit {
record robot.pose;
record safety.events;
record actuator.commands;
record ai.reasoning_trace;
}
Configure hashing and signing for mission records:
provenance MissionRecord {
hash: sha256;
signed_by: robot.identity;
}
identity RobotIdentity {
id: "rover-001";
public_key: "device-key-rover-001";
}
record mission_event signed_by robot.identity;
behavior patrol() {
let proposal = planner.reason(prompt: "move forward");
let action = safety.validate(proposal);
wheels.execute(action);
audit.record("safe_action_executed", action);
}
spanda-audit)| Trait | Purpose |
|---|---|
AuditBackend |
Append-only records, verify, export JSON |
LedgerBackend |
Anchor content hashes (blockchain-ready) |
MVP implementations:
LocalAuditBackend — in-memory append-only logJsonAuditBackend — export as JSONMockLedgerBackend — simulates on-chain anchoring without networkAudit-related packages must declare capabilities in spanda.toml:
audit.write — append audit recordsaudit.read — read/export audit logsidentity.sign — sign records with device keyidentity.verify — verify signaturesledger.anchor — anchor hashes to a ledger backendHigh-risk capabilities trigger validation warnings when not explicitly granted. See security.md.
examples/std/audit_log.sd — patrol with audit recordingexamples/std/provenance.sd — identity + provenance configurationexamples/std/device_identity.sd — signed mission eventsexamples/std/mock_ledger.sd — hash anchoring via mock ledger