The ledger, long form
Essays.
Why agents need bounds, why a receipt beats a log, and what we learned building a key history you can check without trusting us.
Start here.
2026-03-15
Towards Replacing Leaky API Keys and Secrets
API keys are copyable strings. Cryptographic identity is not. Here's how we're replacing the most common source of supply chain compromise with device-bound credentials that can't be leaked.
2026-03-22
How We Audit Our Code
Why we built capsec — a static analyzer and compile-time type system that catches I/O violations in our 20-crate Rust workspace before they ship.
The archive.
Written while we were building the identity layer underneath the bounded agent — kept for the record.
2026-04-10
Sigstore's Public Ledger, Without the Login Screen
Auths now submits attestations to Sigstore's Rekor transparency log — using its own identity model instead of OIDC. Here's what that means and why it matters.
2026-03-31
Two Supply Chain Attacks. One Root Cause. A Fix That Doesn't Exist Yet.
Axios and LiteLLM were both hijacked via stolen publishing tokens. Cryptographic signing would have made the poisoned releases detectable. Here's what we built — and what we still need the ecosystem to build.
2026-03-13
What if your npm token, PyPI token, and Docker token were the same key?
We replaced API keys with cryptographic identity. Here's how it works, how it would have caught the xz-utils backdoor, and why your DID is the last credential you'll ever need.
2026-03-09
The Three Paths to Signing a Commit
A practical walkthrough of what actually happens when you sign a commit with GPG, Sigstore, and Auths — the ceremonies, the dependencies, and the failure modes.
2026-03-07
Developer Identity Without a Certificate Authority
How key event logs handle algorithm migration, key rotation, and post-quantum readiness compared to CA-dependent systems like Sigstore — and the honest tradeoffs between both approaches.
2026-02-22
Announcing Auths
Introducing Auths — cryptographic identity for software supply chains, stored in your own repository and verifiable anywhere WebAssembly runs.