Product Verify SCITT GitHub Pricing Spec Get Started
Open Standard

EPI File Format Specification v4.2.0

Language-agnostic reference for the EPI container format, cryptographic protocol, and verification model. Anyone may implement .epi producers and consumers.

Raw Spec (Markdown) →

Read the full specification as a Markdown file

JSON Schemas →

Formal JSON Schema (draft 2020-12) for all core formats

Test Vectors →

Conformance vectors from real .epi containers

1. Abstract

The EPI format defines a portable, self-contained, cryptographically sealed container for AI agent execution evidence. A .epi file is a polyglot — valid HTML for browser-based forensic inspection AND a binary envelope carrying a ZIP payload — enabling zero-install verification by regulators, auditors, and courts.

Reference Implementation: epi-recorder (Python, MIT). This specification is an open standard. The .epi file format carries no intellectual property restrictions.

2. Container Format

Envelope v2 (Polyglot)

A .epi file begins with a 128-byte binary header, followed by an HTML viewer and ZIP payload.

Envelope Header (128 bytes)

OffsetSizeFieldValue / Description
04magic0x3C 0x21 0x2D 0x2D (ASCII <!--)
41version0x02
51flagsReserved. MUST be 0x00
62reservedReserved. MUST be 0x0000
88payload_lengthZIP payload byte length (little-endian uint64)
1616payload_uuidUUID v4 (16 raw bytes)
328created_atUnix epoch microseconds (little-endian uint64)
4032payload_sha256SHA-256 of ZIP payload (32 raw bytes)
7256reservedReserved. MUST be zero

ZIP Payload Marker


<!-- EPI_ZIP_PAYLOAD_START -->

Bytes between header and marker = embedded viewer. Bytes after marker = ZIP payload.

MIME Types

ContainerMIME
Envelope v2application/vnd.epi
Legacy ZIPapplication/vnd.epi+zip
SCITT payloadapplication/vnd.epi.manifest+hash

Auto-detection

First 4 bytes: 0x3C 0x21 0x2D 0x2D → envelope-v2. 0x45 0x50 0x49 0x31 → legacy-zip. Otherwise → invalid.

3. Internal ZIP Payload

Required Files

FilePurposeSchema
mimetypeFirst entry, stored uncompressed. Contains application/vnd.epi+zipPlain text
manifest.jsonSigned manifest — root of trustJSON Schema
steps.jsonlImmutable execution timeline (NDJSON)JSON Schema
environment.jsonRuntime environment snapshotJSON Schema
analysis.json9-pass deterministic fault analysisJSON Schema
policy.jsonGovernance rulebookJSON Schema
viewer.htmlSelf-contained browser forensic viewerN/A
VERIFY.txtOffline verification instructions for auditorsPlain text

Optional Files

FilePurpose
review.jsonHuman review addendum (NOT in file_manifest)
review_index.jsonMulti-reviewer index
policy_evaluation.jsonPolicy rule evaluation results
stdout.logCaptured stdout
stderr.logCaptured stderr
artifacts/scitt/statement.cborSCITT COSE_Sign1
artifacts/scitt/receipt.cborSCITT Merkle receipt
artifacts/sbom/CycloneDX SBOM
artifacts/agt_export.jsonAGT export

4. Manifest Schema

Root of trust. Every file's SHA-256 hash is recorded in file_manifest.

Required Fields

FieldTypeDescription
spec_versionstringEPI version (auto-populated from package, e.g. "4.2.0")
workflow_idUUIDUnique execution identifier (auto-generated UUID v4)
created_atdatetimeUTC ISO 8601 (auto-set to current time): YYYY-MM-DDTHH:MM:SSZ
file_manifestobjectFile paths mapped to 64-char hex SHA-256 hashes

Optional Fields

FieldTypeDescription
cli_commandstringCLI invocation
public_keystring64-char hex Ed25519 (32 raw bytes)
signaturestringed25519:<key_id>:<sig_hex>
container_formatstring"legacy-zip" or "envelope-v2"
analysis_statusstring"complete", "skipped", "error"
goalstringWorkflow objective
metricsobjectKey-value metrics
sourceobject{integration, framework, agent}
total_stepsintegerTotal recorded steps
tagsarrayCategorization tags
governanceobjectDID, SCITT, trust score
trustobjectCryptographic verification state
policyobjectPolicy evaluation outcome

Full JSON Schema definition

5. Cryptographic Protocol

Canonical Hashing

  1. Convert model to dictionary
  2. Exclude: signature, governance, trust (manifest); source_type (step)
  3. Normalize UUIDs to lowercase canonical form
  4. Normalize datetimes to UTC YYYY-MM-DDTHH:MM:SSZ (strip microseconds)
  5. JSON serialize: sort_keys=True, separators=(",", ":"), ensure_ascii=True
  6. SHA-256 over UTF-8 bytes → 64-char lowercase hex

Conformance: Two implementations computing the canonical hash of identical data MUST produce identical hex strings.

