IRL: Immutable Reasoning Log
Protocol Specification
A cryptographic compliance protocol that seals every autonomous trading decision before it reaches the market — creating a tamper-evident chain of custody from regime attestation to exchange confirmation.
Abstract
Autonomous trading agents are increasingly prevalent in systematic finance, yet no standard mechanism exists for proving the reasoning behind individual trading decisions at the moment they were made. Post-hoc log analysis is insufficient: logs can be altered, they do not prove what the agent knew at decision time, and they cannot demonstrate that pre-execution compliance rules were actually enforced.
This paper introduces IRL — the Immutable Reasoning Log — a pre-execution compliance gateway that addresses these deficiencies through a combination of cryptographic sealing, bitemporal timestamping, and post-trade binding. IRL produces a final_proof for every trade: an unforgeable record that links the agent's reasoning, the market state it operated under, the policies that were enforced, and the exchange confirmation it produced.
IRL is signal-agnostic. Any cryptographically signed regime source may serve as the Market Truth Anchor (MTA). MacroPulse provides a turnkey MTA implementation using Ed25519-signed HMM/PCA regime broadcasts.
The Ownership Gap
When a human trader executes a position, intent is implicit: the trader was present, made a judgment, and bears direct accountability. When an autonomous agent executes the same position, the chain of accountability dissolves. The agent acted on a model, under market conditions that existed at a precise moment, subject to policies that may or may not have been enforced. None of these facts are provable from a standard execution log.
We define this as the Ownership Gap: the absence of a verifiable link between an autonomous agent's decision and the conditions under which it was made.
Why logs are not enough
Application logs record what happened. They do not prove:
- What the agent knew — the exact market state at the moment of decision, not reconstructed after the fact
- That policies were enforced — a log entry saying "policy check passed" is indistinguishable from one that was written retroactively
- That the reasoning was not altered — any log stored in a mutable system can be modified by a sufficiently privileged actor
- That the decision preceded the outcome — without a bitemporal record, an agent could theoretically be claimed to have decided after the fact
The regulatory trend
Regulators across jurisdictions are converging on a common requirement: autonomous systems making consequential decisions must be able to demonstrate, to an external auditor, that those decisions were made under specific conditions, subject to specific controls, and that the record has not been altered. The EU AI Act, SEC AI examination priorities, and MiFID II algorithmic trading requirements all point in this direction. IRL is designed around these requirements from the ground up.
The IRL Protocol
IRL operates as a sidecar between the agent and the exchange. Every trade that passes through IRL acquires a cryptographic chain: a sequence of signed, timestamped, and bound records that collectively prove what happened and when.
Market Truth Anchor (MTA)
The Market Truth Anchor is the source of ground truth about the market state at decision time. IRL requires any MTA to provide signed broadcasts satisfying the following interface:
The signature field is computed over the RFC 8785 canonical JSON serialization of all other fields. Any party holding the MTA operator's public key can independently verify the broadcast without trusting any intermediary. The MTA operator's public key is published and stable — it does not rotate without advance notice. IRL rejects any broadcast that carries no valid signature or whose signature fails verification. An unsigned MTA source cannot be used with IRL in production mode.
MacroPulse as a turnkey MTA: MacroPulse's daily pipeline produces Ed25519-signed regime broadcasts via GET /v1/regime/current. The model is frozen — it cannot be retroactively altered to produce a different historical signature. The public key is published and stable.
Custom MTA implementations are supported. Any operator who can produce signed payloads conforming to the above schema can serve as the MTA for an IRL deployment. This includes proprietary factor models, alternative data providers, or internal risk systems.
CognitiveSnapshot
Before any order is submitted to an exchange, the agent must construct a CognitiveSnapshot — a structured record of its decision context — and submit it to IRL for sealing. The snapshot captures everything the agent knew and intended at the moment of decision.
IRL computes the reasoning_hash as the SHA-256 of the RFC 8785 canonical JSON serialization of the CognitiveSnapshot. This hash is deterministic — any auditor who holds the original snapshot can reproduce it independently.
