Tessera

Self-Validating Executable Document Format

The tessera hospitalis was a Roman token of mutual recognition — a clay tablet broken between host and guest. The fit proved the relationship without any third party. Tessera the format carries the same property: the document proves itself.

View on GitHub Read the Spec
Cheaters can cheat but they can't hide it.

The engine doesn't prevent invalid mutations — it makes them detectable. Any party who receives a Tessera document can replay the chain and verify every step.

Features

Cryptographic Integrity

Ed25519 signatures on every mutation. SHA-256 hash chain links each state transition. Content-addressable versioning.

Dual-Format Serialization

JSON for readability, CBOR for efficiency. Content-sniffed on load. Round-trip fidelity guaranteed.

Embedded Validators

Domain logic runs inside a sandboxed Rhai runtime. Chess rules, contract negotiation, any state machine.

Schema Enforcement

Typed fields, transition guards, structural validation. The schema declares what's valid; the engine enforces it.

Multi-Actor Support

Different parties sign their own mutations with their own keys. Every action is attributable and verifiable.

Zero Dependencies

No server, no database, no blockchain, no network. Fully offline. The document is the authority.

How It Works

1

Define Schema

Declare fields, types, mutations, guards, and optional embedded validator code

2

Create Document

Initialize state from schema defaults, sign with authority key

3

Apply Mutations

Each mutation is validated, signed by the actor, hash-linked to the chain

4

Verify Anywhere

Any party replays the chain from genesis and confirms every step

Examples

Chess

Complete chess game with all rules enforced by an embedded Rhai validator (~650 lines of chess logic running inside the document's sandbox).

  • Full move validation: legal moves, check, checkmate, stalemate
  • Special moves: castling, en passant, promotion
  • Multi-actor turns: white and black sign independently
  • Post-game guards: no moves after checkmate
  • Tamper detection on any state modification
cargo run --bin chess
Try the Demo

Contract Negotiation

Two-party agreement where every edit, proposal, counter-offer, and acceptance is cryptographically recorded.

  • Turn-based workflow: propose, counter, accept, withdraw
  • Business rules: can't accept own proposal, immutable after acceptance
  • Multi-party signatures: vendor and client sign independently
  • Complete audit trail in the hash chain
  • Tamper-evident final agreement
cargo run --bin contract
Try the Demo

Document Format

A Tessera document is a single portable artifact — JSON or CBOR — containing everything needed to verify itself.

{
  "tessera": "0.1",
  "schema": {
    "fields": { "count": { "type": "u64", "default": 0 } },
    "mutations": {
      "increment": {
        "guards": ["count < 1000"],
        "effects": { "count": "count + 1" }
      }
    }
  },
  "state": { "count": 42 },
  "chain": [ ... ],
  "chain_mode": "embedded",
  "pubkey": "<Ed25519 public key>",
  "signature": "<Ed25519 signature>"
}

Each mutation in the chain carries: prev_hash, operation, next_hash, actor public key, and actor signature. The version is the SHA-256 hash of the current state.

Privacy Stack

Tessera is one layer of a larger architecture. Each component addresses a different failure mode.

Signet

Cryptographic vault between you and the world. Three-tier data model, zero-knowledge proofs, Ed25519 root of trust. Your agent proves things about you without revealing you.

Agent-Safe (SPL)

Authorization policy embedded in the token, evaluated locally in microseconds. No policy server in the critical path. The SQLite of agent authorization.

BlindDB

Storage where the operator cannot read what they store. Client-side encryption, opaque record IDs, no relationships between records computable by the server.

HermesP2P

Ephemeral peer-to-peer messaging. No central server, no metadata logging, no message persistence. Fixed-size padding defeats traffic analysis.