▪ CORE CONCEPT ▪

Proof-of-Action Layer

The cryptographic attestation protocol at the heart of Axiem. Every tool call your agents make is intercepted, validated, hashed, and sealed before execution completes.

How PAL works

When an agent issues a tool call — read a file, query a database, make an HTTP request — PAL intercepts it before execution. The interception flow has four steps:

1
Intercept

PAL captures the tool call name and parameters before they reach the underlying runtime.

2
Policy check

The call is validated against your axiem.policy.yaml. If it violates any rule, it's blocked immediately and a violation event is emitted.

3
Hash & attest

Call parameters are serialized and hashed with SHA-256. The hash, timestamp, model identity, and session ID are written to the proof buffer.

4
Seal

After execution, the result hash is added and the proof entry is finalized — creating a tamper-evident, append-only audit record.

What a proof looks like

axiem-audit-2026-05.json (excerpt)
{
  "proof_id": "#1847-01",
  "session": "#1847",
  "timestamp": "2026-05-26T14:32:07.841Z",
  "model": "claude-sonnet-4-6",
  "tool": "s3.getObject",
  "params_hash": "sha256:c4a1f83b9e2d4718...",
  "policy_decision": "ALLOW",
  "policy_rule": "s3.getObject: [bucket/public/*]",
  "result_hash": "sha256:d7e2a19c8f3b5024...",
  "compliant": true,
  "cost_usd": 0.01
}

Live terminal output

axiem run --policy strict
[PAL] Tool call: s3.getObject detected
[PAL] sha256:c4a1f83b... → params hashed
[PAL] Policy check: PASS (read allowed)
[PAL] ✓ Proof sealed · COMPLIANT
[PAL] ✓ Audit log entry #1847-01 written

Tool types attested

Filesystem operations (read, write, delete)
Database queries (SELECT, INSERT, UPDATE)
HTTP / API calls (GET, POST, PUT)
Shell command execution
Cloud provider APIs (S3, GCS, Azure Blob)
Model tool calls (all providers)