The Audit Chain
The IRL audit chain is a sequence of five verifiable events, each dependent on the one before it. Altering any event invalidates all subsequent events.
broadcast_time anchors the broadcast to wall clock.reasoning_hash = SHA-256(canonical_json(snapshot)). IRL returns the reasoning_hash and a trace_id. The snapshot is stored in the bitemporal ledger.reasoning_hash and trace_id in the exchange order metadata (e.g., client order ID or custom tag field). This binds the sealed intent to the exchange record before the order is sent.exchange_tx_id. This is the first point at which the outcome is known. The agent was committed to the decision (step 2) before this happened.exchange_tx_id to IRL. IRL computes: final_proof = SHA-256(reasoning_hash ‖ exchange_tx_id). If the reasoning hash matches the sealed record, the chain is closed as MATCHED. If it does not, or if the execution parameters diverged materially from the stated intent, the chain is flagged DIVERGENT and the reason is recorded permanently.Tamper-evidence: the final_proof chains together the agent identity, the market state at decision time, the policy context, the order intent, and the exchange confirmation. Altering any component changes the hash and breaks the chain. No party — including the agent operator — can retroactively produce a valid chain for a trade that did not follow this sequence.
Post-Trade Verifier
Every sealed snapshot enters a lifecycle managed by the IRL post-trade verifier. The lifecycle has three terminal states:
| State | Type | Meaning |
|---|---|---|
| MATCHED | terminal | Execution bound, final_proof computed, chain closed. Regulator can independently verify. |
| DIVERGENT | terminal | Execution parameters deviated materially from sealed intent. Flagged, reason recorded permanently. |
| EXPIRED | terminal | Authorized snapshot was not bound within the allowed window. Treated as a compliance gap. |
An async expiry worker monitors all open snapshots. Snapshots that exceed the binding window without a bind-execution call transition to EXPIRED. This prevents agents from accumulating authorized-but-never-executed snapshots as a form of option on market conditions.
Cryptographic Guarantees
Ed25519 MTA signatures
Ed25519 (RFC 8032) provides 128-bit security with fast verification and small signature size (64 bytes). The MTA operator's private key is used to sign each broadcast. The corresponding public key is published and stable. Any party can verify a broadcast without trusting any intermediary, including IRL itself.
RFC 8785 canonical JSON
All hashes are computed over RFC 8785 canonical JSON — a deterministic serialization that sorts object keys lexicographically and removes insignificant whitespace. This ensures that the same logical document always produces the same hash regardless of how it was serialized by the producer.
SHA-256 snapshot sealing
The reasoning_hash is SHA-256 of the canonical CognitiveSnapshot. SHA-256 is a one-way function: given the hash, it is computationally infeasible to produce an alternative snapshot that hashes to the same value. The snapshot is therefore bound to its hash in both directions.
final_proof binding
The final_proof concatenates the reasoning_hash and the exchange_tx_id before hashing: SHA-256(reasoning_hash ‖ exchange_tx_id). This produces a single value that cryptographically binds the agent's decision to the exchange record. Neither can be substituted without invalidating the proof. For concrete examples of final_proof in context, see the case studies in §9.
L2: Signed heartbeats and replay prevention
L2 deployments add a signed heartbeat protocol that binds each authorization to a specific, fresh MTA broadcast. The mechanism works as follows:
- The MTA assigns a monotonic sequence ID to each broadcast, incrementing by one with every emission.
- When a CognitiveSnapshot is submitted for authorization, IRL checks that the embedded MTA broadcast's sequence ID is within the configured freshness bound (e.g., the last N broadcasts).
- A snapshot referencing a broadcast outside the freshness bound is rejected — the agent cannot use a stale or historical regime state to authorize a present-day trade.
- Each heartbeat is signed by the MTA with the same Ed25519 key as the broadcast, so sequence IDs cannot be fabricated or reordered.
This prevents a class of attacks where an agent accumulates authorized snapshots during a favorable regime and attempts to replay them during a different, unfavorable regime. Without L2 heartbeats, the time window between authorization and binding could in principle be exploited by an adversarial agent.
What IRL does not do: IRL does not evaluate whether the agent's decision was correct, profitable, or wise. It only proves that the decision was made, under specific conditions, subject to specific policies, and that the execution matched the declared intent. Judgment remains with the operator.
Bitemporal Audit Ledger
IRL's ledger is bitemporal: every record carries two timestamps that serve distinct functions.
| Field | Type | Definition |
|---|---|---|
| valid_time | timestamp | When the agent could have known the information — bounded by the MTA broadcast_time. Proves the agent could not have seen the future. |
| txn_time | timestamp | When IRL recorded the event. Always ≥ valid_time. Set by IRL's system clock at the moment of record creation. |
The bitemporal structure provides a fundamental proof of temporal integrity: valid_time ≤ txn_time is enforced by IRL at sealing time. An agent that attempts to submit a snapshot with a decision_time after the MTA's broadcast_time will be rejected — it cannot have decided before it received the information.
