Tamper-evident capture.

Most LLM platforms log requests and responses. Logs are useful for debugging and dashboards, but they share three properties that disqualify them as forensic evidence:

• Mutable. Anyone with write access can change them.
• Unsigned.Their authenticity rests on the operator’s word.
• Aggregated. Token-level detail — the only level at which prompt injection, attribution, or hallucination root cause can be analyzed — is averaged away.

For a customer in a regulated industry, or any team running incident response on an LLM-driven product, “we have logs” is not the same as “we have evidence.”

Authenticity needs the signing key in the producer’s process. Position-in-chain needs a single serialization point on the server. One hash cannot do both, so the event hash is split:

• contentHash = sha256(JCS(event)) — computed and signed by the producerwith the tenant’s ed25519 key (BYOK — the private half never reaches our servers).
• chainHash = sha256(prevHash | contentHash) — computed by the server inside the append transaction.

Neither party alone can corrupt the record. The customer cannot reorder history (the chain hash isn’t theirs to write); the vendor cannot forge content (the signature isn’t theirs to produce).

The per-event chain hash makes tampering detectable, but the witness to that fact lives inside the ledger. Once a day the platform folds each tenant’s prior-day chainHash values into a single 32-byte Merkle root, persists it, and appends a MERKLE_ROOT_ANCHOR event back into the chain it just summarized.

Recursive evidence: tampering with any event the anchor covers breaks the anchor’s own prevHash. The witness to the day’s integrity is itself protected by the same mechanism it witnesses. The root is also small enough for external anchoring — OpenTimestamps on Bitcoin is the next step.

• Capture SDKs — TypeScript and Python (@tokenforensics/capture, tokenforensics). One line of instrumentation wraps OpenAI or Anthropic; every call is captured.
• Framework adapters— LangChain, LlamaIndex, AutoGen, Pydantic AI. The adapters find the inner provider client on a framework’s chat-model wrapper and instrument it in place.
• Capture-ingest endpoint — POST /api/ingest. Bearer-token transport auth, server-side contentHash recomputation, idempotent dedup.
• Capture workbench — /app/capture. Chain header, recent events with filters + pagination, event detail with live signature verify, signing-key registration, API- key mint, multi-role permissions.
• Daily Merkle-root anchoring — Vercel cron at /api/cron/merkle-root. Per-tenant, per-UTC-day, idempotent.
• BYOK signing keys — register with POST /api/signing-keys; rotate via a SIGNATURE_ROTATION event signed by the outgoing key. The chain contains a tamper-evident proof of every key change.

Every pillar above Pillar 1 — attribution, security forensics, cost, compliance, agent reconstruction, drift, the investigator workbench — composes over the same hash-chained substrate. Source-to-output attribution is meaningless if the events can be reordered. A prompt-injection replay is worth nothing if the replay input was edited after capture. A compliance evidence pack is rejected by an auditor if the chain it sits on is mutable.

Capture isn’t a feature; it’s the precondition for everything else.