Manifest Signing

  1. Canonical hash of manifest (excluding signature fields)
  2. Convert hex to 32 raw bytes
  3. Ed25519 sign (RFC 8032) → 64 raw bytes
  4. Encode signature as 128-char hex
  5. Key ID = SHA-256(hex_public_key)[:16]
  6. Signature string: ed25519:<key_id>:<128-hex-sig>

Key ID is cryptographically bound to the public key — prevents key substitution attacks.

Manifest Verification

  1. Parse signature on : into 3 parts
  2. Reject if algorithm is not ed25519
  3. Verify key ID = SHA-256(hex_public_key)[:16]
  4. Decode 128-char hex to 64 raw bytes
  5. Compute canonical hash of manifest
  6. Import Ed25519 public key
  7. Verify signature over canonical hash

Step Hash Chain

Each step in steps.jsonl contains prev_hash:

Append-only, hash-linked timeline. Any insertion, deletion, or reorder breaks the chain.

6. Steps Format

NDJSON: one JSON object per line.

FieldTypeRequiredDescription
indexintegerYesMonotonically increasing, 0-indexed
kindstringYesStep type identifier
timestampdatetimeAutoUTC ISO 8601 (auto-populated)
contentobjectAutoStep-specific payload (defaults to empty object)
prev_hashstring|nullAutoSHA-256 of previous step (auto-computed)
trace_idstringNoW3C trace identifier
span_idstringNoW3C span identifier
governanceobjectNoStep-level governance
source_typestringNo"user"|"tool"|"reasoning"|"system"

Full JSON Schema

7. Verification Procedure

7 independent checks, in order:

  1. Structural — Valid envelope, extractable ZIP, required files present
  2. Integrityfile_manifest entries match SHA-256; no extra files
  3. Signature — Ed25519 valid against manifest canonical hash
  4. Chainprev_hash links intact; indices monotonic; timestamps non-decreasing
  5. Completenesstotal_steps matches line count
  6. MIMEmimetype = application/vnd.epi+zip
  7. SCITT (optional) — COSE_Sign1 valid, Merkle proof correct

8. Trust Model

LevelIntegritySignatureIdentityMeaning
HIGHPassValidKnownSigner verified in trust registry
MEDIUMPassValidUnknownSCITT-anchored
LOWPassValidUnknownValid sig, unverified identity
NONEPassNoneUnsigned artifact
TAMPEREDFailInvalidModified or corrupted

9. Security Model

ThreatMitigation
Post-seal tamperingSHA-256 file manifest + Ed25519 signature
Evidence replayUnique workflow_id + created_at
Secret leakageHMAC-SHA256 redaction
Signature spoofingKey ID bound to public key
Step manipulationprev_hash chain
File injectionIntegrity rejects extras
Visual deceptionviewer.html in file_manifest
Key compromiseRevocation files in trust registry

Threats Not Mitigated

EPI is a post-execution evidence system. It records what happened — it does not prevent unauthorized access at runtime. For enforcement, use EPI_ENFORCE=1. File-level encryption is not specified; implementers MAY layer on top.

10. Conformance

An implementation is conformant if:

  1. Produces .epi files passing the 7-pass verification procedure
  2. Produces correct canonical hashes matching published test vectors
  3. Produces valid Ed25519 signatures
  4. Correctly parses and validates prev_hash chains

11. Schemas & Test Vectors

ResourceLocation
Manifest Schemamanifest.schema.json
Step Schemastep.schema.json
Environment Schemaenvironment.schema.json
Analysis Schemaanalysis.schema.json
Policy Schemapolicy.schema.json
Test Vectorstest-vectors.json
Reference Implementation: epi-recorder (Python, MIT) · PyPI

This specification is an open standard. The .epi file format carries no intellectual property restrictions. Anyone may implement producers and consumers conforming to this specification. Contributions via GitHub Issues.

EPI Labs — Tamper-evident evidence infrastructure for AI agents

epilabs.org · GitHub · PyPI