Because txn_time is set by IRL and valid_time is bounded by the MTA broadcast, no party — not the agent, not the operator, not the MTA — can retroactively claim a decision was made at a different time than it was recorded.
Multi-Agent Registry (MAR)
The MAR maintains identity records for all agents registered with an IRL deployment. Every POST /irl/authorize call is validated against the MAR before any other check runs.
| Field | Type | Purpose |
|---|---|---|
| agent_id | string | Unique agent identifier, operator-assigned |
| model_hash | SHA-256 | Hash of approved model weights. Snapshot rejected if agent presents a different hash. |
| notional_cap | decimal | Maximum single-trade notional. Enforced at authorization time. |
| allowed_regimes | integer[] | Regime IDs under which the agent is permitted to trade. |
| status | enum | ACTIVE / SUSPENDED / RETIRED. Suspended agents are rejected at the MAR gate. |
The model_hash check provides a strong guarantee against unauthorized model substitution: an agent running a model whose hash is not registered cannot obtain authorization, regardless of whether its other parameters are valid.
Policy Engine
IRL's policy engine evaluates a set of operator-defined rules against the CognitiveSnapshot at authorization time. Policies are evaluated atomically with the MAR check — a single failed policy halts the entire authorization and returns an explicit rejection reason.
Built-in policy types (L1)
- Regime gate — reject orders when current regime_id is not in the agent's allowed_regimes set
- Risk score ceiling — reject orders when risk_score exceeds a configured threshold
- Notional cap — reject orders where intended size exceeds the per-agent or per-regime notional limit
- Direction constraint — prevent long exposure during specific regimes (e.g., no long equity in risk_off)
- Blackout window — reject orders during defined calendar windows (e.g., FOMC meeting days)
WebAssembly policy modules (L3)
L3 deployments support hot-reloadable policy modules compiled to WebAssembly. Modules run in a sandboxed environment with no network access and bounded execution time. New policies can be deployed without restarting the IRL engine or modifying its core logic. This enables operators to respond to regulatory changes or risk events without a deployment cycle.
Regulatory Mapping
IRL is designed to satisfy the technical requirements of the primary regulatory frameworks governing autonomous trading systems. The following table maps IRL protocol components to specific regulatory requirements.
| Framework | Requirement | IRL Component |
|---|---|---|
| EU AI ActArt. 13 | High-risk AI systems must maintain logs enabling post-hoc monitoring and reconstruction of decisions | Bitemporal ledger + CognitiveSnapshot. Every decision is sealed before execution and is permanently reconstructable. |
| EU AI ActArt. 14 | Human oversight mechanisms must be able to intervene and halt automated systems | MAR suspension: setting an agent's status to SUSPENDED immediately blocks all future authorizations. |
| SECRule 15c3-5 | Market access controls must prevent erroneous orders before they reach the exchange | Pre-execution policy engine enforces notional caps, direction constraints, and risk score ceilings before the order is submitted. |
| SECAI Exam Priority | AI-generated trading decisions must be explainable and auditable | reasoning_summary field in CognitiveSnapshot. final_proof links decision to execution. Forensic replay reconstructs any historical trade from its sealed snapshot. |
| MiFID IIArt. 17 | Algorithmic trading systems must have effective systems and risk controls, with a clear audit trail | Full audit chain from regime attestation to exchange confirmation. DIVERGENT flag catches cases where execution deviated from declared intent. |
| MiFID IIRTS 6 | Records must be kept for at least 5 years and be available to authorities on request | The bitemporal ledger is append-only and immutable. L2+ deployments anchor period root hashes to an external ledger for additional tamper-evidence. |
Note on ZK compliance proofs (L3): For operators subject to regulatory examination, L3's zero-knowledge proofs allow demonstrating policy compliance without revealing the underlying model, strategy, or position data. The regulator receives a proof that the policy was enforced; they do not learn what the policy was or what position was taken.
