Spanda

Audit and Provenance

Spanda provides first-class audit and provenance abstractions without baking blockchain into the language core. Mission records, telemetry, and safety events are captured append-only, hashed, and optionally signed before any optional ledger anchoring.

Why audit-first?

Language syntax

Audit block

Declare fields to record during a mission:

audit MissionAudit {
    record robot.pose;
    record safety.events;
    record actuator.commands;
    record ai.reasoning_trace;
}

Provenance block

Configure hashing and signing for mission records:

provenance MissionRecord {
    hash: sha256;
    signed_by: robot.identity;
}

Device identity

identity RobotIdentity {
    id: "rover-001";
    public_key: "device-key-rover-001";
}

Signed record streams

record mission_event signed_by robot.identity;

Runtime API

behavior patrol() {
    let proposal = planner.reason(prompt: "move forward");
    let action = safety.validate(proposal);
    wheels.execute(action);
    audit.record("safe_action_executed", action);
}

Rust backend (spanda-audit)

Trait Purpose
AuditBackend Append-only records, verify, export JSON
LedgerBackend Anchor content hashes (blockchain-ready)

MVP implementations:

Capabilities

Audit-related packages must declare capabilities in spanda.toml:

High-risk capabilities trigger validation warnings when not explicitly granted. See security.md.

Examples