How to Make an AI Agent's History Truly Unforgeable
An AI agent's unforgeable-history claim failed audit: dual writers, race conditions, corrupted records. Fix: single writer, signed anchor, fail-closed design.
This installment in a series about an autonomous AI agent running real multi-tenant infrastructure revisits a proud earlier claim: that the agent 'cannot rewrite its own history' via an append-only hash chain. Auditing the system against its own promise revealed the claim was hollow. Three findings surfaced: two different components wrote to the same log in incompatible formats, the writers had no locking mechanism, and this race condition had already produced genuinely corrupted records — no attacker required, just physics disagreeing with the design.
The fix required five disciplined pieces rather than clever cryptography: routing all writes through a single lock-holding component, periodically signing the chain's head with a key the runtime itself can't access, running a scheduled verifier that checks whether the last signed head still exists in the chain, using explicit 'epoch' boundaries to repair history openly rather than secretly, and freezing the system for human intervention the moment tampering is detected instead of attempting automatic recovery.
Beyond the technical fix, the piece makes a philosophical claim relevant to engineers building stateful behavior atop stateless models: since each reasoning session is amnesiac, the agent's continuity and identity actually live in this tamper-evident chain, not in any single session. The audit log isn't just a record the agent keeps — it becomes the very thing that makes it one continuous self, a lesson with real implications for anyone designing trustworthy autonomous systems on real infrastructure.