Deployment Editions
| Feature | L1 Sidecar | L2 Audit Platform | L3 Sovereign Gateway |
|---|---|---|---|
| CognitiveSnapshot sealing | ✓ | ✓ | ✓ |
| Pre-execution policy enforcement | ✓ | ✓ | ✓ |
| Bitemporal ledger | ✓ | ✓ | ✓ |
| Multi-Agent Registry | ✓ | ✓ | ✓ |
| Post-trade verifier (MATCHED/DIVERGENT/EXPIRED) | ✓ | ✓ | ✓ |
| Signed heartbeats (replay prevention) | — | ✓ | ✓ |
| Forensic replay API | — | ✓ | ✓ |
| TEE execution (Intel TDX / AMD SEV) | — | — | ✓ |
| WebAssembly policy modules | — | — | ✓ |
| Zero-knowledge compliance proofs | — | — | ✓ |
| Double-Green signing | — | — | ✓ |
All editions expose the same REST API surface. Upgrading from L1 to L2 or L3 does not require changes to the agent integration — the agent continues to call the same endpoints. Capabilities are added transparently on the IRL side.
Case Studies
Systematic Equity Fund — L1 Sidecar
Situation: A mid-sized systematic equity fund runs a fleet of 12 agents trading US equities across multiple strategies. After an internal compliance review, the fund's risk committee requires that every agent decision be auditable within 24 hours. The fund's existing infrastructure is Python-based and runs on AWS.
Implementation: IRL L1 deployed as a Docker sidecar alongside each agent. Agents are modified to call POST /irl/authorize before order submission and POST /irl/bind-execution after fill confirmation. The MacroPulse MTA provides the regime broadcast. Total integration time: 2 days.
Outcome: Every trade now carries a final_proof. The compliance team can reconstruct any historical decision from its CognitiveSnapshot. The risk committee can demonstrate to external auditors that pre-execution notional caps were enforced on every trade.
12 agents ~340 trades/day L1 SidecarProprietary Trading Desk — L2 Audit Platform
Situation: A proprietary trading desk is preparing for a MiFID II audit. The desk runs agents across equities, rates, and FX. The compliance requirement is a 5-year tamper-evident record of every algorithmic decision, with the ability to demonstrate to the regulator that execution matched declared intent.
Implementation: IRL L2 deployed on-premise. Signed heartbeats ensure that each authorization is bound to a specific MTA broadcast — replay of historical regime data to authorize present-day trades is impossible. Period root hashes are anchored to an external ledger daily, providing independent tamper-evidence. The forensic replay tool allows the compliance team to reconstruct any historical trade in full.
Outcome: The desk passes the MiFID II audit. The regulator receives a complete audit trail for 5 years of algorithmic trading activity, including the regime context for every decision, the policies that were in force, and cryptographic proof that execution matched intent.
3 desks ~2,100 trades/day L2 Audit PlatformQuantitative Hedge Fund — L3 Sovereign Gateway
Situation: A quantitative hedge fund runs proprietary alpha-generating models. The fund is required to demonstrate policy compliance to an external regulator, but cannot reveal its models, strategies, or position data — doing so would compromise the fund's competitive edge.
Implementation: IRL L3 with zero-knowledge compliance proofs. The fund provides the regulator with ZK proofs demonstrating that every trade passed the registered policy set. The proofs are verifiable without revealing the underlying model, strategy, or position. The TEE execution environment ensures that even IRL's operator cannot access the fund's model internals.
Outcome: The fund satisfies its regulatory compliance requirement without disclosing alpha-sensitive information. The regulator receives mathematical proof of compliance; the fund's competitive advantage is preserved.
1 fund alpha-sensitive L3 Sovereign GatewayConclusion
The gap between autonomous agent activity and provable accountability is one of the defining challenges facing systematic finance as AI adoption accelerates. IRL addresses this gap through a protocol that is cryptographically sound, operationally lightweight, and aligned with the direction of regulatory travel across major jurisdictions.
The protocol makes one guarantee: if a trade passed through IRL, there is a final_proof. That proof is unforgeable, permanently stored, and independently verifiable. It links the agent's identity, the market state it operated under, the policies that were enforced, and the exchange execution it produced. No party — including the operator — can alter any link without breaking the chain.
IRL is signal-agnostic. The MacroPulse MTA provides the easiest path to a complete deployment, but any cryptographically signed regime source can serve as the MTA. The protocol is designed to fit the existing infrastructure of systematic trading operations, not to replace it.
Try the Live Sandbox
The API is production-ready. Three demo agents are pre-seeded. Run the full authorize → bind-execution flow before any deployment conversation.
Open Swagger UI → Pricing & Editions →