How the cryptographic audit chain works under the hood
Traditional AI audit systems write logs to a database. Anyone with database access can alter, delete, or reorder entries after the fact. You're trusting the log, not verifying it.
LockStock replaces trust with math. Every agent action extends a SHA-256 hash chain. The chain proves ordering, detects tampering, and creates an unforgeable record of what happened and in what sequence.
Identity is not a label; it is the sum of a complete history.
Every agent's identity is its cryptographic hash chain. Each action extends the chain with a new hash that binds to all previous actions. A cloned agent diverges immediately — the chain catches it before any damage is done.
The Chain Mechanism: Every agent carries proof of its entire execution history. To verify identity, check the cryptographic chain from genesis to current state.
Every agent action extends a hash chain. Each new hash binds the previous hash, a state matrix multiplication, and a payload seal into one value.
Why Order Matters: The chain enforces strict sequencing. You cannot rearrange an agent's history or insert fake actions without breaking the hash. Any divergence is immediately detectable by recomputing the chain from genesis.
What this gives you:
Unforgeable cryptographic lineage. One-time use per state.
LockStock treats agent states like blocks in a blockchain, but optimized for high-frequency updates. Every new state S_n must contain the SHA-256 hash of the previous state S_{n-1}.
Replay Prevention: Once a state hash is used to create the next state, it cannot be reused. The chain is strictly forward-moving. The server rejects any stamp request that doesn't extend the current chain head.
Each stamp is a unique cryptographic proof. The proof changes on every action, so replaying an old request is immediately rejected.
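The chain extension, genesis-to-head verification, and head-only stamp rule described above, as an added Python example that is not LockStock's own code. The field encoding, the seal as a plain SHA-256 of the payload, the opaque `state` bytes standing in for the state-matrix step, and the names `ChainServer`, `stamp`, `first_bad_entry` and `build_sample` are assumptions of this example.

```python
import hashlib
import hmac

def seal(payload: bytes) -> bytes:
    # Payload seal; plain SHA-256 of the payload is an assumption of this example.
    return hashlib.sha256(payload).digest()

def next_hash(prev: bytes, state: bytes, payload: bytes) -> bytes:
    # hash(prev | state | seal); length prefixes keep field boundaries unambiguous.
    h = hashlib.sha256()
    for field in (prev, state, seal(payload)):
        h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

class ChainServer:
    """Hypothetical server side: tracks one agent's chain head and its log."""
    def __init__(self, genesis: bytes):
        self.head = genesis
        self.log = []  # entries: (parent_hash, state, payload, state_hash)

    def stamp(self, parent: bytes, state: bytes, payload: bytes) -> bytes:
        # A replayed request or a cloned agent presents a parent that is no longer the head.
        if not hmac.compare_digest(parent, self.head):
            raise ValueError("stamp does not extend the current chain head")
        self.head = next_hash(parent, state, payload)
        self.log.append((parent, state, payload, self.head))
        return self.head

def first_bad_entry(genesis: bytes, log) -> int:
    """Recompute the chain from genesis; return the first bad index, or -1."""
    prev = genesis
    for i, (parent, state, payload, recorded) in enumerate(log):
        if parent != prev or next_hash(prev, state, payload) != recorded:
            return i
        prev = recorded
    return -1

def build_sample():
    # Constructed sample: three actions by one agent.
    genesis = hashlib.sha256(b"genesis:bot-001").digest()
    srv = ChainServer(genesis)
    head = genesis
    for n, action in enumerate([b"read ticket", b"draft reply", b"send reply"], 1):
        head = srv.stamp(head, b"state-%d" % n, action)
    return genesis, srv

if __name__ == "__main__":
    genesis, srv = build_sample()
    print("first bad entry in intact log:", first_bad_entry(genesis, srv.log))
```

Recomputing from genesis catches edits and reordering of stored entries. Dropping entries from the end is only caught by also comparing the last recomputed hash with a chain head held outside the log.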
The server stores ciphertext it cannot read. Only your Account Key can decrypt.
Every prompt and response passing through the gateway is encrypted with envelope encryption before leaving your network. The d3cipher cloud stores only encrypted blobs. Your Account Key — generated client-side, never sent to the server — is the only way to decrypt.
Auditor Decryption: Open the Auditor tab in the dashboard, enter your Account Key, and read the full content of every conversation — decrypted entirely in your browser.
┌─────────────────────────────────────────┐
│ Agent Chain State │
│ ┌────────────────────────────────────┐ │
│ │ agent_id: "bot-001" │ │
│ │ sequence: 1247 │ │
│ │ state_hash: hash(prev|state|seal) │ │
│ │ parent_hash: previous_state_hash │ │
│ └────────────────────────────────────┘ │
└─────────────────────────────────────────┘
↓
┌─────────────────────────────────────────┐
│ Cryptographic Hash Chain │
│ Genesis → H₁ → H₂ → ... → H_n │
│ (Unforgeable Cryptographic Lineage) │
└─────────────────────────────────────────┘
↓
┌─────────────────────────────────────────┐
│ Encrypted Transcripts │
│ Account Key → KEK → DEK → AES-256-GCM │
│ (Server stores ciphertext only) │
└─────────────────────────────────────────┘